Aretha Franklin, Internet Prophet

Oh, you got me where you want me
I ain’t nothin but your fool
Ya treated me mean
Oh you treated me cruel

Chain, chain, chain,
chain of fools

Chain of Fools, Don Covay

Via Mat Honan of wired.com comes a description of a social engineering attack against Naoki Hiroshima. It is an interesting attack, in no way sophisticated, but all the more terrifying for that.

Hiroshima was the controller of the “@N” username on Twitter. Having a one letter username is apparently prestigious…according to Hiroshima he had been offered up to $50,000 to relinquish it. In a bit of regional trivia, the state of Delaware has a similar cachet with its license plates, with 2- and 3-digit license plates fetching tens of thousands of dollars…seriously.

Don’t know if they did it for the money, or did it for the prestige, but apparently a hacker decided to get control of the “@N” Twitname. Rather than doing the honest hacker thing of trying to hack Twitter, this low-down dirty scoundrel settled on a much more devious route.

First the hacker contacted PayPal and, pretending to be another PayPal employee, got access to the last four digits of Hiroshima’s credit card. Next, the hacker contacted GoDaddy and used those four digits to gain access to Hiroshima’s domain hosting accounts. Finally, Hiroshima was contacted and blackmailed, under threat of losing his web domains, into giving up the Twitname.

This was possible because of a chain of fools, first at PayPal and then at GoDaddy. PayPal is somewhat less culpable, as the attacker pretended to be a fellow employee, and only received the last four digits of the credit card number, digits which are often used as an identifier on transactions. The data probably shouldn’t have been given out, but it is easy to see how PayPal personnel thought no harm would be done.

The folks at GoDaddy are a different story. The hacker had only the last four digits and claimed to have lost the card. He was then given multiple opportunities to guess the first two digits, because that, apparently, provides indisputable authentication. Once he had access to the domains, the hack was complete.

There are two morals to this story. First, social engineering works. People naturally want to be helpful, and at the help desks of PayPal and GoDaddy there is an understanding that the authentication information they rely on is subject to changes beyond their control. I’m not saying this is good, but rather that the sorts of queries this hack used are going to continue to be answered in the future. We can wish it were different, but if it were, the other 99.9% of people who can’t get access to their web domains because they are secured with an old credit card number are going to be pissed.

Secondly, both the Wired article by Mat Honan and the referenced article by Nagasaki talk about the destruction of their “digital life”. Maybe, just maybe, you shouldn’t value your digital life that much. Honan in particular talks about losing baby pictures of his daughter from his iPad. Losing those memories is a tragedy (I know this as a father of three), but maybe they shouldn’t have been on just one device. As I wrote in a post a while ago, backups cure a lot of what ails ya.

Nagasaki talks about the value of his @N Twitname, but that name actually belongs to Twitter, which could have revoked it at any time, for any reason, without compensation…that seems a dubious store of value. And if it really was worth $50,000…why not give up the domain names instead? Were they worth $50,000? According to the hacker, the @N username apparently wasn’t even used that frequently.

I realize this sounds a bit like blaming the victim, which is not my intention per se. I’m simply pointing out to the gentle reader that if you truly value these digital artifacts, you should do more to protect them. Ironically, in the Nagasaki article, exactly the sorts of tips you need to do so are provided by the hacker!

1. For accounts that you value, contact the company and determine if they can put a hold on the account information. Many companies can ensure that the contact information associated with the account cannot be changed through the Internet. Particularly consider this for banking and financial institutions you deal with.

2. Consider using a free public webmail account as your contact address, as opposed to an address on a private domain. If a private domain is hacked, its mail records can be changed, creating an extra layer of difficulty for you. A hacker is unlikely to subvert the MX records for gmail.com or yahoo.com.

3. For important portions of your digital life, seriously consider using an entirely separate infrastructure to support them. Use a different email address, a different device, and, for the truly paranoid, a separate NATed subnet in your home network to access them. Heck, even consider keeping them only on an external disk that is plugged into the device only when in use.

Now none of this advice would’ve helped much with a Twitname. But as I’m sitting on word 852 as I type, I’m obviously not too fussed about a communications medium with a limit measured in characters. Should you be?
