Jan 29 2014, 11:42pm CST | by Forbes
Naoki Hiroshima, a developer of social apps like Echofon and Cocoyon, was used to people trying to steal his rare Twitter username, @N. He regularly received password reset instructions from people who were trying to gain control of his account, which he had acquired in 2007.
Once, he was even offered $50,000. He turned it down.
Ten days ago, an @N-coveting ne’er-do-well figured out a way to get Hiroshima to give up his Twitter handle. In the process, he may have committed a near-perfect crime.
Hiroshima recounted the sorry tale in a post on Medium: “My $50,000 Twitter Username Was Stolen Thanks to PayPal and GoDaddy .”
The would-be blackmailer, who goes by the moniker “Social Media King,” and uses an email address “firstname.lastname@example.org,” began his attack by looking for leverage. He noticed that Hiroshima had registered several domains through the GoDaddy domain registration service. He figured control of those domains could lead to control of @N.
In a few simple steps, Social Media King circumvented the security measures of PayPal and GoDaddy. Within minutes, Hiroshima’s domains were his.
Here’s how Social Media King did it. First, he called PayPal. Posing as an employee, he persuaded another, real employee to provide the last four digits of Hiroshima’s credit card. Next, Social Media King called GoDaddy. He told them he had lost his credit card, but that he remembered the last four digits. GoDaddy then let the attacker guess the first two digits of the card. He did so correctly, and GoDaddy gave him access to Hiroshima’s account. Once Social Media King was in, he changed all of Hiroshima’s account information.
As part of GoDaddy’s security practices, the company duly informed Hiroshima that his account settings had changed. Hiroshima called GoDaddy to explain the situation. But he was confounded when the representative asked for the last six digits of his credit card to confirm his identity. Unfortunately for Hiroshima, Social Media King had already changed the credit card number on file. Hiroshima was now nobody as far as GoDaddy was concerned.
By taking over Hiroshima’s GoDaddy accounts, Social Media King was also able to take over his email and his Facebook account. Friends began to alert Hiroshima that his Facebook account was acting funny. But @N was linked to an email address that Social Media King did not control. It was still out of reach.
In response to reporters’ questions about Hiroshima’s story, @AskPayPal tweeted “our investigation did NOT disclose any credit card details. More info soon.” Twitter said it is investigating but does not comment on individuals’ accounts. GoDaddy has not yet responded to a request for comment.
In the mid-afternoon of January 20, Social Media King sent a blackmail note to Hiroshima. “I would like to inform you that your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by GoDaddy and never seen again D:
“I see you run quite a few nice websites, so I have left those alone for now, all the data on the sites has remained intact. Would you be willing to compromise? Access to @N for about 5 minutes while I swap the handle in exchange for your GoDaddy and help securing your data?”
Hiroshima pondered the request for a few hours. Finally, he concluded “giving up the account right away would be the only way to avoid an irreversible disaster.”
He released @N. In exchange, the attacker helpfully provided some tips to Hiroshima so that he could avoid becoming a victim in the future.
First, he suggested calling PayPal and asking an agent to add a note to his account not to release details over the phone.
Second, he suggested switching to a more secure registrar like NameCheap or eNom.com.
Looking back, Hiroshima has some suggestions of his own.
Hiroshima advises not using emails based on custom domains (like email@example.com) to log in to services you value. If the registrar of those domains is compromised, then you can kiss the security of your emails goodbye. It can also be helpful to protect particularly sensitive data with two-factor authentication, which requires a user to enter both a password and a special code that is sent to his or her phone.
Finally, Hiroshima urges making a technical change to your mail server records that would delay the time it takes for a change to take effect. Time is the enemy of the digital attacker. The longer it takes to pull off a heist, the more exposed an attacker becomes.
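As an added example (not from the article or from Hiroshima's post), the following script audits the mail server records of a constructed zone file. It assumes the "technical change" is a longer TTL on the MX records: resolvers keep a cached MX answer for its TTL, so a hijacked zone needs at least that long before every sender, including password-reset mail, follows the attacker's new records.

```python
# Added example (not from the article or from Hiroshima's post). It assumes
# the "technical change" is a longer TTL on the MX records: resolvers keep a
# cached MX answer for its TTL, so a hijacked zone needs at least that long
# to redirect all inbound mail, including password-reset messages.
import re

# Constructed BIND-style zone fragment for a hypothetical domain.
SAMPLE_ZONE = """
$TTL 3600
example.test.        3600  IN  NS    ns1.example.test.
example.test.         300  IN  MX    10 mail1.example.test.
example.test.              IN  MX    20 mail2.example.test.
www.example.test.    3600  IN  A     192.0.2.10
"""

# owner, optional TTL, optional class, MX, priority, exchange
MX_RE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)


def parse_mx(zone_text):
    """Return (owner, ttl, priority, exchange) for every MX record.
    A record without an explicit TTL inherits the $TTL default."""
    default_ttl = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop zone-file comments
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        m = MX_RE.match(line)
        if m:
            owner, ttl, prio, exchange = m.groups()
            records.append((owner, int(ttl) if ttl else default_ttl,
                            int(prio), exchange))
    return records


def short_mx_ttls(zone_text, min_ttl=86400):
    """Flag MX records whose TTL is below min_ttl (default: one day).
    Each hit is (owner, ttl, priority, exchange, hours_of_cached_protection)."""
    return [(o, t, p, x, 0 if t is None else round(t / 3600, 2))
            for o, t, p, x in parse_mx(zone_text)
            if t is None or t < min_ttl]


if __name__ == "__main__":
    for owner, ttl, prio, exch, hours in short_mx_ttls(SAMPLE_ZONE):
        print(f"{owner} MX {prio} {exch}: TTL {ttl}s, ~{hours}h of cached protection")
```

Raising the TTL does not stop a takeover; it only buys the legitimate owner time to notice a registrar notification like the one Hiroshima received and react before inbound mail moves.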
The beauty of the @N heist, from Social Media King’s perspective, was that in an era where everyone leaves digital fingerprints behind wherever they go, he was able to wipe his clean. Law enforcement agencies, already struggling with the enormous rise in digital crime, are unlikely to devote resources to figure out why the ownership of a Twitter handle changed hands.
Today, @N is a locked account. The profile picture features an anonymous person in a hoodie. Only confirmed users can follow @N’s tweets.
For now, Social Media King is lying low. But at some point, the hype will die down. The heist will be forgotten. And @N will likely be for sale.