Good news — as of 12/11/12 noon, @CancelYourCard is back up. No explanation from Twitter as to why they made the decision, or response to the card-posting problem. Unsurprising, as acknowledgment might lead to legal liability, I guess.
Aaaaand as of 12/14 it’s back down again. — Gus
If you’re following me on Twitter (so closely that you’re reading my @tweets, the ones that don’t show up in your stream if you don’t know both parties to the conversation), you’ll have seen that I have been trying to respond to anyone whose post shows up on the @NeedADebitCard feed. @NeedADebitCard is a ‘bot, I believe, which automatically retweets any post in which someone mentions “bank card” or “debit card” or suchlike and attaches an image. The bulk of these posts are someone posting a picture of their card. Numbers, name, expiration date and all.
This cannot end well, as you’d imagine. Let me lay it out just in case any of you aren’t seeing what might be the problem, here: You put your numbers online, and anyone can use your card, charging things to your credit or even wiping out your bank account. That’s simple and intuitive for most of us, but apparently it is not clear to everyone.
@NeedADebitCard’s account has posted 131 tweets as of this writing. I don’t have solid numbers on who is posting these pictures, but I feel like I am seeing trends in the posters’ icons, names, and geographic locations:
- Many are not in the US. Those who are, sadly, appear to be from minority communities.
- There is a significant percentage from countries in the Global South.
- Are they young? There’s a number of teenagers, but I’ve seen at least one parent on there who tweeted a picture of her card that featured her infant daughter.
- There’s been an upswing recently from the UK in particular, and I was seeing some tweets from Australia and Canada as well.
In the past few weeks traffic on the @NeedADebitCard stream has gone up somewhat. Not a deluge yet, but still at least a couple of cards a day. The number doesn’t matter; the effects on any one poster’s finances could be catastrophic.
The Evening Standard controversially laid blame for this uptick on Barclays, which recently allowed for card customization with a personal picture. Many card pic posters are showing off their personalized cards. Obviously, the problem is the behavior and not the cards themselves, but at the same time, Barclays could do a better job of educating consumers. Every newly-issued card comes with a sticker on it telling you how to phone in and activate it, right? Why not add a warning on there telling people not to post pictures of their cards online?
Because I am naturally concerned about this as a digital literacy educator, and because I’ve seen endless repetitions of social engineering talks at HOPE and know how easy it would be to get these tweeters’ security codes on the back of the cards, I’ve been responding to as many tweets as I can, like chucking beached starfish back into the sea. But it’s occurred to me that if it was so easy to find and retweet the original card posts in a chaotic-neutral way, that could lead either to posters getting warned or to their card details being stolen, it would also be trivial to code a bot to respond to @NeedADebitCard and warn the posters to cancel their cards.
I floated the idea on Twitter the other day and got a lightning-fast response from other concerned citizens, @wirehead2501 and @is4tomj. The latter wrote up a bot, @CancelYourCard, so fast it was active for a day before I got around to thanking him. For a moment there, we had an automatic educator (albeit one that was saying “yo dawg” in the style of Xzibit) which attempted to help people be safer online.
Current status of this project: as of this afternoon @CancelYourCard is down, suspended by Twitter apparently. Yet @NeedADebitCard is still up, amplifying the reach of stealable credit cards. A heartbreaking mistake on the part of Twitter; Tom and I have tried to contact them to make our case for the bot. It’s quite possible it got itself into some sort of retweet loop that went out of control, or otherwise tripped their spam sentries. I suppose a possible happy side effect, though, could be bringing this card-posting phenomenon to Twitter’s attention, and giving them the option to warn users about security breaches like this.
Really, there’s a lot of things Twitter could do to help make people safer here. A warning flag could interrupt the posting process anytime someone tried to tweet something shaped like a street address, credit card number, password (preceded by “password”), or social security number (yes! it actually happens! I haven’t seen it on Twitter yet, but while writing my dissertation I actually saw it once, plus a handful of credit card numbers). I hope they’ll think about it. Things seem to be evolving as I write this, so I’ll post updates.
I fight with people periodically who, like so many commenters in my dissertation, say the card-pic posters are stupid and deserve to be weeded out of the gene pool. This is pretty ridiculous. Yes, it’s not the wisest move to post the information that leads to your bank account and credit reputation, but it’s worth keeping in mind that all of us alive today are still, and constantly, learning how to use rapidly-changing technology. Anyone alive over the past 20 years or so has had to learn all of this from scratch, and almost none of us learned any of it in school. What there even is to be learned is in flux. Not only do we need to be patient with each other, but we need to remember that what all of us — software developers, grandchildren, Twitter users — are doing when we respond to events like this is educating each other. There is no other school for digital education right now but us. (I’m working on that.)