Today’s cyber-security horror story comes from Naoki Hiroshima, whose rare Twitter handle was stolen from him by an extortionist. The thief used social engineering to obtain information from Paypal, which allowed him to reset passwords on Hiroshima’s domains to take ownership of those domains. The thief then essentially held Hiroshima’s websites to ransom in exchange for the coveted handle.
Analysis of the problem
So what went wrong? Both GoDaddy and Paypal seem to have dropped the ball dramatically here. Paypal released confidential information to someone claiming to be the account owner. GoDaddy then accepted partial (and easily obtainable) information as proof of identity, after which their ‘security’ procedures swung in to block the legitimate owner from fixing the problem.
From the account, it appears that GoDaddy accepted the last four digits of Hiroshima’s credit card, plus the first two, as proof of identity. The last four digits are relatively easily obtainable — even if Paypal hadn’t happily handed them over, it’s common practice for businesses to send out paper or electronic invoices that refer to “your credit card XXXX-XXXX-XXXX-1234”. So now the attacker only had to guess the first two. But the first two digits of a card are part of the Issuer Identification Number. If the attacker knew who had issued the card (or even the type of the card), it would only take them a few guesses to get the right first two digits. And according to the attacker, the GoDaddy customer service representative was willing to let them go on guessing as long as they liked.
So GoDaddy’s ‘security check’ offered no real security at all, but the problems didn’t end there.
Once the attacker had changed Hiroshima’s account settings, GoDaddy notified him with a message that said that the change had been made. He wasn’t asked to confirm that he wanted to make that change: he was told that the change had been made, and he needed to act if he wanted to undo it. That’s an ‘opt-out’ rather than an ‘opt-in’. Moreover, undoing it turned out not to be an option, because GoDaddy’s subsequent checks stonewalled Hiroshima’s attempts to regain control.
To use an analogy, it’s as if a thief broke into your house, changed all the locks, and the police refused to allow you to get back in because your key didn’t fit the new locks. The difference here is that while the police can’t compare your key to the old locks, GoDaddy should have been able to confirm that Hiroshima’s credentials matched the previous settings on the account. If GoDaddy’s procedures offered real security, that should have been sufficient grounds to revert the account to the previous settings and lock it pending resolution of the issue. But apparently that’s not how they do things.
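The three procedural failures described above (unlimited guessing on a weak identity check, a change applied before the owner opts in, and no way to revert with the previous credentials) can be modelled in code. This is an added example, not code from the original post or from any registrar; the class name, the attempt limit and the sample addresses are assumptions for illustration.

```python
# Added example (not from the original post): an account-change flow
# with a guess limit, opt-in confirmation, and revert on prior credentials.
import secrets

MAX_ATTEMPTS = 3  # assumed lockout threshold for failed identity checks

class Account:
    def __init__(self, email, card_last4):
        self.email = email            # current contact address
        self.card_last4 = card_last4  # stored verification fragment
        self.failed_checks = 0
        self.locked = False
        self.pending = None           # (new_email, token) awaiting opt-in
        self.history = []             # previous contact addresses

    def verify(self, claimed_last4):
        """Identity check with a hard attempt limit: no open-ended guessing."""
        if self.locked:
            return False
        if secrets.compare_digest(claimed_last4, self.card_last4):
            self.failed_checks = 0
            return True
        self.failed_checks += 1
        if self.failed_checks >= MAX_ATTEMPTS:
            self.locked = True  # further changes need out-of-band review
        return False

    def request_change(self, claimed_last4, new_email):
        """Stage a change; it is NOT applied until the current owner opts in."""
        if not self.verify(claimed_last4):
            return None
        token = secrets.token_urlsafe(16)
        self.pending = (new_email, token)
        return token  # would be sent to self.email, the *current* address

    def confirm_change(self, token):
        """Opt-in: only the holder of the current address can complete it."""
        if self.pending and secrets.compare_digest(token, self.pending[1]):
            self.history.append(self.email)
            self.email = self.pending[0]
            self.pending = None
            return True
        return False

    def revert(self, previous_email):
        """Prior credentials are proof of ownership: restore and lock."""
        if previous_email in self.history:
            self.email = previous_email
            self.pending = None
            self.locked = True  # hold the account pending dispute resolution
            return True
        return False
```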
There are possible problems with prioritizing prior account information. An unscrupulous domain owner might, for example, sell a domain to someone else and then reclaim it by claiming theft. Nevertheless, the potential risks seem smaller than a system that essentially favors thieves.
Reading between the lines, it sounds as if GoDaddy’s procedures are designed not for security, but for customer support. Their system is set up to help the customer who calls up and says "Oh, I’ve forgotten everything, can you get me back into my account?" And with a claimed 6.5 million customers, many of whom are probably not technically savvy, it’s easy to see why GoDaddy might take this approach — which minimizes support time and probably makes most of their customers happy — rather than offering stronger security.
What can be done?
Hiroshima offers various suggestions for increased security (aside from not trusting Paypal or GoDaddy with anything). One is to increase the TTL on your domains — the thief’s initial attempt to gain control of the Twitter handle failed because delays in DNS propagation meant that emails sent to an address at Hiroshima’s domain still went to his own mailserver rather than the thief’s.
Another is not to use email addresses at your own domains for registration of anything valuable. If an attacker can gain control of the domain — and Hiroshima isn’t the first person to lose control of a domain registration in this way — then they control the email address, and if they control the email address, they control anything registered with it.
That’s sound advice, although I’m unconvinced by his recommendation to use Gmail instead. I’m not prepared to assume that passwords for webmail services such as Gmail, Yahoo or Hotmail are immune to theft. I’ve certainly seen plenty of stolen webmail accounts over the years, probably the result of phishing or keylogger attacks. Better security might come from ensuring that anything you want to protect isn’t registered with a publicly-known email. If the attacker doesn’t know which email they need to control in order to take possession of an asset, their task becomes harder. In the case of domain names, that’s an argument for taking advantage of any ‘private registration’ service offered by your registrar, and setting it to auto-renew.
In Hiroshima’s case, that wouldn’t have saved him. The attacker’s attempt to obtain the asset (his Twitter handle) via his email address failed, so he switched to plan B, which was simply to bargain one asset (Hiroshima’s domains) against another (the Twitter handle). GoDaddy had given the thief leverage over the first asset; Hiroshima weighed up the risks and concluded that he had no option but to hand over the other, less valuable asset.
Things that we own online have real value. The value can come from rarity (such as a Twitter handle consisting of a single letter) or from the potential to exchange for hard cash (Bitcoins, in-game currency or virtual artifacts), or because they’re crucial to your business. Loss of control, even temporary, over a domain could be badly damaging to a small business, exposing it to anything from loss of revenue or customers to theft of secret information. Loss of an email account can have similar consequences: if you depend on an email address at a service such as Gmail to send and receive essential communications, you’re hostage to anyone who can take control of it.
The weak link
The deeper bottom line is that our security is in the hands of others. You can use multiple email addresses and multiple dissimilar passwords (and you should) so that an attacker who gets hold of one of your assets doesn’t get the set. You can store your access codes in an encrypted password safe rather than writing them on a Post-It note. You can use secure connections and shredders. But at the end of the day, if you share that information with someone else, then your security is only as good as their security procedures. And if their security procedures involve storing your password in plaintext, or letting malware run riot on their PoS terminals, or handing over your credentials to anyone who asks, you’re essentially screwed.