Slashdot Mirror


Developer Loses Single-Letter Twitter Handle Through Extortion

Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."

82 of 448 comments

  1. the moral of the story by royallthefourth · · Score: 5, Insightful

    like so many other articles, this just seems like another reminder to never ever use godaddy

    1. Re:the moral of the story by davek · · Score: 4, Insightful

      like so many other articles, this just seems like another reminder to never ever use godaddy

      Perhaps this is more of an indictment of using ANY non-big-brother email provider for login information to ANY domain registrar. It seems to me the crux of this attack was to a) gain access to the victim's domain registrar account and then b) hijack the domain MX record so all email to that domain goes to the attacker's server. At that point, you can reset all the victim's passwords to all accounts and ALL password reset emails will go to the attacker.

      Time to enable 2-factor on all my registrar accounts.

      --
      6th Street Radio @ddombrowsky
    2. Re:the moral of the story by rwven · · Score: 3, Insightful

      Or paypal? IMHO they're the ones who enabled the entire operation here. They gave away the last four digits of the guy's credit card to a stranger...

      Granted, godaddy should have required a photo id as well.

      They're both rubbish.

    3. Re:the moral of the story by rwven · · Score: 4, Insightful

      Two-factor probably wouldn't have helped here. They reset the account credentials, assuming the owner lost the ability to log in. That would have included resetting any "2nd factor."

      I don't think any action on the user's part would have helped any of this other than maybe his comment about the TTL on the MX record.

    4. Re: the moral of the story by SuricouRaven · · Score: 4, Insightful

      But they are cheap.

    5. Re:the moral of the story by Anonymous Coward · · Score: 4, Insightful

      They gave away the last four digits of the guy's credit card to a stranger...

      I'm not going to defend paypal, but the last 4 digits are generally considered safe to identify a distinct credit card without sharing enough information to allow identify theft. That godaddy accepted the last 4 digits as proof of ownership is far more disturbing than that paypal probably asked 'will this be using the card ending with "1234"?' while the scammer was digging for info.

      Still, I've been avoiding paypal since I got over my old ebay habit. [cue Weird Al song]

    6. Re:the moral of the story by David_W · · Score: 5, Insightful

      They gave away the last four digits of the guy's credit card to a stranger...

      Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

    7. Re:the moral of the story by sodul · · Score: 2

      You can use gmail with your own domain name. It used to be free (and still free if you got grandfathered in). There are good reasons to use your own domain name with or without gmail. Most notably it looks more professional and you can actually have a very nice looking email instead of @gmail.com I have @.com, and my last name is 4 letters. It can also be more secure if you provide smtp access over ssl for your organization and so email within your own domain is usually fully encrypted while going over the public internet.

      Gmail has been shown on a napkin to be pretty much fully readable while being transferred from one Google DC to another one.

    8. Re:the moral of the story by ArhcAngel · · Score: 5, Funny

      gmail would have worked. Google never answers the phone or email support requests anyway.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    9. Re:the moral of the story by Antipater · · Score: 4, Insightful

      How in the world is that the conclusion you came to? Hiroshima's Twitter handle, in this case, was simply the thing-of-value stolen by the extortionist. The story would have unfolded exactly the same way for a 2-digit Slashdot UID, or a valuable physical object, or just plain old cash. This story is about the method of extortion, not about the target.

      If a friend says "I got mugged," do you reply "well, you shouldn't have been carrying a wallet"?

      --
      Everything is better with chainsaws.
    10. Re:the moral of the story by sconeu · · Score: 2

      This could quite possibly be a PCI violation.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    11. Re:the moral of the story by jythie · · Score: 2

      A while back I was reading a piece written by someone who was mugged and yeah, the person got lots of victim blaming including that he should not have been carrying valuable things in the first place.

    12. Re:the moral of the story by TCiecka · · Score: 2

      I cannot believe I didn't think of MX records as a big vulnerability here.
      Thank you sir, for noting this in your post!

    13. Re: the moral of the story by scubamage · · Score: 4, Insightful

      Because Danica Patrick in skimpy clothing sells.

    14. Re:the moral of the story by Em+Adespoton · · Score: 5, Informative

      They gave away the last four digits of the guy's credit card to a stranger...

      Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

      I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

      Take for example American Express -- the first 4 digits are known (they're the card ID). If you give away the last four digits, that's 3 digits and Luhn. That means that you now have only 8 unknown digits, and they have to be in a permutation that totals with the other 7 digits to the proper Luhn total. In effect, this means that you can also reliably guess the 5th and 12th digit (as they're paired with the known digits and have an extremely limited set of permutations for the remaining 6 -- only a few hundred for in-my-head calculations).

      That may still sound like a lot, but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

      Summary: the last number of a credit card shouldn't be given out, as it tells a lot more about the entire number than it appears at first glance.

    15. Re:the moral of the story by Immerman · · Score: 4, Insightful

      Seconded. Pretty much everyone throws around the last four indiscriminately - hell, they're sent unencrypted in pretty much every order receipt emailed by anyone in the world. Using them for authentication is extremely stupid.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    16. Re:the moral of the story by allaunjsiIverfox2 · · Score: 2

      Calling victims stupid can be valid, especially if the victims actually were stupid. The term "victim blaming" is useless; while it is true that I think the crooks shouldn't get away, some victims really are idiots and should be called out for being stupid. They're not always idiots, but sometimes they are.

    17. Re:the moral of the story by Charliemopps · · Score: 2

      No, this was a clear violation of CPNI. They either needed to confirm his identity via physical photo ID or his password/Pin over the phone. If they gave ANY information about his account at all, even the fact that he had one, without the Pin/Password they violated CPNI and their fines will be substantial.

      Now if his Pin was something stupid like his birthday, well that's his own fault.

    18. Re:the moral of the story by HornWumpus · · Score: 2

      What kind of moron spells the same word the same way, twice in a row? Doesn't he have any imagination?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    19. Re:the moral of the story by rthille · · Score: 2

      I run my own email server, so adding Google into the mix lengthens the chain of trust, not shortens it.

      Of course, a registrar would probably be less likely to be socially engineered to changing the domain ownership of gmail.com than my domain, but I do use a good registrar (gandi.net) and do have two-factor auth turned on.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    20. Re:the moral of the story by Obfuscant · · Score: 5, Informative

      I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

      It doesn't matter where the check digit is, the fact that it exists changes a 16 digit number into a 15 digit one. (And AMEX is an exception, they're only 15 to start with.) I can give you three digits and the "check" and you will need to guess the other 7 (because one of the 8 is constricted by checksum), or I give you four digits and you guess 7 more and calculate the check.

      Once you have the bank and the last four, it is still 7 you get to guess at and the 8th is still limited by having to meet the check.

      but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

      One in 10 to the 7th power for each one, right on the first guess, assuming you know the first four from the bank for each one. Let's see, the chance of getting it wrong is 1-1e7, so getting all 1000 wrong is (1-1e7)^1000. I get 0.99990. Very close to 1, but about 1/10,000. Odds say you won't get any of them right on the first guess.

      And of course, now that I look up the actual Luhn algorithm it is clear that giving you the check digit actually doesn't help you as much as giving you one of the real digits would. If you have to guess 8 digits that match the check I've given you, you will get false positives for all the failure modes listed in the reference, but if I give you an extra digit you'll have one less digit to get wrong.
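The two comments above argue over how much the "last four" plus a known issuer prefix narrows a card number. As an added example, not posted by either commenter and not from the article, here is a Luhn implementation plus a brute-force enumeration of the unknown middle digits, so the claims can be checked by counting. The prefixes, suffixes and lengths used are constructed test values (4111... is a well-known Visa test number), not anyone's real card.

```python
from itertools import product

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Walking from the right, every second digit (starting with the second
    from the right) is doubled and, if the result exceeds 9, reduced by 9;
    the number is valid when the sum of all contributions is 0 mod 10.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Return the one digit that makes body + digit Luhn-valid.

    Exactly one of the ten digits works, which is why the check digit
    carries no information of its own once the other digits are known.
    """
    for d in DIGITS:
        if luhn_valid(body + d):
            return d
    raise RuntimeError("unreachable: some digit always satisfies Luhn")


def candidate_pans(prefix: str, suffix: str, length: int):
    """Yield every Luhn-valid PAN of the given length that begins with
    prefix (the issuer identifier, effectively public) and ends with
    suffix (the 'last four' on a receipt). The unknown middle is
    brute-forced, so keep the unknown span small when calling this."""
    unknown = length - len(prefix) - len(suffix)
    if unknown < 0:
        raise ValueError("prefix and suffix are longer than the PAN")
    for middle in product(DIGITS, repeat=unknown):
        pan = prefix + "".join(middle) + suffix
        if luhn_valid(pan):
            yield pan


def count_candidates(prefix: str, suffix: str, length: int) -> int:
    """Number of Luhn-valid PANs consistent with a known prefix and suffix."""
    return sum(1 for _ in candidate_pans(prefix, suffix, length))


def expected_candidates(length: int, known_digits: int) -> int:
    """Closed-form count for k = length - known_digits unknown digits.

    Exactly 10**(k-1) fillings pass Luhn: fix any k-1 of the unknowns and
    exactly one value of the last one makes the sum 0 mod 10, because
    doubling-then-subtracting-9 permutes the residues 0..9. So the check
    digit costs a guesser a factor of 10 and nothing more, whichever
    position it sits in: knowing the last four is worth three digits.
    """
    unknown = length - known_digits
    if unknown < 1:
        raise ValueError("need at least one unknown digit")
    return 10 ** (unknown - 1)


if __name__ == "__main__":
    # Scenario from the thread: 16-digit card, first four and last four known.
    print("16-digit, 8 known:", expected_candidates(16, 8))   # 10**7
    # Amex is 15 digits; first four and last four known.
    print("15-digit, 8 known:", expected_candidates(15, 8))   # 10**6
    # A full 6-digit BIN plus last four on a 16-digit card.
    print("16-digit, 10 known:", expected_candidates(16, 10))  # 10**5
    # Brute force agrees with the closed form on a small unknown span.
    print("enumerated:", count_candidates("411111111", "1111", 16))  # 100
```

The enumeration confirms the point made in the second comment: the "last four" removes three digits of entropy, not four, and the check digit's position does not change that. The 1-in-10^7 figure for a 16-digit card with a four-digit issuer prefix known is the closed-form result above; issuers do not use their whole range, so the practical odds are somewhat better for a guesser, but still far from "first try".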

    21. Re:the moral of the story by houstonbofh · · Score: 2

      Time to enable 2-factor on all my registrar accounts.

      No, time to use a registrar that does not use untrained idiots for customer support. This would not have happened at SafeNames. Of course, SafeNames is more expensive than GoDaddy. But if you are protecting a business asset worth over $50k, you do not worry about a few bucks a year.

    22. Re:the moral of the story by Anonymous Coward · · Score: 2, Informative

      I lost my original (since beta) Gmail address (and subsequently my WoW account) a couple years ago and could not find a single way to contact a real person about it. All I got was a webform asking me silly questions like "What month/year did you create your account?", "What was the email address of the person that invited you?", and even "Enter the email of 5 frequently emailed contacts".

      I understand they have a huge userbase and can't possibly tend to every lost account personally, but it was still a kick in the guts to resign myself to creating a new account.

    23. Re:the moral of the story by radarskiy · · Score: 3, Insightful

      If you didn't want to be raped, you shouldn't have been carrying a vagina.

  2. Re:"Social engineering" by hawkinspeter · · Score: 4, Insightful

    Who, the person working at GoDaddy? Or the owner of the domain for using GoDaddy?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  3. Sounds like a lawsuit waiting to happen by Rinisari · · Score: 4, Insightful

    Methinks if Mr. Hiroshima had the funds available, or pro-bono lawyer stepped in, there's grounds for a lawsuit against at least PayPal if not also GoDaddy.

    1. Re:Sounds like a lawsuit waiting to happen by squiggleslash · · Score: 5, Insightful

      Why Paypal?

      The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

      GoDaddy was insane to consider it valid authentication information. You might just as well treat someone's name as their password.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Sounds like a lawsuit waiting to happen by rudy_wayne · · Score: 5, Insightful

      Why Paypal?

      The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

      True, but irrelevant. Think about that for a minute -- you call PayPal and tell them:

      "I have forgotten the last 4 digits of my credit card number, can you give them to me".

      In what bizarro parallel universe does that even make sense? There is no amount of "social engineering" that can explain why you need someone to tell you the last 4 digits of YOUR credit card.

      PayPal needs to be reamed for such a major fuck up.

    3. Re:Sounds like a lawsuit waiting to happen by femtobyte · · Score: 5, Insightful

      "I have forgotten the last 4 digits of my credit card number, can you give them to me".

      "Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

    4. Re:Sounds like a lawsuit waiting to happen by malakai · · Score: 2

      I routinely get service reps reading my last 4 digits of cards they have on file. This happens on Delta all the time. I have about 6 credit cards on file, and sometimes I need them to make sure specific tickets are on specific cards. I often have a conversation like "That's the one ending in 1011 right? No sir. Is it the 1099? No sir. Really? Which is it? It's the 1014 sir. Oh yeah, that one. ok."

      Last 4 are not a secret. Best buy and lots of box retailers now actually ask you for it when you check out. You have to broadcast it in the air in front of everyone in line.

      The issue here is GoDaddy. If GoDaddy doesn't have a 2 factor auth system option you should not be using them for DNS hosting.

    5. Re:Sounds like a lawsuit waiting to happen by codegen · · Score: 5, Insightful

      "I have forgotten the last 4 digits of my credit card number, can you give them to me".

      "Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

      In an ideal universe: "Sir, if you tell me the last four digits of the card number, I can tell you if you updated it."

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    6. Re:Sounds like a lawsuit waiting to happen by firex726 · · Score: 2

      SOP for when I was in a call center was that in response to that kind of question, you'd have to let THEM volunteer the information or have them check online.

      And even then we'd expect them to verify all the rest of the account information, server IP addresses, billing address, last bill amount, etc...

    7. Re:Sounds like a lawsuit waiting to happen by Jason+Levine · · Score: 2

      Paypal's response should be "I'm sorry, but we can't give this information over the phone" or "You can see a list of cards you have linked to your account on our website." Possibly they could say "Ok, I can give you that information but first give me this Secret Passcode to prove that you are who you say you are." All of these would help actual customers in this situation while guarding against social engineering.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    8. Re:Sounds like a lawsuit waiting to happen by femtobyte · · Score: 5, Insightful

      Right, in an ideal universe everyone would follow security-conscious procedures. In the real universe, the phone service rep is a minimum-wage worker in a foreign country, whose top priority is keeping down their time-per-call-resolution metric. Quickly helping a friendly, innocent, and clueless-sounding customer, versus remembering and strictly following every procedure in the 400-page employee handbook, doesn't always happen. That's why social engineering works --- the system is not designed for maximum security rigor, but for cutting corners on call-answering costs.

    9. Re:Sounds like a lawsuit waiting to happen by femtobyte · · Score: 4, Insightful

      I never meant to imply at all that the phone service rep was stupid --- rather, they're a person caught in a system that forces them to act stupidly. The person answering the phone probably has a big timer counting down how long they've got to answer the call to keep up their quota. Despite any "official" procedures for security, the real institutional pressures are centered around cost-cutting and quickly getting people off the line. A conscientious worker who studiously prompts callers for rigorous proof of identity before letting slip the least bit of personal information will be out of a job quick, when their performance is compared against far more "efficient" peers. I did not use "foreign" to imply inferiority of foreigners' intelligence, but rather the dysfunctional results of All-American corporate management who put short-term corner cutting above all else. Minimum-pay, minimally-trained call centers in the cheapest distant locations are a symptom rather than a cause of the system that creates poor security.

    10. Re:Sounds like a lawsuit waiting to happen by atheos · · Score: 2

      "In the real universe, the phone service rep is a minimum-wage worker in a foreign country, whose top priority is keeping down their time-per-call-resolution metric"
      And I would call that problematic by design. Mr Hiroshima didn't choose this for Paypal's business model, and Paypal is ultimately responsible for this.

    11. Re:Sounds like a lawsuit waiting to happen by ShaunC · · Score: 2

      Last 4 are not a secret. Best buy and lots of box retailers now actually ask you for it when you check out. You have to broadcast it in the air in front of everyone in line.

      Wait, what? Admittedly I don't shop at Best Buy anymore, but if I'm checking out and I swipe my credit card, why would they ask for the last 4 digits? I just gave the whole number to the card reader.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    12. Re:Sounds like a lawsuit waiting to happen by Xest · · Score: 2

      "In the real universe, the phone service rep is a minimum-wage worker in a foreign country, whose top priority is keeping down their time-per-call-resolution metric."

      Right, but backing up this thread to the previous point that still makes it PayPal's fault for not ensuring security comes before other arbitrary metrics. That excuses the call centre worker, that is why social engineering happens as you say, but none of it is a viable excuse for PayPal as a company allowing the data to be handed over.

    13. Re:Sounds like a lawsuit waiting to happen by Zaelath · · Score: 2

      To be fair, corporations don't improve the situation. I had this conversation several times with Telstra staff:

      Telstra: Hi, this is Telstra. We want to discuss your account, but to prove you are you, what's your birthday?
      Me: You cold-called me, you need to prove who you are, not the other way around.
      Telstra: But it's just your birthday, it's not ID.
      Me: YOU'RE USING IT FOR ID RIGHT NOW!

      Twats.

  4. Don't think custom domains were his problem by egranlund · · Score: 4, Insightful

    Avoid custom domains for your login email address

    Honestly, I don't think that would have helped. I doubt it's much harder to gain control of someone's gmail, yahoo or hotmail account if they are as motivated as it sounds like his attacker was.

    Once you gain control of anyone's email account, even if the attacker doesn't have custom domains to hold for ransom, they could easily threaten bank accounts, etc etc.

    1. Re:Don't think custom domains were his problem by Nemyst · · Score: 3, Insightful

      If your Google account doesn't have your credit card number on file and uses two-factor auth, I think it'd be a lot harder to crack into it even using social engineering. The problem is always that most sites are designed so that in the event of people forgetting EVERYTHING, they can still recover their account somehow. If we accepted that losing your password, your security data for recovery and your two-factor auth would mean you lose your account (or you need something very, very elaborate to recover it, much more than just your last four CC numbers), security would be improved.

      The problem is that for every super-focused hack like this one, there's a thousand people who forget their access credentials and want their account back, so it makes more sense to have lax security and cover the biggest proportion of your audience.

    2. Re:Don't think custom domains were his problem by PRMan · · Score: 2

      It would be VERY hard to break into a Google account using social engineering. First you'd have to find an actual person at Google.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
  5. Two-factor on GoDaddy? by Admodieus · · Score: 2

    If your account has two-factor enabled, any account change will require entry of that limited-time token. Now, if the person doing the social engineering was able to access the account in the first place with only the last four digits of the card number, then they may have also been able to bypass this or turn it off with the help of the customer support rep. But I didn't see any mention of this in the article and wanted to point it out for those who use GoDaddy and are afraid of a similar situation occurring.

    --
    "It's a reverse vampire...they....they crave the sun!"
    1. Re:Two-factor on GoDaddy? by jaymz666 · · Score: 5, Interesting

      the godaddy person let him keep trying various numbers until it worked. How can you trust them when it comes to security at all.

      These companies need to be held accountable for their actions.

    2. Re:Two-factor on GoDaddy? by rwven · · Score: 2

      Godaddy would have just removed the 2nd factor for the same reason they handed over the "1st" factor. Hiroshima pretended he was the user, who has lost the ability to log in. They would have just reset the password and removed two-factor authentication from the account after the identity was "verified."

  6. lawsuit by internerdj · · Score: 4, Insightful

    I'd be talking to a lawyer. Sounds like someone at Paypal owes $50k to Mr. Hiroshima.

    1. Re:lawsuit by Solandri · · Score: 2

      I really doubt that lawsuit would get very far. The only evidence against Paypal is the written testimony of a known criminal (the guy who conducted the attack). For all we know, the attacker could be a worker at Starbucks who lifted Mr. Hiroshima's credit card number when he bought coffee there. And he hates Paypal (like most of us do) so he's setting up a false trail leading to Paypal.

      The real problem is using the credit card number as authentication of anything other than a credit card purchase. It's something that's seen by dozens if not hundreds of people in a month, and trivial to record with a quick photo. Absolutely silly to use it for identity verification.

    2. Re:lawsuit by Pope · · Score: 2

      I'd be talking to a lawyer. Sounds like someone at Paypal owes $50k to Mr. Hiroshima.

      Nobody owes him any money whatsoever. He claims it was "valued at over $50,000", but it's worth exactly $0 until he sells it.

      --
      It doesn't mean much now, it's built for the future.
    3. Re:lawsuit by bill_mcgonigle · · Score: 4, Informative

      Patience may be rewarded. Somebody will start using @N at some point, and that person will have a money trail to the criminal.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. "Don't 'Let' Them?" by CanHasDIY · · Score: 3, Insightful

    don't let companies such as PayPal and GoDaddy store your credit card information.

    I wonder, does Mr. Hiroshima realize that consumers have little to no (closer to the latter) control over what a corporation does with our credit card info once we make a purchase with them?

    Does he know of some nuclear option the rest of us aren't aware of?

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  8. Stupid people prevent us from having secure things by jader3rd · · Score: 4, Insightful

    This is a story about how 'real' people hate secure things. Nerds are all about creating encryption and security that requires knowing a secret key. Real world people deal with the fact that they forget secret keys, and want companies to restore their data for them. So for companies to keep customers, they have to create workarounds for the secret keys.

    As a result the only way to for sure secure something, is to not depend upon companies who have 'real' people for customers.

  9. Re:"Social engineering" by Anonymous Coward · · Score: 2

    So Hiroshima is an idiot because someone convinced an employee at PayPal that he was in fact the account owner and to give out the last 4 digits of someone else's credit card?

    Or is he an idiot because someone at GoDaddy, also in breach of proper authentication of account ownership, gave access to the person with the last 4 digits of the credit card number?

    Help me out here, I am so confused about how him being less "worthless and superficial" would have stopped someone else from giving out his account information.

  10. Multiple credit cards by Dan+East · · Score: 5, Insightful

    When the Target data breach happened, I commented here about some of the advantages to using throw-away, preload credit cards (which limits your potential loss and allows you to quickly switch to an entirely different account if you feel the other might be compromised). I was modded down by people who have bought into the whole big-bank credit card racket, and the attitude "why should I worry, when the bank is responsible and I'll eventually get my money back". Well here is yet another advantage of using preloaded credit cards. You load money on it, pay your annual hosting fees, etc, and then just toss it and get another next year to make the next annual payment. This story illustrates the advantages of using an entirely different credit card per service, so the card you use with Godaddy is not the same as you use with Paypal.

    Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.

    --
    Better known as 318230.
    1. Re:Multiple credit cards by Chris+Mattern · · Score: 4, Informative

      Nothing, really, since the bank will eat the costs of the fraud. It's annoying, yes, and it's a bit of a hassle, but generally you aren't buying much of value for that $3.

      For Mr. Hiroshima, that $3 would have apparently bought him continued ownership of his single-letter Twitter account.

    2. Re:Multiple credit cards by PraiseBob · · Score: 2

      First, the bank doesn't simply "eat" the cost of that fraud. They pass that cost on to customers.

      Second, a "bit of a hassle" doesn't quite do justice to describing the process of having all your money stolen electronically at some inconvenient time, and then jumping through hoops for the process of reclaiming your money. Oh, were you busy? Because now you need to devote many many hours to this task immediately.

  11. Should not be too difficult to get it back by angel'o'sphere · · Score: 4, Insightful

    After all Twitter knows which new email address is holding @N. Should not be too hard to figure the real person behind it. And simply asking Twitter to hand it back should also work.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  12. Re:I must be missing something. by geogob · · Score: 4, Insightful

    That's totally absurd. I can't believe a service provider like Godaddy has no record history or history of customer information change. Of course, this historical information may not be available to the first level of customer support. But come on... that shouldn't be the end of it.

    Actually, I'm surprised that a service like Godaddy doesn't have checks in place for cases like this. An account where ALL the customer information is changed within a short period of time, should raise alarm bells. The owner, under the contact information previously available, should automatically be contacted.
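The check proposed in the comment above is a straightforward detection rule: a credential reset followed within minutes by rewritten contact details and a changed MX record is the takeover pattern the article describes. As an added example, not from the commenter or from any registrar's actual system, here is that rule run over a constructed audit trail in a hypothetical event format; the account IDs, addresses and timestamps are made up, and the alert carries the contact address that was on file before the burst so that notification goes to the previous owner rather than to the address the attacker just entered.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event types that, clustered together, look like an account takeover.
SENSITIVE_EVENTS = {
    "password_reset",
    "twofactor_disabled",
    "contact_email_changed",
    "contact_phone_changed",
    "dns_mx_changed",
}

# Constructed audit trail in a hypothetical registrar log format (not real
# records from GoDaddy or anyone else). acct-1001 mirrors the pattern from
# the article: credentials reset via phone support, then contact details
# and the domain's MX record rewritten within minutes. acct-2002 changes
# its email and resets its password two days apart, which is normal use.
SAMPLE_EVENTS = [
    {"ts": "2014-01-20T14:02:11", "account": "acct-1001", "event": "password_reset",
     "channel": "phone-support", "old": None, "new": None},
    {"ts": "2014-01-20T14:03:40", "account": "acct-1001", "event": "contact_email_changed",
     "channel": "web", "old": "owner@example.com", "new": "mailbox@example.net"},
    {"ts": "2014-01-20T14:04:05", "account": "acct-1001", "event": "contact_phone_changed",
     "channel": "web", "old": "+1-555-0100", "new": "+1-555-0199"},
    {"ts": "2014-01-20T14:10:30", "account": "acct-1001", "event": "dns_mx_changed",
     "channel": "web", "old": "mx.example.com", "new": "mx.example.net"},
    {"ts": "2014-01-20T09:15:00", "account": "acct-2002", "event": "contact_email_changed",
     "channel": "web", "old": "a@example.org", "new": "b@example.org"},
    {"ts": "2014-01-22T11:00:00", "account": "acct-2002", "event": "password_reset",
     "channel": "web", "old": None, "new": None},
    {"ts": "2014-01-21T08:00:00", "account": "acct-3003", "event": "login_success",
     "channel": "web", "old": None, "new": None},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def takeover_alerts(events, window_minutes=60, min_distinct=3):
    """Flag accounts where at least min_distinct different sensitive changes
    land inside one sliding window. Returns one alert per account, carrying
    the email that was on file before the burst (the 'old' side of the
    first contact_email_changed event) as the address to notify."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        for i, first in enumerate(evs):
            t0 = _ts(first["ts"])
            burst = [e for e in evs[i:]
                     if e["event"] in SENSITIVE_EVENTS and _ts(e["ts"]) - t0 <= window]
            kinds = sorted({e["event"] for e in burst})
            if len(kinds) >= min_distinct:
                prior_email = next((e["old"] for e in burst
                                    if e["event"] == "contact_email_changed"), None)
                alerts.append({"account": account,
                               "window_start": first["ts"],
                               "changes": kinds,
                               "notify_previous_contact": prior_email})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in takeover_alerts(SAMPLE_EVENTS):
        print(alert)
```

Notifying the previous contact is only useful if that channel is still the owner's; the email in this sample has already been repointed via MX, which is why the old phone number (or a postal address, or any out-of-band channel captured before the reset) should be included in the notification, and why a hold on transfer-out and DNS changes for some hours after a support-desk reset is the more robust control.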

  13. Re:comeuppance? by Antipater · · Score: 5, Insightful

    "It's entirely your fault that a thief held a gun to your wife's head and demanded your Babe Ruth-autographed baseball. If you didn't have a Babe Ruth-autographed baseball in the first place, it never would have happened."

    --
    Everything is better with chainsaws.
  14. All right, I'll bite. by Tenek · · Score: 3, Interesting

    I will assume since it hasn't come up already that there is some reason Twitter can't just give him back the handle. What is it?

  15. Nope by ledow · · Score: 4, Insightful

    This is like kidnap or a mugging. At no point do I have an actual incentive to give in to such a person's demands. "We won't hurt you / them / your website if you do X". I have *absolutely* no guarantee of that.

    I *cannot* win. If I do everything you request, you could still trash my domain / stab me anyway / kill your hostage and there's nothing I can do to stop that.

    As such, non-compliance is no different to compliance in such a situation. So why voluntarily give them MORE power over you / your assets?

    As it is you would have to wipe servers, settings, email etc. and start again even if they did honour their agreement.

    But then, you have to remember, this person is already committing a crime... what's in their conscience that will make them honour an agreement concerning that crime?

    Let them squirm, report them, regain control when you can, then purge their access from your systems.

    Anything else is just stupid.

    1. Re:Nope by Anonymous Coward · · Score: 2, Insightful

      It isn't like a mugging at all. If he stabs you there's another charge against him in case he's caught.
      Also, I'd rather give the mugger a few bucks than spend a few hundred in a hospital or die. You can pretend you'd be able to disarm the guy, but in my experience they usually grab you from behind and work in groups so unless you're Chuck Norris they'd put a bullet in you even if you somehow manage to kill one of them.

    2. Re:Nope by Jason+Levine · · Score: 2

      Easy to say right now. Harder to say if you are the one who is facing someone who has access to the DNS records of all of your websites (and has locked you out) or (even worse) a mugger with a gun pointed at you.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  16. What you don't know... by Junta · · Score: 5, Interesting

    Is that the current controller of N is legitimate, and *this* story is the social engineering attack to get control of it.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:What you don't know... by Quirkz · · Score: 2

      the real reason has traditionally been that if virtual goods (like the account or items in the game world) can be shown to have a legitimate real-world value then there is a good possibility that they might end up with legal liability in the event that their server code screws up and erases the account (or, possibly, even if a bug in their code causes items in the game economy to lose significant value in the real-world).

      In my case, it was because I didn't want to deal with "I bought/sold an account but the other person ripped me off" reports. It's worthwhile to be very vocal up front that it's not allowed, even if you don't actually care, just so people realize they're doing such transactions at their own risk.

  17. Use Two-Factor Authentication On Gmail by HangingChad · · Score: 2

    This story reminds me why I don't use GoDaddy and, if you haven't already done so, activate two-factor authentication on your Gmail account.

    It's not bulletproof (what is?) but it's an extra layer of security that keeps a hacker from getting control of your email account.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  18. It goes deeper than GoDaddy, unfortunately. by An+Ominous+Cow+Erred · · Score: 4, Interesting

    Simply put -- consumers can't be trusted to be able to deal with complex secure authentication schemes. That's why there are so many easy-to-guess "What city did you grow up in?" password-reset functions. There are so many weak links in the chain of trust, it takes a concerted effort on the individual's part to secure it.

    The CEO of Cloudflare fell victim to this when someone CONVINCED AT&T TO REROUTE HIS VOICEMAIL, starting a chain of events that wound up with the interloper having complete control over Cloudflare and the myriad of sites that use CF (and therefore trust it to send legitimate data).

    It's a bit exciting/fascinating to read about the chain of events, (particularly the timeline):

    http://blog.cloudflare.com/the...

    http://blog.cloudflare.com/pos...

  19. Multi-factor authentication on GoDaddy by marcgvky · · Score: 4, Interesting

    I am a GoDaddy customer and had a problem with my ex-partner: he tried to social engineer his way into grabbing control of our domains/email accounts, hosted by GoDaddy. Subsequently, I enabled a feature that GoDaddy offers. GoDaddy sends a text message that I must respond with. This extra factor is required for all changes, now. People should enable this feature, regardless of where you host your email. It makes it impossible to social engineer your way past a customer service rep.

    1. Re:Multi-factor authentication on GoDaddy by pspahn · · Score: 2

      I use Google Voice as my phone number, you insensitive clod!

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Multi-factor authentication on GoDaddy by wvmarle · · Score: 2

      "Hey godaddy, my house burned down with that phone in it, so I can't get to those messages now or ever, please change it to my new number 1234-4321 so I can receive your messages again."

    3. Re:Multi-factor authentication on GoDaddy by wvmarle · · Score: 2

      And how is it not possible for a mobile phone to burn, or get lost, or otherwise cause you to lose access? It's quite interesting you even thought I was talking about a fixed line. That option never crossed my mind when writing that comment.

  20. Re:"Social engineering" by Impy+the+Impiuos+Imp · · Score: 2

    Go Daddy should be on the hook. How stupid!

    "Hi, I need the last 4 of my social security number so I can prove I am who I am. I, uuuuh, lost it, so can you tell me it?"

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  21. Re:"Social engineering" by Sarten-X · · Score: 3, Interesting

    Hi, this is $name with account $account, and I had my identity stolen a while ago. They changed all of my account information, and I want to check to see if this account was hacked. What are the last 4 of the SSN on the account?

    Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  22. Re:comeuppance? by Rob+the+Bold · · Score: 2

    And how about don't swim with sharks?

    If he wasn't a social media (value = what exactly?) then this would never have happened anyway.

    Don't get your desirable twitter handle stolen by not having it? I can think of a car analogy for that.

    --
    I am not a crackpot.
  23. Re:"Social engineering" by Immerman · · Score: 4, Insightful

    That would be Paypal that gave out the last four digits. And really, that's not at all uncommon - you can usually get that information from just about anyone who's holding your credit card information: "Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234? No, they're 8462? Ah, that explains it, thank you." Hell, they tend to be listed on every single email receipt sent unencrypted across the internet.

    GoDaddy is still on the hook in my eyes though - given the completely insecure treatment of the last four by pretty much everyone, using it for any sort of authentication purposes is completely asinine.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  24. Re:The city in which you were born, your first pet by femtobyte · · Score: 2

    That's why your answer to security questions shouldn't be any weaker than your main password. What was your first pet's name? "e3d0b512214fa". What street did you grow up on? "aa16b70cc9526fe". Store the answers in your own strongly-encrypted password file. Just because they ask for weak identifying info, doesn't mean you have to play along.

  25. How would you like your steak? by asylumx · · Score: 2

    writes at Medium that he had a rare one-letter Twitter username

    Well done.

  26. Rare, one-letter Twitter username by Boawk · · Score: 3, Funny

    Wow, that must be rare, there can't be more than about a hundred of those.

  27. Re:"Social engineering" by Joce640k · · Score: 4, Insightful

    Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.

    Um, they don't have to make a fraud/non-fraud. The policy should be to never give out details. Ever.

    --
    No sig today...
  28. Re:"Social engineering" by Joce640k · · Score: 4, Insightful

    "Hi, I wanted to confirm which card I have associated with this account. Are the last four digits 1234?

    "Our policy is to never give out that sort of information on the 'phone. Why don't you log into your account and check?"

    --
    No sig today...
  29. Re:Stupid people prevent us from having secure thi by Rich0 · · Score: 3, Insightful

    This is the truth, some customers are not partial to jumping through hoops for secured access, at all.
    For those of us that want the hoops, why don't these companies offer you the ability to opt-out of the 'workaround' security practices?

    Because "real" customers would think they want to have the higher level of security, when in reality they still want the lower level of security. If the company offers higher security to them, the customer will accept it, and then the customer will get upset when the company delivers it to them. The customer will then change to a competitor who promises high security but in reality delivers low security, because that is what they really want.

    Classic IT mistake - you need to deliver what the customer wants, not what they ask for.

  30. Re:Stupid people prevent us from having secure thi by mrchaotica · · Score: 2

    Except that doesn't help, because you can't run your own domain name registration.

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  31. GoDaddy admits they were social engineered by SpaceLifeForm · · Score: 2
    --
    You are being MICROattacked, from various angles, in a SOFT manner.