Yesterday Naoki Hiroshima, an Echofon developer, posted an article about how he lost his extremely short Twitter handle @N in an extortion scheme. Hackers compromised his GoDaddy account with social engineering (calling and lying to an account rep), gaining access to his email on a personal domain.
They said that they gained access via a similar call to PayPal, who the hacker claimed gave them the last four digits of Hiroshima’s credit card. They then used that CC info to convince GoDaddy that they were the owner of the domain, and reset his login information.
They used that data to leverage Hiroshima into giving them — under duress — his low-character-count Twitter user name @N. This, it turns out, was the point of the entire affair from the beginning.
PayPal has since investigated and claims that it never gave out Hiroshima’s credit card number or any other personal information — though it does acknowledge there was an attempt to get the info. So, that leaves a question about whether the hacker was lying about where they got Hiroshima’s card numbers — but it doesn’t change the fact that the hack happened.
And it leaves an even bigger question. The hack is pretty well documented and it appears evident that the end result was fairly straightforward extortion. So why hasn’t Twitter simply given Hiroshima his @N username back?
Twitter, for its part, will only tell us that it is still investigating the matter.
We spoke to Hiroshima about the ordeal and exactly how it went down. He notes that it’s highly improbable for the hacker to have gained access to his account without credit-card numbers somehow, and that they claim it was via PayPal. He also says that he feels he did everything normally expected to prevent this kind of thing, but that the methods used by the hackers side-stepped any additional efforts he might have taken like two-factor authentication.
“[Two factor authentication] can’t prevent this from happening again,” says Hiroshima. “GoDaddy allowed the guy to reset everything over the phone. As long as a company only uses the last 4 digits of a [credit card] to verify [identity], this will keep happening. They should ask multiple questions.”
GoDaddy has said that it is investigating but has not responded to a request for further comment.
The vector for the attack, in the end, was the weakest link in many security procedures: people. A well-documented attack on Wired writer Mat Honan last year was predicated on relatively similar tactics. The target of Honan’s attack was also a low-character Twitter account.
The question about what can be done to improve security in these matters is a long-running one. There have been some changes like two-factor authentication being offered by more vendors — but sloppy procedures like allowing account resets with credit-card numbers (especially partial ones!) remain commonplace.
And the fact is that many of these ‘hacks’ don’t take any special technical knowledge. They just require a methodical and bold operator who is willing to pick up the phone and follow a script.
Hiroshima also notes that many of these systems are designed to make it easy to change things by phone, but nearly impossible to revert them afterwards.
“They should design the system so that reverting should be easier than changing,” Hiroshima says. “That the attacker changed something was something that can happen; the problem is, I couldn’t revert the change. If someone updated something and someone else said ‘no’ immediately after, what’s the chance that the latter guy is the attacker?”
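As an added illustration of the design Hiroshima is arguing for (this is example code, not anything from the article or from Twitter, GoDaddy or PayPal), here is a small Python model in which a sensitive change goes through immediately but a revert token is sent to the previous contact address; a revert inside the window restores the old value and freezes further changes until a human reviews the account. The field names, the seven-day window and the sample addresses are assumptions.

```python
import secrets
from dataclasses import dataclass, field

REVERT_WINDOW_SECONDS = 7 * 24 * 3600  # assumed window; tune to your risk appetite


@dataclass
class PendingChange:
    old_value: str
    new_value: str
    issued_at: float


@dataclass
class Account:
    email: str
    pending: dict = field(default_factory=dict)  # revert_token -> PendingChange
    frozen: bool = False  # set once a revert fires; cleared only by human review

    def change_email(self, new_email: str, now: float) -> str:
        """Apply the change at once (cheap to change) and hand back a revert token.
        The token must be delivered out of band to the OLD address, never the new one."""
        if self.frozen:
            raise PermissionError("account frozen pending review")
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingChange(self.email, new_email, now)
        self.email = new_email
        return token

    def revert(self, token: str, now: float) -> bool:
        """Cheap to revert: the old contact's 'no' wins within the window, and the
        account is frozen so whoever made the change cannot simply change it again."""
        change = self.pending.pop(token, None)
        if change is None or now - change.issued_at > REVERT_WINDOW_SECONDS:
            return False
        self.email = change.old_value
        self.frozen = True
        return True


def scenario():
    """Constructed walk-through: a change made via support is reverted by the old contact."""
    acct = Account(email="owner@example.com")
    t0 = 1_000_000.0
    token = acct.change_email("newcontact@example.net", now=t0)  # goes to owner@example.com
    reverted = acct.revert(token, now=t0 + 3600)
    try:
        acct.change_email("another@example.net", now=t0 + 7200)
        second_attempt = "allowed"
    except PermissionError:
        second_attempt = "refused"
    return acct.email, reverted, second_attempt
```

Running `scenario()` shows the old owner regaining the address and the account refusing further changes until reviewed.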
As far as why Hiroshima’s Twitter account hasn’t simply been ‘given back’ to him — the answer likely lies in the fact that he felt so threatened by the hacker’s access to his accounts that he ‘gave’ the account over willingly. Had he held out and waited for them to cause more damage or take over the account by main force or another feat of customer service manipulation, it would have been a much simpler matter. It would have been stolen and could be returned.
Now, because the account was ‘transferred’, it’s a much murkier affair and Twitter will likely have to do more due diligence before it takes any action. So Hiroshima will probably get @N back, but it will take a bit.
It’s worth noting that Twitter appears to have banned the @N account at the time of this writing, so the gears are turning.
Image Credit: Manuelxk