@N Twitter Extortion Attack: GoDaddy Admits Hacker’s Social Engineering Led It To Grant Account Access

There’s been a recent story circling the web regarding an extortion scheme engineered by a hacker against the owner of a highly sought-after Twitter handle, @N; a handle that has brought its owner, Naoki Hiroshima, offers of as much as $50,000. Hiroshima originally wrote a post on Medium that described the attack in great detail, leading to the eventual conclusion that a hacker had extorted him for control of the handle by taking control of his GoDaddy account.

The hacker claims to have accomplished this via social engineering on phone calls: to PayPal, to learn Hiroshima’s personal information, and to GoDaddy, to acquire control of the hosted websites. PayPal has since denied that it gave out the personal information, while GoDaddy admitted that it allowed Hiroshima’s account to be reset over the phone even though the attacker only knew “a large portion” of the normally required information.

While there’s no way to verify all of the details of how the hack was done, the fact that Hiroshima was successfully targeted via some form of social engineering attack seems clear. This is all too common and it’s appalling how easy it is to gain access to your information or digital accounts with a simple phone call to these companies. Most companies’ security precautions are only as strong as the call center worker who has the ability to access, reset, or change your account. Given how often this has happened and the amount of publicity involved, you would think companies would put greater safeguards on how accounts can be accessed over the phone.

One of the themes I think will be big this year is privacy/security. While it’s hard to see how problems like this one can be solved without the affected companies themselves beefing up their security procedures, there may be opportunities here. I can see services such as easy one-time card generation, (real or physical) address forwarding/anonymizers, or even something as simple as an app that helps you make use of the best existing security features at each of your major accounts having a role to play here.