Slashdot Mirror


Developer Loses Single-Letter Twitter Handle Through Extortion

Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."

14 of 448 comments

  1. the moral of the story by royallthefourth · · Score: 5, Insightful

    like so many other articles, this just seems like another reminder to never ever use godaddy

    1. Re:the moral of the story by David_W · · Score: 5, Insightful

      They gave away the last four digits of the guy's credit card to a stranger...

      Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

    2. Re:the moral of the story by ArhcAngel · · Score: 5, Funny

      gmail would have worked. Google never answers the phone or email support requests anyway.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

    3. Re:the moral of the story by Em+Adespoton · · Score: 5, Informative

      They gave away the last four digits of the guy's credit card to a stranger...

      Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

      I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

      Take for example American Express -- the first 4 digits are known (they're the card ID). If you give away the last four digits, that's 3 digits and Luhn. That means that you now have only 8 unknown digits, and they have to be in a permutation that totals with the other 7 digits to the proper Luhn total. In effect, this means that you can also reliably guess the 5th and 12th digit (as they're paired with the known digits and have an extremely limited set of permutations for the remaining 6 -- only a few hundred for in-my-head calculations).

      That may still sound like a lot, but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

      Summary: the last number of a credit card shouldn't be given out, as it tells a lot more about the entire number than it appears at first glance.

    4. Re:the moral of the story by Obfuscant · · Score: 5, Informative

      I know it's common practice, but it really shouldn't be -- the last four digits of your credit card number are really 3 digits plus the Luhn check. That means that with that string, you can test out all the number combinations and arrive at a significantly narrowed set of possible credit card numbers.

      It doesn't matter where the check digit is, the fact that it exists changes a 16 digit number into a 15 digit one. (And AMEX is an exception, they're only 15 to start with.) I can give you three digits and the "check" and you will need to guess the other 7 (because one of the 8 is constricted by checksum), or I give you four digits and you guess 7 more and calculate the check.

      Once you have the bank and the last four, it is still 7 you get to guess at and the 8th is still limited by having to meet the check.

      but it means that if you have access to the last four digits of 1,000 cards, you're likely going to get the correct card number on the first try on a significant portion of them.

      One in 10 to the 7th power for each one, right on the first guess, assuming you know the first four from the bank for each one. Let's see, the chance of getting it wrong is 1-1e-7, so getting all 1000 wrong is (1-1e-7)^1000. I get 0.99990. Very close to 1, but about 1/10,000. Odds say you won't get any of them right on the first guess.

      And of course, now that I look up the actual Luhn algorithm it is clear that giving you the check digit actually doesn't help you as much as giving you one of the real digits would. If you have to guess 8 digits that match the check I've given you, you will get false positives for all the failure modes listed in the reference, but if I give you an extra digit you'll have one less digit to get wrong.
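
The Luhn arithmetic the two posts above argue over, as an added example that is not code from the thread or from any commenter: a Luhn validator, a counter for how many completions of a masked card number still pass the check (the masks are constructed test values, not real card numbers), and the "all 1,000 guesses wrong" probability from the post above. Running it shows that a check digit removes exactly one decimal digit of uncertainty, regardless of where it sits, which is what the rebuttal above is getting at.

```python
# Added example, not from the Slashdot thread or any commenter.
# Quantifies how much a Luhn check digit narrows a partially known number.
from itertools import product


def luhn_valid(digits: str) -> bool:
    """True if the decimal string passes the Luhn (mod 10) check."""
    total = 0
    # Walk from the rightmost digit; double every second digit from the right,
    # folding two-digit results (e.g. 14 -> 1 + 4 = 5, same as 14 - 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(payload + d):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


def count_valid_completions(mask: str) -> tuple[int, int]:
    """For a mask such as '41111111????1111' ('?' = unknown digit), return
    (Luhn-valid completions, total completions). Brute-forces the unknowns,
    so keep the number of '?' small (4 unknowns = 10,000 candidates)."""
    unknown = mask.count("?")
    total = 10 ** unknown
    valid = 0
    for combo in product("0123456789", repeat=unknown):
        fill = iter(combo)
        candidate = "".join(next(fill) if c == "?" else c for c in mask)
        if luhn_valid(candidate):
            valid += 1
    return valid, total


def prob_at_least_one_hit(n_cards: int, per_card: float) -> float:
    """Chance that at least one of n_cards independent first guesses,
    each succeeding with probability per_card, is right."""
    return 1 - (1 - per_card) ** n_cards


if __name__ == "__main__":
    # Constructed mask: issuer prefix and last four known, four digits unknown.
    valid, total = count_valid_completions("41111111????1111")
    print(f"{valid} of {total} completions pass Luhn (a 10x reduction, never more)")
    # The thread's figure: one-in-ten-million per card, 1,000 cards.
    print(f"P(at least one hit in 1000 cards) = {prob_at_least_one_hit(1000, 1e-7):.6g}")
```

Each unknown digit contributes to the Luhn sum through a map (identity or the double-and-fold) that is a permutation of 0 to 9, so for any fixing of the other unknowns exactly one value of the last one satisfies the check. That is why the count always comes out at one tenth of the candidate space, the same reduction you would get from learning any single real digit.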

  2. Re:Two-factor on GoDaddy? by jaymz666 · · Score: 5, Interesting

    the godaddy person let him keep trying various numbers until it worked. How can you trust them when it comes to security at all.

    These companies need to be held accountable for their actions.

  3. Multiple credit cards by Dan+East · · Score: 5, Insightful

    When the Target data breach happened, I commented here about some of the advantages to using throw-away, preload credit cards (which limits your potential loss and allows you to quickly switch to an entirely different account if you feel the other might be compromised). I was modded down by people who have bought into the whole big-bank credit card racket, and the attitude "why should I worry, when the bank is responsible and I'll eventually get my money back". Well here is yet another advantage of using preloaded credit cards. You load money on it, pay your annual hosting fees, etc, and then just toss it and get another next year to make the next annual payment. This story illustrates the advantages of using an entirely different credit card per service, so the card you use with Godaddy is not the same as you use with Paypal.

    Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.

    --
    Better known as 318230.

  4. Re:Sounds like a lawsuit waiting to happen by squiggleslash · · Score: 5, Insightful

    Why Paypal?

    The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

    GoDaddy was insane to consider it valid authentication information. You might just as well treat someone's name as their password.

    --
    You are not alone. This is not normal. None of this is normal.

  5. Re:comeuppance? by Antipater · · Score: 5, Insightful

    "It's entirely your fault that a thief held a gun to your wife's head and demanded your Babe Ruth-autographed baseball. If you didn't have a Babe Ruth-autographed baseball in the first place, it never would have happened."

    --
    Everything is better with chainsaws.

  6. What you don't know... by Junta · · Score: 5, Interesting

    Is that the current controller of N is legitimate, and *this* story is the social engineering attack to get control of it.

    --
    XML is like violence. If it doesn't solve the problem, use more.

  7. Re:Sounds like a lawsuit waiting to happen by rudy_wayne · · Score: 5, Insightful

    Why Paypal?

    The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

    True, but irrelevant. Think about that for a minute -- you call PayPal and tell them:

    "I have forgotten the last 4 digits of my credit card number, can you give them to me".

    In what bizarro parallel universe does that even make sense? There is no amount of "social engineering" that can explain why you need someone to tell you the last 4 digits of YOUR credit card.

    PayPal needs to be reamed for such a major fuck up.

  8. Re:Sounds like a lawsuit waiting to happen by femtobyte · · Score: 5, Insightful

    "I have forgotten the last 4 digits of my credit card number, can you give them to me".

    "Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

  9. Re:Sounds like a lawsuit waiting to happen by codegen · · Score: 5, Insightful

    "I have forgotten the last 4 digits of my credit card number, can you give them to me".

    "Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

    In an ideal universe: "Sir, if you tell me the last four digits of the card number, I can tell you if you updated it."

    --
    Atlas stands on the earth and carries the celestial sphere on his shoulders.

  10. Re:Sounds like a lawsuit waiting to happen by femtobyte · · Score: 5, Insightful

    Right, in an ideal universe everyone would follow security-conscious procedures. In the real universe, the phone service rep is a minimum-wage worker in a foreign country, whose top priority is keeping down their time-per-call-resolution metric. Quickly helping a friendly, innocent, and clueless-sounding customer, versus remembering and strictly following every procedure in the 400-page employee handbook, doesn't always happen. That's why social engineering works --- the system is not designed for maximum security rigor, but for cutting corners on call-answering costs.