The Moral of the Twitter-GoDaddy Breach: People Are the Easiest Thing to Hack
High-tech security measures fell before good, old-fashioned con artistry.
Fri, January 31, 2014
PC World — Of all the lessons to be learned from the hacking of Naoki Hiroshima and the loss of his coveted @N Twitter handle, the most troubling is the one that will ultimately be the hardest to solve. In online security, weak passwords and poor encryption standards may be part of the problem, but the biggest problem of all remains ourselves.
Hiroshima outlined the events that led up to the loss of his Twitter handle, which he valued at $50,000 based on previously received offers from would-be buyers, in a post published on Medium on Wednesday. It wasn't sophisticated password cracking or a zero-day, code-based exploit that sealed the deal. In fact, all it really took was a telephone call or two.
The saga began on Jan. 20, when Hiroshima noticed that someone was attempting to break into his PayPal account. He had two-factor authentication enabled, so when the attacker tried to reset his password, Hiroshima received a text message asking him to approve the change, which he ignored.
Unable to get through PayPal's gates, the attacker took a surprising next step: going after Hiroshima's personal domain name through his registrar, GoDaddy. The hacker got past GoDaddy's security measures by calling a support representative on the phone, claiming to be Hiroshima and saying he was having trouble accessing his account. GoDaddy asked for the last six digits of the credit card number on file as proof of identity, which the hacker, remarkably, was able to supply.
How did he do that? Again, with a simple phone call. That first volley at PayPal was no coincidence. According to Hiroshima, the hacker had also called PayPal's support staff and used social-engineering tricks to get a representative to read out the last four digits of the credit card on file. (The details of that conversation have not been published, but it isn't hard to imagine how it went: "Hi, I lost my wallet and don't know which credit card I have linked to my PayPal account. Can you tell me the last four digits you have on file so I know whether I need to change the card on my PayPal account?" Or something like that.)
The hacker then took those four digits and was, amazingly, able to parlay them into the last six. How? According to Hiroshima's account, the GoDaddy support agent simply let the hacker guess the remaining digits, two by two, until he hit the right combination, handing over the keys to the account. The hacker told Hiroshima he had said he'd lost his card but remembered the last four digits, which opened the door to the guessing game. With only two digits unknown there are at most 100 possibilities, and an agent who never cuts off a caller after repeated wrong answers is, in effect, an oracle for a brute-force search. The hacker got it all done in one call.
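To make the weakness in that identity check concrete, here is an added example (not code from PC World, Hiroshima, GoDaddy or PayPal) that models the "last six digits" verification as a simple oracle and runs the attacker's guessing game against it twice: once against an agent who allows unlimited attempts, and once against a check that locks the account after a small number of failures. The card number, the guessing order and the lockout threshold are all constructed assumptions for the illustration.

```python
"""Model of the "last six digits of the card on file" identity check.

Constructed example: the card number is made up (it is not a real PAN), and the
verifier is a model of the check the article describes, not GoDaddy's code.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional, Tuple

# Constructed sample card. Only its last six digits matter to the check.
CARD_ON_FILE = "4111111111778901"


def last_six_matches(guess: str, card_on_file: str = CARD_ON_FILE) -> bool:
    """The check the agent performs: do the caller's six digits end the card on file?"""
    return len(guess) == 6 and guess.isdigit() and card_on_file.endswith(guess)


@dataclass
class Verifier:
    """Identity-check oracle with an optional failed-attempt limit.

    max_attempts=None models an agent who lets the caller keep guessing
    (the situation described in the article); a small integer models a
    policy that ends the verification after that many wrong answers.
    """
    max_attempts: Optional[int] = None
    failures: int = 0
    locked: bool = False

    def check(self, guess: str) -> bool:
        if self.locked:
            return False
        if last_six_matches(guess):
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True  # no further answers are accepted on this call
        return False


def brute_force_last_six(known_last4: str, verifier: Verifier) -> Tuple[Optional[str], int]:
    """Attacker: holds the last four digits (obtained from PayPal) and guesses the
    two digits before them, trying all 100 two-digit prefixes in order (assumed order).

    Returns (recovered_six_digits, attempts) on success, or (None, attempts) if
    the verifier locks before a correct guess.
    """
    attempts = 0
    for a, b in product("0123456789", repeat=2):
        candidate = a + b + known_last4
        attempts += 1
        if verifier.check(candidate):
            return candidate, attempts
        if verifier.locked:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    # Unlimited guessing, as described in the article: the search always succeeds.
    print(brute_force_last_six("8901", Verifier()))
    # Same attacker against a three-strikes policy: locked out almost immediately.
    print(brute_force_last_six("8901", Verifier(max_attempts=3)))
```

The point the model makes is that the secret the agent was protecting had two unknown digits of entropy once the PayPal leak is accounted for, so the only thing standing between the caller and the account was whether anyone counted wrong answers; the lockout threshold is the control, not the six digits.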