
(The Next Web) How poor security practices at PayPal and GoDaddy enabled a man to be hacked for his Twitter account (thenextweb.com)
Tags: Strange, Paypal, Twitter, Twitter account, Echofon, Facebook Messages, Google Apps, customer support, godaddy

Posted to Geek on 29 Jan 2014 at 1:17 PM



49 Comments
 
2014-01-29 11:56:49 AM
Probably because PayPal and GoDaddy are both terrible companies.
 
2014-01-29 11:59:46 AM

change1211: Probably because PayPal and GoDaddy are both terrible companies.


I have nothing to add beyond this. GoDaddy in particular could give two sh*ts about your security. PayPal only cares because they want to maintain some public semblance of a secure bank.
 
2014-01-29 12:56:15 PM
I can think of about a million places where the last 4 digits of a person's credit card number can be retrieved.
I'd hesitate to blame Paypal for giving that info out. Godaddy are the ones who screwed up by taking it as verification.
 
2014-01-29 12:58:51 PM
Some drunk asshole keeps getting into my PayPal account and sponsoring Liters for TF
 
2014-01-29 01:21:53 PM
I don't see any dramatically compelling reasons why Twitter couldn't just step in and fix this.
 
2014-01-29 01:30:17 PM
They both failed but Godaddy's transgression was the worse of the two by far.  There is a very rigid formula for the first 8 digits of a credit card number and so a combination of last four + first two shouldn't be considered enough to validate a customer.  The whole thing would have been stopped dead if someone at Godaddy was doing their job and asked the hacker for the full CC number.
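
The comment above argues that once the issuer prefix is known, "last four" verification leaves very little to guess. The following is an added example, not code from the thread or from any of the companies named in it, that makes the number concrete: it brute-forces the unknown middle digits of a 16-digit card number under the Luhn check and compares the count with the closed form. The prefix, last-four digits and card length used are constructed for the demonstration (the 4111 1111 1111 1111 value is a widely published test number, not a real card), and the example treats every prefix digit as known, which is what a BIN lookup gives an attacker.

```python
"""Added example: how much of a card number is actually secret once the
issuer prefix and the last four digits are known."""
from itertools import product


def luhn_valid(pan: str) -> bool:
    """Luhn check as used for payment card numbers: from the right, double
    every second digit (subtracting 9 when the result exceeds 9) and require
    the digit sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_valid_completions(prefix: str, last4: str, length: int = 16) -> int:
    """Brute-force every filling of the unknown middle digits and count the
    ones that pass Luhn, i.e. the candidates an attacker would have to test."""
    unknown = length - len(prefix) - len(last4)
    if unknown < 1:
        raise ValueError("nothing left to guess")
    return sum(
        luhn_valid(prefix + "".join(middle) + last4)
        for middle in product("0123456789", repeat=unknown)
    )


def expected_valid_completions(known_prefix_len: int, length: int = 16) -> int:
    """Closed form: the Luhn check removes exactly one decimal digit of
    freedom, because the contribution of any single digit to the sum mod 10
    is a bijection whether or not that digit is doubled. So 10**(unknown - 1)
    completions survive regardless of where the unknown digits sit."""
    unknown = length - known_prefix_len - 4
    if unknown < 1:
        raise ValueError("nothing left to guess")
    return 10 ** (unknown - 1)


if __name__ == "__main__":
    for known in (2, 6, 8):
        print(f"first {known} + last 4 known -> "
              f"{expected_valid_completions(known):,} Luhn-valid candidates")
    # Constructed 8-digit prefix and last four, not a real card: 10**4 middles
    # to enumerate, of which 1,000 pass Luhn, matching the closed form.
    print(count_valid_completions("45371200", "4242"))
```

With only the first two digits known there are still a billion Luhn-valid candidates, so "first two + last four" is useless as a guess-resistance measure only in the sense the comment makes: the digits are not secret, not because the keyspace is small. With a six-digit BIN the count drops to 100,000 and with eight known digits to 1,000, which is why the last four should be treated as an identifier, never as a proof of possession.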
 
2014-01-29 01:35:16 PM
Hell, it would even have been resolved if Godaddy kept records of major account information changes over the past 48 hours.  They seriously suck for being a large company whose sole responsibility is to protect the electronic property of their customers.
 
2014-01-29 01:38:28 PM
What I want to know is why there is not a user enabled option for a double or even triple verification process when logging in. I imagine the folks who have a lot of followers/a lot at stake, would gladly embrace this higher level of security.
 
2014-01-29 01:39:21 PM

serial_crusher: I can think of about a million places where the last 4 digits of a person's credit card number can be retrieved.
I'd hesitate to blame Paypal for giving that info out. Godaddy are the ones who screwed up by taking it as verification.


You should blame Paypal heavily.  This should be the number 1 rule taught to EVERYONE.  Don't give info out over the phone unless you initiated the call.

The last 4 digits of your credit card (or SSN) are actually the most unique, hard to figure out parts of either number.  It should not be used so easily.....and I don't know why farking Comcast and other companies require it for a simple call to pay your bill or tell them your cable is out.

Now I tell companies like that I don't have a SSN.

Also, was the obvious tags identity stolen too?
 
2014-01-29 01:47:46 PM

gfid: serial_crusher: I can think of about a million places where the last 4 digits of a person's credit card number can be retrieved.
I'd hesitate to blame Paypal for giving that info out. Godaddy are the ones who screwed up by taking it as verification.

You should blame Paypal heavily.  This should be the number 1 rule taught to EVERYONE.  Don't give info out over the phone unless you initiated the call.

The last 4 digits of your credit card (or SSN) are actually the most unique, hard to figure out parts of either number.  It should not be used so easily ever.


It's idiotic that we're still using last-4 of either as a verification mechanism.  While you're correct in that those are the most unique, they're still simply not private enough to suffice as a verification mechanism. 

The last 4 of my CC  are shown on every email my CC company sends me.  Crack my email password (highly unlikely in my case), you have that information.  Snag a gas station receipt left in the machine?  Hey, there it is again.  That number is farking  everywhere.  They may as well use the last 4 of your phone number.
 
2014-01-29 01:48:41 PM
Because People in power are Stupid: I have nothing to add beyond this. GoDaddy in particular could give two sh*ts about your security.

They care about your security, especially when you're trying to transfer a domain to another registrar.
 
2014-01-29 01:49:31 PM
So the moral of the story is don't make your password password.
 
2014-01-29 01:53:16 PM
I read that as "even though email accounts are free, I use the same one for everything I do online.  So once that's compromised everything I have ever touched is up shiat creek"

Don't rely on others to provide you security.   Use lots of accounts and lots of different passwords.  This is the same shiat that happened to Mat Honan.

Look wired even made a handy chart article that this dude failed to follow:

http://www.wired.com/threatlevel/2012/08/how-not-to-become-mat-honan/

No two factor, linked accounts, and stored CC's  he hit on 3 of the 9 "don't do these things".
 
2014-01-29 01:59:59 PM
DoBeDoBeDo: Look wired even made a handy chart article that this dude failed to follow:

Two things I noted.

2. Use SSL or a VPN with Public Wifi ... When logging into accounts from public WiFis,

Don't log into your accounts from public wifi! At all, ever.

6. Get Creative With Security Questions

Don't use security questions.

// answers security questions with gibberish ... because I don't forget my passwords.
 
2014-01-29 02:09:15 PM

DoBeDoBeDo: No two factor,


Would not have made an iota of difference.  The entire attack was social engineering.  Once you've got the GoDaddy employee punching the keys for you, the only factors that matter are the ones he asks for.  If he'll settle for last-4 (which, as previously noted, is frequently very easy to get), gg no re.
 
2014-01-29 02:12:04 PM
well, you should have sold that account for $50k.
 
2014-01-29 02:29:12 PM
This is why I don't use GoDaddy for anything.
I'm not an animal rights nutter but I'm not going to pay for this jackass's 'safari'.
 
2014-01-29 02:50:16 PM
Huh. I was just thinking of the under-appreciated feature CC companies offer where you can get one-time card numbers to burn and not have to worry about jackholes keeping your card number on file. Went to fetch a few and see:

Unfortunately, the technology on which secure online account numbers are based is no longer available to Discover. Thus, we are unable to continue to offer it to cardmembers. Therefore, please note that effective February 6th, 2014, you will no longer be able to create new Secure Online Account Numbers, and effective March 15, 2014 all existing numbers will no longer be active.

Hello. What the monkey fark is this?!
Apparently Citibank still offers it so I have a card that can use these handy doodads for untrustworthy transactions, but they're assholes so I don't like giving them business if I can help it.
 
2014-01-29 03:03:11 PM

China White Tea: I don't see any dramatically compelling reasons why Twitter couldn't just step in and fix this.


Because Twitter doesn't actually do anything?
 
2014-01-29 03:14:14 PM

lordargent: // answers security questions with gibberish ... because I don't forget my passwords.


I assume you never made a MyPay password for the military.  That shiat is nuts.  Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.

Must be 15 to 30 characters in length
Contain at least two UPPERCASE letters
Contain at least two lowercase letters
Contain at least two numbers (0-9)
Contain at least two of the following special characters:
# (pound or number sign)
@ (at sign)
$ (dollar sign)
= (equal sign)
+ (plus sign)
% (percent sign)
^ (caret)
! (exclamation)
* (asterisk)
_ (underline/underscore)
Must NOT include any spaces

Additionally, passwords will now expire every 60 days. This will require users to change their passwords. Each updated password must change at least four characters from the previous password. It also must not be one of your last 10 passwords.

I mean you are asking for people to write it down.  With what you wrote you better hope you don't forget the password or you're SOL.
 
2014-01-29 03:22:36 PM

TNel: lordargent: // answers security questions with gibberish ... because I don't forget my passwords.

I assume you never made a MyPay password for the military.  That shiat is nuts.  Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.

Must be 15 to 30 characters in length
Contain at least two UPPERCASE letters
Contain at least two lowercase letters
Contain at least two numbers (0-9)
Contain at least two of the following special characters:
# (pound or number sign)
@ (at sign)
$ (dollar sign)
= (equal sign)
+ (plus sign)
% (percent sign)
^ (caret)
! (exclamation)
* (asterisk)
_ (underline/underscore)
Must NOT include any spaces

Additionally, passwords will now expire every 60 days. This will require users to change their passwords. Each updated password must change at least four characters from the previous password. It also must not be one of your last 10 passwords.

I mean you are asking for people to write it down.  With what you wrote you better hope you don't forget the password or you're SOL.


Your address works surprisingly well.
 
2014-01-29 03:37:18 PM
I just don't get why he didn't take the $50k for his Twitter name long ago, especially since it didn't seem to really be doing anything with the account, since @N is showing 154 followers right now. I'm not sure if it dropped after the story went out, or he lost followers during the change, but it's not like he had a big brand he was promoting. Seems kind of silly to leave money on the table like that. If he hadn't been holding on to the name like a Beanie Baby, he'd have been $50k richer and this would have been someone else's problem.
 
2014-01-29 03:42:27 PM

Mad_Radhu: I just don't get why he didn't take the $50k for his Twitter name long ago, especially since it didn't seem to really be doing anything with the account, since @N is showing 154 followers right now. I'm not sure if it dropped after the story went out, or he lost followers during the change, but it's not like he had a big brand he was promoting. Seems kind of silly to leave money on the table like that. If he hadn't been holding on to the name like a Beanie Baby, he'd have been $50k richer and this would have been someone else's problem.


No, he's very active.  Twitter handles are not Twitter accounts.  His current handle is @N_is_stolen.  That's the same *account* he always had.  The other guy simply took the handle.
 
2014-01-29 03:45:41 PM

TNel: I assume you never made a MyPay password for the military. That shiat is nuts. Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.


It's no better in the private sector.

Here's one of our AIX systems:

3004-602 The required password characteristics are:
a maximum of 2 repeated characters.
a minimum of 3 characters not found in old password.
a minimum of 5 alphabetic characters.
a minimum of 1 lower case alphabetic characters.
a minimum of 1 upper case alphabetic characters.
a minimum of 2 non-alphabetic characters.
a minimum of 8 characters in length.

Those expire every 42 days. Gotta change them all tomorrow.

And then the contract company's passwords expire every 30 days and have the same nonsense with them. That's just stupid.
 
2014-01-29 03:49:20 PM

TNel: lordargent: // answers security questions with gibberish ... because I don't forget my passwords.

I assume you never made a MyPay password for the military.  That shiat is nuts.  Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.

Must be 15 to 30 characters in length
Contain at least two UPPERCASE letters
Contain at least two lowercase letters
Contain at least two numbers (0-9)
Contain at least two of the following special characters:
# (pound or number sign)
@ (at sign)
$ (dollar sign)
= (equal sign)
+ (plus sign)
% (percent sign)
^ (caret)
! (exclamation)
* (asterisk)
_ (underline/underscore)
Must NOT include any spaces

Additionally, passwords will now expire every 60 days. This will require users to change their passwords. Each updated password must change at least four characters from the previous password. It also must not be one of your last 10 passwords.

I mean you are asking for people to write it down.  With what you wrote you better hope you don't forget the password or you're SOL.


Wow what a load of worthless shiat.

!!!January_2014 and so on.
 
2014-01-29 03:50:32 PM

DoBeDoBeDo: I read that as "even though email accounts are free, I use the same one for everything I do online. So once that's compromised everything I have ever touched is up shiat creek"


His domain name was taken over to get to his e-mail. Even if he had several addresses for various accounts, as long as they were all from his own domain he'd still be in the same situation.
 
2014-01-29 03:55:40 PM

Shazam999: Wow what a load of worthless shiat.

!!!January_2014 and so on.


You did miss the 2nd capital but I wonder if myPay would take that.
 
2014-01-29 03:57:52 PM

TNel: Shazam999: Wow what a load of worthless shiat.

!!!January_2014 and so on.

You did miss the 2nd capital but I wonder if myPay would take that.


Yup it does, made a slight change and added the 2nd Upper and it does work.
 
2014-01-29 04:01:16 PM

TNel: Shazam999: Wow what a load of worthless shiat.

!!!January_2014 and so on.

You did miss the 2nd capital but I wonder if myPay would take that.


!!!JanuarY_2014
!!!FebruarY_2014

I used to work at a place that had a similar restrictive password policy, dollars to doughnuts most users' passwords ended up being something like "July1998".
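
The MyPay rules TNel quoted, and the "!!!JanuarY_2014" / "July1998" pattern the replies settle on, are concrete enough to check mechanically. This is an added example, not code from the thread or from MyPay: it encodes the quoted composition and rotation rules, confirms that the month-stamped passwords pass them, and then applies the kind of pattern check a defender would add to catch exactly that shape. How MyPay actually counts "changed characters" is not stated in the thread, so the positional count used here is an assumption.

```python
"""Added example: check a candidate against the MyPay rules quoted above and
then flag the calendar-shaped passwords such rules push people toward."""
import re
from typing import List

SPECIALS = set("#@$=+%^!*_")   # the ten characters the quoted policy accepts

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Month name, optional filler (symbols or underscore), then a four-digit year.
CALENDAR_RE = re.compile(r"(?:" + "|".join(MONTHS) + r")[\W_]*(?:19|20)\d{2}",
                         re.IGNORECASE)


def composition_failures(pw: str) -> List[str]:
    """Return the quoted composition rules that `pw` breaks (empty = compliant)."""
    failures = []
    if not 15 <= len(pw) <= 30:
        failures.append("15-30 characters")
    if sum(c.isupper() for c in pw) < 2:
        failures.append("two uppercase letters")
    if sum(c.islower() for c in pw) < 2:
        failures.append("two lowercase letters")
    if sum(c.isdigit() for c in pw) < 2:
        failures.append("two digits")
    if sum(c in SPECIALS for c in pw) < 2:
        failures.append("two special characters")
    if " " in pw:
        failures.append("no spaces")
    return failures


def changed_characters(old: str, new: str) -> int:
    """Positional differences plus the length difference. Assumption: the
    thread does not say how MyPay counts 'changed characters'."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def rotation_failures(candidate: str, history: List[str]) -> List[str]:
    """Composition rules plus the two rotation rules: at least four changed
    characters versus the previous password and not among the last ten."""
    failures = composition_failures(candidate)
    if history and changed_characters(history[-1], candidate) < 4:
        failures.append("at least four characters changed")
    if candidate in history[-10:]:
        failures.append("not one of the last ten passwords")
    return failures


def looks_like_calendar_password(pw: str) -> bool:
    """Flag the 'Month_Year' shape the thread describes, ignoring the
    special-character padding that the composition rules invite."""
    core = pw.strip("".join(SPECIALS))
    return CALENDAR_RE.search(core) is not None


if __name__ == "__main__":
    history = ["!!!JanuarY_2014"]
    for candidate in ("!!!January_2014", "!!!FebruarY_2014", "July1998"):
        print(candidate, rotation_failures(candidate, history),
              "calendar-shaped" if looks_like_calendar_password(candidate) else "")
```

Running it reproduces the thread: "!!!January_2014" fails only the second-uppercase rule, "!!!FebruarY_2014" passes every rule including the four-changed-characters check, and both it and "July1998" are caught by the calendar pattern that the policy itself never looks for.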
 
2014-01-29 04:02:38 PM
Also a very popular PIN is 2431 (christmas eve, new year's eve)
 
2014-01-29 04:10:20 PM
Another security trick I tell people: when you sign up for ANY website, sign up with the bare minimum password they allow, even using "password". Then, as soon as you have your account, immediately follow their "lost/forgot password" procedures. If they send you your password via email, this makes it obvious that they aren't following best practices of password security and are storing it in either an easily decrypted format or plain text...both are bad.
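
Usurper4's probe works because a site that can mail your password back must be keeping something reversible. As an added example, not code from the thread or from any site it mentions, here are the two kinds of store side by side: one that fails the probe, and one that never holds the password at all and can only answer "forgot password" with a random, single-use, expiring reset token. The reset URL, usernames and passwords are constructed for the demonstration; the PBKDF2 iteration count is kept modest so the example runs quickly and should be raised (or replaced by a memory-hard KDF) in production.

```python
"""Added example: what sits behind a 'forgot password' email. A recoverable
store can mail the password back; a hashed store can only mail a reset link."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 100_000   # kept modest for the example; raise for production
RESET_TTL_SECONDS = 900


class RecoverableStore:
    """Model of a site that fails the probe: the credential is stored as
    given, so a database leak or a helpful support rep exposes every password."""
    def __init__(self) -> None:
        self.passwords: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def forgot_password_email(self, user: str) -> str:
        return f"Your password is: {self.passwords[user]}"


class HashedStore:
    """Salted PBKDF2 at rest. Reset tokens are random, stored only as a hash,
    bound to one user, expire, and are consumed on the first redemption attempt
    (so a wrong guess also burns the token and the user must request another)."""
    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}       # user -> (salt, digest)
        self.reset_tokens: Dict[str, Tuple[bytes, float]] = {}  # user -> (token hash, expiry)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self.records:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users
            return False
        salt, digest = self.records[user]
        return hmac.compare_digest(digest, self._derive(password, salt))

    def forgot_password_email(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[user] = (token_hash, now + RESET_TTL_SECONDS)
        # Hypothetical reset URL; nothing here can reveal the old password.
        return f"Reset link: https://example.invalid/reset?token={token}"

    def redeem_reset(self, user: str, token: str, new_password: str, now: float) -> bool:
        entry = self.reset_tokens.pop(user, None)   # single use, removed on any attempt
        if entry is None:
            return False
        token_hash, expires = entry
        if now > expires:
            return False
        if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest()):
            return False
        self.register(user, new_password)
        return True


def token_from_email(email: str) -> str:
    """Pull the token out of the reset link, as the user's mail client would."""
    return email.rsplit("token=", 1)[1]


if __name__ == "__main__":
    leaky, hashed = RecoverableStore(), HashedStore()
    for store in (leaky, hashed):
        store.register("alice", "hunter2hunter2")
    print(leaky.forgot_password_email("alice"))           # the password comes back
    mail = hashed.forgot_password_email("alice", now=0.0)
    print(mail)                                           # only a reset link
    print(hashed.redeem_reset("alice", token_from_email(mail), "new-pass-phrase", now=60.0))
```

The probe in the comment tells you which of these two you are dealing with; the point of the hashed store is that it could not send the password back even if the support desk wanted to, which is the property to look for.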
 
2014-01-29 04:18:37 PM

Usurper4: Another security trick I tell people: when you sign up for ANY website, sign up with the bare minimum password they allow, even using "password". Then, as soon as you have your account, immediately follow their "lost/forgot password" procedures. If they send you your password via email, this makes it obvious that they aren't following best practices of password security and are storing it in either an easily decrypted format or plain text...both are bad.


I have a VERY common gmail account, basically myname[nospam-﹫-backwards]liamg*com  I get all kinds of match.com signups.  Match always sends your username and full password in your signup email.  I go in and change people's stuff all the time.
 
2014-01-29 04:27:37 PM
And all those fancy password rules get defeated by the keylogger employee john x got when he went to that porn site at home and then logged into his email.
 
2014-01-29 04:28:38 PM
Nothing of value was lost.
 
2014-01-29 05:14:06 PM

TNel: lordargent: // answers security questions with gibberish ... because I don't forget my passwords.

I assume you never made a MyPay password for the military.  That shiat is nuts.  Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.


I assume you guys have issues cause the CAC works perfect, so fark the password
 
2014-01-29 05:20:04 PM
I would be on the phone with godaddy and raising a shiat storm.
You GAVE AWAY my domain?

Well prepare to GIVE AWAY a ton of money in the form of a lawsuit.
 
2014-01-29 05:24:59 PM
"You farked up.  You trusted us."

-Joint statement from GoDaddy and PayPal
 
2014-01-29 05:29:42 PM

Honest Bender: I would be on the phone with godaddy and raising a shiat storm.
You GAVE AWAY my domain?

Well prepare to GIVE AWAY a ton of money in the form of a lawsuit.


And they would laugh and ask you what day you're free for an arbitration in front of their hand-picked arbitrator, since you gave up your right to sue as part of agreeing to their T&C/EULA.

"Tuesday. Is Tuesday a good day for you?"
 
2014-01-29 05:42:44 PM

change1211: Probably because PayPal and GoDaddy are both terrible companies.


Done in one.
 
2014-01-29 06:06:20 PM

theresnothinglft: And all those fancy password rules get defeated by the keylogger employee john x got when he went to that porn site at home and then logged into his email.


Also ignores the fact that websites get hacked.  Passwords by themselves are lousy security controls.  And forcing someone to change their password every x days just encourages bad password management.
 
2014-01-29 06:08:46 PM

TNel: Usurper4: Another security trick I tell people: when you sign up for ANY website, sign up with the bare minimum password they allow, even using "password". Then, as soon as you have your account, immediately follow their "lost/forgot password" procedures. If they send you your password via email, this makes it obvious that they aren't following best practices of password security and are storing it in either an easily decrypted format or plain text...both are bad.

I have a VERY common gmail account, basically myname[nospam-﹫-backwards]liamg*com  I get all kinds of match.com signups.  Match always sends your username and full password in your signup email.  I go in and change people's stuff all the time.


One of my junk accounts is on Apple's icloud service that uses a very common japanese name.  Not only do I get a password reset requests every couple of days - I get signups for every damn thing that involves tentacles.
 
2014-01-29 06:48:06 PM
Go Daddy is awful. If you use them I don't feel bad for your heartache.
 
2014-01-29 07:21:04 PM

China White Tea: I don't see any dramatically compelling reasons why Twitter couldn't just step in and fix this.


Well for one... for all you know, the author of the article is the hacker, not the hackee.... just because someone says his info was stolen doesn't mean it's true.
 
2014-01-29 07:36:29 PM

T.rex: China White Tea: I don't see any dramatically compelling reasons why Twitter couldn't just step in and fix this.

Well for one... for all you know, the author of the article is the hacker, not the hackee.... just because someone says his info was stolen doesn't mean it's true.


True, I didn't think of that.

It's too bad that like.. the author isn't an extremely well known user with 10s of thousands of followers, and that Twitter doesn't keep any logs of who has had what handle and such.
 
2014-01-29 07:40:43 PM
And all sarcasm aside, the fact that the @N account has since been disabled makes my original comment the very likely final outcome of this scenario.

Twitter can trivially verify the story and the notion that someone might try to "hack" a Twitter account, publicly, using his real and verifiable real-world identity is uh...well, y'know.  

Most likely they'll do some due diligence to cover their asses and revert the theft.
 
2014-01-29 09:50:59 PM
You'd be amazed at what you can get by calling up almost any customer service line with the last four of a social.

If it's a business, and you figure out their federal EIN, you can get access to any of their merchant accounts, if you have the address and DBA.
 
2014-01-29 10:04:05 PM
Sounds like the sex.com fiasco all over again only this time it's GoDaddy who screwed the pooch instead of Network Solutions.  NetSol wound up losing the subsequent lawsuit to the tune of millions of dollars.  Perhaps a similar lawsuit against GoDaddy would cause them to sit up and take notice.
 
2014-01-29 10:17:40 PM

TNel: Usurper4: Another security trick I tell people: when you sign up for ANY website, sign up with the bare minimum password they allow, even using "password". Then, as soon as you have your account, immediately follow their "lost/forgot password" procedures. If they send you your password via email, this makes it obvious that they aren't following best practices of password security and are storing it in either an easily decrypted format or plain text...both are bad.

I have a VERY common gmail account, basically myname[nospam-﹫-backwards]liamg*com  I get all kinds of match.com signups.  Match always sends your username and full password in your signup email.  I go in and change people's stuff all the time.


Holy crap, I have a gmail account with a dictionary word which I don't use too often, and yeah, I just checked and there's a ton of match.com email in "promotions".

Looks like I might have some fun when time permits a bit later!
 
2014-01-29 11:04:41 PM

TNel: lordargent: // answers security questions with gibberish ... because I don't forget my passwords.

I assume you never made a MyPay password for the military.  That shiat is nuts.  Every 60 days you have to change it, has to be like 18 characters.... here it has to be seen to be believed.

Must be 15 to 30 characters in length
Contain at least two UPPERCASE letters
Contain at least two lowercase letters
Contain at least two numbers (0-9)
Contain at least two of the following special characters:
# (pound or number sign)
@ (at sign)
$ (dollar sign)
= (equal sign)
+ (plus sign)
% (percent sign)
^ (caret)
! (exclamation)
* (asterisk)
_ (underline/underscore)
Must NOT include any spaces

Additionally, passwords will now expire every 60 days. This will require users to change their passwords. Each updated password must change at least four characters from the previous password. It also must not be one of your last 10 passwords.

I mean you are asking for people to write it down.  With what you wrote you better hope you don't forget the password or you're SOL.


Christ, this x1000. I'm so glad I don't have to use that system anymore, but I still fall back to the creation method when a website complains that my lowest level passwords are too weak. I'm like 'Fine, fark you, have fun brute hacking this one'.

arcas: Sounds like the sex.com fiasco all over again only this time it's GoDaddy who screwed the pooch instead of Network Solutions.  NetSol wound up losing the subsequent lawsuit to the tune of millions of dollars.  Perhaps a similar lawsuit against GoDaddy would cause them to sit up and take notice.


... There is not a phrase which conveys how strongly I wish that would happen to GoDaddy. They bought Outright (the accounting app I use for my business) and it went from 'somewhat buggy in beta but with amazing customer service' to 'still just as buggy at full price and holy shiat you call this customer service'?

Plus it's a stupid name for a company and their ads are just trash.

/yes, I am bitter
//you would be too for the failure of accounting...
 