I never had a good feeling with GoDaddy, their management console is bad, they are spamming you constantly with offers and their pricing is not transparent. And now this story. What are good alternatives for domain registration and DNS hosting?
Where are you from that you only have access to those few hosters? I think there are hundreds of hosters in Germany, at least somewhat like a dozen big ones which all do a pretty good job. Wonder why everybody seems to stick to GoDaddy, also in the tech scene.
I can’t say enough negative things about GoDaddy, and that is even not considering anything in this story. Please don’t use GoDaddy. If you have domains you really care about, consider Gandi.
There MUST be some sort of ISO certification for support people.
Assuming Twitter TOS prohibit trading in usernames, I'm not sure how you can value a username.
Biggest lesson I learned here: Long-lived TTLs for MX records seem ideal to prevent a custom-domain email takeover.
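The takeover in the article works because whoever controls the registrar account controls the zone, so the MX record can be pointed at an attacker's mail host and password-reset mail follows it. The script below is an added example (not code from the article or from anyone in this thread): it diffs a domain's live NS/MX answers against a known-good baseline and flags TTLs short enough for a swapped record to reach most resolvers within minutes. The domain, nameservers and DNS answers are constructed sample data so it runs offline; `fake_lookup` stands in for a real resolver call.

```python
"""Added example: detect a custom-domain mail takeover by diffing a domain's
live NS/MX answers against a known-good baseline, and flag TTLs short enough
for a swapped record to reach most resolvers within minutes.

The DNS answers below are CONSTRUCTED sample data so the script runs offline;
in real use, replace fake_lookup() with a resolver call (e.g. dnspython)."""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Record:
    rtype: str  # "NS" or "MX"
    value: str  # target hostname as returned by the resolver
    ttl: int    # seconds the answer may be cached


def canonical(name: str) -> str:
    """DNS names are case-insensitive; the trailing dot is presentation only."""
    return name.rstrip(".").lower()


def check_domain(baseline: Iterable[Record], current: Iterable[Record],
                 min_ttl: int = 3600) -> list[str]:
    """Return findings for the current answers compared with the baseline.

    UNEXPECTED: a record that was never in the baseline (attacker-added).
    MISSING:    a baseline record no longer served (legitimate host removed).
    SHORT_TTL:  a record whose TTL is below min_ttl; once an attacker swaps
                the record, resolvers holding the old one follow within ttl.
    """
    base = {(r.rtype, canonical(r.value)) for r in baseline}
    cur = {(r.rtype, canonical(r.value)) for r in current}
    findings = [f"UNEXPECTED {t} {v}" for t, v in sorted(cur - base)]
    findings += [f"MISSING {t} {v}" for t, v in sorted(base - cur)]
    findings += [f"SHORT_TTL {r.rtype} {canonical(r.value)} ttl={r.ttl}"
                 for r in current if r.ttl < min_ttl]
    return findings


# Known-good records for a hypothetical domain, as recorded at setup time.
BASELINE = [
    Record("NS", "ns1.example-dns.net.", 86400),
    Record("NS", "ns2.example-dns.net.", 86400),
    Record("MX", "mail.example.com.", 86400),
]

# Constructed "live" answers. "clean" is unchanged; "hijacked" is what a
# registrar-account takeover looks like: the MX now points at the attacker's
# host and carries a short TTL so caches roll over quickly.
SAMPLE_ANSWERS = {
    "clean": list(BASELINE),
    "hijacked": [
        Record("NS", "ns1.example-dns.net.", 86400),
        Record("NS", "ns2.example-dns.net.", 86400),
        Record("MX", "mx.attacker.example.", 300),
    ],
}


def fake_lookup(scenario: str) -> list[Record]:
    """Stand-in for a real resolver; returns the constructed answers above."""
    return SAMPLE_ANSWERS[scenario]


def audit(scenario: str,
          lookup: Callable[[str], list[Record]] = fake_lookup) -> list[str]:
    """Run the baseline comparison for one scenario (or one real domain)."""
    return check_domain(BASELINE, lookup(scenario))


if __name__ == "__main__":
    for name in SAMPLE_ANSWERS:
        print(name, audit(name) or ["OK"])
```

One caveat a long TTL does not remove: caching only protects resolvers that already hold the legitimate record. A mail server that has never looked up the domain asks the (now attacker-controlled) authoritative servers and gets the new MX at once, so a long TTL is a delay, not a defence. Run a check like this from a few vantage points on a schedule, and pair it with registrar 2FA and transfer locks.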
Anyone else's BS detector sounding off right now? This is certainly the most helpful "attacker" I've ever heard of, politely answering all kinds of detailed questions AFTER he got what he wanted. This story states the attacker was able to register a Twitter handle just minutes after the author changed his. Does Twitter actually allow this? Doesn't it lock up the old handle for a period of time? Seems like a basic security measure for Twitter to implement.
Unfortunately some domain registrars still don't work with less common TLDs. I'm stuck with GoDaddy unless someone knows a better registrar for .boston domains
I now also wonder if there's a domain registrar better than Godaddy, and better than Namecheap and Gandi. One where I can have a cryptographic guarantee of my control over domains.
geofft | 6 years ago
a) how the account got transferred back (did Twitter support do it)?
b) whether these specific attacks are still possible.
delfinom | 6 years ago
Why not? It's been proven over and over again that customer support can be manipulated easily. Most companies want their customer support to help the average user. The average user isn't being hacked but instead loses their passwords and access in a variety of ways. The cost of screwing over one customer compared to aiding the rest is nothing to them (because nobody has sued them for it yet and won).
Eric_WVGG | 6 years ago
This strikes me as bad advice. Getting access to a hijacked Google account is about as hopeless as everything else he got put through.
The point of failure wasn't "using a non-gmail address," it was "using an untrustworthy registrar."
And I know it's not a silver bullet, but it's unclear from the article that he was using MFA for his GoDaddy account.
brianmcd | 6 years ago
But wasn't his point that gmail.com is much less likely to have its MX record compromised than any domain you could possibly register? So using your gmail.com address removes the issue of registrar trustworthiness completely.
s_dev | 6 years ago
SIM hacking is now a thing to get around MFA but it wasn't as popular in 2014. Call up the telecom provider and use the same approach. Leverage Googleable info of the target person and use that as answers to the customer support rep's questions.
Klathmon | 6 years ago
They probably won't be the cheapest (most .com's are $12 a year), but they don't try to upsell much if at all, the pricing is really consistent and there are no surprises (no bullshit like the first year is $1 and the next year is $40 unless you remember to go do something), and their management UI is really nice.
I only have about 6 domains with them, so keep that in mind, but I've been extremely happy with the whole thing.
martin_a | 6 years ago
For Germany, just for reference, there is Webhostlist [0], which gives me over 400 different hosting packages (obviously not 400 hosters) available with at least one domain and an included SSL certificate. Starting at 0.38 € per month (.de domain included) with a one-time setup of 0.99 €.
[0]: https://www.webhostlist.de
codetrotter | 6 years ago
DNS: CloudFlare
mtmail | 6 years ago
The article reads "As of today, I no longer control @N. I was extorted into giving it up." I see he controls it again https://twitter.com/N
pfalafel | 6 years ago
It's a little odd that GoDaddy didn't have the credit card number from before the change.
docker_up | 6 years ago
Giving first line, poorly trained support people access to people's PII and the ability to change passwords is something that needs to be stopped. Social engineers are completely exploiting poorly trained, minimum wage workers for huge gains.
We need to have some sort of ISO certification so that front line support people must hand over any security information to highly trained second-tier staff. If EVERY company used the same subset of information to verify, under the guidance of well-trained staff with a consistent methodology across all companies, and didn't expose various bits and pieces of info (some use the last four of the SSN, some use credit card info, address, date of birth, etc.), then it would be extremely hard for social engineers to do hacks like this.
CiPHPerCoder | 6 years ago
Would it matter if there was?
You have to pay money to even read what the ISO standards say. The lack of ISO certification is not an impediment for most people or businesses.
dmitryminkovsky | 6 years ago
"Strangely, someone I don’t know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless." – what?
kylehotchkiss | 6 years ago
The bigger risk these days is how easy it is to lose your phone number, which seems to be the trendy way to break into accounts. Using Google Voice for SMS 2FA seems like an OK workaround until companies get a clue that phone numbers are barely tied to their user if access to the user's account is desired.
Welp, I wish Cloudflare would add Yubikey support now too to make it easier to lock down account.
joering2 | 6 years ago
Please don't. NameCheap is horrible at security of your account and at customer support in general; I personally had a battle with my ex (who just happened to know my name and DOB, very easy to find online anyways) and she was able to start a transfer of all my domains. I was able to get involved but it was a he-said/she-said battle for days during which all my domains were suspended, so no traffic and no sales online (loss of about $80,000). The big problem was that to cut cost NameCheap hires cheap helpers from the Eastern European bloc (just log in to their chat; you can quickly see by the names of the CS) and each helper was telling me (and her) a different story. Eventually it got "solved" after about five days when my ex just agreed to cancel the transfer altogether. This was circa 2016, unsure if anything changed, but I gradually moved out most of my domains (I prefer NameSilo and DynaDot these days - much more robust verification process).
Edit: to clarify: the domains have stayed with my ex and that was final decision of NameCheap since she was the one to answer security questions correctly. As I indicated, what solved the issue is she eventually decided to drop it and return them to me. A change of heart if you will.
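The transfer in the story above went through because registrar support unlocked it on the strength of security questions. The EPP status codes on a domain are the public record of whether that door is open: the client*Prohibited locks are set by the registrar (and can be cleared by its support staff), while the server*Prohibited locks ("registry lock") can only be cleared by the registry, normally after an out-of-band check with the registrant. The script below is an added example, not code from anyone in this thread: it reads a domain's RDAP record and reports missing locks, a missing registry lock, approaching expiry, and a recent change to the record. The RDAP document, domain name and dates are constructed sample data; in real use, fetch the record from a public RDAP bootstrap service (for example https://rdap.org/domain/<name>) or the registry's own RDAP server and pass the parsed JSON to `lock_report()`.

```python
"""Added example: inspect a domain's RDAP record for the locks that stop a
transfer or update, and flag the two conditions that usually precede a
hijack: the record was just changed, or the domain is about to expire.

SAMPLE_RDAP is a CONSTRUCTED document in the RDAP shape; nothing is fetched."""
import json
from datetime import datetime, timedelta, timezone

# Locks any registrar can set. RDAP spells them "client transfer prohibited"
# (RFC 8056); WHOIS/EPP spells them "clientTransferProhibited". Dropping
# spaces and case makes both forms compare equal.
REQUIRED_CLIENT_LOCKS = (
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
)
# Registry lock: only the registry clears these, so a registrar support agent
# talked into "helping" cannot.
REGISTRY_LOCKS = (
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
)


def norm(status: str) -> str:
    """Normalise an EPP or RDAP status string for comparison."""
    return status.replace(" ", "").lower()


def parse_time(stamp: str) -> datetime:
    # RDAP uses RFC 3339; fromisoformat() before Python 3.11 rejects a bare "Z".
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def lock_report(rdap: dict, now: datetime) -> dict:
    """Summarise lock state and timing from a parsed RDAP domain object."""
    have = {norm(s) for s in rdap.get("status", [])}
    events = {e["eventAction"]: parse_time(e["eventDate"])
              for e in rdap.get("events", []) if "eventDate" in e}
    expiry = events.get("expiration")
    changed = events.get("last changed")
    return {
        "missing_client_locks": [lock for lock in REQUIRED_CLIENT_LOCKS
                                 if norm(lock) not in have],
        "registry_locked": all(norm(lock) in have for lock in REGISTRY_LOCKS),
        "days_to_expiry": None if expiry is None else (expiry - now).days,
        "changed_within_7d": changed is not None
                             and now - changed < timedelta(days=7),
    }


def alerts(report: dict, expiry_warn_days: int = 45) -> list[str]:
    """Turn a report into human-readable alert lines (empty list = all good)."""
    out = []
    if report["missing_client_locks"]:
        out.append("missing locks: " + ", ".join(report["missing_client_locks"]))
    if not report["registry_locked"]:
        out.append("no registry lock")
    if (report["days_to_expiry"] is not None
            and report["days_to_expiry"] < expiry_warn_days):
        out.append(f"expires in {report['days_to_expiry']} days")
    if report["changed_within_7d"]:
        out.append("record changed in the last 7 days")
    return out


# Constructed RDAP response for a hypothetical domain: transfer and update
# locks present, delete lock missing, no registry lock, changed 3 days ago.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "example-shop.com",
  "status": ["client transfer prohibited", "client update prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2024-04-10T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2024-02-27T09:30:00Z"}
  ]
}""")
# Fixed "current time" so the sample evaluates the same way every run.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    for line in alerts(lock_report(SAMPLE_RDAP, SAMPLE_NOW)):
        print("ALERT:", line)
```

Run it daily against every domain you care about and alert on any change in the output; a cleared lock or a fresh "last changed" event is the earliest public signal that someone talked a registrar into touching the domain. The registry-lock check only tells you whether the lock is set; obtaining one is a paid, manual process that varies by registry and registrar.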
listenallyall | 6 years ago
And what does the Facebook account have to do with anything -- why would the attacker want it, and further, how did he steal that without already knowing the password (if the attacker couldn't receive Twitter's reset emails, he couldn't have received Facebook's either)? And if the attacker "was able to control my email" then how did the author continue to communicate, by email? There's just a lot to unravel here.
moate | 6 years ago
That's what's called "Self-justification". Helping your victim after victimizing them allows you to say "I'm not that bad, I'm helping make sure this doesn't happen again".
This is a terrible person doing bad things to other people. He could donate all the money he makes selling the user name to orphans and it still doesn't really justify the behavior.
Tepix | 6 years ago
I've used NameSilo and had no complaints. They offer 2FA. And they are a lot cheaper than GoDaddy.