Slashdot Mirror


Developer Loses Single-Letter Twitter Handle Through Extortion

Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with PayPal to get the last four digits of his credit card number over the phone, then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."

6 of 448 comments

  1. Re:Multiple credit cards by Chris Mattern · Score: 4, Informative

    Nothing, really, since the bank will eat the costs of the fraud. It's annoying, yes, and it's a bit of a hassle, but generally you aren't buying much of value for that $3.

    For Mr. Hiroshima, that $3 would have apparently bought him continued ownership of his single-letter Twitter account.

  2. Re:"Social engineering" by Anonymous Coward · Score: 0, Informative

    Just admit it. You are an idiot for not reading the story and then making stupid assumptions about who did what.

  3. Re:lawsuit by bill_mcgonigle · Score: 4, Informative

    Patience may be rewarded. Somebody will start using @N at some point, and that person will have a money trail to the criminal.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  4. Re:the moral of the story by Em Adespoton · Score: 5, Informative

    They gave away the last four digits of the guy's credit card to a stranger...

    Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

    I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

    Take for example American Express -- the first 4 digits are known (they're the card ID). If you give away the last four digits, that's 3 digits and Luhn. That means that you now have only 8 unknown digits, and they have to be in a permutation that totals with the other 7 digits to the proper Luhn total. In effect, this means that you can also reliably guess the 5th and 12th digit (as they're paired with the known digits and have an extremely limited set of permutations for the remaining 6 -- only a few hundred for in-my-head calculations).

    That may still sound like a lot, but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

    Summary: the last number of a credit card shouldn't be given out, as it tells a lot more about the entire number than it appears at first glance.

  5. Re:the moral of the story by Obfuscant · Score: 5, Informative

    I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

    It doesn't matter where the check digit is, the fact that it exists changes a 16 digit number into a 15 digit one. (And AMEX is an exception, they're only 15 to start with.) I can give you three digits and the "check" and you will need to guess the other 7 (because one of the 8 is constricted by checksum), or I give you four digits and you guess 7 more and calculate the check.

    Once you have the bank and the last four, it is still 7 you get to guess at and the 8th is still limited by having to meet the check.

    but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

    One in 10 to the 7th power for each one, right on the first guess, assuming you know the first four from the bank for each one. Let's see, the chance of getting it wrong is 1-1e-7, so getting all 1000 wrong is (1-1e-7)^1000. I get 0.99990. Very close to 1, but about 1/10,000. Odds say you won't get any of them right on the first guess.

    And of course, now that I look up the actual Luhn algorithm it is clear that giving you the check digit actually doesn't help you as much as giving you one of the real digits would. If you have to guess 8 digits that match the check I've given you, you will get false positives for all the failure modes listed in the reference, but if I give you an extra digit you'll have one less digit to get wrong.
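The counting question argued over in the two comments above (how many card numbers are consistent with a known issuer prefix, the last four digits and the Luhn check) can be settled by computing it. The following Python is an added example, not code from the thread or from any company named in the story; the card prefixes and digits in it are constructed test values, not real cards.

```python
"""
Added example (not from the thread): how far do a known issuer prefix, the
last four digits and the Luhn check narrow the space of possible card numbers?

Luhn: starting from the rightmost digit (the check digit), double every second
digit, subtract 9 from any doubled value above 9, sum everything; the total
must be 0 mod 10.
"""
from itertools import product

DIGITS = "0123456789"


def _contribution(d: int, doubled: bool) -> int:
    """Luhn contribution of one digit at a doubled or non-doubled position."""
    d = d * 2 if doubled else d
    return d - 9 if d > 9 else d


def luhn_sum(pan: str) -> int:
    """Luhn sum (mod 10) of a complete digit string, check digit included."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):      # pos 0 is the check digit
        total += _contribution(int(ch), pos % 2 == 1)
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_sum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid (used to build test PANs)."""
    for d in DIGITS:
        if luhn_valid(body + d):
            return d
    raise RuntimeError("unreachable: exactly one digit always satisfies Luhn")


def count_candidates(prefix: str, last4: str, length: int) -> int:
    """
    Exact number of Luhn-valid PANs of `length` digits with the given prefix
    and last four digits. Counted by dynamic programming over the residue
    mod 10 of the unknown middle digits, so it is instant even for 10**7 cases.
    """
    unknown = length - len(prefix) - len(last4)
    if unknown < 0:
        raise ValueError("prefix plus suffix is longer than the PAN")
    # Contribution of the digits we already know (positions counted from the right).
    known = 0
    for pos, ch in enumerate(reversed(last4)):
        known += _contribution(int(ch), pos % 2 == 1)
    for i, ch in enumerate(prefix):
        pos = length - 1 - i
        known += _contribution(int(ch), pos % 2 == 1)
    # ways[r] = number of fillings of the middle digits seen so far with residue r.
    ways = [0] * 10
    ways[0] = 1
    for i in range(unknown):
        doubled = (len(last4) + i) % 2 == 1
        nxt = [0] * 10
        for r, n in enumerate(ways):
            for d in range(10):
                nxt[(r + _contribution(d, doubled)) % 10] += n
        ways = nxt
    # The middle digits must cancel the known contribution mod 10.
    return ways[(-known) % 10]


def enumerate_candidates(prefix: str, last4: str, length: int):
    """Brute-force generator of the same set; only sensible for few unknown digits."""
    unknown = length - len(prefix) - len(last4)
    for middle in product(DIGITS, repeat=unknown):
        pan = prefix + "".join(middle) + last4
        if luhn_valid(pan):
            yield pan


if __name__ == "__main__":
    # Constructed PAN, not a real card: 16 digits, 6-digit issuer prefix known.
    body = "411111" + "123456" + "789"
    pan = body + luhn_check_digit(body)
    prefix, last4 = pan[:6], pan[-4:]
    print(f"16-digit PAN, prefix {prefix} and last four {last4} known:")
    print(f"  {count_candidates(prefix, last4, 16):,} Luhn-valid candidates of 10**6")
    # The 15-digit case from the thread: 4 prefix digits and the last four known.
    print(f"15-digit PAN, 4 prefix digits and last four known: "
          f"{count_candidates('3782', '0005', 15):,} candidates of 10**7")
```

The dynamic programme walks the unknown positions from right to left and tracks how many fillings of the middle digits reach each residue mod 10. Because "double, subtract 9 if above 9" is a permutation of the ten digits, every residue is reached equally often, so the check digit removes exactly one factor of 10 wherever in the number it sits: 100,000 candidates remain for a 16-digit number with six prefix digits known, 1,000,000 for the 15-digit case with four known. `enumerate_candidates` brute-forces the same set and agrees with the count on small cases.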

  6. Re:the moral of the story by Anonymous Coward · Score: 2, Informative

    I lost my original (since beta) Gmail address (and subsequently my WoW account) a couple years ago and could not find a single way to contact a real person about it. All I got was a webform asking me silly questions like "What month/year did you create your account?", "What was the email address of the person that invited you?", and even "Enter the email of 5 frequently emailed contacts".

    I understand they have a huge userbase and can't possibly tend to every lost account personally, but it was still a kick in the guts to resign myself to creating a new account.