Social Engineering Always Wins: An Epic Hack, Revisited

Naoki Hiroshima's gripping account of how he was forced to give up his single character Twitter handle, @N, to an attacker re-exposes a fundamentally unaddressed issue of how easily companies' customer support systems can be tricked into handing out password resets.
“Cosmo the God,” a teenage hacker in Long Beach, California, used social-engineering exploits to crack accounts at Amazon, AOL, AT&T, Microsoft, Netflix, PayPal, and more. Photo: Sandra Garcia/WIRED

Yesterday, Naoki Hiroshima published a gripping account of how he was forced to give up his single-character Twitter handle, @N, to an attacker who used social engineering techniques to jack his GoDaddy-hosted domains and then extort the handle away via the threat of deleting data.

It re-exposes a fundamentally unaddressed issue of how easily companies' customer support systems can be tricked into handing out password resets with the right pieces of information. We are relying on secrets to protect our most valuable data. But the Internet doesn't do secrets. Not anymore. Not with everything tracked, everything collected, everything just a Google search away. It's understandable that corporations have systems in place to try to help customers locked out of their accounts. But we need to insist upon security over convenience. Until we do, by refusing to patronize those businesses that don't give enough of a damn about us to keep good protections in place, these things are just going to keep happening.

As Hiroshima's attacker described it, the culprit accomplished this by calling PayPal customer service and posing as an employee in a different department -- a common social engineering technique. (PayPal claims it did not release any credit card information.) The attacker says he (or she) was then able to get the company to hand over the last four digits of Hiroshima's credit card on file with PayPal. He or she then called GoDaddy armed with that information, and tricked the web hosting company into handing out a password reset. Although this didn't give the hacker immediate control of Hiroshima's email, as was apparently the goal, it gave control of Hiroshima's domains -- which were vulnerable to the threat of being deleted. And with that, Hiroshima handed over control of his @N handle.

It's a strikingly similar technique to the way in which my accounts were hijacked last year, also for the purpose of taking over a Twitter handle. In both cases, companies were using credit card data to verify accounts -- a completely terrible and irresponsible idea. It is also extremely similar to a method Josh Bryant documented that allowed an attacker to socially engineer Amazon customer service, and then use that data to attack his iCloud account to ultimately try to take over his @jb Instagram handle.

In short, all of this has happened before, and all of it will happen again. This was certainly not the first time PayPal has proved vulnerable to social engineering techniques. And as we have also documented, password resets and password problems are an epidemic completely out of control. For most people, account security is an illusion.

When I read accounts like Hiroshima's and Bryant's (or any of the emails I regularly receive from people who have had their accounts taken over) I'm both saddened that things like that still go on, and completely unsurprised.