How to run or ruin a company in 140 characters

British-born financier Nat Rothschild leaves after a Bumi shareholder meeting in London on Feb. 21, 2013. (Stefan Wermuth / Reuters)

LONDON – When Nat Rothschild, the co-founder of troubled miner ARMS, insulted his former investment partner on Twitter last week, he showed the power of social media for business leaders seeking publicity – but also the perils of saying the wrong thing.

“Whilst your dad is an evil genius,” the scion of the Rothschild banking dynasty tweeted to Aga Bakrie, “the word on the street is that you are extremely DUMB.”

The tweet made the front pages of media around the world as journalists, used to the measured language of corporate press releases, seized on a seemingly unguarded remark showing that even powerful businessmen can descend to playground taunts.

For Rothschild, the publicity was a welcome opportunity to revive interest in his long-running campaign against Indonesia’s influential Bakrie family, whom he blames for a plunge in the value of ARMS’ predecessor company. Within 24 hours, his number of followers on Twitter had jumped to 1,700 from 200.


But not all business leaders have been so fortunate with their apparently off-the-cuff remarks on social media.

Last year Michael O’Leary, boss of budget airline Ryanair , was denounced by one Twitter user as a “sexist pig” after he tweeted: “Nice pic. Phwoaaarr!” to a woman, whose image was shown during a live question and answer session.

The former chief executive of Britain’s Co-operative Group , meanwhile, laid open the divisions within the company in March when he accused one or more board members via Facebook of being “determined to undermine me personally” after his pay package was leaked to the press. He resigned a few days later.

Even Twitter boss Dick Costolo has got into hot water on the social media site, comparing academic Vivek Wadhwa to over-the-top U.S. comedian Carrot Top, after the professor was quoted as saying Twitter’s board lacked diversity.

Little surprise then that research last year by and Domo found 68 percent of Fortune 500 chief executives were not on any social network. Company bosses on Twitter are on the increase, up more than half from 2012 to 2013, but the number remains small, with just 28 of the top 500 CEOs on the site.

For many chief executives, the risks are just too high.

“Unless you’re happy for something to appear on the front page of a newspaper or on a newswire you shouldn’t really tweet it,” said Mary Whenman, managing director of corporate, financial and public affairs at PR agency Weber Shandwick.


While a dangerous platform for plain-speaking chief executives, social media has been used more effectively by activist investors looking to drum up support for a campaign.

Billionaire investor Carl Icahn, for example, used Twitter for months to urge Apple to buy back more shares, before the technology group eventually proposed in February a $14 billion stock repurchase programme.

Nat Rothschild himself, while insisting his outburst against Aga Bakrie was “instinctive”, concedes he joined Twitter a few weeks ago for “strategic reasons.”

“I’m interested in Indonesia and my investments, one of which has a serious litigation component to it, and in that respect I want to make sure people continue to focus on the situation,” he told Reuters.

Although announcing market-moving news over Twitter has been allowed in the United States since last year, it is off limits in Britain, where such news must first go through a regulated channel.

But Twitter allows businesses to jump into a moving news story and respond to events immediately.

“You can see how slow it is to use traditional emails and press release distribution systems,” said Rory Godson, founder of communications agency Powerscourt, who suggested to Rothschild he should join Twitter.

“It is definitely not suitable for everyone … but for Nat in this case it enables him to respond very quickly and it also enables him to build global support.”


Some business leaders do make it work.

Rupert Murdoch and Richard Branson are both seen within the communications industry as masters of moving minds with 140 characters or less, although they are protected by virtually unassailable positions within their own companies. Murdoch has around 500,000 followers on Twitter, and Branson four million.

Jeff Joerres, chief executive of staffing group Manpower who has over 7,000 Twitter followers, told Reuters the social network was an important way of giving big business a human face, though it was essential to know the boundaries.

“You’ve got to put a bit of personality and imagination into it, but not go overboard,” he said. “It’s my personal account, but at the same time it is not – I’m speaking as the company.”

One executive to have won plaudits for his use of Twitter is Paul Pester, boss of Britain’s TSB Bank, who jumped on to the social network in January to respond to complaints after thousands of cash machines failed. His personal tone in apologising and offering advice helped to manage the crisis.

For Whenman at Weber Shandwick, social media now has to be seen as part of being a CEO. “In the same way a chief executive of any FTSE 100 company needs to do media interviews, needs to go into analyst briefings, they also now need to have a social media profile. It’s a normal part of business life,” she said.

Manpower’s Joerres said Twitter, like drinking, was just a matter of knowing your limits.

“People only need to worry about it if they do something stupid,” he said. “I go to bars and don’t worry about it. You only go to bars and worry about it if you think you are going to do something stupid when you are drinking.”

(Additional reporting by Ben Hirschler)

Stephen Eisenhammer and Silvia Antonioli, Reuters



The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack

Christopher Null (@christophernull)
Jan 31, 2014 3:30 AM

Of all the lessons to be learned from the hacking of Naoki Hiroshima and the loss of his coveted @N Twitter handle, the most troubling is the one which will ultimately be the most difficult to solve. In online security, weak passwords and poor encryption standards may be part of the problem, but the biggest problem of all remains ourselves.

Hiroshima outlined the events that led up to the loss of his Twitter handle, which he valued at $50,000 based on previously received offers from would-be buyers, in a posting published on Medium on Wednesday. It wasn’t sophisticated password cracking or a zero-day, code-based exploit that sealed the deal. In fact, all it really took was a telephone call or two.

The saga began on Jan. 20 when Hiroshima reported that someone was attempting to hack into his Paypal account. Hiroshima had two-factor authentication set up, and when the attacker attempted to reset his password, he received a text message requesting his approval for the change, which he ignored.

Unable to get through Paypal’s gates, the attacker took a surprising next step, attacking Hiroshima’s personal domain name through his registrar, GoDaddy. The hacker got through GoDaddy’s security measures by calling a representative on the phone. The hacker claimed to be Hiroshima and said he was having trouble accessing his account. GoDaddy asked for the last six digits of his credit card number on file as proof of identity, which the hacker miraculously was able to provide.

How’d he do that? Again, via a simple phone call. That first volley at Paypal was no coincidence. According to Hiroshima, the hacker had also called Paypal’s support staff and used social engineering tricks to get that representative to tell him the last four digits of the credit card he had on file. (While the details of this conversation have not been published, it isn’t hard to imagine how it must have gone: “Hi, I lost my wallet and don’t know which credit card I have linked to my Paypal account. Can you tell me the last four digits you have on file so I know if I need to change the card on my Paypal account?” Or something like that.)

The hacker then took those four digits and was—amazingly—able to parlay that into the last six digits. How? According to Hiroshima’s narrative, the GoDaddy support agent simply let the hacker guess them, two by two, until he struck upon the right combination, unleashing the keys to the account. With four of the six digits already in hand, only two were unknown, so there were at most 100 combinations to try, and an agent who keeps answering “no, try again” turns the check into a guessing game the caller cannot lose. The hacker reported to Hiroshima that he told GoDaddy he’d lost his card, but remembered the last four digits, opening the door for the guesswork operation. The hacker got it all done in one call.

All of this was prologue to the hacker’s ultimate goal. With his GoDaddy account in hand, the hacker extorted Hiroshima to hand over the @n handle, which he did. A variety of investigations are now ongoing, but @n is now in the hands of one “Badal_NEWS.”

Social engineering still works… and works well

What went wrong? It’s easy to say Paypal and GoDaddy share the blame, but the common denominator in both cases is simple human nature. To really understand how social engineering like this works, put yourself in the shoes of the company that receives the phone call from the hacker. A panicked user calls you, asking for your help with a problem. He’s been the victim of a crime or an accident, and the standard security systems available on the Web aren’t helping him. A company like Paypal probably receives thousands of calls like this every day, and the vast majority are likely totally legitimate—real people in real crisis.

It’s natural to want to help these people, and a good hacker will have acting skills that are just as developed as his tech skills. But considering the general level of training and experience that most tier one tech support operators have, it probably doesn’t take a lot of convincing to trick them into giving up data that they have no business handing out over the phone. To quote David Mamet, “It’s called a confidence game. Why? Because you give me your confidence? No. Because I give you mine.”

Paypal has denied that its employees released Hiroshima’s personal or credit card information. GoDaddy has ‘fessed up to its part of the problem, saying it is “making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.”

That same rhetoric is used every time a big hack takes place. Apple, for example, briefly froze all over-the-phone password resets after reporter Mat Honan was catastrophically attacked in 2012. The average computer user has dozens of active online accounts, and they’ll never all be locked down tight. If a hacker can’t grab your Paypal account or your GoDaddy account, he’ll simply go after another one. Eventually someone will answer the phone.

Imperfect solutions are better than none

Hiroshima offered a few tips in his Medium post that you can use to help protect yourself. Don’t use an email address tied to a personal domain for logins. Increase the time to live (TTL) on your mail server’s MX record to give you more time to plan a response if someone takes over your domain. And use two-factor authentication wherever possible. The hacker in the case also gave Hiroshima some good advice: If you’re worried about attacks, call the company (Paypal in this case) and ask them to make a note on your file not to release any details about your account over the phone. It can’t hurt.

Consider using different credit cards for different services. In Hiroshima’s case, had he tied Paypal and GoDaddy to different cards, the hacker wouldn’t have been able to complete his two-step attack in the manner he did. Some banks will also issue one-time card numbers which you can use, say, when paying for a ten-year domain registration, then burn forever.
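To make the two-step attack concrete, and to show why an attempt limit or a different card on file defeats it, here is a small model of the phone-verification step. It is an added illustration, not code from the article, Paypal or GoDaddy; the card digits are constructed sample values, and the SupportDesk class, its attempt limit and the pivot_attack function are assumptions made for the demonstration.

```python
"""Model of the phone-verification pivot described in the article.

Added illustration, not code from Paypal, GoDaddy or the article. The card
digits below are constructed sample values, not a real card number.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Constructed sample: last six digits of the card "on file" at the registrar.
CARD_ON_FILE_LAST6 = "731947"


@dataclass
class SupportDesk:
    """A support agent checking a caller's claim of the last six card digits.

    max_attempts=None reproduces the behaviour the article describes: the agent
    keeps saying "no, try again" for as long as the caller wants to guess.
    A small limit followed by a lockout is the hardened policy.
    """
    last6: str
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    def verify(self, claimed_last6: str) -> bool:
        if self.locked:
            return False
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # further answers are refused, even a correct one
            return False
        self.attempts += 1
        return claimed_last6 == self.last6


def candidate_last6(last4: str) -> Iterator[str]:
    """All six-digit endings consistent with a known last four: 10**2 == 100 of them."""
    for prefix in range(100):
        yield f"{prefix:02d}{last4}"


def expected_attempts(unknown_digits: int) -> float:
    """Average guesses to hit one of 10**k equally likely values with unlimited tries."""
    return (10 ** unknown_digits + 1) / 2


def pivot_attack(desk: SupportDesk, last4_from_other_service: str) -> Tuple[Optional[str], int]:
    """Replay the attacker's move: take the last four learned elsewhere, guess the rest.

    Returns (recovered last six or None, number of verification attempts consumed).
    """
    for guess in candidate_last6(last4_from_other_service):
        if desk.verify(guess):
            return guess, desk.attempts
        if desk.locked:
            break
    return None, desk.attempts


if __name__ == "__main__":
    # 1. No attempt limit (the policy the article describes): the attack always succeeds.
    print(pivot_attack(SupportDesk(CARD_ON_FILE_LAST6), "1947"))
    # 2. Three attempts then lockout: succeeds only if the right pair is among the first three.
    print(pivot_attack(SupportDesk(CARD_ON_FILE_LAST6, max_attempts=3), "1947"))
    # 3. A different card on file at the registrar: the stolen last four are useless.
    print(pivot_attack(SupportDesk(CARD_ON_FILE_LAST6), "5555"))
    print(expected_attempts(2))
```

With the sample digits the unlimited desk gives up the full six digits on the 74th guess, and on average an attacker needs about 50 guesses; a three-attempt lockout leaves the caller with a 3 percent chance and a frozen verification path. A real policy should also refuse to confirm partial matches and treat repeated identity failures on one account as a reason to escalate rather than to keep answering.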

You might consider undertaking a faux attack of your own account as a test. Call your providers and see what they’ll divulge over the phone. Beg and plead and rely on human nature to cajole them into helping you. If you’re not satisfied that they’ll stick to their policies and protect your personal information, it’s probably time to jump ship.