Twitter Crime Security Social Networks

Developer Loses Single-Letter Twitter Handle Through Extortion

Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with PayPal to get the last four digits of his credit card number over the phone, then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."

  • by jaymz666 ( 34050 ) on Wednesday January 29, 2014 @12:36PM (#46100627)

    The GoDaddy person let him keep trying various numbers until it worked. How can you trust them when it comes to security at all?

    These companies need to be held accountable for their actions.

  • by Tenek ( 738297 ) on Wednesday January 29, 2014 @12:59PM (#46100863)
    I will assume since it hasn't come up already that there is some reason Twitter can't just give him back the handle. What is it?
  • by Junta ( 36770 ) on Wednesday January 29, 2014 @01:01PM (#46100883)

    Is that the current controller of N is legitimate, and *this* story is the social engineering attack to get control of it.

  • by An Ominous Cow Erred ( 28892 ) on Wednesday January 29, 2014 @01:12PM (#46101053)

    Simply put -- consumers can't be trusted to be able to deal with complex secure authentication schemes. That's why there's so many easy-to-guess "What city did you grow up in?" password-reset functions. There are so many weak links in the chain of trust, it takes a concerted effort on the individual's part to secure it.

    The CEO of Cloudflare fell victim to this when someone CONVINCED AT&T TO REROUTE HIS VOICEMAIL, starting a chain of events that wound up with the interloper having complete control over Cloudflare and the myriad of sites that use CF (and therefore trust it to send legitimate data).

    It's a bit exciting/fascinating to read about the chain of events, (particularly the timeline):

    http://blog.cloudflare.com/the... [cloudflare.com]

    http://blog.cloudflare.com/pos... [cloudflare.com]

  • by marcgvky ( 949079 ) on Wednesday January 29, 2014 @01:13PM (#46101063) Journal
    I am a GoDaddy customer and had a problem with my ex-partner: he tried to social engineer his way into grabbing control of our domains/email accounts, hosted by GoDaddy. Subsequently, I enabled a feature that GoDaddy offers. GoDaddy sends a text message that I must respond with. This extra factor is required for all changes, now. People should enable this feature, regardless of where you host your email. It makes it impossible to social engineer your way past a customer service rep.
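
An added sketch, not part of the original discussion and not GoDaddy's code, of the two controls raised in the comments above: a cap on wrong guesses during phone verification, and a text-message confirmation before any change is applied. The class name, the three-attempt limit and the `send_sms` callback are assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed policy, not any registrar's real setting


class SupportDeskGate:
    """Hypothetical gate a support tool could put in front of account changes."""

    def __init__(self, last4_on_file, send_sms):
        self._last4 = last4_on_file
        self._send_sms = send_sms      # callable(code): delivers to the phone on file
        self._failures = 0
        self._pending = None           # one-time code awaiting confirmation
        self.caller_verified = False

    @property
    def locked(self):
        return self._failures >= MAX_ATTEMPTS

    def check_last4(self, guess):
        """Knowledge check with a hard cap on wrong guesses."""
        if self.locked:
            return False               # even the right digits are refused now
        if hmac.compare_digest(guess, self._last4):
            self.caller_verified = True
            return True
        self._failures += 1
        return False

    def request_change(self):
        """A verified caller still only triggers an out-of-band code."""
        if self.locked or not self.caller_verified:
            return False
        self._pending = f"{secrets.randbelow(10**6):06d}"
        self._send_sms(self._pending)
        return True

    def confirm_change(self, code):
        """Apply the change only if the code sent to the phone comes back."""
        if self.locked or self._pending is None:
            return False
        ok = hmac.compare_digest(code, self._pending)
        self._pending = None           # single use, right or wrong
        if not ok:
            self._failures += 1
        return ok
```

Knowing the card digits alone never reaches `confirm_change` successfully, because the code goes only to the phone already on file.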
  • by Sarten-X ( 1102295 ) on Wednesday January 29, 2014 @01:43PM (#46101489) Homepage

    Hi, this is $name with account $account, and I had my identity stolen a while ago. They changed all of my account information, and I want to check to see if this account was hacked. What are the last 4 of the SSN on the account?

    Of course, the customer support rep wants to be helpful, and the person already knows the other account identifiers... so the idea of fraud never crosses their mind.

  • Blame the Victim (Score:2, Interesting)

    by gd2shoe ( 747932 ) on Wednesday January 29, 2014 @09:43PM (#46106355) Journal

    The term "blaming the victim" has been dubious since its very origin. I'll grab text from Wikipedia, because it's handy:

    The Negro Family: The Case For National Action (the 1965 Moynihan Report) was written by Assistant Secretary of Labor[1] Daniel Patrick Moynihan, a sociologist and later U.S. Senator. It focused on the deep roots of black poverty in America and concluded controversially that the relative absence of nuclear families (those having both a father and mother present) would greatly hinder further progress toward economic and political equality.

    Moynihan argued that the rise in single-mother families was not due to a lack of jobs but rather to a destructive vein in ghetto culture that could be traced back to slavery and Jim Crow discrimination. Though black sociologist E. Franklin Frazier had already introduced the idea in the 1930s, Moynihan's argument defied conventional social-science wisdom. As he wrote later, "The work began in the most orthodox setting, the U.S. Department of Labor, to establish at some level of statistical conciseness what 'everyone knew': that economic conditions determine social conditions. Whereupon, it turned out that what everyone knew was evidently not so."

    Moynihan had concluded that ... the uniquely cruel structure of American slavery [had created a pattern which]..., manifested itself in high rates of unwed births, absent fathers, and single mother households in black families. Moynihan then correlated these familial outcomes, which he considered undesirable, to the relatively poorer rates of employment, educational achievement, and financial success found among the black population. Moynihan advocated the implementation of government programs designed to strengthen the black nuclear family.

    Ryan objected that Moynihan then located the proximate cause of the plight of black Americans in the prevalence of a family structure in which the father was often sporadically, if at all, present, and the mother was often dependent on government aid to feed, clothe, and provide medical care for her children. Ryan's critique cast the Moynihan theories as attempts to divert responsibility for poverty from social structural factors to the behaviors and cultural patterns of the poor.[8][9]

    "We need to help these people understand how not to be poor." "RACIST, He's BLAMING THE VICTIMS!"

    Ryan has set minorities back 4 decades. Unwed births among all races are now on the rise, and we see that there really is a strong statistical correlation with ongoing multi-generational poverty. We'd actually be a more integrated society if we'd dealt with this problem years ago. But no. The knee-jerk reaction is to assume that any action a "victim" takes must be their own fault (often false), and to assume that if anyone is in poverty, it must be someone else's fault (also false; sometimes it is, sometimes it isn't). By this twisted and broken logic, one can never suggest that an individual change their own behavior to change their outcome. Any attempt to suggest that minorities adjust their behavior or world-view has been met with vitriolic screams of racism. (In any degree, no matter how small a part of any larger plan.)

    The phrase "blaming the victim" is inherently broken, not in concept, but in functional use. It is a poor excuse to make uncomfortable topics off limits, and it always has been.
