Developer Loses Single-Letter Twitter Handle Through Extortion

Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it''s hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."

the moral of the story

[royallthefourth]

like so many other articles, this just seems like another reminder to never ever use godaddy

Re:the moral of the story

[davek]

like so many other articles, this just seems like another reminder to never ever use godaddy

Perhaps this is more of an indictment of using ANY non-big-brother email provider for login information to ANY domain registrar. It seems to me the crux of this attack was to a) gain access to the victem's domain registrar account and then b) hijack the domain MX record so all email to that domain goes to the attacker's server. At that point, you can reset all the victem's passwords to all accounts and ALL password reset emails will go to the attacker.

Time to enable 2-factor on all my registrar accounts.

Re:the moral of the story

[rwven]

Or paypal? IMHO they're the ones who enabled the entire operation here. They gave away the last four digits of the guy's credit card to a stranger...

Granted, godaddy should have required a photo id as well.

They're both rubbish.

Re:the moral of the story

[davek]

gain access to the victem's domain registrar account

Sometimes I hate not being able to spell :(

Re:the moral of the story

[rwven]

Two-factor probably wouldn't have helped here. They reset the account credentials, assuming the owner lost the ability to log in. That would have included resetting any "2nd factor."

I don't think any action on the user's part would have helped any of this other than maybe his comment about the TTL on the MX record.

Re: the moral of the story

[SuricouRaven]

But they are cheap.

Re:the moral of the story

They gave away the last four digits of the guy's credit card to a stranger...

I'm not going to defend paypal, but the last 4 digits are generally considered safe to identify a distinct credit card without sharing enough information to allow identify theft. That godaddy accepted the last 4 digits as proof of ownership is far more disturbing than that paypal probably asked 'will this be using the card ending with "1234"?' while the scammer was digging for info.

Still, I've been avoiding paypal since I got over my old ebay habit. [cue Weird Al song]

Re:the moral of the story

[David_W]

They gave away the last four digits of the guy's credit card to a stranger...

Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

Re:the moral of the story

[Antipater]

How in the world is that the conclusion you came to? Hiroshima's Twitter handle, in this case, was simply the thing-of-value stolen by the extortionist. The story would have unfolded exactly the same way for a 2-digit Slashdot UID, or a valuable physical object, or just plain old cash. This story is about the method of extortion, not about the target.

If a friend says "I got mugged," do you reply "well, you shouldn't have been carrying a wallet"?

Re: the moral of the story

[scubamage]

Because Danica Patrick in skimpy clothing sells.

Re:the moral of the story

[Immerman]

Seconded. Pretty much everyone throws around the last four indiscriminately - hell, they're sent unencrypted in pretty much every order receipt emailed by anyone in the world. Using them for authentication is extremely stupid.

Re:the moral of the story

[radarskiy]

If you didn't want to be raped, you shouldn't have been carrying a vagina.

Re:"Social engineering"

[hawkinspeter]

Who, the person working at GoDaddy? Or the owner of the domain for using GoDaddy?

Sounds like a lawsuit waiting to happen

[Rinisari]

Methinks if Mr. Hiroshima had the funds available, or pro-bono lawyer stepped in, there's grounds for a lawsuit against at least PayPal if not also GoDaddy.

Re:Sounds like a lawsuit waiting to happen

[squiggleslash]

Why Paypal?

The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

GoDaddy was insane to consider it valid authentication information. You might just as well treat someone's name as their password.

Re:Sounds like a lawsuit waiting to happen

[rudy_wayne]

Why Paypal?

The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

True, but irrelevant. Think about that for a minute -- you call PayPal and tell them:

"I have forgotten the last 4 digits of my credit card number, can you give them to me".

In what bizzaro parallel universe does that even make sense? There is no amount of "social engineering" that can explain why you need someone to tell you the last 4 digits of YOUR credit card.

PayPal needs to be reamed for such a major fuck up.

Re:Sounds like a lawsuit waiting to happen

[femtobyte]

"I have forgotten the last 4 digits of my credit card number, can you give them to me".

"Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

Re:Sounds like a lawsuit waiting to happen

[codegen]

"I have forgotten the last 4 digits of my credit card number, can you give them to me".

"Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

In an ideal universe: "Sir, if you tell me the last four digits of the card number, I can tell you if you updated it."

Re:Sounds like a lawsuit waiting to happen

[femtobyte]

Right, in an ideal universe everyone would follow security-conscious procedures. In the real universe, the phone service rep is a minimum-wage worker in a foreign country, whose top priority is keeping down their time-per-call-resolution metric. Quickly helping a friendly, innocent, and clueless-sounding customer, versus remembering and strictly following every procedure in the 400-page employee handbook, doesn't always happen. That's why social engineering works --- the system is not designed for maximum security rigor, but for cutting corners on call-answering costs.

Re:Sounds like a lawsuit waiting to happen

[femtobyte]

I never meant to imply at all that the phone service rep was stupid --- rather, they're a person caught in a system that forces them to act stupidly. The person answering the phone probably has a big timer counting down how long they've got to answer the call to keep up their quota. Despite any "official" procedures for security, the real institutional pressures are centered around cost-cutting and quickly getting people off the line. A conscientious worker who studiously prompts callers for rigorous proof of identity before letting slip the least bit of personal information will be out of a job quick, when their performance is compared against far more "efficient" peers. I did not use "foreign" to imply inferiority of foreigners' intelligence, but rather the dysfunctional results of All-American corporate management who put short-term corner cutting above all else. Minimum-pay, minimally-trained call centers in the cheapest distant locations are a symptom rather than a cause of the system that creates poor security.

Don't think custom domains were his problem

[egranlund]

Avoid custom domains for your login email address

Honestly, I don't think that would have helped. I doubt it's much harder to gain control of someone's gmail, yahoo or hotmail account if they are as motivated as it sounds like his attacker was.

Once you gain control of anyone's email account, even if the attacker doesn't have custom domains to hold for ransom, they could easily threaten bank accounts, etc etc.

Re:Don't think custom domains were his problem

[Nemyst]

If your Google account doesn't have your credit card number on file and uses two-factor auth, I think it'd be a lot harder to crack into it even using social engineering. The problem is always that most sites are designed so that in the event of people forgetting EVERYTHING, they can still recover their account somehow. If we accepted that losing your password, your security data for recovery and your two-factor auth would mean you lose your account (or you need something very, very elaborate to recover it, much more than just your last four CC numbers), security would be improved.

The problem is that for every super-focused hack like this one, there's a thousand people who forget their access credentials and want their account back, so it makes more sense to have lax security and cover the biggest proportion of your audience.

lawsuit

[internerdj]

I'd be talking to a lawyer. Sounds like someone at Paypal owes $50k to Mr. Hiroshima.

"Don't 'Let' Them?"

[CanHasDIY]

don't let companies such as PayPal and GoDaddy store your credit card information.

I wonder, does Mr. Hiroshima realize that consumers have little to no (closer to the latter) control over what a corporation does with our credit card info once we make a purchase with them?

Does he know of some nuclear option the rest of us aren't aware of?

Stupid people prevent us from having secure things

[jader3rd]

This is a story about how 'real' people hate secure things. Nerds are all about creating encryption and security that requires knowing a secret key. Real world people deal with the fact that they forget secret keys, and want companies to restore their data for them. So for companies to keep customers, they have to create workarounds for the secret keys.

As a result the only way to for sure secure something, is to not depend upon companies who have 'real' people for customers.

Multiple credit cards

[Dan+East]

When the Target data breach happened, I commented here about some of the advantages to using throw-away, preload credit cards (which limits your potential loss and allows you to quickly switch to an entirely different account if you feel the other might be compromised). I was modded down by people who have bought into the whole big-bank credit card racket, and the attitude "why should I worry, when the bank is responsible and I'll eventually get my money back". Well here is yet another advantage of using preloaded credit cards. You load money on it, pay your annual hosting fees, etc, and then just toss it and get another next year to make the next annual payment. This story illustrates the advantages of using an entirely different credit card per service, so the card you use with Godaddy is not the same as you use with Paypal.

Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.

Should not be to difficult to get it back

[angel'o'sphere]

After all Twitter knows which new eMail-address is holding @N. Should not be to hard to figure the real person behind it. And simply asking Twitter to hand it back should also work.

Re:I must be missing something.

[geogob]

That's totally absurd. I can't believe a service provider like Godaddy has no record history or history of customer information change. Of course, this historical informaiton may not be available to the first level of customer support. But come on... that shouldn't be the end of it.

Actually, I'm surprised that a service like Godaddy doesn't have checks in place for cases like this. An account where ALL the customer information is changed within a short period of time, should raise alarm bells. The owner, under the contact information previously available, should automatically be contacted.

Re:comeuppance?

[Antipater]

"It's entirely your fault that a thief held a gun to your wife's head and demanded your Babe Ruth-autographed baseball. If you didn't have a Babe Ruth-autographed baseball in the first place, it never would have happened."

Nope

[ledow]

This is like kidnap or a mugging. At no point do I have an actual incentive to give in to such a person's demands. "We won't hurt you / them / your website if you do X". I have *absolutely* no guarantee of that.

I *cannot* win. If I do everything you request, you could still trash my domain / stab me anyway / kill your hostage and there's nothing I can do to stop that.

As such, non-compliance is no different to compliance in such a situation. So why voluntarily give them MORE power over you / your assets?

As it is you would have to wipe servers, settings, email etc. and start again even if they did honout their agreement.

But then, you have to remember, this person is already committing a crime... what's in their conscience that will make them honourcan agreement concerning that crime.

Let them squirm, report them, regain control when you can, then purge their access from your systems.

Anything else is just stupid.

Re:Nope

It isn't like a mugging at all. If he stabs you there's another charge against him in case he's caught.
Also, I'd rather give the mugger a few bucks than spend a few hundred in a hospital or die. You can pretend you'd be able to disarm the guy, but in my experience they usually grab you from behind and work in groups so unless you're Chuck Norris they'd put a bullet in you even if you somehow manage to kill one of them.

Re:"Social engineering"

[Immerman]

That would be Paypal that gave out the last four digits. And really, that's not at all uncommon - you can usually get that information from just about anyone who's holding your credit card information "Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234? No, they're 8462? Ah, that explains it, thank you." Hell, they tend to be listed on every single email receipt sent unencrypted across the internet.

GoDaddy is still on the hook in my eyes though - given the completely unsecure treatment of the last four by pretty much everyone, using it for any sort of authentication purposes is completely asinine.

Re:"Social engineering"

[Joce640k]

Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.

Um, they don't have to make a fraud/non fraud. The policy should be to never give out details. Ever.

Re:"Social engineering"

[Joce640k]

"Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234?

"Our policy is to never give out that sort of information on the 'phone. Why don't you log into your account and check?"

Re:Stupid people prevent us from having secure thi

[Rich0]

This is the truth, some customers are not partial to jumping through hoops for secured access, at all.
For those of us that want the hoops, why don't these companies offer you the ability to opt-out of the 'workaround' security practices?

Because "real" customers would think they want to have the higher level of security, when in reality they still want the lower level of security. If the company offers higher security to them, the customer will accept it, and then the customer will get upset when the company delivers it to them. The customer will then change to a competitor who promises high security but in reality delivers low security, because that is what they really want.

Classic IT mistake - you need to deliver what the customer wants, not what they ask for.