The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack
Hiroshima outlined the events that led up to the loss of his Twitter handle, which he valued at $50,000 based on previously received offers from would-be buyers, in a posting published on Medium on Wednesday. It wasn’t sophisticated password cracking or a zero-day, code-based exploit that sealed the deal. In fact, all it really took was a telephone call or two.
The saga began on Jan. 20 when Hiroshima reported that someone was attempting to hack into his Paypal account. Hiroshima had two-factor authentication set up, so when the attacker attempted to reset his password, Hiroshima received a text message requesting his approval for the change, which he ignored.
Unable to get through Paypal’s gates, the attacker took a surprising next step, attacking Hiroshima’s personal domain name through his registrar, GoDaddy. The hacker got through GoDaddy’s security measures by calling a representative on the phone. The hacker claimed to be Hiroshima and said he was having trouble accessing his account. GoDaddy asked for the last six digits of his credit card number on file as proof of identity, which the hacker miraculously was able to provide.
How’d he do that? Again, via a simple phone call. That first volley at Paypal was no coincidence. According to Hiroshima, the hacker had also called Paypal’s support staff and used social engineering tricks to get that representative to tell him the last four digits of the credit card he had on file. (While the details of this conversation have not been published, it isn’t hard to imagine how it must have gone: “Hi, I lost my wallet and don’t know which credit card I have linked to my Paypal account. Can you tell me the last four digits you have on file so I know if I need to change the card on my Paypal account?” Or something like that.)
The hacker then took those four digits and was—amazingly—able to parlay them into the last six. How? According to Hiroshima’s narrative, the GoDaddy support agent simply let the hacker guess the two missing digits, one pair after another, until he struck upon the right combination (there are only 100 possible pairs), unleashing the keys to the account. The hacker reported to Hiroshima that he told GoDaddy he’d lost his card but remembered the last four digits, opening the door for the guesswork operation. The hacker got it all done in one call.
All of this was prologue to the hacker’s ultimate goal. With Hiroshima’s GoDaddy account in hand, the hacker extorted Hiroshima into handing over the @n handle, which he did. A variety of investigations are now ongoing, but @n is now in the hands of one “Badal_NEWS.”
Social engineering still works… and works well
What went wrong? It’s easy to say Paypal and GoDaddy share the blame, but the common denominator in both cases is simple human nature. To really understand how social engineering like this works, put yourself in the shoes of the company that receives the phone call from the hacker. A panicked user calls you, asking for your help with a problem. He’s been the victim of a crime or an accident, and the standard security systems available on the Web aren’t helping him. A company like Paypal probably receives thousands of calls like this every day, and the vast majority are likely totally legitimate—real people in real crisis.
It’s natural to want to help these people, and a good hacker will have acting skills that are just as developed as his tech skills. But considering the general level of training and experience that most tier-one tech support operators have, it probably doesn’t take a lot of convincing to trick them into giving up data that they have no business handing out over the phone. To quote David Mamet, “It’s called a confidence game. Why? Because you give me your confidence? No. Because I give you mine.”
Paypal has denied that its employees released Hiroshima’s personal or credit card information. GoDaddy has ‘fessed up to its part of the problem, saying it is “making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”
That same rhetoric is used every time a big hack takes place. Apple, for example, briefly froze all over-the-phone password resets after reporter Mat Honan was catastrophically attacked in 2012. The average computer user has dozens of active online accounts, and they’ll never all be locked down tight. If a hacker can’t grab your Paypal account or your GoDaddy account, he’ll simply go after another one. Eventually someone will answer the phone.
Imperfect solutions are better than none
Hiroshima offered a few tips in his Medium post that you can use to help you protect yourself. Don’t use an email address tied to a personal domain for logins, since whoever controls the domain’s DNS can redirect your mail and reset your passwords. Increase the time to live (TTL) on your domain’s MX records, so that resolvers keep delivering mail to your real server for longer after an attacker changes the records, giving you more time to plan a response if someone takes over your domain. (This only buys time with resolvers that already have the old record cached, and it makes your own legitimate changes equally slow to propagate.) And use two-factor authentication wherever possible. The hacker in the case also gave Hiroshima some good advice: If you’re worried about attacks, call the company (Paypal in this case) and ask them to make a note on your file not to release any details about your account over the phone. It can’t hurt.
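The MX TTL advice is easy to check against your own domain. The following script is an added example, not code from the original article or from Hiroshima’s post: it reads the answer section that `dig +noall +answer MX <domain>` prints and flags any MX record whose TTL is shorter than a chosen minimum. The domain `example.com`, the mail hosts and the TTL values in the embedded sample are constructed for illustration; the one-week threshold is an assumption, not a figure from the article.

```shell
#!/bin/sh
# Added example: check whether a domain's MX records carry a TTL long
# enough to give you warning time if someone changes them at the registrar.
# Reads dig's answer section on stdin. Sample data below is constructed.

# Minimum TTL in seconds considered "enough warning" (assumed: one week).
MIN_TTL=${MIN_TTL:-604800}

# check_mx_ttl: read `dig +noall +answer` lines from stdin, print one line per
# MX record, and return 1 if any MX TTL is below MIN_TTL, 0 otherwise.
# Non-MX records (A, NS, comments, blank lines) are ignored.
check_mx_ttl() {
    status=0
    while read -r name ttl class type prio target; do
        case "$type" in
            MX) ;;
            *) continue ;;
        esac
        if [ "$ttl" -lt "$MIN_TTL" ]; then
            echo "SHORT  $name ttl=${ttl}s -> $target (below ${MIN_TTL}s)"
            status=1
        else
            echo "OK     $name ttl=${ttl}s -> $target"
        fi
    done
    return $status
}

# Constructed sample in dig's answer format: a one-hour TTL, the kind of
# value that lets a hijacked MX record take effect within the hour.
sample_answer() {
    cat <<'EOF'
example.com.		3600	IN	MX	10 mail1.example.com.
example.com.		3600	IN	MX	20 mail2.example.com.
EOF
}

# Stand-alone demo against the constructed sample. For a real check, replace
# sample_answer with:  dig +noall +answer MX yourdomain.example
sample_answer | check_mx_ttl || echo "at least one MX record has a short TTL"
```

Run it against your own zone by piping the real `dig` output into `check_mx_ttl`; a record that passes is one whose cached copy will outlive the time you need to notice a registrar change and get the domain back.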
Consider using different credit cards for different services. In Hiroshima’s case, had he tied Paypal and GoDaddy to different cards, the hacker wouldn’t have been able to complete his two-step attack in the manner he did. Some banks will also issue one-time card numbers which you can use, say, when paying for a ten-year domain registration, then burn forever.
You might consider undertaking a faux attack of your own account as a test. Call your providers and see what they’ll divulge over the phone. Beg and plead and rely on human nature to cajole them into helping you. If you’re not satisfied that they’ll stick to their policies and protect your personal information, it’s probably time to jump ship.