>b) whether these specific attacks are still possible.
Why not? It's been proven over and over again that customer support can be manipulated easily. Most companies want their customer support to help the average user. The average user isn't being hacked but instead loses their passwords and access in a variety of ways. The cost of screwing over one customer compared to aiding the rest is nothing to them (because nobody has sued them for it yet and won)
One of the specific attacks was getting the last four digits of a credit card from one company's CSR and using it to authenticate to another company's CSR - I think that happened in a couple of other high-profile attacks around the same time frame and major companies decided that the last four digits wasn't actually a meaningful authenticator.
> The point of failure wasn't "using a non-gmail address," it was "using an untrustworthy registrar."
But wasn't his point that gmail.com is much less likely to have its MX record compromised than any domain you could possibly register? So using your gmail.com address removes the issue of registrar trustworthiness completely.
You're trading registrar trustworthiness for email provider trustworthiness. I'm not sure what is better.
I suppose I should start actually paying for email, and go with protonmail or somebody like that. If they have decent and competent customer service, that would reduce the chances of getting hacked.
Sim Hacking is now a thing to get around MFA but it wasn't as popular in 2014. Call up the telecom provider and use the same approach. Leverage Googleable info of the target person and use that as answers to the customer support reps questions.
SMS is not a second factor, despite many companies pretending that it is. I am alarmed at the number of large companies (especially banks!) that just blindly and stupidly follow the outdated advice of using SMS messages as 2FA.
So, MFA is great, if it is really multi-factor: TOTP through Authy or Google Authenticator, U2F or WebAuthn through a hardware key like a YubiKey.
I never had a good feeling with GoDaddy, their managment console is bad, they are spamming you constantly with offers and their pricing is not transparent. And now this story. What are good alternatives for Domain registration and DNS hosting?
They probably won't be the cheapest (most .com's are $12 a year), but they don't try to upsell much if at all, the pricing is really consistent and there are no surprises (no bullshit like the first year is $1 and the next year is $40 unless you remember to go do something), and their management UI is really nice.
I only have about 6 domains with them, so keep that in mind, but I've been extremely happy with the whole thing.
I'm also, like, 90% sure that when you are using your custom domain on Google, as a business user, the "recover my email via phone number" option goes away, because you are your own "administrator" and if your "users" lose their password they just have to go to you.
(Which closes that gaping hole in your email security.)
I'm not using the "Google Apps" part of their services, i'm just using their "domains" offering at domains.google.com
They can be the same thing if you want, but they don't have to be. You can use an externally hosted domain with google apps, and you can use Google domains without "google apps" (like I do).
Also, as of somewhat recently, I believe you can disable "recover by phone" as an option if you want for any google account.
Where are you from that you only have access to those few hosters? I think there are hundreds of hosters in Germany, at least somewhat like a dozen big ones which all do a pretty good job. Wonder why everybody seems to stick to GoDaddy, also in the tech scene.
For Germany, just for reference, there is Webhostlist [0], which gives me over 400 different hosting packages (obviously not 400 hosters) available with at least one domain and an included SSL certificate. Starting at 0.38 € per month (.de domain included) with a one-time setup of 0.99 €.
The (current, I've been told this is being worked on) problem with cloudflare's registrar is you MUST use their DNS if you buy a domain through them. Great if you already do and never intend to switch, useless if you don't or might need/want to switch in the future.
> I tried to log in to my GoDaddy account, but it didn’t work. I called GoDaddy and explained the situation. The representative asked me the last 6 digits of my credit card number as a method of verification. This didn’t work because the credit card information had already been changed by an attacker. In fact, all of my information had been changed. I had no way to prove I was the real owner of the domain name.
It's a little odd that GoDaddy didn't have the credit card number from before the change.
I can’t say enough negative things about GoDaddy, and that is even not considering anything in this story. Please don’t use GoDaddy. If you have domains you really care about, consider Gandi.
There MUST be some sort of ISO certification for support people.
Giving first line, poorly trained support people access to people's PII and the ability to change passwords is something that needs to be stopped. Social engineers are completely exploiting poorly trained, minimum wage workers for huge gains.
We need to have some sort of ISO certification so that front line support people must hand over any security information to highly trained second-tier staff. If EVERY company used the same subset of information to verify, under the guidance of well-trained staff with a consistent methodology across all companies, and didn't expose various bits and pieces of info (some use last for of SSN, some use credit card info, address, date of birth, etc) then it would extremely hard for social engineers to do hacks like this.
Yes. If there was some uniform standard on how support workers were trained, what data they have access to, then social engineering attacks would drop dramatically. The leaking of data would not be as prevalent and it would be standardized.
Assuming Twitter TOS prohibit trading in usernames, I'm not sure how you can value a username.
"Strangely, someone I don’t know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless." – what?
Biggest lesson I learned here: Long-lived TTLs for MX records seem ideal to prevent an custom-domain email takeover.
The bigger risk these days is how easy it is to lose your phone number, which seems to be the trendy way to break into accounts. Using Google Voice for SMS 2FA seems like an OK workaround until companies get a clue that phone numbers are barely tied to their user if access to the user's account is desired.
Welp, I wish Cloudflare would add Yubikey support now too to make it easier to lock down account.
> however if you’d like me to recommend a more secure registrar i recommend: NameCheap
Please don't. NameCheap is horrible at security of your account and at customer support in general; I personally had a battle with my ex (who just happened to know my name and DOB, very easy to find online anyways) and she was able to start transfer of all my domains. I was able to get involved but it was he say / she say battle for days during which all my domains were suspended so no traffic and no sales online (loss of about $80,000). The big problem was to cut cost NameCheap hires cheap helpers from Eastern European block (just login to their chat you can quickly see by name of CS) and each helper was telling me (and her) different story. Eventually it got "solved" after about five days where my ex just agreed to cancel the transfer altogether. This was circa 2016, unsure if anything changed, but I gradually moved out most of my domains (I prefer NameSilo and DynaDot these days - much more robust verification process)
Edit: to clarify: the domains have stayed with my ex and that was final decision of NameCheap since she was the one to answer security questions correctly. As I indicated, what solved the issue is she eventually decided to drop it and return them to me. A change of heart if you will.
You sell about $80,000 every 5 days (nearly $6 million annually) and you registered your domain with NameCHEAP? And your surprised that NameCHEAP hires CHEAP eastern european help? And you didn't pick a registrar with token-based 2FA? Or any security beyond knowing your name and DOB to start transferring domains out (which I don't believe).
The domain was registered many years before, but I agree I should have never gone with NameCheap in the first place. Another one much more reliable registrar is Marcaria, which went down price-wise since just few years ago.
Anyone else's BS detector sounding off right now? This is certainly the most helpful "attacker" I've ever heard of, politely answering all kinds of detailed questions AFTER he got what he wanted. This story states the attacker was able to register a Twitter handle just minutes after the author changed his. Does Twitter actually allow this, it doesn't lock up the old handle for a period of time?Seems like a basic security measure for Twitter to implement.
And what does the Facebook account have to do with anything -- why would the attacker want it, and further, how did he steal that without already knowing the password (if the attacker couldn't receive Twitter's reset emails, he couldn't have received Facebook's either)? And if the attacker "was able to control my email" then how did the author continue to communicate, by email? There's just a lot to unravel here.
That's what's called "Self-justification". Helping your victim after victimizing them allows you to say "I'm not that bad, I'm helping make sure this doesn't happen again".
This is a terrible person doing bad things to other people. He could donate all the money he makes selling the user name to orphans and it still doesn't really justify the behavior.
If I steal some old lady's purse, is it "self-justification" if I find some medication in it and return it to her while keeping the purse?
I don't see any overt attempt at "justification" in these emails. The attacker wanted a very specific thing and, after he got it, he didn't do anything further. He even gave the victim some helpful information. That doesn't justify his actions but his behavior is clearly less reprehensible than it might have been.
You seem to be saying, somewhat paradoxically, that the perpetrator wouldn't have committed the crime at all if he had been more malicious because then he would have had to truly reckon with the consequences of his actions. Maybe. Maybe theft would be less common if all thieves were compelled by some magical force to kill their victims. But that's not realistic and, besides, people commit far more malicious crimes than this without being deterred by the damage they're doing.
>>If I steal some old lady's purse, is it "self-justification" if I find some medication in it and return it to her while keeping the purse?
Yes.
What I'm saying is trying to say "well at least he was nice enough to explain the security problems after extorting this man" isn't a helpful comment. It seems to imply that this isn't the worst thing this guy could have done. So what? Who cares? A bad thing was done and pointing out that a worse thing could have been done doesn't help anyone or anything. It's a bad take on the situation.
>>You seem to be saying...
No. IDK what that was, but that wasn't what I was saying at all. I don't think you really seem to be grasping the concept of what self-justification is, and how it's an enabling behavior to allow bad people to do bad things. The whole idea behind it is that the "clearly less reprehensible than it could have been" thought allows you to justify whatever bad things you do.
Um, I'm not sure people doing crimes need much additional self justification -- they are already heroes of their own stories, taking what is due to them, punishing the oppressor, harvesting from the marks, what have you.
From society's point of view, allowing some leniency of judgement is probably beneficial on the net -- you don't get much more purses stolen, but you do get more pill bottles returned. (this is an empirical question actually, maybe there are social studies on the topic?)
Consequences and intent matter. First because duh, second because it lets you predict (and therefore influence) the future.
Would love to see some studies on this if someone can pull them on that specific style of law.
>>Um, I'm not sure people doing crimes need much additional self justification...
It doesn't work this way. They do need the additional self-justification. It's a constant stream of reinforcement. "Yea, I don't feel bad that I stole this rich asshole's twitter account because I used the money to feed some orphans and told him how to fix these problems in the future" is the self-justification. It's a constant establishment of why you're good in a relative fashion.
It's something everyone does on all sorts of things, it's how everyone builds their worldview, and it's normal but that doesn't mean we should join in on it as outsiders and say things like "well at least he gave the guy some precautions for the future".
>>From society's point of view, allowing some leniency of judgement is probably beneficial on the net...
Maybe? I mean as a general statement, sure. But there are going to be specific situations where it isn't helpful. Also, there's a whole school of thought that says that it's more important that you minimize situations that would encourage criminal behavior rather than providing leniency in punishment after the fact. Better to eliminate the need to steal in order to provide for your family rather than create uneven enforcement by judges deciding where leniency should be exercised.
>> but that doesn't mean we should join in on it as outsiders and say things like "well at least he gave the guy some precautions for the future".
An extreme version of this, where social approval is expected by perpetrators (sometimes justifiably) is vigilantism. It is illegal, and society is worse off for it in a general sense, and yet...
Compare a blackhat who takes over all the routers and sells the botnet to organized crime ring vs a grayhat who does the same but instead patches the vulnerabilities on the devices or uses them to do internet census and puts the data in public domain. Both are illegal acts and both have victims (maybe some devices are bricked in the process), but one is definitely worse. And that is true even if in both scenarios all the devices got bricked so consequences are exactly the same.
>> rather than providing leniency in punishment after the fact
I meant judgement more in social disapproval sense. As for actual judges, they already have some leeway and often use it. There is a reason politicians who want to be seen as being tough on crime like to introduce mandatory minimums.
I agree that crimes are better prevented by reducing a need to commit them, but taking into account intent and mitigating circumstances is one of the ways to do that. Mandatory minimums just make sure criminals leave prisons with a Phd in crime instead of a mere Bachelor's.
Let's wind this back. I can come up with any sort of scenario to justify a philosophical point. But the discussion didn't start there. You've presumably read the article this thread is on, and saw the comment I was responding to.
Your blackhat vs grayhat is a false equivalency. We know that this is a bad actor, and the mitigating factor isn't what why he did what he did or what he did with his ill-gotten gains, it's (according to op) that after he did an objectively bad thing (extortion), he did an objectively good thing(pointed out security flaws). I feel that's cold comfort at best, and problematic thinking at worst.
This whole thread seems to be me misunderstanding people or people misunderstanding me and it isn't fun anymore. Wish you the best, we're not really having the same discussion though.
Unfortunately some domain registrars still don't work with less common TLDs. I'm stuck with GoDaddy unless someone knows a better registrar for .boston domains
I now also wonder if there's a domain registrar better than Godaddy, and better than Namecheap and Gandi. One where I can have a cryptographic guarantee of my control over domains.
I used to have a 7 digit ICQ number of mostly 3s, like 3335133 or something like that. It totally wasn't worth the hassle of random Russians trying to buy/scam it from me.
Same thing happened on a smaller scale when I had the apparently rare 'white earbuds' in my Steam account.
The easiest thing is just to give it away and find something better to do with your time.
Current owner of the messenger has always had open door policy for russian law enforcement organizations, so any changes since 2010 couldn't be counted as secure.
edit: Also, the recently published analysis of the data on available in-the-wild (authentication isn't supported! firewall rules were deleted due to requests for it of the end users! some of the data is on shodan.io!!!) mandatory for ISPs traffic tampers made "to help russian police with investigations" showed that it has client's IP - ICQ UIN mapping.
a) how the account got transferred back (did Twitter support do it)?
b) whether these specific attacks are still possible.