Developer Loses Single-Letter Twitter Handle Through Extortion
Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."
like so many other articles, this just seems like another reminder to never ever use godaddy
Who, the person working at GoDaddy? Or the owner of the domain for using GoDaddy?
Methinks if Mr. Hiroshima had the funds available, or a pro-bono lawyer stepped in, there's grounds for a lawsuit against at least PayPal if not also GoDaddy.
Avoid custom domains for your login email address
Honestly, I don't think that would have helped. I doubt it's much harder to gain control of someone's gmail, yahoo or hotmail account if they are as motivated as it sounds like his attacker was.
Once you gain control of anyone's email account, even if the attacker doesn't have custom domains to hold for ransom, they could easily threaten bank accounts, etc etc.
If your account has two-factor enabled, any account change will require entry of that limited-time token. Now, if the person doing the social engineering was able to access the account in the first place with only the last four digits of the card number, then they may have also been able to bypass this or turn it off with the help of the customer support rep. But I didn't see any mention of this in the article and wanted to point it out for those who use GoDaddy and are afraid of a similar situation occurring.
Can't he just get the domains back and then alert twitter to reclaim his handle??
sue GoDaddy. aiding and abetting in the act of a FELONY.
I'd be talking to a lawyer. Sounds like someone at Paypal owes $50k to Mr. Hiroshima.
don't let companies such as PayPal and GoDaddy store your credit card information.
I wonder, does Mr. Hiroshima realize that consumers have little to no (closer to the latter) control over what a corporation does with our credit card info once we make a purchase with them?
Does he know of some nuclear option the rest of us aren't aware of?
This is a story about how 'real' people hate secure things. Nerds are all about creating encryption and security that requires knowing a secret key. Real world people deal with the fact that they forget secret keys, and want companies to restore their data for them. So for companies to keep customers, they have to create workarounds for the secret keys.
As a result the only way to for sure secure something, is to not depend upon companies who have 'real' people for customers.
So Hiroshima is an idiot because someone convinced an employee at PayPal that he was in fact the account owner and to give out the last 4 digits of someone else's credit card?
Or is he an idiot because someone at GoDaddy, also in breach of proper authentication of account ownership, gave access to the person with the last 4 digits of the credit card number?
Help me out here, I am so confused about how him being less "worthless and superficial" would have stopped someone else from giving out his account information.
And this is why I avoid Twitter, GoDaddy & PayPal like the plague they are.
Why is a 1 character handle valuable anyway?
Also, won't everyone know it's stolen?
i get the feeling that this is high enough profile where the extortionist is going to get a beatdown by one of the tech companies involved.
When the Target data breach happened, I commented here about some of the advantages to using throw-away, preload credit cards (which limits your potential loss and allows you to quickly switch to an entirely different account if you feel the other might be compromised). I was modded down by people who have bought into the whole big-bank credit card racket, and the attitude "why should I worry, when the bank is responsible and I'll eventually get my money back". Well here is yet another advantage of using preloaded credit cards. You load money on it, pay your annual hosting fees, etc, and then just toss it and get another next year to make the next annual payment. This story illustrates the advantages of using an entirely different credit card per service, so the card you use with Godaddy is not the same as you use with Paypal.
Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.
OR! Does this Slashdot FP itself count as a social engineering attack by Naoki Hiroshima to pressure GoDaddy/Twitter/Paypal/SomeoneElseEntirely into submission, possibly for the stated purpose (control of @N), or for something seemingly unrelated but actually useful?
I kid, of course... I have no reason to doubt the story as given. I do find it odd that someone would actually break the law (at the very minimum, identity theft and extortion) in such a contrived chain of events... Just to gain control of something they won't even realistically get to use (can you imagine trying to use @N for the next few months through the massive volume of hate-tweets it will get?)
phewww
After all, Twitter knows which new email address is holding @N. Should not be too hard to figure out the real person behind it. And simply asking Twitter to hand it back should also work.
So fucking what. Now that @N has been stolen, file a police report. Tell Twitter that they're now obliged to send the IP of whomever uses @N to the police.
Good job, you've acquired a useless handle. Try to sell it? The buyer gets nabbed instead. Of course, the burden of proof of actual extortion is on the moron who handed over the credentials in the first place instead of contacting their hosting company. Smells like a dead fish up in here.
I will now be advising my employer to move all domains from GoDaddy to somewhere else.
The moral is to not use a Registrar that allows domain updates from any IP. easydns.com, for example, can be configured to allow DNS updates only from a list of known IPs. That would stop this kind of deviltry in its tracks.
"It's entirely your fault that a thief held a gun to your wife's head and demanded your Babe Ruth-autographed baseball. If you didn't have a Babe Ruth-autographed baseball in the first place, it never would have happened."
Because acting like a brain dead conturd is always the right response.
How about calling the FBI and then suing the companies that are going to take your livelihood in identity theft?
Giving in to extortion is never a good thing.
I will assume since it hasn't come up already that there is some reason Twitter can't just give him back the handle. What is it?
This is like kidnap or a mugging. At no point do I have an actual incentive to give in to such a person's demands. "We won't hurt you / them / your website if you do X". I have *absolutely* no guarantee of that.
I *cannot* win. If I do everything you request, you could still trash my domain / stab me anyway / kill your hostage and there's nothing I can do to stop that.
As such, non-compliance is no different to compliance in such a situation. So why voluntarily give them MORE power over you / your assets?
As it is you would have to wipe servers, settings, email etc. and start again even if they did honour their agreement.
But then, you have to remember, this person is already committing a crime... what's in their conscience that will make them honour an agreement concerning that crime?
Let them squirm, report them, regain control when you can, then purge their access from your systems.
Anything else is just stupid.
Looks like his account got nuked.
Is that the current controller of N is legitimate, and *this* story is the social engineering attack to get control of it.
it would be nice if say GoDaddy, PayPal, and twitter made this right. Twitter should at least return the stolen handle, if not ban the other guy for doing illegal things.
He should have kept his twitter name and then sued the shit out of go daddy and paypal.
On a related note, is there insurance for these kinds of things?
My physical stuff is all insured, so if someone steals my PC I can claim it with the insurance company.
Are there companies that do the same for domain names or things like that?
Also why are the last 4 digits of your cc number a "secret"? They are printed on the damn card, and hundreds of people get to see it.
Exactly. I don't understand what the issue is, the solution appears obvious.
Someone even says get a lawyer to sue for $50k. That's not how it works, someone steals something, you know how to get it back... simple.
What am I missing here? He never agreed, he was extorted. The 'agreement' to transfer ownership never occurred.
So...run your own everything.
The stories and info posted here are artistic works of fiction and falsehood.
Only fools would take it as fact.
And when your ISP hands you a new IP in a new range you've locked yourself out of your sites with that idea. Good job.
There are two types of people in the world. People who have been screwed by Paypal and people who haven't used Paypal yet.
Did you really expect GoDaddy to care about protecting your interests?
Some excellent alternatives were offered by respondents on the OPs blog, and I'll add another - moniker. Their claim to fame? They have "never lost a domain". And, so, they have a really good reason to keep others from taking your domain - they'd have to give-up that claim. They also offer a reasonably-priced enhanced security feature, though I feel it's unnecessary given the company's history. (And just checked, they still make the claim:
"Moniker is serious about security. In fact, in our history, we’ve never “lost” a domain. Not one."
https://www.moniker.com/domain...
While they aren't under their original ownership, neither policies, convenience, nor responsiveness seem to have suffered. (You can always get ahold of them on the phone when there is a problem.)
I don't have any affiliation with moniker, other than being a happy customer. Happy to use a professional registrar that doesn't have a name that makes people snicker.
This story reminds me why I don't use GoDaddy and, if you haven't already done so, activate two-factor authentication on your Gmail account.
It's not bulletproof (what is?) but it's an extra layer of security that keeps a hacker from getting control of your email account.
A social-engineering blackhat extorted a distinctive and notable, and thus allegedly valuable, Twitter handle from its legitimate registered user.
Why?
It's like stolen art: the thief can't display it without implicating himself. The thief can't sell it, because the fool that buys it can't display it without implicating himself, and the thief by association (and vulnerability to investigative back-tracking).
So.... why?
A lot of work to go to for the sole purpose of effectively destroying a Twitter handle.
Why, with this story and confirming emails and confirmations from both Go Daddy and Paypal, would Twitter allow the @N name to be used by the attacker anyways?
Twitter needs to step in and remove control from the attacker and return it to its proper owner, GoDaddy needs to rip their security team a new one, and Paypal needs to find out who screwed up by giving out credit card info over the phone.
My question is this: While the Hacker was successful in using Social Engineering, what did he THINK would happen when the story broke? That he'd be allowed to retain control of the Twitter name? Is he that daft?
The good news for him is that PayPal and GoDaddy and Twitter now owe him a hell of a lot more than $50,000.
If he wasn't on Paypal, then this never would have happened. If he wasn't on GoDaddy, then this never would have happened. If he didn't use credit cards, then this never would have happened. If he didn't use a computer, then this never would have happened. You aren't presenting as simple a solution as you think you are.
Simply put -- consumers can't be trusted to be able to deal with complex secure authentication schemes. That's why there are so many easy-to-guess "What city did you grow up in?" password-reset functions. There are so many weak links in the chain of trust, it takes a concerted effort on the individual's part to secure it.
The CEO of Cloudflare fell victim to this when someone CONVINCED AT&T TO REROUTE HIS VOICEMAIL, starting a chain of events that wound up with the interloper having complete control over Cloudflare and the myriad of sites that use CF (and therefore trust it to send legitimate data).
It's a bit exciting/fascinating to read about the chain of events, (particularly the timeline):
http://blog.cloudflare.com/the...
http://blog.cloudflare.com/pos...
I am a GoDaddy customer and had a problem with my ex-partner: he tried to social engineer his way into grabbing control of our domains/email accounts, hosted by GoDaddy. Subsequently, I enabled a feature that GoDaddy offers. GoDaddy sends a text message that I must respond with. This extra factor is required for all changes, now. People should enable this feature, regardless of where you host your email. It makes it impossible to social engineer your way past a customer service rep.
I'm a strong believer in having individual email addresses for each important login. I don't think I have a single email address that is related to more than 3 logins max. This greatly limits the ability to have a single breach allow someone into the entire kingdom. While this may not be as convenient as having a single pass login.... I'm ok with that. I keep everything in a password wallet (locally, no cloud usage) to have it all organized.
Should we not all now jump up and try the same for the other one letter handles? As a matter of civil upsetness?
Just admit it. You are an idiot for not reading the story and then making stupid assumptions about who did what.
Go Daddy should be on the hook. How stupid!
"Hi, I need the last 4 of my social security number so I can prove I am who I am. I, uuuuh, lost it, so can you tell me it?"
Er, Paypal.
How do you think whitelisting works bright guy?
Seems to me Mr Hiroshima was given some time. Why not give godaddy and the fbi a call? See if they can set up a trap for the hacker?
Hi, this is $name with account $account, and I had my identity stolen a while ago. They changed all of my account information, and I want to check to see if this account was hacked. What are the last 4 of the SSN on the account?
Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.
And how about don't swim with sharks?
If he wasn't a social media (value = what exactly?) then this would never have happened anyway.
Don't get your desirable twitter handle stolen by not having it? I can think of a car analogy for that.
This is the kind of thing made possible by the absolutely stupid policy of protecting unobtainable information (one's login password) with easily obtainable information (those "secret questions" to reset one's password, such as the city in which one was born, one's first pet, or the last four digits of one's CC or SSN).
If you choose a password that is strong enough, and you're careful enough not to leak it yourself somehow, your password is unobtainable and unguessable. It's as secure as possible. But it requires only a modicum of effort, perhaps a simple public records search, to figure out the answers to most "secret questions" that big companies like GoDaddy use to protect people's passwords. And yet this is how these companies protect your password. And now we see the results.
This was a thing of substantial value and his own willingness to trade it for his custom domains is a compelling argument they too are worth a similar amount.
Thus, if he can prove negligence or some other cause of action against paypal or godaddy he should be able to receive at least 50k damages. Personally, I suspect paypal is the better target as various privacy laws may have been violated. Of course a real lawyer would have a better idea of whether he has a case.
------
Frankly, it's hard to see what could have made this trade a worthwhile deal. I mean, either the hacker already had control of his email through a dns change or he didn't. If the hacker didn't what about the trade would make the extortion victim believe the hacker would behave differently if he turned over the domain than if he didn't? I mean he could presumably still decide to be a dick and use his access to delete the data.
And why not simply pretend not to be at his computer? He could have called godaddy and the like to lock down all the domains.
That would be Paypal that gave out the last four digits. And really, that's not at all uncommon - you can usually get that information from just about anyone who's holding your credit card information "Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234? No, they're 8462? Ah, that explains it, thank you." Hell, they tend to be listed on every single email receipt sent unencrypted across the internet.
GoDaddy is still on the hook in my eyes though - given the completely unsecure treatment of the last four by pretty much everyone, using it for any sort of authentication purposes is completely asinine.
You can get a bank that will let you make throwaway cards. Bank of America does. You specify how long in the future it is to expire and how much its limit is. It'll create a throwaway number for you. It is charged against your regular card, but is a separate number with a separate limit that you can shut down as needed.
So, why wouldn't he reach out to one of the 3 letter agencies involved with things like this (namely the FBI)? At the very least with their help he could have pulled in the 3 companies into a conference call, explained what was going on, and gotten this resolved pretty quickly. It's pretty easy to say "Here is the information that was used to open the account, block all recent changes." Or did the hacker somehow get control of his phone too? Am I missing something?
Twitter controls @N. Once he has his domains back and secured, twitter should be able to transfer control of @N back to him. It's not like they can't reset passwords and registration data. Whomever took it might even have useful info to track them down.
That's why your answer to security questions shouldn't be any weaker than your main password. What was your first pet's name? "e3d0b512214fa". What street did you grow up on? "aa16b70cc9526fe". Store the answers in your own strongly-encrypted password file. Just because they ask for weak identifying info, doesn't mean you have to play along.
Just admit it. You are an idiot for not reading my comment and then making stupid straw men.
Seriously. Read my comment. It doesn't mention Hiroshima at all, you ignorant piece of trash. But again, he's an idiot too.
He's in Pasadena, California. Twitter is in San Francisco. It's a cheap flight. He needs to get a lawyer in SF, and make an appointment with Twitter's general counsel. Bring birth certificate and passport. If Twitter then fails to return the handle, use phrases such as "complicit with extortion".
The lesson here is to always use a unique, e-mail specific password for each e-mail account because they are a gateway to generate password resets for other, less critical accounts that may share passwords for convenience.
This seems like a clear case of extortion and theft.
At the very least, the police ought to be able to recover the stolen property via Twitter.
Well done.
"My Twitter profile linked to my website, my website had WHOIS information. I use a very very old address on all my public WHOIS records, but it happens to be the address of my parents, and since I’ve shipped gifts to my parents through Amazon, they had that address on file.
He then called Amazon with what little information he had gained and cried that he had lost his password and didn’t have access to that email address anymore. The representative caved and reset the password over the phone giving him full access to my Amazon account. His plan was to then gain as much information he could with Amazon (last four of credit card numbers, current and previous addresses, etc) and use that as ammunition to do the same thing with Apple. And it worked. He had an email in his gmail inbox with instructions on how to reset my iCloud account."
It's scary that people can use WHOIS to social engineer other information
"Hiroshima writes that..."
What an idiot.
My comment did not mention Hiroshima
It doesn't mention Hiroshima at all... But again, he's an idiot too
Really helping your argument. Not sure if troll or just a fool trying to weasel his way around his own stupid statements.
How do you think it works? How is someone whose IP address suddenly changes with no warning supposed to retroactively whitelist that, "bright guy"?
Can anyone explain what the finality of stealing @N by force is?
Who's going to follow it, buy it or use it when everyone knows that it was stolen by a hacker?
it's not a Ferrari that you can still drive, it's a bloody account to post links online, controlled by a company who can suspend it at will until an investigation is complete!
This is the truth, some customers are not partial to jumping through hoops for secured access, at all.
For those of us that want the hoops, why don't these companies offer you the ability to opt-out of the 'workaround' security practices?
Wow, that must be rare, there can't be more than about a hundred of those.
Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.
Um, they don't have to make a fraud/non fraud. The policy should be to never give out details. Ever.
"Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234?
"Our policy is to never give out that sort of information on the 'phone. Why don't you log into your account and check?"
Right. If you don't want to get hit by a car then don't leave your home. Otherwise you were just asking for it.
This is the truth, some customers are not partial to jumping through hoops for secured access, at all.
For those of us that want the hoops, why don't these companies offer you the ability to opt-out of the 'workaround' security practices?
Because "real" customers would think they want to have the higher level of security, when in reality they still want the lower level of security. If the company offers higher security to them, the customer will accept it, and then the customer will get upset when the company delivers it to them. The customer will then change to a competitor who promises high security but in reality delivers low security, because that is what they really want.
Classic IT mistake - you need to deliver what the customer wants, not what they ask for.
Wouldn't that be quite trivial, since he wanted the @N handle so badly and all? Surely someone can now identify the new owner of that handle?
And contact their cousin Vinnie in Joisey to go speak to him?
Not sure if troll
Just ignore him, Anonymous Coward is a known troll.
If I can update the IP range, what is to prevent the attacker from doing the same? It's not like my ISP tells me when their servers are going to change my address. I understand, in general, how whitelisting works, but I don't know how it is handled by the registrars who provide this service.
Except that doesn't help, because you can't run your own domain name registration.
While you are at it, hope that the answers are stored with a hash just like a "real" password...
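The two suggestions above (random, password-strength answers kept in a password manager; answers hashed server-side like a real password) combined into one added example. This is not code from the thread or from any company named in it; the iteration count, salt size and the little pet-name wordlist are constructed for illustration.

```python
# Added example (not from the thread): "secret question" answers handled as a
# second password. Client side: a random answer kept in a password manager.
# Server side: only a salted PBKDF2 hash is stored, and comparison is
# constant-time. Iteration count and salt size are constructed choices.
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 100_000   # assumed value; raise as hardware allows
SALT_BYTES = 16

# Constructed mini wordlist standing in for the guessable answers a public
# records search or a glance at someone's social media would surface.
COMMON_PET_NAMES = ["Max", "Bella", "Fluffy", "Charlie", "Lucy", "Rex", "Daisy", "Buddy"]


def generate_answer(nbytes: int = 16) -> str:
    """Client side: an unguessable answer (128 bits by default) for the
    password manager; what the question asks becomes irrelevant."""
    return secrets.token_hex(nbytes)


def _normalize(answer: str) -> bytes:
    """Fold case and trim whitespace so a legitimate user is not locked out by
    typing 'fluffy ' for 'Fluffy'; random hex answers are unaffected."""
    return unicodedata.normalize("NFKC", answer).strip().casefold().encode("utf-8")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Server side: store scheme, iterations, salt and digest, never the answer."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(candidate), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def dictionary_guess(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Defender-side audit: does any entry of a small public wordlist verify
    against the stored hash? A human-chosen answer is found; a random one is not."""
    for candidate in candidates:
        if verify_answer(stored, candidate):
            return candidate
    return None


if __name__ == "__main__":
    weak = hash_answer("Fluffy")
    strong_answer = generate_answer()
    strong = hash_answer(strong_answer)
    print("weak answer recovered from wordlist:", dictionary_guess(weak, COMMON_PET_NAMES))
    print("random answer recovered from wordlist:", dictionary_guess(strong, COMMON_PET_NAMES))
    print("legitimate user with stray whitespace accepted:", verify_answer(weak, " fluffy"))
```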
No one that accepts Paypal TOS should blame Paypal for anything. Getting a Paypal account means giving Paypal complete access to your bank accounts, card accounts, all without liability to Paypal.
Read the TOS. Paypal can do no wrong.
http://domainnamewire.com/2013/04/10/go-daddy-two-factor-authentication/
He's an idiot because he used GoDaddy. It's foolish to have registered a domain there that you consider worth more than a couple hundred dollars. The number of people who've been screwed by hosting at GoDaddy is large and that's hardly a secret.
No, you're an idiot. Take a look at the first 6 words from your post:
"A problem only concerning the gullible"
Since this is obviously Hiroshima's problem, you are directly implying that Hiroshima was gullible.
That paragraph goes on to say:
"If you're worthless and superficial, of course people will be able to fool you by acting."
Again, implying that Hiroshima was able to be fooled.
Admit it, it was a stupid post by a stupid AC that hadn't even bothered to read the summary properly.
But no surprise, all the ACs are stupid.
This is only an issue of semantics - You don't offer your users a choice of "more" or "less" security, you have something along the lines of the following options:
(*) Allow account recovery if I forget my password (Default)
( ) Do not allow account recovery if I forget my password (This option is more secure, but makes your account unrecoverable if you forget your password!)
In other words, not "less or more" but "standard or more."
In an ideal world that's what should be done. But in a world where everyone else throws around the information willy-nilly? Then it's just poor customer support.
I asked the same question as you, because @N is valuable only in the context of those who either make a living directly or indirectly due to legal association/ownership of a social media persona. As it is, @N is getting spammed to hell and back because of this notice, and until it gets publicly returned to its rightful owner, it's worthless. When I asked myself why a sane, reasonable, logical and rational person would do this given the expected outcome (which is happening now), the answer is, "because it's for the lulz". Someone wanted to intentionally destroy the value of @N, just to make a point that he/she could, and because it's "for the lulz". Maybe the intent wasn't to resell or own @N, maybe the intent was to show to certain individuals the capability to make that happen, and to be able to sell that capability.
certainly twitter can work with law enforcement to track this guy down, then return the handle to its correct owner
Should not take long. As soon as the new @N tweets, the NSA has the data, and they can pass it on to the FBI. Which is why this entire story is suspect to begin with.
If he wasn't a social media (value = what exactly?) then this would never have happened anyway.
And if she wasn't wearing those clothes, she wouldn't have gotten raped. Clearly, she was asking for it.
Blaming the victim for having something a criminal wanted is about the closest thing you can get in terms of being human scum to being the criminal himself. You should be ashamed of yourself, but you're probably way too smug about how your life choices wouldn't have led to you having anything this guy wanted. Like that somehow makes you superior.
A big fucking trail. I mean, I'm no computer forensic investigator, but I believe the new owner of @N did it.
Why is this being looked at like he will get away with it?
Should have read the article. He had MANY high profile and high dollar business websites at risk. It was "Give me @N or lose all your websites."
"Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account."
What an idiot.
Does not need to be obscure. SafeNames is well known, and yet has fantastic customer service. They are more expensive than GoDaddy, and for a good reason.
The person who did this has gone a long way to ensure that @N has minimal resale value. If I was some company that was looking at @N for my online presence, would I want my online presence to be associated with this story in any way, shape or form? No. At least, not until the story dies down. And that could take a while, since people will happily drag it out again when someone sets up shop.
It could be for personal use, but that seems like a lot of trouble to go through for a personal account. Stranger things have happened, though.
Beats me how the police would find them.
For one thing, he/she did this all under the name "Naoki Hiroshima".
I don't know for sure, but I'll suppose that the part done through the Internet was from a laptop with a spoofed mac address from some open wireless access point.
As for the part done over the phone, I kind of doubt that it was done from his home phone. Perhaps Google Talk or some other free Internet phone service.
That is all assuming that the attacker's story is true. I would not at all be surprised if it had been done by a PayPal or GoDaddy employee or associate, and all the hacking talk was a red herring.
Agreed. We need to move to text message confirmation. Google, Facebook and Craigslist all send text messages to your phone before any major changes can be made to your account.
my karma will be here long after I'm gone
He's going to sell it to someone else, duh.
While that's a good social engineering thing, it still shouldn't be accepted; the phone support should then say "Ok sir/ma'am, now let me authenticate your access by asking you a series of security questions"
And let the websites go.
They would have been returned.
Pointing out that something the powers that be consider a crime may actually be an act of extra-legal social justice is a perfectly legitimate comment. Sometimes, the 'victim' really did have it coming. In no way is that the same thing as saying rape victims are at fault for dressing sexy. Nor is it necessarily "blaming the victim for having something a criminal wanted"; would you say the same if the victim was the Sheriff of Nottingham?
I know almost nothing about the people involved in this case, but if I had to I'd bet that your read on the situation is correct and the commenter you reacted to is an idiot. Still, attacking anyone who questions the rights and wrongs of the situation is kinda dickish.
And your particular phrasing of "having something the criminal wanted" combined with your assumption that the commenter's 'life choices' are the sole cause of his present level of poverty or affluence strongly suggests you're a right wing asshat who should be taken out and shot for the good of the nation.
given the completely insecure treatment of credit card and social security numbers by pretty much everyone, using it for any sort of authentication purposes is completely asinine.
I like my version better.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
You think that's bad, Q is giving me hell over Q, literally.
Table-ized A.I.
They're among the few unique numbers for the user. Try comparing your card against another person's from the same issuer. You'll quickly see what I mean.
Really badly when your IP address changes to be outside the range of the whitelist.
Both Paypal and Godaddy helped his assailant, but your position is that he is owed nothing by these companies.
Good God.
Yes, and people will pick 2 and be upset that you held them to their choice, and then leave for your competitors. I didn't say that consumers were rational.
If you didn't have a wife in the first place, it never would have happened. yeah, THIS is why I am single.
The problem with hashing the answers is that they aren't treated the same. Suppose my password is "Correct,horse battery staple". I can be expected to type it the same time every time, because it's a password. If my favorite child stuffed animal was "Lamb Chop", I might be asked that over the phone, or expected to type "Lamb chop" or "LambChop", so, depending on the company, close might have to count.
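The distinction drawn above, a password hashed exactly as typed versus a security-question answer that has to tolerate "Lamb Chop", "LambChop" and "lamb chop", can be handled by canonicalizing the answer before hashing it rather than by storing it in the clear or doing fuzzy matching against a stored hash. The following is an added example written for this thread, not code from any of the posters or from the companies discussed; the function names and the scrypt parameters are my own choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Added example: canonicalize security-question answers before hashing
# so that spelling variants an agent would accept map to one digest,
# while passwords are hashed exactly as typed. Parameters are illustrative.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per hash


def canonicalize_answer(answer: str) -> str:
    """Map 'Lamb Chop', 'LambChop', 'LAMB-CHOP' to the same string.

    Unicode-normalize, case-fold, then drop everything that is not a
    letter or digit.  Both enrollment and verification must apply this
    exact function, otherwise the stored digest never matches.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        secret.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Passwords are never canonicalized: the user is expected to type
    them identically every time, so any change is a wrong password."""
    salt = salt or os.urandom(16)
    return salt, _kdf(password, salt)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Security-question answers are canonicalized first, so 'close'
    counts without the server ever storing the plaintext answer."""
    salt = salt or os.urandom(16)
    return salt, _kdf(canonicalize_answer(answer), salt)


def verify(stored_salt: bytes, stored_digest: bytes, candidate: str,
           is_answer: bool) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    hasher = hash_answer if is_answer else hash_password
    _, digest = hasher(candidate, stored_salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_answer("Lamb Chop")
    for guess in ("LambChop", "lamb chop", "LAMB-CHOP", "Lamb Shop"):
        print(f"{guess!r:14} -> {verify(salt, digest, guess, is_answer=True)}")
```

Canonicalizing shrinks the answer space (spaces and case no longer matter), so it belongs together with the rate limiting and lockout the thread's other posters are asking for, not as a replacement for them; the trade is that the plaintext answer is no longer sitting in a database or on a support agent's screen.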
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
GoDaddy is still on the hook in my eyes though - given the completely insecure treatment of the last four by pretty much everyone, using it for any sort of authentication purposes is completely asinine.
Lots of places use the last 4 digits as authentication. Hopefully the same place that uses the last 4 digits aren't the ones handing it out, but that's part of the problem. Every place has their own "hopefully" adequate security, but another firm might have a slightly different authentication method that is also adequate on its own but combined with the 2nd firm there is a huge security hole. Then there are the completely idiotic ones like "year you graduated" or "favorite color". There are what, maybe less than a dozen common colors, and if you know the person's age you can guess the graduation year probably within a couple years. I've been given a list of a dozen questions that none of them have more than maybe a dozen or so common answers.
I'm pretty sure it's the same guy just arguing with himself.
Seems to me Mr Hiroshima was given some time. Why not give godaddy and the fbi a call? See if they can set up a trap for the hacker?
This.
Call up GoDaddy and tell them what's going on. They'll lock shit down, you can provide the full credit card number, photos of your driver's license, etc. to confirm who you are.
Maybe I just don't know enough about how law works in this area, but it seems like everyone now knows that "@N" is stolen. What can the hacker do except post "hey, I'm the anonymous person who stole this account"? Is it legal to buy a stolen Twitter account? Can't he just contact the company and get it back? If regular identity theft worked this way then you'd get police saying "sorry sir, but he has your name, SS, and DOB, so he can now use your identity in any way he wants"
While we all know that godaddy will do horrible horrible things like give up access to or control of your domain or other account info, there is another company who's just as bad. Dotster failed to follow their very own policies and handed over a domain in my possession to that of another multiple times (the very same domain name!!!!). They kept no track of this info either and at one point there was no way for me to regain access had I not printed off (for evidence) an order with the person who defrauded dotster into handing over access. The reason I was able to regain access was because I had that person's last 4 digits on the invoice.
Long story short I changed the email address back and then immediately sent a transfer request. Ultimately I was able to transfer it to gandi.net and when the person attempted to get gandi.net to hand the domain over to them they failed. Apparently gandi.net takes security a bit more seriously than dotster.
If this actually happened, I don't see why Twitter can't just at least consider rendering the name permanently invalid. I would think, if nothing else, the terms of service would cover this as an unauthorized transfer of accounts, which is an act that many providers consider a situation where the account can be locked or deleted.
Actually I prefer stuff like the favorite color validation - you can usually say your favorite color is "hgydusafgs" and get at least a little security out of it. If they want your last four card digits, social security number (ick), or other widely shared, institutionally issued number then you're SOL.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
You are being MICROattacked, from various angles, in a SOFT manner.
Pointing out that something the powers that be consider a crime may actually be an act of extra-legal social justice is a perfectly legitimate comment.
How is it social justice to steal someone's Twitter identity just because it happens to be very short and catchy? Did you not read the post I responded to in which the poster blamed Mr. Hiroshima for "swimming with the sharks" just for being "a social media (value = what exactly?)" That's straight up blaming the victim of theft and extortion for nothing more than being popular in a forum the poster doesn't respect.
And your particular phrasing of "having something the criminal wanted" combined with your assumption that the commenter's 'life choices' are the sole cause of his present level of poverty or affluence strongly suggests you're a right wing asshat who should be taken out and shot for the good of the nation.
His life choices for being a social media personality were what was being blamed for him being targeted. Poverty or affluence has nothing to do with this. He was just an early adopter who got lucky that his first name's initial wasn't taken yet. That was why he was targeted. He had something that someone else wanted and wasn't willing to take the legal road or just accept his right to refuse. There is no justification for extortion here.
Also, I'm solidly a progressive, but your lunatic off-topic strawmanning here is reminding me once again that the only thing worse than arguing politics with an idiot is having one publicly take your side.
Why not? Is there a quota on domain registrars or so?
"Give me @N or loose all your websites."
I dislike extortion but I really hate extortion from people who don't know the difference between lose and loose. These people should be caught and forced to retake fifth grade English class... and then be sent to jail.
Which twitter can easily fix. But they won't. Before you go around trashing these companies, keep in mind that federal non-regulation has probably made it pretty to circumvent others' verification by using data from other services. This goes back to network solutions transferring sex because of a fraudulent fax. Nothing happened to correct this then, nothing is going to happen now without religious nuts rising up against a mark of the beast.
Americans are about as dumb as they come.
The term "blaming the victim" has been dubious since its very origin. I'll grab text from Wikipedia, because it's handy:
The Negro Family: The Case For National Action (the 1965 Moynihan Report) was written by Assistant Secretary of Labor[1] Daniel Patrick Moynihan, a sociologist and later U.S. Senator. It focused on the deep roots of black poverty in America and concluded controversially that the relative absence of nuclear families (those having both a father and mother present) would greatly hinder further progress toward economic and political equality.
Moynihan argued that the rise in single-mother families was not due to a lack of jobs but rather to a destructive vein in ghetto culture that could be traced back to slavery and Jim Crow discrimination. Though black sociologist E. Franklin Frazier had already introduced the idea in the 1930s, Moynihan's argument defied conventional social-science wisdom. As he wrote later, "The work began in the most orthodox setting, the U.S. Department of Labor, to establish at some level of statistical conciseness what 'everyone knew': that economic conditions determine social conditions. Whereupon, it turned out that what everyone knew was evidently not so."
Moynihan had concluded that ... the uniquely cruel structure of American slavery [had created a pattern which]..., manifested itself in high rates of unwed births, absent fathers, and single mother households in black families. Moynihan then correlated these familial outcomes, which he considered undesirable, to the relatively poorer rates of employment, educational achievement, and financial success found among the black population. Moynihan advocated the implementation of government programs designed to strengthen the black nuclear family.
Ryan objected that Moynihan then located the proximate cause of the plight of black Americans in the prevalence of a family structure in which the father was often sporadically, if at all, present, and the mother was often dependent on government aid to feed, clothe, and provide medical care for her children. Ryan's critique cast the Moynihan theories as attempts to divert responsibility for poverty from social structural factors to the behaviors and cultural patterns of the poor.[8][9]
"We need to help these people understand how not to be poor." "RACIST, He's BLAMING THE VICTIMS!"
Ryan has set minorities back 4 decades. Unwed births among all races are now on the rise, and we see that there really is a strong statistical correlation with ongoing multi-generational poverty. We'd actually be a more integrated society if we'd dealt with this problem years ago. But no. The knee-jerk reaction is to assume that any action a "victim" takes must be their own fault (often false), and to assume that if anyone is in poverty, it must be someone else's fault (also false; sometimes it is, sometimes it isn't). By this twisted and broken logic, one can never suggest that an individual change their own behavior to change their outcome. Any attempt to suggest that minorities adjust their behavior or world-view has been met with vitriolic screams of racism. (In any degree, no matter how small a part of any larger plan.)
The phrase "blaming the victim" is inherently broken, not in concept, but in functional use. It is a poor excuse to make uncomfortable topics off limits, and it always has been.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
Well, you need to pay $3,500 to ICANN to apply, $4,000 per year in maintenance, a variable percentage of ICANN's operating expenses once a quarter, have access to at least $70,000 in cash or loans, and have liability insurance in the amount of half a million dollars.
And you'll get rejected if you're just trying to run it for yourself.
So no, you can't run your own domain name registration.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Heavy requirements, making it definitely "can't" as in "not as private person".
Though technically you still can do it - just have to set up a big enough company to fulfil the requirements. Of course it's anything but easy or practical to do for just a few personal domain names.
The same way I do when I try to SSH into a server and find out my IP address changed and is no longer whitelisted? I email the host's support and have them add my new IP to the whitelist.
I'm sorry if that's too inconvenient for you.
Someone flopped a steamer in the gene pool.
Actually I prefer stuff like the favorite color validation - you can usually say your favorite color is "hgydusafgs" and get at least a little security out of it. If they want your last four card digits, social security number (ick), or other widely shared, institutionally issued number then you're SOL.
Yeah, I agree that this partially solves the problem FOR YOU but not for anyone else who actually follows the rules. You've basically added your own layer of security on top of theirs and it's technically a violation of the intended purpose of the system. It's possible that your account can be blocked, banned, deleted, etc... for not following the rules. Even worse, by not following the rules it's highly likely that if someone calls in to try to unlock your account and are asked what their favorite color is that the response "I think I just typed some random garbage into that field" would probably be sufficient to get the account unlocked.
Since this is obviously Hiroshima's problem, you are directly implying that Hiroshima was gullible.
Incorrect. Social engineering is a problem concerning the people who gave away that guy's information. Clearly you don't know how to read.
Again, implying that Hiroshima was able to be fooled.
I never mentioned his name there. I was insulting the people who gave away the information, and absolutely nothing implies otherwise.
Quit making shit up, fool.
For those interested in higher security and willing to accept responsibility, Google should offer an option (confirmed by entering your password) to turn off account resets and only allow resets to be enabled again by entering the password. They could also use this password generate a private key, not stored by them, to decrypt the email on demand. This would mean that if you lose your password, your account is essentially gone but security would be much improved.
Of course. And using made-up answers is exactly what I do. But the vast majority of people don't think about this. They create a halfway-decent password then protect that password with "New York City" and "Fido."
Liberty in your lifetime
namecoin domains are secure in the same way offline computers are secure.
What use is a domain that nobody I have ever known can access without tweaking their DNS resolver?
it is.. but a lot of people are stupid. I used to work at PayPal, for three years actually, and despite how hard they try to make sure their reps are halfway competent.. some really dumb people with the teenager-working-at-mcdonalds mentality still make it through.
Can anyone tell me what that means?
My comment did not mention Hiroshima, but Hiroshima is an idiot for dealing with companies that are known to be shitty.
What, twitter?
Another reason to consider interesting ideas to make it useless to steal credit card numbers.
Security questions whose answer is probably easy to find from the mark's Facebook profile.
It's useful to everyone who knows how to tweak a DNS resolver today, to everyone who can install a browser add-on tomorrow, and to everyone eventually.
Yet another reason I avoid cute and meaningful online names (most of the time, I guess I trust Slashdot more than any other forum). Who would go through all this just to steal x1415926@?
"There is no god but allah" - well, they got it half right.
Doesn't the FBI have a Cyber Crime Division for exactly this sort of crime?
It's slightly better if their pet is "New York" and they grew up in "Fido".
And pwgen.
Holy tweets Batman! I have always had a one letter Twitter account and no one ever offered me anything. Could it be because I only follow others and have never tweeted my first twit? Just for the record my account was hacked once but I caught it immediately and after changing passwords never had a problem with that again.
An extorted Twitter handle isn't like extorted cash that may never be found and recovered.
The extortionist may not ever be identified and punished, but it's not like the handle disappeared, never to be seen again. They know where it is and how to recover it.
Ummm... don't use a single credit card for everything?
Sign up for multiple credit card accounts.
Keep your sh*t separate.
People generally feel safe, but it doesn't mean that they *are* safe.
Good reason to keep your good passwords, look after your cyber security. And being armed and trained isn't a bad idea either. :-)
Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information.
What's a "custom domain"? Or rather, which domains aren't custom?
I think that "Avoid evil companies like paypal and godaddy" are the only real lesson here.
Twitter should respond by removing access to the @N account (after giving the Feds the info to chase and persecute the hacker-troll)...
Then they could achieve cool points and dev-cred by magnanimously giving access back to its rightful "owner" Naoki.
Winning.