Attackers do not always need an advanced knowledge of technology, networks, coding and malware to get what they want – sometimes all it takes is a little intuitive social engineering. Just ask Naoki Hiroshima, the creator of the Cocoyon app and developer for the Echofon Twitter client application.
Hiroshima recently relinquished to an attacker a prized possession that he owned since 2007: a very rare Twitter username – @N – so coveted that not only have people tried to steal it before, but one person even offered $50,000 for it.
However, it was not Hiroshima who was fooled by social engineering into giving up the goods. That honor may very well go to GoDaddy (which hosted domains belonging to Hiroshima that he used for email purposes, among other reasons) and PayPal, since it was a lapse in information security on their part that allowed the attacker to gain some leverage over Hiroshima.
All it took was some simple social engineering tactics – such as pretending to be a PayPal employee – and the attacker was eventually able to compromise Hiroshima's GoDaddy web domains, as well as his Facebook account. In the end, that attacker obtained the Twitter username from Hiroshima through extortion.
Hiroshima was presented with a deal. He could do nothing and run the risk of never seeing his accounts again, or he could give up the Twitter handle and get his accounts back untouched, as well as find out exactly how the attackers were able to carry out the elaborate scheme and what to do to prevent it from happening again.
“I called [PayPal] and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling [PayPal] and asking the agent to add a note to your account to not release any details via phone),” the attacker wrote to Hiroshima.
The attacker continued, “I called [GoDaddy] and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten [GoDaddy] account security, however if you'd like me to recommend a more secure registrar [I] recommend: NameCheap or eNom (not network solutions but enom.com).”
In a post outlining the entire incident that began for Hiroshima on Jan. 20, Hiroshima said he found it appalling that PayPal would give card information over the phone and that GoDaddy would allow the attacker numerous attempts to guess two numbers to verify the account.
“[Entities such as GoDaddy and PayPal] should stop using credit card numbers to verify users,” Hiroshima told SCMagazine.com on Wednesday. “And also, if somebody tries to revert to the last update immediately after the change has happened, it should be taken as a security signal and revert immediately.”
Johannes Ullrich, Dean of Research with the SANS Technology Institute, and Lance Spitzner, an instructor with the SANS Institute, both told SCMagazine.com on Wednesday that there was very little that Hiroshima could actively have done to prevent the incident from happening.
Entities, such as GoDaddy and PayPal, should not use public information, such as the last four digits of a card number, as verification, Ullrich said.
“The authentication of an account is only as secure as the least secure system it depends on,” Ullrich said. “Overcoming two-factor authentication via password reset procedures – that don't require two factor authentication – is a common problem and hard to avoid due to user acceptance and cost.”
Hiroshima said that while he hopes Twitter is investigating the issue, for now, his beloved Twitter username is gone.