Politics, Weather, Photography, and the Dog
Thursday 30 January 2014

Via my co-worker Matt Stratton, a frustrating example of how companies that should have known better allowed a social-engineering attack against a single-letter Twitter handle:

I had a rare Twitter username, @N. Yep, just one letter. I’ve been offered as much as $50,000 for it. People have tried to steal it. Password reset instructions are a regular sight in my email inbox. As of today, I no longer control @N. I was extorted into giving it up.

It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification.

My [ownership] claim was refused because I am not the “current registrant.” GoDaddy asked the attacker if it was ok to change account information, while they didn’t bother asking me if it was ok when the attacker did it. I was infuriated that GoDaddy had put the burden on the true owner.

The thing is, GoDaddy allowed [the attacker] to keep trying until he nailed it. Insane. Sounds like I was dealing with a wannabe Kevin Mitnick—it’s as though companies have yet to learn from Mitnick’s exploits circa 1995.

The author has some concrete suggestions. Here are his, mixed with some of mine:

  • Use GMail for your login email address. The attack described above worked through suborning the author's email accounts at the DNS level. No one's going to do that to Google.
  • Use a very long TTL for MX record expiration. (If you don't know what that means, that's OK; this is for administrators.)
  • Use two-factor authentication wherever possible. I've got two-factor authentication on just about everything, including GMail, my Microsoft ID, my DNS provider... everything that can use it. If I lose the authenticators, I'm in trouble. But not as much trouble as I'd be in if someone else logged into any of these accounts.
  • Use unique strong passwords and a password safe. In fact, use a different, strong password for every account that matters. Does the website have a credit card on file? Does it host your email, DNS, or something else vital? Strengthen the passwords.
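To make the two-factor recommendation concrete, here is an added example (not code from the original post or from any of the companies it names) of how the time-based one-time codes that authenticator apps produce are generated and checked on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret is the constructed sample from the RFC test vectors, so the output can be compared against the RFC's published table; the verifier's clock-skew window and replay check are ordinary design choices, not anything the post describes.

```python
"""TOTP (RFC 6238) generation and verification as a worked example of the
second-factor codes recommended above. Added example; not the post's code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed sample: the shared secret used by the RFC 4226 / RFC 6238
# reference test vectors (ASCII "12345678901234567890"), so the codes below
# can be checked against the RFCs' published tables.
RFC6238_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh random shared secret, base32-encoded the way
    authenticator apps expect it in a provisioning URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing '='."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic
    truncation to a 31-bit integer, reduced mod 10**digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1, algo=hashlib.sha1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window`
    neighbouring steps (tolerates clock skew). Returns the matching
    counter, or None if the code is rejected.

    Replay protection: any counter at or below `last_counter` (the last
    counter this account successfully used, stored by the caller) is
    refused even if the code matches, so a code captured in transit cannot
    be reused inside its validity window. The comparison is constant-time
    so timing does not leak how many digits were right."""
    if for_time is None:
        for_time = time.time()
    if not (code.isdigit() and len(code) == digits):
        return None
    now = int(for_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits, algo)
        if hmac.compare_digest(expected, code):
            return counter
    return None


if __name__ == "__main__":
    # Walk through enrolment and one login using the constructed secret.
    b32 = base64.b32encode(RFC6238_SECRET).decode()
    print("provisioning secret:", b32)
    key = decode_secret(b32)
    code = totp(key, 59, digits=8)
    print("code at t=59:", code)  # 94287082 per RFC 6238 Appendix B
    print("accepted (counter):", verify_totp(key, code, for_time=59, digits=8))
    print("replay rejected:", verify_totp(key, code, for_time=59, digits=8, last_counter=1))
```

The point of the `last_counter` bookkeeping is the one that matters for the attack in the post: a second factor only helps if the server refuses the same code twice and does not let a caller talk it into skipping the check altogether.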

I hope nothing like this ever happens to me or you.

Thursday 30 January 2014 14:03:07 CST (UTC-06:00)
About
David Braverman and Parker
David Braverman is a software developer in Chicago, and the creator of Weather Now. Parker is the most adorable dog on the planet, 80% of the time.
All content Copyright ©2014 David Braverman.