A harrowing tale has emerged about how Twitter user Naoki Hiroshima lost his Twitter account @N.
In a detailed and dramatic post on blogging site Medium, Hiroshima explains how an attacker was able to steal the @N Twitter handle from him. The attack wasn’t a simple one-layer exploitation; there was no hacker guessing that Hiroshima’s Twitter password was “123456.” Rather, this was a sophisticated multilayer attack that only worked because of human failure.
What happened is an attacker was able to get control of Hiroshima’s domain name where he received his email. Many Web services use email as a way to verify users as well as the way in which passwords can be reset if lost or forgotten.
Twitter, to its credit, did not send the password reset via email to Hiroshima’s compromised email address, but the long story short is that he still lost the @N account. Hiroshima was forced to negotiate with his attacker and ended up giving up the @N account in order to get back his domain names.
The most interesting part of the story is what comes next. Hiroshima actually got his attacker to explain how the domain compromise happened. The gist of the story is that the attacker was able to trick Hiroshima’s domain registrar GoDaddy.
GoDaddy’s phone representatives allegedly asked for Hiroshima’s credit card information as a form of verification. How the attacker got the credit card information is truly shocking. First, the attacker was able to get the last four digits from PayPal. Then the attacker was allowed to guess the first two digits of the credit card with the GoDaddy phone representative, which got the attacker access.
So what really happened here?
This is somewhat reminiscent of the attack in 2012 against Wired writer Mat Honan’s iCloud account. In that attack, social engineering by way of phone calls was able to get an attacker access to an Apple account.
In this case, once again human verification is the weak link, and it was a human who was tricked into giving up information. The fact that an attacker was allowed to guess a credit card number is simply inexcusable.
On Twitter, the official @GoDaddy account tweeted: “Thanks to all of you who alerted us to an issue that’s affected @N_is_stolen. We take this very seriously & are looking into the situation.”
While I’m a strong advocate of two-factor authentication and end-to-end encryption, this case is terrifying because the truth is that those technologies would not have saved @N. The domain is a key form of identification online today, and if a domain registrar can be tricked, users will be at risk.
One possible solution that the Hiroshima story highlights is to use a public email provider such as Google Gmail (with two-factor authentication) instead of using a custom domain. Attackers are less likely to get control of a domain from Google.
The larger question here is, what constitutes a proper form of identification in the modern era that can’t easily be guessed or socially engineered by an attacker? In this case, a credit card guess was used, but should domain registrars require other information that is unique and not shared on multiple sites? Perhaps a driver’s license on one or even just something that the user chooses as a personal token. The bottom line is there needs to be more rigor in verifying user identity.
Just as was the case after the Honan incident in 2012, I suspect that GoDaddy and other domain registrars will re-evaluate their phone policies to reduce risk. The simple reality, though, is that humans will always be fallible, and the need for reset mechanisms will also always be there too.
Incidents like this, however, help us all recognize the weakest links in our online security, and that’s a good thing. I see the @N story as a cautionary tale to us all, and hopefully it will also serve as a driver for vendors to re-enforce the human element as much as possible.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.