Members of national assemblies and governments of states; Members of international courts; University rectors; professors of social sciences, history, philosophy, law and theology; directors of peace research institutes and foreign policy institutes; Persons who have been awarded the Nobel Peace Prize; Board members of organizations that have been awarded the Nobel Peace Prize; Active and former members of the Norwegian Nobel Committee; Former advisers to the Norwegian Nobel Committee
Most of those are fairly small groups; but "Members of national assemblies and governments of states" is a pretty big chunk of people, and "professors of social sciences, history, philosophy, law and theology" is a simply enormous group of people.
As a result, nominations are very meaningless; any third-rate history or sociology prof at some podunk community college can nominate someone if they have a mind to, and all sorts of people get nominated, often as a lark or to prove a point. I believe Bush was nominated repeatedly, for example. (Well...nominations are secret, but I know of people who have the ability to nominate, and claimed to have done so, and I don't see why they'd bother to lie, so...)
So yes, Snowden was nominated (well, unless these politicians are lying). Honestly, he was probably nominated dozens of times. This isn't news. Also, a couple of left-wing Norwegian politicians like Snowden. Also not news. :) The only real news here is if he wins...
Credit card numbers are not secure. Therefore, they should not ever be accepted as authentication. Especially only 6 digits of it! This is by far the most shocking part of this story. As if I needed another reason to despise GoDaddy.
[Edited to add] I would sure love to see a scarlet letter list of companies which allow such practices, so I can never use them.
Then I can come back here and post nasty comments about squatters.
PayPal gave the attacker the last four digits of my credit card number over the phone
That person should lose their job if it is not PayPal policy.
I really hope by some small chance the person that did this gets some serious prison time, if not for this then anything else prior or down the road. Then maybe one of those mornings they wake up in prison they can ponder if it was all worth it.
Is there any possible rationale for PayPal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.
And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.
I pay Twitter nothing, and yet the service is valuable to me. So instead of continuously crippling the service in the name of goodness knows what, why not actually charge users for a premium experience? Things like customer service that works, a gold member status flag, controls on swapping account ownership, analytics and so on. Offer 3 paid levels - personal, business and corporate - and obviously keep the free level forever. Once revenue comes from customers, then perhaps it will help in understanding that while other revenue might be larger, the true value of Twitter is derived from the community.
Anyhow, if any of them actually comply with ISO 9001, it is possible to audit previous data to establish the true identity of the owner on some arbitrary date before any of this happened.
Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.
Also considering closing my paypal account now.
It still works if you find an expired domain name, register the domain name and then do the whole password-reset procedure. Might be cheaper to buy a 6 digit number on eBay though :)
It seems like if he'd had 2FA turned on with GoDaddy, this may not have happened. So rather than use @gmail.com addresses to register for things, as he recommends, just turn on 2FA with your provider. And if your provider doesn't support it, leave them and tell them why.
The admonition to use a @gmail.com address was annoying enough that I actually put up a response blog post just on this point: https://konklone.com/post/protect-your-domain-name-with-two-...
This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.
Sigh. I use Google Apps exactly so that I have control over the domain and am not subject to the good will of Google. I had never thought of this particular problem. Now I don't know what to do.
If that hadn't happened, he'd still have his twitter account.
>If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.
Just google and the NSA then. Also, Gmail has an exposed password reset and social-engineerable support. A server running Postfix/Exim doesn't.
I'd consider a domain with a good registrar far more secure than google.
Using an unusual/unknown address for account validation mails (maybe with forwarding of other communications) probably would make sense, though. And/or sites coming up with a better account-recovery procedure, perhaps outsourced to a startup.
There's probably a market for a super-secure email address for account login mails, but that isn't a free gmail account.
There doesn't appear to be any way to contact Twitter about this.
Shortly after, I received a second email "Welcome to Twitter, <username>"
Going to: https://support.twitter.com/forms/impersonation
..and selecting "Someone is using my email address without my permission." tells me to submit a general support ticket. That's fine except none of the general categories has anything to do with this problem and choosing "My issue is not in the list" simply redirects me immediately to the root support page. I submitted a ticket with a different topic and have not heard back from them in a week and expect I never will.
Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).
Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.
So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.
So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.
I've had two users offer to buy my username.
He might have been able to get it back if it was his trademark or even name that he lost and not some witty username.
The first few digits of card numbers refer to the provider (Visa, Amex, etc) [0]. Given that Paypal gave the last four digits of the card, I'm surprised they wouldn't give out the provider as well, so guessing this would be even easier.
[0] https://github.com/stripe/jquery.payment/blob/master/src/jqu...
http://www.fbi.gov/about-us/investigate/cyber
http://www.ic3.gov/default.aspx
"Not accepting an offer of $50K for a twitter username I didn't use" doesn't really count...
a) Two Factor should be mandatory and as soon as it is, any representative of the company MUST insist that a reset cannot be done over the phone. It should be highly suspicious if someone comes up and says "Hi, I lost my email account access AND my phone so could you please reset my password via phone now?"
b) If not Two Factor, the security questions should also be mandatory. No other "data" like past addresses or cc numbers should suffice to reset over the phone if the person doesn't know the answers to all security questions.
And, speaking of these questions, of course they should be stuff that you know and cannot be "guessed" by anyone who is able to read your Facebook page or similar. Maybe even some nonsensical thing like "Favorite Food" - "Horse Droppings". As long as you remember this, nobody should be able to "hack" that over the phone. Even if you go on and on on Facebook about how you "could eat your way through a giant bowl of pasta you love it so much".
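The comment above argues that card digits should never suffice for a phone reset, and an earlier comment notes that the leading digits of a card number identify the network, so knowing the last four (handed out by PayPal) leaves very little to guess. The following is an added example written for this page; it is not code from the original thread, Twitter, GoDaddy or PayPal. It models the "first two plus last four" check with a small Python verifier and shows the attacker's guess budget with and without the brand known, and what a simple attempt limit does to it. The brand prefix table follows the public leading-digit rules of the four major networks; the card on file (first two digits 45, last four 1234), the attempt limits and the lockout policy are constructed for illustration.

```python
"""
Added example, not code from the original thread, Twitter, GoDaddy or PayPal.
It models the check the thread describes: a verifier that accepts the first
two and last four digits of a card on file, with the caller already holding
the last four from another source.  The brand prefix table uses the public
leading-digit rules of the major card networks; the card on file, the
attempt limits and the lockout policy are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Public leading-digit (IIN) rules for the major networks, written as the
# shortest prefix that identifies the brand.  Only the first two digits
# matter for the check being modelled here.
BRAND_PREFIXES = {
    "visa": ["4"],
    "mastercard": [str(n) for n in range(51, 56)] + [str(n) for n in range(22, 28)],
    "amex": ["34", "37"],
    "discover": ["60", "64", "65"],
}


def candidate_prefixes(brand: Optional[str] = None) -> list:
    """Two-digit prefixes a card could start with.

    With the brand known the list is that brand's own prefixes; with
    brand=None it is the union over all brands, i.e. the search space when
    the helper on the phone gives out the last four digits but not the
    network.
    """
    brands = [brand] if brand else list(BRAND_PREFIXES)
    out = set()
    for b in brands:
        for p in BRAND_PREFIXES[b]:
            if len(p) >= 2:
                out.add(p[:2])
            else:  # one-digit rule such as Visa's "4": any second digit works
                out.update(p + str(d) for d in range(10))
    return sorted(out)


@dataclass
class CardFragmentVerifier:
    """The support-desk check: match on first two + last four digits.

    max_attempts=None reproduces the unlimited guessing the thread describes;
    a small limit with lockout is the minimal fix.
    """
    first_two: str
    last_four: str
    max_attempts: Optional[int] = None
    attempts: int = 0
    locked: bool = False

    def check(self, first_two: str, last_four: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        ok = (first_two, last_four) == (self.first_two, self.last_four)
        if not ok and self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return ok


def brute_force(verifier: CardFragmentVerifier, known_last_four: str,
                brand: Optional[str] = None) -> Optional[str]:
    """Attacker holding the last four digits tries every plausible prefix.

    Returns the prefix that passed, or None if the verifier locked first or
    no candidate matched.
    """
    for prefix in candidate_prefixes(brand):
        if verifier.check(prefix, known_last_four):
            return prefix
        if verifier.locked:
            return None
    return None


def demo() -> dict:
    """Constructed card on file: a Visa whose first two digits are 45."""
    results = {}
    for label, limit in (("unlimited", None), ("three_strikes", 3)):
        v = CardFragmentVerifier("45", "1234", max_attempts=limit)
        results[label] = {
            "prefix_found": brute_force(v, "1234", brand="visa"),
            "attempts": v.attempts,
            "locked": v.locked,
        }
    return results


if __name__ == "__main__":
    for brand in (None, "visa", "mastercard", "amex", "discover"):
        print(f"{brand or 'brand unknown':<14} {len(candidate_prefixes(brand))} prefixes to try")
    print(demo())
```

With the brand unknown the whole search space is 26 two-digit prefixes; once the brand is known it shrinks to between 2 (Amex) and 11 (Mastercard). Against a verifier with no attempt limit the constructed Visa card falls on the sixth guess; with a three-strike lockout the same attacker is locked out before reaching it. The point is not that a lockout makes card fragments a good credential, but that a phone process which re-prompts indefinitely turns a six-digit "secret" into a handful of guesses.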
Makes me happy that companies are moving towards text authentication since emails are easy (or at least well practiced) to compromise.
Note: Time to change the Time To Live values on my MX records and up my security.
Also if account data is changed they MUST keep a log of what your data was before. At least anything beside passwords.
I've heard people go on about how Google (and I suppose other corporations) are evil, and how they are rolling their own custom mail solutions etc. It's times like these that people lose important things.
Also, I really don't understand why US companies must store credit card details. I understand the convenience, but there's been a lot of security compromises to let this practice continue. In South Africa online retailers don't store CC info, yet we aren't being brought to our knees by inconvenience.
At least the attacker mentioned his methods, so GoDaddy and PayPal can educate their staff better.
How we make sure that you don't lose your $50,000 Twitter username: http://ow.ly/t4yR8 $5.99 domain transfers with code BYEBYEGD
[1] https://twitter.com/Namecheap/status/428555697882935296
Follow us at @N on twitter.
Looks like a typo. Imparts zero cred since 99.999% of people will not take your ability to "possess" a short twitter account name as helpful for whatever else you may be trying to do.
As far as the "Sorry I am so technically gifted. Let me tell you what you should do to prevent me next time..." thing, what kind of cartoon caper is this?
... there has got to be a multi-stage process for authentication that does NOT use any CC or SSN. Of course, the responsibility lies with the account owner for maintaining passwords/authentication information.
If you lose the information, no way to recover it.
I say this because it seems (again, I'm not an expert) that these thieves use social engineering mostly in the "data recovery" stage of the process.
The only way to tighten that from my perspective is to put maximum responsibility on the account owner to keep their logins, passwords (again, for multi-stage authentication), and such on hand. Don't have a need to recover your info, and others can't use the recovery process to get to your account.
I guess it wouldn't be a perfect scenario but... this, or lose @N.
I am sorry to hear there are companies allowing these practices, though... sad.
Good developers understand how critical it is to handle authentication and password storage well. It can be a complicated thing and is very easy to screw up.
But all that goes out the window when somebody calls the support line. There needs to be just as much scrutiny placed on over the phone authentication as there is within an application. The problem is likely that those over the phone patterns/anti-patterns are not well documented and available.
That meant that anyone using SMS via AT&T for two-factor auth was vulnerable.
The extra layer of security is only enabled if you call AT&T and ask them to further protect your account from future changes.
He may say that he has left them alone, but you have no chance of knowing.
$50k is hardly worth such a bold crime with no exit strategy.
However. If someone were to steal a physical asset in order to extort something else out of me I would go immediately to the police. I'd have thought I'd do the same if the assets involved were digital.
I've no idea if a criminal offence was committed in whatever jurisdiction this happened. But I'd have thought extortion is illegal in many parts of the world?
Twitter added two-factor authentication back in May. If you're so constantly under attack that you ignore important emails, at least add phone authentication.
You might want to read the post before you comment. He willingly gave the twitter to the hacker.
btw, @! google search returns 0 results. interesting... hmm, twitter apparently allows alphanumeric handles only...
http://pastebin.com/g7R6Ren2
what sane person doesn't call the FBI when an attacker blatantly commits fraud against them, admits to it, and then commits extortion based on the successful fraud? Furthermore, what kind of attacker explains how they attacked? That's ludicrous.
this has got to be some kind of roundabout way of advertising for the various competitors of godaddy mentioned in the post.