
GoDaddy Updates Its User Protection Policies - derpenxyne
http://techcrunch.com/2014/02/01/godaddy-updates-its-user-protection-policies-in-wake-of-infamous-twitter-account-extortion/
======
aspensmonster
If account ownership verification is your concern, then the digits of a credit
card offer relatively little assurance. Fun story: I used to work for a
company that utilized the last four of a CC on file for verification. They
also let anyone pay an outstanding balance without needing to otherwise
verify, and kept the last four of the card on file. So...

------
rhizome
Oh heck, let's just verify on the whole card number. Apparently GoDaddy's CSRs
have access to it such that management can just arbitrarily increase the
number of digits to check.

Not reported: whether PayPal will also increase the number of digits they hand
out via social engineering.

~~~
Zenst
That is not only a valid point, but a major one upon many levels. I would have
thought storing the credit card in full (double eek if they also store the
3-digit security code) would be against the PCI compliance guidelines.

I'm aware if the customer gives permission (repeat customer) is an exception.
Though in these situations if it is proven that access was your company's
fault then you are liable. Which in this situation, whilst no charge to the
credit card (we are aware of) was made. The lapse of security did have
financial repercussions.

------
Zenst
Fair play for GoDaddy addressing this issue, though I do wonder if the issue
was not as vocalised publicly how long it would have taken to address. We may
never know, and it changes nothing in the past.

What I don't know is how this affects the original user who lost their @N
twitter account.

    
    
        Did he get it back?
        Has GoDaddy, now respectfully owning up to their oversight, made any offer to restore things and/or compensation?
    

So far so good, but still missing the happy ending we all want to see for the
user.

~~~
JAFTEM
He hasn't gotten it back, but the attacker is no longer in possession of that
handle having deleted the account. The handle was then apparently unavailable
to take [0], but some time later Twitter allowed some random user to pick up
the handle as you can see by visiting @N now.

[0]
[https://twitter.com/N_is_stolen/statuses/428679789491138560](https://twitter.com/N_is_stolen/statuses/428679789491138560)

~~~
Zenst
Seems the ball is in Twitter's court now.

Nice update from GoDaddy linked there:
[http://uk.godaddy.com/news/article/godaddy-statement-re-n-is...](http://uk.godaddy.com/news/article/godaddy-statement-re-n-issue.aspx?7348443=1)

Much respect to GoDaddy, certainly handling it well and being honest and
upfront.

