Thursday, January 30, 2014

'$50,000 Twitter handle' apparently lost after PayPal, GoDaddy errors

If you recall how Matt Honan's digital life was destroyed in 2012, then you can understand why Naoki Hiroshima gave in to a "cyber-terrorist's" demands. Hiroshima lost what he called his $50,000 Twitter username when PayPal and GoDaddy allowed someone to take over his accounts, The Verge reported on Wednesday.

The Twitter username was @N. Indeed, as a single-letter username, it was in high demand, and he had been offered as much as $50,000 for it. Others had tried to steal it, but this thief was successful, when he gained access to Hiroshima's domain names and threatened that they could be repossessed by GoDaddy and "never seen again."

Recalling the horrible digital wasteland that Matt Honan's life became after a similar incident, in which customer service representatives gave a hacker access to his and iCloud accounts, though means that should not have been allowed -- but they were -- Hiroshima gave control of the @N Twitter username to his blackmailer.

How did all this happen?

The first sign that something was amiss came during a meal.
While eating lunch on January 20th, 2014, I (Hiroshima) received a text message from PayPal for one-time validation code. Somebody was trying to steal my PayPal account. I ignored it and continued eating.
Lesson learned: Don't ignore these messages.

By posing (on the phone) as a fellow PayPal employee, the miscreant convinced the CSR he spoke to to give up the last four digits of Hiroshima's credit card. Normally, that is useless, but in this case, the attacker was then able to use them as verification on the phone with GoDaddy.

What's interesting is that when Hiroshima tried to take control of his domain back, he was asked for the last six digits of his credit card. If the original GoDaddy CSR the attacker had spoken to had required that information, the transfer would have never taken place. Instead the CSR allowed the attacker to guess the first two digits of the card, and he got it right away. As he added in communication with Hiroshima after he got what he wanted:
I got it in the first call, most agents will just keep trying until they (the customer, we assume) get it
At this point Hiroshima realized that control of his @N Twitter account was the target of the attack, so he changed the email address associated with the account before the attacker changed the DNS entries for his domain name.

This stopped the attacker's progress, but the attacker then compromised Hiroshima’s Facebook account. Eventually, he made his demands via email, and issued the following ultimatum:
I’ve seen you spoke with an accomplice of mine, I would just like to inform you that you were correct, @N was the target. it appears extremely inactive, I would also like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again D:

I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5minutes while I swap the handle in exchange for your godaddy, and help securing your data?
Faced with the prospect of losing his digital life, and with GoDaddy unwilling to help (as the registration of the domain names had successfully been changed), Hiroshima gave up and gave the hacker control of @N.

After all this, could Twitter give the account back to Hiroshima? If the digital clues are traced, surely all the companies involved would be able to connect the dots.

Probably -- if they bothered to take the time to investigate -- Twitter could do so. However, what is to prevent the hacker to take retribution against Hiroshima?

Instead, it appears Hiroshima has settled. He now owns the Twitter handle @N_is_stolen.

Update: PayPal has issued a post in which it denies giving out Hiroshima's credit card info.

No comments: