The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack

High-tech security measures fell before good, old-fashioned con artistry.

Of all the lessons to be learned from the hacking of Naoki Hiroshima and the loss of his coveted @N Twitter handle, the most troubling is the one which will ultimately be the most difficult to solve. In online security, weak passwords and poor encryption standards may be part of the problem, but the biggest problem of all remains ourselves.

Hiroshima outlined the events that led up to the loss of his Twitter handle, which he valued at $50,000 based on previously received offers from would-be buyers, in a posting published on Medium on Wednesday. It wasn't sophisticated password cracking or a zero-day, code-based exploit that sealed the deal. In fact, all it really took was a telephone call or two.

The saga began on Jan. 20 when Hiroshima reported that someone was attempting to hack into his Paypal account. Hiroshima had two-factor authentication set up, and when the attacker attempted to reset his password, he received a text message requesting his approval for the change, which he ignored.

Unable to get through Paypal's gates, the attacker took a surprising next step, attacking Hiroshima's personal domain name through his registrar, GoDaddy. The hacker got through GoDaddy's security measures by calling a representative on the phone. The hacker claimed to be Hiroshima and said he was having trouble accessing his account. GoDaddy asked for the last six digits of his credit card number on file as proof of identity, which the hacker miraculously was able to provide.

How'd he do that? Again, via a simple phone call. That first volley at Paypal was no coincidence. According to Hiroshima, the hacker had also called Paypal's support staff and used social engineering tricks to get that representative to tell him the last four digits of the credit card he had on file. (While the details of this conversation have not been published, it isn't hard to imagine how it must have gone: "Hi, I lost my wallet and don't know which credit card I have linked to my Paypal account. Can you tell me the last four digits you have on file so I know if I need to change the card on my Paypal account?" Or something like that.)

The hacker then took those four digits and was, amazingly, able to parlay that into the last six digits. How? According to Hiroshima's narrative, the GoDaddy support agent simply let the hacker guess them, two by two, until he struck upon the right combination, unleashing the keys to the account. The hacker reported to Hiroshima that he told GoDaddy he'd lost his card, but remembered the last four digits, opening the door for the guesswork operation. The hacker got it all done in one call.
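The guessing game described above is really a question of verification policy, so here is an added example (not from the article, Hiroshima, or GoDaddy) that models it: a support-call session with a constructed card number on file, a weak policy that allows unlimited guesses, and a hardened one that locks the session after a few failures and gives no partial feedback.

```python
"""Added example: support-desk card verification, weak vs. hardened policy.
The card digits and attempt limits are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample value: last six digits on file for a hypothetical account.
CARD_LAST6_ON_FILE = "482913"


@dataclass
class VerificationSession:
    """One support call. Counts guesses so a lockout can be enforced."""
    max_attempts: int          # 0 means unlimited, i.e. the weak policy
    attempts: int = 0
    locked: bool = False
    log: List[str] = field(default_factory=list)

    def check(self, claimed_last6: str) -> bool:
        """True only on an exact match; never reveals which digits matched."""
        if self.locked:
            self.log.append("refused: session locked, escalate to a supervisor")
            return False
        self.attempts += 1
        ok = claimed_last6 == CARD_LAST6_ON_FILE
        if not ok and self.max_attempts and self.attempts >= self.max_attempts:
            self.locked = True
            self.log.append(f"locked after {self.attempts} failed attempts")
        return ok


def guesses_allowed(known_last4: str, max_attempts: int) -> Optional[int]:
    """Simulate the article's scenario: the caller already holds the last four
    digits and offers every possible leading pair (00..99). Returns how many
    attempts the policy let through before a match, or None if it locked first."""
    session = VerificationSession(max_attempts=max_attempts)
    for pair in range(100):
        if session.check(f"{pair:02d}{known_last4}"):
            return session.attempts
        if session.locked:
            return None
    return None


if __name__ == "__main__":
    known = CARD_LAST6_ON_FILE[2:]  # the four digits the caller got elsewhere
    print("unlimited policy:", guesses_allowed(known, 0))   # matches within 100
    print("3-attempt lockout:", guesses_allowed(known, 3))  # None: locked out
```

With four of six digits already known, an unlimited policy leaves at most 100 combinations, which is why a per-call attempt cap and an escalation path matter more than the secret itself.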

All of this was prologue to the hacker's ultimate goal. With his GoDaddy account in hand, the hacker extorted Hiroshima into handing over the @n handle, which he did. A variety of investigations are now ongoing, but @n is now in the hands of one "Badal_NEWS."

Social engineering still works... and works well

What went wrong? It's easy to say Paypal and GoDaddy share the blame, but the common denominator in both cases is simple human nature. To really understand how social engineering like this works, put yourself in the shoes of the company that receives the phone call from the hacker. A panicked user calls you, asking for your help with a problem. He's been the victim of a crime or an accident, and the standard security systems available on the Web aren't helping him. A company like Paypal probably receives thousands of calls like this every day, and the vast majority are likely totally legitimate: real people in real crisis.

It's natural to want to help these people, and a good hacker will have acting skills that are just as developed as his tech skills. But considering the general level of training and experience that most tier one tech support operators have, it probably doesn't take a lot of convincing to trick them into giving up data that they have no business handing out over the phone. To quote David Mamet, "It's called a confidence game. Why? Because you give me your confidence? No. Because I give you mine."

Paypal has denied that its employees released Hiroshima's personal or credit card information. GoDaddy has 'fessed up to its part of the problem, saying it is "making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."

That same rhetoric is used every time a big hack takes place. Apple, for example, briefly froze all over-the-phone password resets after reporter Mat Honan was catastrophically attacked in 2012. The average computer user has dozens of active online accounts, and they'll never all be locked down tight. If a hacker can't grab your Paypal account or your GoDaddy account, he'll simply go after another one. Eventually someone will answer the phone.

Imperfect solutions are better than none

Hiroshima offered a few tips in his Medium post that you can use to help you protect yourself. Don't use an email address tied to a personal domain for logins. Increase the time to live (TTL) on your mail server's MX record to give you more time to plan a response if someone takes over your email account. And use two-factor authentication wherever possible. The hacker in the case also gave Hiroshima some good advice: If you're worried about attacks, call the company (Paypal in this case) and ask them to make a note on your file not to release any details about your account over the phone. It can't hurt.

Consider using different credit cards for different services. In Hiroshima's case, had he tied Paypal and GoDaddy to different cards, the hacker wouldn't have been able to complete his two-step attack in the manner he did. Some banks will also issue one-time card numbers which you can use, say, when paying for a ten-year domain registration, then burn forever.

You might consider undertaking a faux attack of your own account as a test. Call your providers and see what they'll divulge over the phone. Beg and plead and rely on human nature to cajole them into helping you. If you're not satisfied that they'll stick to their policies and protect your personal information, it's probably time to jump ship.

Stories by Christopher Null
