The moral of the Twitter-GoDaddy breach: People are the easiest thing to hack

High-tech security measures fell before good, old-fashioned con artistry.

By Christopher Null, PC World
January 31, 2014 10:11 AM ET

PC World - Of all the lessons to be learned from the hacking of Naoki Hiroshima and the loss of his coveted @N Twitter handle, the most troubling is the one that will ultimately be the most difficult to solve. In online security, weak passwords and poor encryption standards may be part of the problem, but the biggest problem of all remains ourselves.

Hiroshima outlined the events that led up to the loss of his Twitter handle, which he valued at $50,000 based on previously received offers from would-be buyers, in a post published on Medium on Wednesday. It wasn't sophisticated password cracking or a zero-day, code-based exploit that sealed the deal. In fact, all it really took was a telephone call or two.

The saga began on Jan. 20 when Hiroshima reported that someone was attempting to hack into his Paypal account. Hiroshima had two-factor authentication set up, and when the attacker attempted to reset his password, he received a text message requesting his approval for the change, which he ignored.

Unable to get through Paypal's gates, the attacker took a surprising next step, attacking Hiroshima's personal domain name through his registrar, GoDaddy. The hacker got through GoDaddy's security measures by calling a representative on the phone. The hacker claimed to be Hiroshima and said he was having trouble accessing his account. GoDaddy asked for the last six digits of his credit card number on file as proof of identity, which the hacker miraculously was able to provide.

How'd he do that? Again, via a simple phone call. That first volley at Paypal was no coincidence. According to Hiroshima, the hacker had also called Paypal's support staff and used social engineering tricks to get that representative to tell him the last four digits of the credit card he had on file. (While the details of this conversation have not been published, it isn't hard to imagine how it must have gone: "Hi, I lost my wallet and don't know which credit card I have linked to my Paypal account. Can you tell me the last four digits you have on file so I know if I need to change the card on my Paypal account?" Or something like that.)

The hacker then took those four digits and was--amazingly--able to parlay them into the last six. How? According to Hiroshima's narrative, the GoDaddy support agent simply let the hacker guess the remaining digits, two by two, until he struck upon the right combination, unleashing the keys to the account. The hacker told Hiroshima that he had claimed to GoDaddy he'd lost his card but remembered the last four digits, opening the door for the guessing operation. The hacker got it all done in one call.

All of this was prologue to the hacker's ultimate goal. With his GoDaddy account in hand, the hacker extorted Hiroshima to hand over the @n handle, which he did. A variety of investigations are now ongoing, but @n is now in the hands of one "Badal_NEWS."

Social engineering still works... and works well

What went wrong? It's easy to say Paypal and GoDaddy share the blame, but the common denominator in both cases is simple human nature. To really understand how social engineering like this works, put yourself in the shoes of the company that receives the phone call from the hacker. A panicked user calls you, asking for your help with a problem. He's been the victim of a crime or an accident, and the standard security systems available on the Web aren't helping him. A company like Paypal probably receives thousands of calls like this every day, and the vast majority are likely totally legitimate--real people in real crisis.

Originally published on www.pcworld.com.
