
Developer Loses Single-Letter Twitter Handle Through Extortion

Unknown Lamer posted about 9 months ago | from the kevin-mitnick-returns-to-get-a-cool-twitter-handle dept.


Hugh Pickens DOT Com writes "Naoki Hiroshima, creator of Cocoyon and a developer for Echofon, writes at Medium that he had a rare one-letter Twitter username — @N — and had been offered as much as $50,000 for its purchase. 'People have tried to steal it. Password reset instructions are a regular sight in my email inbox,' writes Hiroshima. 'As of today, I no longer control @N. I was extorted into giving it up.' Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account. 'Most websites use email as a method of verification. If your email account is compromised, an attacker can easily reset your password on many other websites. By taking control of my domain name at GoDaddy, my attacker was able to control my email.' Hiroshima received a message from his extortionist. 'Your GoDaddy domains are in my possession, one fake purchase and they can be repossessed by godaddy and never seen again. I see you run quite a few nice websites so I have left those alone for now, all data on the sites has remained intact. Would you be willing to compromise? access to @N for about 5 minutes while I swap the handle in exchange for your godaddy, and help securing your data?' Hiroshima writes that it's hard to decide what's more shocking, the fact that PayPal gave the attacker the last four digits of his credit card number over the phone, or that GoDaddy accepted it as verification. Hiroshima has two takeaways from his experience: Avoid custom domains for your login email address and don't let companies such as PayPal and GoDaddy store your credit card information."


"Social engineering" (-1)

Anonymous Coward | about 9 months ago | (#46100561)

A problem only concerning the gullible. If you're worthless and superficial, of course people will be able to fool you by acting.

"Hiroshima writes that a hacker used social engineering with Paypal to get the last four digits of his credit card number over the phone then used that information to gain control of his GoDaddy account."

What an idiot.

Re:"Social engineering" (4, Insightful)

hawkinspeter (831501) | about 9 months ago | (#46100573)

Who, the person working at GoDaddy? Or the owner of the domain for using GoDaddy?

Re:"Social engineering" (2)

Anonymous Coward | about 9 months ago | (#46100675)

So Hiroshima is an idiot because someone convinced an employee at PayPal that he was in fact the account owner and to give out the last 4 digits of someone else's credit card?

Or is he an idiot because someone at GoDaddy, who was also in breach of proper authentication of account ownership, gave access to the person with the last 4 digits of the credit card number?

Help me out here, I am so confused about how him being less "worthless and superficial" would have stopped someone else from giving out his account information.

Re:"Social engineering" (-1)

Anonymous Coward | about 9 months ago | (#46100903)

My comment did not mention Hiroshima, but Hiroshima is an idiot for dealing with companies that are known to be shitty.

the moral of the story (5, Insightful)

royallthefourth (1564389) | about 9 months ago | (#46100569)

like so many other articles, this just seems like another reminder to never ever use godaddy

Re:the moral of the story (4, Insightful)

davek (18465) | about 9 months ago | (#46100613)

like so many other articles, this just seems like another reminder to never ever use godaddy

Perhaps this is more of an indictment of using ANY non-big-brother email provider for login information to ANY domain registrar. It seems to me the crux of this attack was to a) gain access to the victem's domain registrar account and then b) hijack the domain MX record so all email to that domain goes to the attacker's server. At that point, you can reset all the victem's passwords to all accounts and ALL password reset emails will go to the attacker.

Time to enable 2-factor on all my registrar accounts.

Re:the moral of the story (1, Insightful)

davek (18465) | about 9 months ago | (#46100635)

gain access to the victem's domain registrar account

Sometimes I hate not being able to spell :(

Re:the moral of the story (-1)

Anonymous Coward | about 9 months ago | (#46100723)

Misspelled twice, the same way. Remember folks: always drink your coffee before posting to ./

Re:the moral of the story (1)

Anonymous Coward | about 9 months ago | (#46100961)

You didn't misspell twice, you misspelled victim. Oh, wait..

Re:the moral of the story (4, Insightful)

rwven (663186) | about 9 months ago | (#46100645)

Two-factor probably wouldn't have helped here. They reset the account credentials, assuming the owner lost the ability to log in. That would have included resetting any "2nd factor."

I don't think any action on the user's part would have helped any of this other than maybe his comment about the TTL on the MX record.

Re:the moral of the story (1)

hawkinspeter (831501) | about 9 months ago | (#46100767)

How about if he'd used GMail or a similar mail provider? It sounds like the problem was that he was using his own domain for email and GoDaddy was the weakest link.

Re:the moral of the story (2)

sodul (833177) | about 9 months ago | (#46101013)

You can use gmail with your own domain name. It used to be free (and still free if you got grandfathered in). There are good reasons to use your own domain name with or without gmail. Most notably it looks more professional and you can actually have a very nice looking email instead of @gmail.com. I have @.com, and my last name is 4 letters. It can also be more secure if you provide smtp access over ssl for your organization, and so email within your own domain is usually fully encrypted while going over the public internet.

Gmail has been shown on a napkin to be pretty much fully readable while being transferred from one Google DC to an other one.

Re:the moral of the story (5, Funny)

ArhcAngel (247594) | about 9 months ago | (#46101015)

gmail would have worked. Google never answers the phone or email support requests anyway.

Re:the moral of the story (3, Insightful)

rwven (663186) | about 9 months ago | (#46100623)

Or paypal? IMHO they're the ones who enabled the entire operation here. They gave away the last four digits of the guy's credit card to a stranger...

Granted, godaddy should have required a photo id as well.

They're both rubbish.

Re:the moral of the story (4, Insightful)

Anonymous Coward | about 9 months ago | (#46100851)

They gave away the last four digits of the guy's credit card to a stranger...

I'm not going to defend paypal, but the last 4 digits are generally considered safe to identify a distinct credit card without sharing enough information to allow identity theft. That godaddy accepted the last 4 digits as proof of ownership is far more disturbing than that paypal probably asked 'will this be using the card ending with "1234"?' while the scammer was digging for info.

Still, I've been avoiding paypal since I got over my old ebay habit. [cue Weird Al song]

Re:the moral of the story (5, Insightful)

David_W (35680) | about 9 months ago | (#46100859)

They gave away the last four digits of the guy's credit card to a stranger...

Not to defend PayPal, but the last 4 digits are often not treated as particularly secret. They put it on your credit receipts, many sites show them to help you figure out which card you have registered with them... Yeah, PayPal shouldn't be giving it out, but GoDaddy really really shouldn't be using it as some sort of ID verification. One of these is kinda dumb, the other is weapons-grade dumb.

Re: the moral of the story (1)

techprophet (1281752) | about 9 months ago | (#46100625)

I never understood why people did in the first place. Their website has always been ugly as sin and barely functional; their tv advertisements have never had anything to do with their actual business; they get way more bad press than good (have they ever gotten good press?).

Re: the moral of the story (4, Insightful)

SuricouRaven (1897204) | about 9 months ago | (#46100709)

But they are cheap.

Re: the moral of the story (1)

nullchar (446050) | about 9 months ago | (#46100933)

Many other registrars are inexpensive too like NameCheap and Gandi and BigRock.

Re: the moral of the story (1)

sodul (833177) | about 9 months ago | (#46101069)

But not the cheapest. 1and1.com is just as cheap if not cheaper and their website is a lot more professional. Godaddy feels like you are on a malware site.

Re: (1)

davide marney (231845) | about 9 months ago | (#46100761)

The moral is to not use a Registrar that allows domain updates from any IP. easydns.com, for example, can be configured to allow DNS updates only from a list of known IPs. That would stop this kind of deviltry in its tracks.

Re: (1)

Anonymous Coward | about 9 months ago | (#46100943)

And when your ISP hands you a new IP in a new range you've locked yourself out of your sites with that idea. Good job.

Re:the moral of the story (-1, Troll)

Zontar_Thing_From_Ve (949321) | about 9 months ago | (#46100817)

like so many other articles, this just seems like another reminder to never ever use godaddy

Huh. The conclusion I came to is "NEVER use Twitter". I've deliberately refused to join it and that just reinforced why I refuse to do so. I can't be targeted for my Twitter handle if I don't use the service. GoDaddy has its problems for sure (and I admit to being a customer at present) but I'm not totally convinced that no other registrar wouldn't have done the same thing.

Re:the moral of the story (1)

Anonymous Coward | about 9 months ago | (#46100901)

And remember, you can't ever be targeted for monetary extortion if you never have any money.

Way to miss the point there...

Re:the moral of the story (1)

Anonymous Coward | about 9 months ago | (#46100977)

> The conclusion I came to is "NEVER use Twitter".

You can replace the word Twitter everywhere in this story with your service of choice, and still be extorted for the account. Why do you think that avoiding twitter saves you from this kind of fraud?

Re:the moral of the story (4, Insightful)

Antipater (2053064) | about 9 months ago | (#46101023)

How in the world is that the conclusion you came to? Hiroshima's Twitter handle, in this case, was simply the thing-of-value stolen by the extortionist. The story would have unfolded exactly the same way for a 2-digit Slashdot UID, or a valuable physical object, or just plain old cash. This story is about the method of extortion, not about the target.

If a friend says "I got mugged," do you reply "well, you shouldn't have been carrying a wallet"?

Sounds like a lawsuit waiting to happen (4, Insightful)

Rinisari (521266) | about 9 months ago | (#46100583)

Methinks if Mr. Hiroshima had the funds available, or a pro-bono lawyer stepped in, there's grounds for a lawsuit against at least PayPal if not also GoDaddy.

Re:Sounds like a lawsuit waiting to happen (5, Insightful)

squiggleslash (241428) | about 9 months ago | (#46100777)

Why Paypal?

The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

GoDaddy was insane to consider it valid authentication information. You might just as well treat someone's name as their password.

Re:Sounds like a lawsuit waiting to happen (5, Insightful)

rudy_wayne (414635) | about 9 months ago | (#46100921)

Why Paypal?

The last four digits of your credit card are printed on pretty much every receipt, shown on every order confirmation page, every "My account saved credit cards" screen, and are usually shown in addition to an expiration date. That's information that's never been considered confidential - quite the opposite indeed. It's pretty much public information.

True, but irrelevant. Think about that for a minute -- you call PayPal and tell them:

"I have forgotten the last 4 digits of my credit card number, can you give them to me".

In what bizarro parallel universe does that even make sense? There is no amount of "social engineering" that can explain why you need someone to tell you the last 4 digits of YOUR credit card.

PayPal needs to be reamed for such a major fuck up.

Re:Sounds like a lawsuit waiting to happen (5, Insightful)

femtobyte (710429) | about 9 months ago | (#46101073)

"I have forgotten the last 4 digits of my credit card number, can you give them to me".

"Hi, Paypal phone service person, I recently switched banks, and I think I might need to update my card info. I forget if I did this earlier --- can you tell me which card you've already got on file for me? Just the last four digits would be enough, thanks."

Re:Sounds like a lawsuit waiting to happen (1)

Anonymous Coward | about 9 months ago | (#46101001)

Credit card processors are responsible for the security of the information in their possession. If my company ever did that, our ability to process credit cards would be revoked.

Don't think custom domains were his problem (4, Insightful)

egranlund (1827406) | about 9 months ago | (#46100585)

Avoid custom domains for your login email address

Honestly, I don't think that would have helped. I doubt it's much harder to gain control of someone's gmail, yahoo or hotmail account if they are as motivated as it sounds like his attacker was.

Once you gain control of anyone's email account, even if the attacker doesn't have custom domains to hold for ransom, they could easily threaten bank accounts, etc etc.

Re:Don't think custom domains were his problem (3, Insightful)

Nemyst (1383049) | about 9 months ago | (#46100729)

If your Google account doesn't have your credit card number on file and uses two-factor auth, I think it'd be a lot harder to crack into it even using social engineering. The problem is always that most sites are designed so that in the event of people forgetting EVERYTHING, they can still recover their account somehow. If we accepted that losing your password, your security data for recovery and your two-factor auth would mean you lose your account (or you need something very, very elaborate to recover it, much more than just your last four CC numbers), security would be improved.

The problem is that for every super-focused hack like this one, there's a thousand people who forget their access credentials and want their account back, so it makes more sense to have lax security and cover the biggest proportion of your audience.

Re:Don't think custom domains were his problem (1)

darkmeridian (119044) | about 9 months ago | (#46100827)

The problem with custom domains is that it created another attack vector that no one really thinks about. The attacker hijacked his mx records and directed his email away. Up until now, I was sitting pretty thinking that I was safe because I used LastPass to create a long fucking Google Apps password and Google Authenticator for two-factor security. I never considered the notion that someone could hijack my mx records. I'm going over to namecheap to enable two-factor authentication.

Two-factor on GoDaddy? (2)

Admodieus (918728) | about 9 months ago | (#46100595)

If your account has two-factor enabled, any account change will require entry of that limited-time token. Now, if the person doing the social engineering was able to access the account in the first place with only the last four digits of the card number, then they may have also been able to bypass this or turn it off with the help of the customer support rep. But I didn't see any mention of this in the article and wanted to point it out for those who use GoDaddy and are afraid of a similar situation occurring.

Re:Two-factor on GoDaddy? (5, Interesting)

jaymz666 (34050) | about 9 months ago | (#46100627)

the godaddy person let him keep trying various numbers until it worked. How can you trust them when it comes to security at all.

These companies need to be held accountable for their actions.

Re:Two-factor on GoDaddy? (1)

AuMatar (183847) | about 9 months ago | (#46100641)

Are you sure about that? My guess would be that they have internal tools that can get around the 2 factor authentication; what would happen if you lost the token generator? In that case social engineering would still work.

Re:Two-factor on GoDaddy? (2)

rwven (663186) | about 9 months ago | (#46100695)

Godaddy would have just removed the 2nd factor for the same reason they handed over the "1st" factor. Hiroshima pretended he was the user, who has lost the ability to log in. They would have just reset the password and removed two-factor authentication from the account after the identity was "verified."

Re:Two-factor on GoDaddy? (0)

Anonymous Coward | about 9 months ago | (#46100785)

Hiroshima pretended he was the user

I think you may have the people in this story mixed up.

I must be missing something. (0)

Anonymous Coward | about 9 months ago | (#46100607)

Can't he just get the domains back and then alert twitter to reclaim his handle??

Re:I must be missing something. (1)

jaymz666 (34050) | about 9 months ago | (#46100659)

The attacker changed all the godaddy customer information, Godaddy doesn't believe he's the owner of the domains.

Re:I must be missing something. (0)

Anonymous Coward | about 9 months ago | (#46100797)

Maybe he never was the owner?

If he was then his registrar could lookup when the account was last changed, what the previous data was, and what to revert it back to.

Re:I must be missing something. (4, Insightful)

geogob (569250) | about 9 months ago | (#46100825)

That's totally absurd. I can't believe a service provider like Godaddy has no record history or history of customer information change. Of course, this historical information may not be available to the first level of customer support. But come on... that shouldn't be the end of it.

Actually, I'm surprised that a service like Godaddy doesn't have checks in place for cases like this. An account where ALL the customer information is changed within a short period of time should raise alarm bells. The owner, under the contact information previously available, should automatically be contacted.
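The check proposed in the post above, written out as an added example that is not from Slashdot, the commenter or any registrar: a detector run over a constructed account audit log (the pipe-delimited line format, the account ids and the contact values are all assumptions) that flags an account whose email, phone, name and address are all changed within one hour, and reports the values that were on file before the burst, which is where a notification to the previous owner should be sent.

```python
from datetime import datetime, timedelta

# Contact fields that, when all changed together, look like a takeover rather than a routine edit.
CONTACT_FIELDS = {"email", "phone", "name", "address"}
WINDOW = timedelta(hours=1)

# Constructed audit log, one "timestamp|account|field|old|new" line per change.
# The format, accounts and values are made up for this example; acct-42 shows the
# pattern in the post (every contact field rewritten in a few minutes), acct-7 does not.
SAMPLE_LOG = """\
2014-01-20T13:55:00|acct-7|phone|+1-555-0100|+1-555-0199
2014-01-20T14:02:00|acct-42|email|owner@example.com|mailbox@attacker.example
2014-01-20T14:03:30|acct-42|phone|+1-555-0142|+1-555-0987
2014-01-20T14:05:10|acct-42|name|Owner Example|J. Doe
2014-01-20T14:09:45|acct-42|address|1 Main St|99 Elsewhere Rd
2014-01-20T16:30:00|acct-7|email|seven@example.com|seven@example.org
"""


def parse_event(line):
    """Parse one audit line into a dict; timestamps are ISO-8601 without a zone."""
    ts, account, field, old, new = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "field": field, "old": old, "new": new}


def parse_log(text):
    """Parse every non-blank line of the audit log."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_bulk_contact_changes(events, window=WINDOW, fields=CONTACT_FIELDS):
    """Return one alert per account whose contact fields are all changed within `window`.

    Each alert carries the value each field held before the burst, so the previous
    owner can be notified through contact details the change burst did not set.
    """
    by_account = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["field"] in fields and ev["old"] != ev["new"]:
            by_account.setdefault(ev["account"], []).append(ev)

    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            # Sliding window anchored at each change; events are already time-ordered.
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if {e["field"] for e in burst} >= fields:
                previous = {}
                for e in burst:
                    previous.setdefault(e["field"], e["old"])  # earliest old value wins
                alerts.append({"account": account,
                               "started": start["ts"],
                               "ended": burst[-1]["ts"],
                               "previous_contacts": previous})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_contact_changes(parse_log(SAMPLE_LOG)):
        print(f"{alert['account']}: all contact fields changed between "
              f"{alert['started']} and {alert['ended']}; notify previous owner at "
              f"{alert['previous_contacts']['email']} / {alert['previous_contacts']['phone']}")
```

The window length is the tuning knob: a genuine customer moving house may well update address and phone in one sitting, so the alert requires every contact field, not just two, and a shorter window (pass `window=`) tightens it further. The point of keeping the pre-burst values is that the notification must go to the old email and phone number, since the new ones belong to whoever made the changes.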

Re:I must be missing something. (0)

Anonymous Coward | about 9 months ago | (#46100843)

He should not have surrendered control of any other account. The attacker had no reason to return control of the domain to this poor fool; that the attacker did is mostly just luck. Mr. Hiroshima should have started a legal process against GoDaddy for control of his legally paid for domain name, as contractually required. Now that he surrendered control of some username, he will have to try to convince Twitter that he should get control of that back, but there is really no legal reason that Twitter must do anything.

Scroogled again! (-1)

Anonymous Coward | about 9 months ago | (#46100619)

Never would have happened if he used Microsoft and their two step verification for all his services!

one action to take (0)

JaiWing (469698) | about 9 months ago | (#46100633)

sue GoDaddy. aiding and abetting in the act of a FELONY.

lawsuit (4, Insightful)

internerdj (1319281) | about 9 months ago | (#46100637)

I'd be talking to a lawyer. Sounds like someone at Paypal owes $50k to Mr. Hiroshima.

Re:lawsuit (0)

Anonymous Coward | about 9 months ago | (#46100741)

There's no reason to believe the offer was real and backed up by real money.

Re:lawsuit (0)

Anonymous Coward | about 9 months ago | (#46100789)

I..I don't think that's how that works. Please read summary again.

Re:lawsuit (1)

u38cg (607297) | about 9 months ago | (#46100829)

Remoteness. Won't fly. Godaddy is the one to go after.

Re:lawsuit (2)

Solandri (704621) | about 9 months ago | (#46100841)

I really doubt that lawsuit would get very far. The only evidence against Paypal is the written testimony of a known criminal (the guy who conducted the attack). For all we know, the attacker could be a worker at Starbucks who lifted Mr. Hiroshima's credit card number when he bought coffee there. And he hates Paypal (like most of us do) so he's setting up a false trail leading to Paypal.

The real problem is using the credit card number as authentication of anything other than a credit card purchase. It's something that's seen by dozens if not hundreds of people in a month, and trivial to record with a quick photo. Absolutely silly to use it for identity verification.

minldess assault on everything unholycost (-1)

Anonymous Coward | about 9 months ago | (#46100647)

if we add all of the don't do's up we can only deal with our rulers in the end is where they want to give it to us. free the innocent stem cells. atmospheric vandals hard on US etc... again today http://www.globalresearch.ca/weather-warfare-beware-the-us-military-s-experiments-with-climatic-warfare/7561

pardon the spelling as we are hasty puddings (-1)

Anonymous Coward | about 9 months ago | (#46100711)

slashdot only allows anonymous users to post 10 times per day (more or less, depending on moderation). A user from your IP has already shared his or her thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, just wait dark matters episode VI is being released early in response to demands that it not be released ever

Grimm solution (-1)

Anonymous Coward | about 9 months ago | (#46100665)

Let me be clear to you, you ever do that to me again I'll throw you off this fucking balcony. You're not man enough, you're not man enough. I'll break you in half. Like a boy.

That's what he should have done!

Yeah (0)

Anonymous Coward | about 9 months ago | (#46100849)

Because acting like a brain dead conturd is always the right response.

How about calling the FBI and then suing the companies that are going to take your livelihood in identity theft?

Giving in to extortion is never a good thing.

"Don't 'Let' Them?" (3, Insightful)

CanHasDIY (1672858) | about 9 months ago | (#46100671)

don't let companies such as PayPal and GoDaddy store your credit card information.

I wonder, does Mr. Hiroshima realize that consumers have little to no (closer to the latter) control over what a corporation does with our credit card info once we make a purchase with them?

Does he know of some nuclear option the rest of us aren't aware of?

Re:"Don't 'Let' Them?" (0)

Anonymous Coward | about 9 months ago | (#46100771)

I think the implication was do not use CCs for purchases from either company.

Re:"Don't 'Let' Them?" (1)

Laxori666 (748529) | about 9 months ago | (#46101005)

You could try using temporary credit card numbers for all online purchases. Looks like citibank provides this service.

Re:"Don't 'Let' Them?" (0)

Anonymous Coward | about 9 months ago | (#46100973)

bitcoin ;)

Stupid people prevent us from having secure things (4, Insightful)

jader3rd (2222716) | about 9 months ago | (#46100673)

This is a story about how 'real' people hate secure things. Nerds are all about creating encryption and security that requires knowing a secret key. Real world people deal with the fact that they forget secret keys, and want companies to restore their data for them. So for companies to keep customers, they have to create workarounds for the secret keys.

As a result the only way to secure something for sure is to not depend upon companies who have 'real' people for customers.

Re:Stupid people prevent us from having secure thi (0)

logjon (1411219) | about 9 months ago | (#46100923)

So...run your own everything.

And this is why.. (1)

Jaysyn (203771) | about 9 months ago | (#46100681)

And this is why I avoid Twitter, GoDaddy & PayPal like the plague they are.

comeuppance? (-1, Flamebait)

Gothmolly (148874) | about 9 months ago | (#46100683)

And how about don't swim with sharks?

If he wasn't a social media (value = what exactly?) then this would never have happened anyway.

Re:comeuppance? (5, Insightful)

Antipater (2053064) | about 9 months ago | (#46100837)

"It's entirely your fault that a thief held a gun to your wife's head and demanded your Babe Ruth-autographed baseball. If you didn't have a Babe Ruth-autographed baseball in the first place, it never would have happened."

Re:comeuppance? (0)

Anonymous Coward | about 9 months ago | (#46101037)

If he wasn't on Paypal, then this never would have happened. If he wasn't on GoDaddy, then this never would have happened. If he didn't use credit cards, then this never would have happened. If he didn't use a computer, then this never would have happened. You aren't presenting as simple a solution as you think you are.

What good is using a stolen twitter handle? (0)

Anonymous Coward | about 9 months ago | (#46100685)

Why is a 1 character handle valuable anyway?

Also, won't everyone know it's stolen?

Re:What good is using a stolen twitter handle? (1)

Enry (630) | about 9 months ago | (#46100713)

They do now.

Re:What good is using a stolen twitter handle? (1)

v1 (525388) | about 9 months ago | (#46100897)

What good is using a stolen twitter handle?

it's a bit like a two character slashdot nick... my... precious...

not going to end well (1)

Gravis Zero (934156) | about 9 months ago | (#46100693)

i get the feeling that this is high enough profile where the extortionist is going to get a beatdown by one of the tech companies involved.

Multiple credit cards (5, Insightful)

Dan East (318230) | about 9 months ago | (#46100725)

When the Target data breach happened, I commented here about some of the advantages to using throw-away, preloaded credit cards (which limits your potential loss and allows you to quickly switch to an entirely different account if you feel the other might be compromised). I was modded down by people who have bought into the whole big-bank credit card racket, and the attitude "why should I worry, when the bank is responsible and I'll eventually get my money back". Well here is yet another advantage of using preloaded credit cards. You load money on it, pay your annual hosting fees, etc, and then just toss it and get another next year to make the next annual payment. This story illustrates the advantages of using an entirely different credit card per service, so the card you use with Godaddy is not the same as you use with Paypal.

Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.

Re:Multiple credit cards (0)

dkleinsc (563838) | about 9 months ago | (#46100823)

Yes, yes, it will cost you $3 each time you load a card to make that yearly payment, but you can decide for yourself what that extra $3 can buy you.

Nothing, really, since the bank will eat the costs of the fraud. It's annoying, yes, and it's a bit of a hassle, but generally you aren't buying much of value for that $3.

Re:Multiple credit cards (4, Informative)

Chris Mattern (191822) | about 9 months ago | (#46100925)

Nothing, really, since the bank will eat the costs of the fraud. It's annoying, yes, and it's a bit of a hassle, but generally you aren't buying much of value for that $3.

For Mr. Hiroshima, that $3 would have apparently bought him continued ownership of his single-letter Twitter account.

Re:Multiple credit cards (1)

swb (14022) | about 9 months ago | (#46100885)

I like this idea, but have never used preloaded cards before. Do they work like "real" credit cards, i.e., broadly accepted like any card? How do you load them up with money, can you buy value with a credit card or does it require a cash transaction?

There was a story in the paper today about banks reissuing 150 million cards due to the Target debacle and I thought -- why don't they just do that every year anyway? Or when they issue cards, maybe they should give you a 12 pack of cards that are only good for 30 days from first use, and then they auto-expire and you have to activate the next card in your pack. You can go on from there and get more restrictive and say that you can only have N active at a time, etc.

Then I start to wonder how big the pool of possible credit card numbers is -- are there enough numbers total to allow everyone to suddenly use 10-20x as many as they use now?

Re:Multiple credit cards (0)

Anonymous Coward | about 9 months ago | (#46100895)

The catch there is that you (a) have to remember (or pay attention to reminders) to do that again next year (no automatic renewals for you), and (b) have to be reasonably sure of what your cashflow at that point next year will be. Oh, and (c), have to be sure the registrar's renewal system won't fuck up on you.

I managed to lose a domain because of some combination of the above. The (c) part was that the company's processing system billed the card before flagging the domain as renewed, and somehow errored out between those two steps. ("Transactions? We don't need no stinkin' transactions!"). By the time I got it sorted out, the domain had been flagged as expired and some third party had squatted on it. I've got auto-renew on my other domains now.

Re:Multiple credit cards (0)

Anonymous Coward | about 9 months ago | (#46100999)

Thank you Captain Hindsight, but who is going to use a separate credit card for every transaction they make?

Without the hindsight of knowing it was PayPal & GoDaddy he'd have to use a different CC for every single company he does business with. Is that what you're advocating? Loading a different CC for every bill you pay?

OR... (1)

pla (258480) | about 9 months ago | (#46100739)

OR! Does this Slashdot FP itself count as a social engineering attack by Naoki Hiroshima to pressure GoDaddy/Twitter/Paypal/SomeoneElseEntirely into submission, possibly for the stated purpose (control of @N), or for something seemingly unrelated but actually useful?

I kid, of course... I have no reason to doubt the story as given. I do find it odd that someone would actually break the law (at the very minimum, identity theft and extortion) in such a contrived chain of events... Just to gain control of something they won't even realistically get to use (can you imagine trying to use @N for the next few months through the massive volume of hate-tweets it will get?)

paid poster pickens wordiest of all (0)

Anonymous Coward | about 9 months ago | (#46100747)

phewww

Should not be too difficult to get it back (4, Insightful)

angel'o'sphere (80593) | about 9 months ago | (#46100751)

After all Twitter knows which new email address is holding @N. Should not be too hard to figure out the real person behind it. And simply asking Twitter to hand it back should also work.

What you don't know... (5, Interesting)

Junta (36770) | about 9 months ago | (#46100883)

Is that the current controller of N is legitimate, and *this* story is the social engineering attack to get control of it.

Re:What you don't know... (1)

Shatrat (855151) | about 9 months ago | (#46100997)

Hah, that's the first thing I thought of as well. He could have accepted that $50,000 and now be trying to get that domain back.

Re:What you don't know... (0)

Anonymous Coward | about 9 months ago | (#46101027)

It would be the most elaborate and unbelievable social engineering attempt ever. But the corroborating evidence is in favor of Mr. Hiroshima regardless of any idea that he might simply be trying to social engineer the account through public media.

So, fucking what. (1)

Anonymous Coward | about 9 months ago | (#46100753)

So fucking what. Now that @N has been stolen, file a police report. Tell Twitter that they're now obliged to send the IP of whomever uses @N to the police.

Good job, you've acquired a useless handle. Try to sell it? The buyer gets nabbed instead. Of course, the burden of proof of actual extortion is on the moron who handed over the credentials in the first place instead of contacting their hosting company. Smells like a dead fish up in here.

Agree. Just call the police... (0)

Anonymous Coward | about 9 months ago | (#46100909)

Exactly. I don't understand what the issue is, the solution appears obvious.

Someone even says get a lawyer to sue for $50k. That's not how it works, someone steals something, you know how to get it back... simple.

What am I missing here? He never agreed, he was extorted. The 'agreement' to transfer ownership never occurred.

Goodbye GoDaddy (0)

Anonymous Coward | about 9 months ago | (#46100759)

I will now be advising my employer to move all domains from GoDaddy to somewhere else.

fictional heritage & history failing us again (-1)

Anonymous Coward | about 9 months ago | (#46100815)

coming home not as advertised on cnn ominous (very nearly fatal) 'welcome home' from our 'civil' servants http://www.youtube.com/results?search_query=scott%20olsen&sm=3

to be redacted text; Edward Snowden was nominated for the Nobel Peace Prize by Norwegian politicians, including a former government minister, for contributing to transparency and global stability

All right, I'll bite. (3, Interesting)

Tenek (738297) | about 9 months ago | (#46100863)

I will assume since it hasn't come up already that there is some reason Twitter can't just give him back the handle. What is it?

Nope (4, Insightful)

ledow (319597) | about 9 months ago | (#46100873)

This is like kidnap or a mugging. At no point do I have an actual incentive to give in to such a person's demands. "We won't hurt you / them / your website if you do X". I have *absolutely* no guarantee of that.

I *cannot* win. If I do everything you request, you could still trash my domain / stab me anyway / kill your hostage and there's nothing I can do to stop that.

As such, non-compliance is no different to compliance in such a situation. So why voluntarily give them MORE power over you / your assets?

As it is, you would have to wipe servers, settings, email etc. and start again even if they did honour their agreement.

But then, you have to remember, this person is already committing a crime... what's in their conscience that will make them honour an agreement concerning that crime?

Let them squirm, report them, regain control when you can, then purge their access from your systems.

Anything else is just stupid.

Poor Hiroshima (0)

jez9999 (618189) | about 9 months ago | (#46100875)

Looks like his account got nuked.

would be nice if... (0)

Anonymous Coward | about 9 months ago | (#46100899)

it would be nice if say GoDaddy, PayPal, and twitter made this right. Twitter should at least return the stolen handle, if not ban the other guy for doing illegal things.

Stupid stupid decision. (0)

Anonymous Coward | about 9 months ago | (#46100907)

He should have kept his twitter name and then sued the shit out of go daddy and paypal.

On a related note, is there insurance for these kinds of things?
My physical stuff is all insured, so if someone steals my PC I can claim it with the insurance company.
Are there companies that do the same for domain names or things like that?

Also why are the last 4 digits of your cc number a "secret"? They are printed on the damn card, and hundreds of people get to see it.

Good Old Paypal (0)

Anonymous Coward | about 9 months ago | (#46100957)

There are two types of people in the world. People who have been screwed by Paypal and people who haven't used Paypal yet.

Just rewards for using GoDaddy (1)

jtara (133429) | about 9 months ago | (#46100963)

Did you really expect GoDaddy to care about protecting your interests?

Some excellent alternatives were offered by respondents on the OP's blog, and I'll add another - moniker. Their claim to fame? They have "never lost a domain". And, so, they have a really good reason to keep others from taking your domain - they'd have to give up that claim. They also offer a reasonably-priced enhanced security feature, though I feel it's unnecessary given the company's history. (And just checked, they still make the claim:

"Moniker is serious about security. In fact, in our history, we’ve never “lost” a domain. Not one."

https://www.moniker.com/domain... [moniker.com]

While they aren't under their original ownership, neither policies, convenience, nor responsiveness seem to have suffered. (You can always get ahold of them on the phone when there is a problem.)

I don't have any affiliation with moniker, other than being a happy customer. Happy to use a professional registrar that doesn't have a name that makes people snicker.

Use Two-Factor Authentication On Gmail (2)

HangingChad (677530) | about 9 months ago | (#46100975)

This story reminds me why I don't use GoDaddy and, if you haven't already done so, activate two-factor authentication on your Gmail account.

It's not bulletproof (what is?) but it's an extra layer of security that keeps a hacker from getting control of your email account.

I can't picture the endgame here (1)

idontgno (624372) | about 9 months ago | (#46100989)

A social-engineering blackhat extorted a distinctive and notable, and thus allegedly valuable, Twitter handle from its legitimate registered user.

Why?

It's like stolen art: the thief can't display it without implicating himself. The thief can't sell it, because the fool that buys it can't display it without implicating himself, and the thief by association (and vulnerability to investigative back-tracking).

So.... why?

A lot of work to go to for the sole purpose of effectively destroying a Twitter handle.

Question (0)

Anonymous Coward | about 9 months ago | (#46100991)

Why, with this story and confirming emails and confirmations from both Go Daddy and Paypal, would Twitter allow the @N name to be used by the attacker anyways?

Twitter needs to step in and remove control from the attacker and return it to its proper owner, GoDaddy needs to rip their security team a new one, and Paypal needs to find out who screwed up by giving out credit card info over the phone.

My question is this: While the Hacker was successful in using Social Engineering, what did he THINK would happen when the story broke? That he'd be allowed to retain control of the Twitter name? Is he that daft?

Windfall (1)

nitehawk214 (222219) | about 9 months ago | (#46101007)

The good news for him is that PayPal and GoDaddy and Twitter now owe him a hell of a lot more than $50,000.

It goes deeper than GoDaddy, unfortunately. (4, Interesting)

An Ominous Cow Erred (28892) | about 9 months ago | (#46101053)

Simply put -- consumers can't be trusted to be able to deal with complex secure authentication schemes. That's why there are so many easy-to-guess "What city did you grow up in?" password-reset functions. There are so many weak links in the chain of trust, it takes a concerted effort on the individual's part to secure it.

The CEO of Cloudflare fell victim to this when someone CONVINCED AT&T TO REROUTE HIS VOICEMAIL, starting a chain of events that wound up with the interloper having complete control over Cloudflare and the myriad of sites that use CF (and therefore trust it to send legitimate data).

It's a bit exciting/fascinating to read about the chain of events, (particularly the timeline):

http://blog.cloudflare.com/the... [cloudflare.com]

http://blog.cloudflare.com/pos... [cloudflare.com]

Multi-factor authentication on GoDaddy (5, Interesting)

marcgvky (949079) | about 9 months ago | (#46101063)

I am a GoDaddy customer and had a problem with my ex-partner: he tried to social engineer his way into grabbing control of our domains/email accounts, hosted by GoDaddy. Subsequently, I enabled a feature that GoDaddy offers. GoDaddy sends a text message that I must respond with. This extra factor is required for all changes, now. People should enable this feature, regardless of where you host your email. It makes it impossible to social engineer your way past a customer service rep.

stand alone email addresses? (1)

retech (1228598) | about 9 months ago | (#46101065)

I'm a strong believer in having individual email addresses for each important login. I don't think I have a single email address that is related to more than 3 logins max. This greatly limits the ability to have a single breach allow someone into the entire kingdom. While this may not be as convenient as having a single pass login.... I'm ok with that. I keep everything in a password wallet (locally, no cloud usage) to have it all organized.
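The recovery chain the thread keeps circling (card fragment at the registrar, registrar controls DNS, DNS controls where mail lands, mail resets everything else) and the mitigations the last few comments propose (an SMS factor on registrar changes, one mailbox per important login, mailboxes not tied to a self-hosted domain) can be checked mechanically as a dependency model. The following is an added example written for this editing pass, not code from the thread, Slashdot, or any of the companies named; every account and control name in it (`cc_last4`, `registrar_sms`, `mailbox_totp`, and so on) is a constructed label standing in for the corresponding piece of the story, not a real service identifier. It goes slightly beyond the story by modelling AND/OR recovery requirements, so that a second factor is represented correctly rather than as just another password.

```python
"""Account-recovery dependency model (added example, not from the thread).

Each account maps to a list of "recovery alternatives"; an alternative is the
set of controls an attacker must hold to reset or redirect that account. Any
single fully-owned alternative suffices (OR across alternatives, AND within
one), which is how a second factor differs from a second password. All names
below are constructed labels, not real service identifiers.
"""


def compromised(recovery, initial):
    """Fixed-point closure: everything an attacker ends up controlling.

    recovery: {account: [set_of_required_controls, ...]}
    initial:  controls the attacker starts with (e.g. a leaked card fragment).
    Returns the full set of owned controls and accounts.
    """
    owned = set(initial)
    changed = True
    while changed:
        changed = False
        for account, alternatives in recovery.items():
            if account in owned:
                continue
            # One alternative whose requirements are all owned unlocks the account.
            if any(req <= owned for req in alternatives):
                owned.add(account)
                changed = True
    return owned


def all_nodes(recovery):
    """Every account plus every root control mentioned in the model."""
    nodes = set(recovery)
    for alternatives in recovery.values():
        for req in alternatives:
            nodes |= req
    return nodes


def single_points_of_failure(recovery, protected):
    """Nodes whose compromise alone yields every account in `protected`."""
    return sorted(
        node for node in all_nodes(recovery)
        if protected <= compromised(recovery, {node})
    )


# Constructed model of the chain in the story: phone support at the registrar
# accepts the last four card digits, the registrar controls DNS for the custom
# domain, mail for that domain goes wherever MX points, and every other
# account resets via that one mailbox.
STORY = {
    "registrar": [{"cc_last4"}, {"registrar_password"}],
    "domain_dns": [{"registrar"}],
    "mailbox": [{"domain_dns"}, {"mailbox_password"}],
    "twitter": [{"mailbox"}, {"twitter_password"}],
    "paypal": [{"mailbox"}, {"paypal_password"}],
}

# Constructed hardened model: no knowledge-only support path at the registrar
# (password plus an SMS factor required for every change), mailboxes hosted on
# the provider's own domain so DNS control does not redirect them, one mailbox
# per important login, and a TOTP factor on each mailbox.
HARDENED = {
    "registrar": [{"registrar_password", "registrar_sms"}],
    "domain_dns": [{"registrar"}],
    "mailbox_twitter": [{"mailbox_twitter_password", "mailbox_totp"}],
    "mailbox_paypal": [{"mailbox_paypal_password", "mailbox_totp"}],
    "twitter": [{"mailbox_twitter"}, {"twitter_password"}],
    "paypal": [{"mailbox_paypal"}, {"paypal_password"}],
}

VALUABLE = {"twitter", "paypal"}

if __name__ == "__main__":
    for name, model in (("story", STORY), ("hardened", HARDENED)):
        owned = compromised(model, {"cc_last4"})
        print(f"{name}: from cc_last4 alone -> {sorted(owned - {'cc_last4'})}")
        print(f"{name}: single points of failure for {sorted(VALUABLE)} -> "
              f"{single_points_of_failure(model, VALUABLE)}")
```

In the story model the card fragment alone closes over the registrar, the domain, the mailbox and both downstream accounts, and six different nodes are each a single point of failure for the two valuable accounts. In the hardened model the same starting point yields nothing, and no single node reaches both accounts; losing the registrar still costs the domain, which is why the model treats the mailbox as independent of DNS rather than pretending the registrar can be made perfectly safe.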