
Jb’s story about how he nearly lost his Twitter handle - robin_reala
http://d.pr/n/KUMK
======
da_n
It amazes me that this type of social hack still works so successfully. I can
understand Kevin Mitnick's success back when he was a hacker, but surely the
industry should have learnt by now. Resetting a user's credentials should be
treated like changing all the locks on their house. If the user cannot verify
their account credentials and is crying over the phone, at least implement a 7
day delay and grace period before the reset takes effect, send emails that
notify the current email address, etc., or even send a PIN to their postal
address. I know these are not ideal security either, but at least there would
be some grace period.

~~~
sp332
Phone companies really have learned from Mitnick. For example, if you call an
operator, they absolutely will not tell you what number you called from.

~~~
imroot
That's not completely true.

If you're in an old Ameritech area in Ohio, pick up the phone, dial '0' and
when the Operator comes on, say:

"OBT-125, please read number on display."

You'll get the NPA-NXX-XXXX read out to you and she'll tell you to have a good
day. As of three years ago, you could call any of the embarq/sprint area
operators in Ohio/Kentucky and just say, "ID Me."

Phone phreaking is still alive, but it's not as common as it once was.

~~~
ehPReth
What does 'OBT-125' signify/mean?

~~~
imroot
OBT stands for Ohio Bell Telephone, and "125" is the job/billing code for a
line splicing/Frame/Switch person.

------
dcaunt
I think a lot of it comes down to this:

"4. Some of the biggest companies in the world have security that is only as
good as a minimum-wage phone support worker who has the power to reset your
account. And they have valid business reasons for giving them this power."

~~~
jtheory
It could be greatly mitigated by automating that power more.

E.g., "No problem, I can reset your password! The system will automatically
contact your registered phone number and email address -- if you confirm both,
it resets now, and if you can't, it will send the reset to your new email 3
days from now."

~~~
eric_the_read
Now all an attacker has to do is wait for me to go on a cruise, or camping
trip, or basically take any action which means I'm out of communication for a
week or more.

~~~
coldpie
It's a change from near-zero security like now, to having to know your
routine, travel, and communication plans. Perfect? No, but what is?

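The automated flow jtheory sketches above (confirm via both registered channels and the reset happens at once, otherwise it goes through after the grace period), including the unreachable-owner window eric_the_read objects to, modelled as an added example that is not code from any commenter or from the services discussed; the three-day grace period, the `run_scenario` helper and every address, number and timestamp are assumptions or constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(days=3)   # hypothetical value, from the "3 days from now" in the comment

@dataclass
class ResetRequest:
    account: str
    new_email: str                  # where the caller wants the reset sent (untrusted)
    requested_at: datetime
    email_confirmed: bool = False
    phone_confirmed: bool = False
    cancelled: bool = False
    outcome: str = "pending"
    notices: list = field(default_factory=list)   # (channel, destination, message) to deliver

class ResetWorkflow:
    """Support-initiated reset that challenges the contacts on file, never the caller."""

    def __init__(self):
        self.pending = {}           # account -> ResetRequest

    def request_reset(self, account, registered_email, registered_phone, new_email, now):
        req = ResetRequest(account, new_email, now)
        # Challenges go only to contact details already on file; each carries a
        # cancel option so the real owner can stop a request they did not make.
        req.notices.append(("email", registered_email, "confirm-or-cancel"))
        req.notices.append(("sms", registered_phone, "confirm-or-cancel"))
        self.pending[account] = req
        return req

    def confirm(self, account, channel):
        flag = {"email": "email_confirmed", "sms": "phone_confirmed"}[channel]  # KeyError on bad channel
        setattr(self.pending[account], flag, True)

    def cancel(self, account):
        self.pending[account].cancelled = True   # from either registered channel; overrides everything

    def evaluate(self, account, now):
        """Decide the request at `now`: cancelled, reset-now, reset-after-grace or pending."""
        req = self.pending[account]
        if req.outcome != "pending":
            return req.outcome      # already decided; never resend a reset link
        if req.cancelled:
            req.outcome = "cancelled"
        elif req.email_confirmed and req.phone_confirmed:
            req.outcome = "reset-now"
        elif now - req.requested_at >= GRACE_PERIOD:
            req.outcome = "reset-after-grace"   # owner unreachable: the window eric_the_read objects to
        if req.outcome.startswith("reset"):
            req.notices.append(("email", req.new_email, "reset-link"))  # only ever sent once decided
        return req.outcome

def run_scenario(confirm_channels, cancel, hours_elapsed):
    # Drive one constructed request end to end; returns (outcome, notices sent).
    wf = ResetWorkflow()
    t0 = datetime(2014, 1, 29, 9, 0)    # constructed timestamp
    wf.request_reset("jb", "jb@example.com", "+15550100", "new-address@example.net", t0)
    for ch in confirm_channels:
        wf.confirm("jb", ch)
    if cancel:
        wf.cancel("jb")
    outcome = wf.evaluate("jb", t0 + timedelta(hours=hours_elapsed))
    return outcome, wf.pending["jb"].notices
```

Note that the reset link to the caller's new address is never queued while the request is pending or cancelled, so an owner who sees either notice in time can stop the takeover; an owner who is out of contact for the whole grace period cannot.
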
------
danso
> _He then called Amazon with what little information he had gained and cried
> that he had lost his password and didn’t have access to that email address
> anymore. The representative caved and reset the password over the phone
> giving him full access to my Amazon account. His plan was to then gain as
> much information he could with Amazon (last four of credit card numbers,
> current and previous addresses, etc…) and use that as ammunition to do the
> same thing with Apple. And it worked. He had an email in his gmail inbox
> with instructions on how to reset my iCloud account._

Whatever you think of the state of cybersecurity in terms of encryption,
implementation, and user-interface (including 2-factor authentication)... it
doesn't seem that the protections against social engineering have developed at
the same pace as the increasing ease of accessing public records.

~~~
logicallee
> Whatever you think of the state of cybersecurity in terms of encryption,
> implementation, and user-interface (including 2-factor authentication)... it
> doesn't seem that the protections against social engineering have developed at
> the same pace as the increasing ease of accessing public records.

Yep. Around the same time I started using a randomly generated 24 digit
alphanumeric password generated with an offline computer, I noticed a twin
person who looked nearly the same as me nearly started living in my apartment,
and asking an awful lot of questions about our supposedly shared childhood,
wanting to "catch up".

It was certainly nice suddenly having a twin, but it wasn't until he suddenly
disappeared three years later that I realized I should have been just as wary
about social engineering as I was about my encryption.

~~~
lifeisstillgood
I am not sure I get this....

Did your brother move into your apartment? Did you imagine a friend? Are you
being sarcastic in a way I have missed?

~~~
logicallee
Third (sarcasm). I don't think the bar with social engineering has moved
NEARLY as much as cyber security has. It's practically impossible to keep a
computer secure, but very easy not to be duped by strangers on a social level.

~~~
mcintyre1994
What if the people getting duped to give away your account are minimum wage
call centre workers who'd probably like you off the phone ASAP? You're a
genius who'd never get scammed like this, fine, but you're not the weakest
link here.

------
eik3_de
Another bad habit is those "security questions". For me, the only proper way
to deal with this is to have your mother's maiden name or pet's name be cy4nEp7UtNsz
and save that (along with the question title) in your (properly backed up!)
password safe.

~~~
privong
> and save that (along with the question title) in your (properly backed up!)
> password safe.

To be fair, this could render the security question useless. If you lose the
password (by losing the password safe), you've also lost the answer to the
security question. So a properly backed up password safe renders a security
question pointless (or the answers to the security question should be stored
in a separate, equally secure, location).

~~~
randallsquared
Security questions are already useless. What's my first pet's name? Depending
on the day, I might have any of three or four answers; I'm unlikely to
remember which pet was first, 30-35 years ago, _even if I think I can_, since
if you ask me in a month, I might be just as confident the other way! Given
the uncertainty, I might well decide that the best answer is a later pet I
remember better, but then which one is that?

I remember the names of exactly two teachers from high school, today, but only
because I was discussing something about them with someone else who remembered
over Christmas. My mother's maiden name is spelled differently on her birth
certificate and death certificate, so I can't tell which one future me might
use after forgetting a password.

Recently, I've noticed a trend of having 6 or 8 fixed security questions to
choose 2 or 3 from, _none of which actually apply to me in a reliable way_.

There's really no other solution but to treat them as an additional password
field.

~~~
taeric
Strictly speaking, they do have one benefit. If someone steals your password,
there is really no way to know. If they reset your account with a security
question, you'll know as soon as you access.

Still pretty terrible, though.

------
steven2012
The problem is that different companies have different protocols on what
information they use to identify users, etc, and hackers are getting smart
enough to connect various partial information to get full information on a
user.

Every single customer-facing company needs to have STANDARDIZED
security/information protocols. This includes taking in same information, and
only giving out the same information. This should solve this problem.

~~~
erichurkman
Even with standardized security protocols, you will still have issues with
undertrained/underpaid customer support agents working to "help" one very
smooth-talking hacker using social engineering tactics.

~~~
steven2012
Social engineering is always a problem, and I think first-level support should
NEVER have the ability to see any information or have the ability to make
changes to accounts. This should get escalated to second level support.

But regardless, a single account may get compromised, but at least you can't
feed partial data from one social engineering attempt into another company,
which is what apparently is happening more and more because of impedance
mismatches with what everyone uses.

------
Herald_MJ
Why are all these attacks targeting Twitter usernames? Do these really have
particularly significant resale value? It seems like much greater profit could
be made with access to someone's Amazon account, but these seem to be used as
merely a proxy in these attacks.

~~~
shornlacuna
I'd imagine that the illegality of fraudulently using an Amazon account would
be more clearcut and easier to prosecute.

------
uloweb
It seems that now you should not only use different passwords everywhere, but
also different logins and emails, different credit cards and maybe even
different names, addresses and phone numbers. Just to be sure.

~~~
nfoz
I use different emails, for everything. I manage my own domain(s), so I have
anything @mydomain.tld. I'll usually give unique email addresses that
identify, to me, the organization or service that gets the address.
Occasionally an address becomes the target of spam, and I just kill off that
address.

~~~
Nilzor
That wouldn't really have helped you in this case, would it? The attacker got the
account reset simply by phoning the customer service and making them send a
password reset link to a new email.

Also how do you manage said X number of emails? Do you log onto each one of
them, or do you forward all emails to one "master email"? If so, the master
email is still the single point of failure.

------
pasbesoin
We are going to have to learn to -- effectively -- use compartmentalization,
ourselves. (Us technophiles, certainly, but also the "greater masses".)

- Separate, low-balance checking or similar bank account for "routine
payments". Larger balances held in other accounts that cannot be accessed /
drawn from through normal channels.

- Separate contact address(es) for distinct and more public interfaces. E.g.
I and some friends already have P.O. boxes for this purpose.

- There are other instances/examples, but this is enough while keeping this
comment brief.

AND HERE IS AN IMPORTANT POINT: Companies that _won't_ let us do this, or
even just make it hard, will become anathema to our own best interests.

THERE ARE LEGITIMATE REASONS I _don't_ want all my services and access
consolidated under a single user ID and password or other authentication.

Services that push towards "one true name" and "all services lumped together",
are -- from this security perspective -- _not in my best interest._

I learned years ago about the value of compartmentalization. It seems that
many companies have yet to learn that this is a legitimate concern and feature
for their customers.

In the age of electronic recordkeeping and processing, it really is a minimal
burden upon a business to support more than one account per customer.
Customers have legitimate reasons for doing this. Get over it, and give them
what they want and need.

------
wfunction
Why the hell can customer support agents see the credit card number? Why don't
they just have a box to type in and verify the four digits?

------
chris_wot
Here's what you do. Get a lawyer and sue them for all they're worth. Not just
for you, but for every other person their pathetic security has caused, and
may cause, problems for in the future.

~~~
luser
No problem - got a spare €100,000 to pay for my lawyers?

~~~
prophet_
I don't know exactly where you are, but back home lawyers with pretty good
chances of winning a case like this would be jumping at this with a no-win no
fee.

~~~
brown9-2
How much damages do you expect to win for loss of a twitter username?

~~~
chris_wot
Depends. Is your name Ashton Kutcher?

------
duk
Amazon customer service folks should ask a caller to name some of the items
he/she has purchased in the last few weeks or so.

------
biftek
Had this exact experience happen to one of my coworkers.

We started embedding a secondary "password" in some of our email addresses, by
leveraging Google's username+tag feature. So something like johndoe@gmail.com
becomes johndoe+1bayjdh1x91nj12e@gmail.com

One less piece of guessable info.

------
at-fates-hands
One thing I've found handy is just to have little or no bio information on
your accounts. If you absolutely must have bio info on your account, make all
the information different from account to account.

This way, if a hacker gets your LinkedIn profile, the information there is
different than your Facebook info, which is different than your Twitter info,
which is different from your. .

Imagine a hacker with a handful of accounts and all the information is
completely inconsistent. How does he decide which one is real and which one's
are fake? It's essentially a dead end and will hopefully get them to move on
to an easier target.

~~~
jessedhillon
Have you been the target of hacking attempts? This sounds the opposite of
handy, so I'd be interested to know how well it actually works. Not sure how
well it would pay but I'd be interested in a service that attempts to steal
your identity in this way, and then tells you what you can do to plug the
vulnerabilities.

~~~
at-fates-hands
I have not been targeted, I just tend to think like a hacker so I take a lot
of precautions to protect my identity.

------
speshul
I thought I'd post to let some people know how I BELIEVE this is being done.

Kevin Mitnick always talks about how social engineering is usually the key,
and it is. He used to make phone calls after dumpster diving and gaining
employee names. There's no need for that now; we have all our information on
the internet.

Let me explain a little better. Take your Facebook for example. Most people
have the email they use on there for everyone to see, same with LinkedIn. Now
once a hacker finds who they want to target, they just start googling the person
and collect as much data as possible through comments made by and towards
them. Usually they'll comment on their pet's name and all the other info they
usually use to reset passwords. Adding the person from a fake account, acting
like one of their friends with a new account, is typical.

Once they have all this info and the emails you use, it's time to take over what
emails they can with your information. Security questions are usually the
route they go. Once they have an email account, it's time to grab the others that
are usually linked to each other for password resets. Once those emails are
taken over... it's all downhill from there.

The best thing to do is make everything private and don't use the same username or
handle on everything, because that makes it easier to link to you.

Just my thought about how this is done. Pretty simple if you have some time to
invest.

------
mcgwiz
I would _love_ for there to be some regular program of independent security
auditing of major web companies focusing on social engineering attacks. It can
be government-funded or privately-funded (companies would pay to be audited in
order to be included in a certified registry). I'm not 100% sure how the
details would work (they'd have to maintain a huge number of dummy accounts
all over the place), but the value of such an effort would be tremendous.

The idea that these companies would rather cater to individuals who are
careless with their accounts than uphold the sanctity of the majority of their
users' identities is deeply troubling. The thought of a dispensable, minimum
wage worker being all that stands between me and total calamity is terrifying.

------
philliphaydon
These stories are starting to scare me...

I've already started using 1Password but I'm now considering closing some
accounts and calling some of these services to ensure they never give out my
information for password resets and such... Scary stuff...

~~~
robin_reala
It’s worth setting up two-factor authentication on any service that supports
it: Google, Facebook and Github spring to mind.

~~~
eik3_de
Dropbox and app.net also do 2FA.

If the service you're using doesn't support it, ask them to implement it. If
enough people did it...

~~~
girvo
I'm currently building a framework agnostic Authentication module for
PHP/Composer, that has 2FA baked in. I want to give everyone who's building
web apps in PHP no excuse for not having it. It's painful, but worth it IMO.

------
jotm
Damn, my passwords are crap (some are written in OneNote because forums make
me change them every half a year), but then again I don't have any precious
online properties besides some websites that I use stronger passwords for. Not
like it matters since it looks like social engineering is alive and kicking
(as they say, humans are always the weakest link in security).

These articles really make me want to set up an automated system that would
monitor any password reset events (and other suspicious activity) and
automatically change those passwords itself and/or notify me by sms...

~~~
drmarianus
It really is worth it. It is a pain to first set up and change every password
to some random string (which most vaults will generate for you), but after
that it's smooth sailing more or less. I recommend LastPass, it's free (unless
you want the Android app, but even then the premium account is super cheap).

------
Xdes
I'm gonna put an identity audit on my TODO list.

------
mrtron
2 factor auth anywhere that matters. Google and Amazon for me. It is
occasionally annoying, but worth it.

------
brown9-2
It would be useful if a date was given for this story.

~~~
lhgaghl
At the bottom in tiny text it says: "Published January 29, 2014"

Also, in the source:

    <meta property="article:published_time" content="2014-01-29T01:49:03.309Z">

~~~
brown9-2
That is when it was published, but the text gives no indication if the events
happened yesterday or 12 months ago. It's useful to know if these abysmal
practices are still current or not at Apple/Amazon/etc.

~~~
lhgaghl
Oh right, I just assumed it happened recently.

------
lhgaghl
Jesus fucking christ. Stop making websites accept anything other than a
username+password/token for authentication, and this kind of retarded shit
would never happen. It's somehow still the status quo to make backdoors to
recover your account in case you lock yourself out, which is why things like
this happen all the time. You get what you deserve.

~~~
jtheory
This is great in theory, but in practice your regular customers are going to
lose/mix up their usernames and passwords all the time.

They need _some_ kind of back door to recover their access (because honestly,
even for the responsible _and_ tech-savvy users, sometimes sh!t happens...
e.g., my password manager generated a new password but my laptop crashed
before I could save it), and they assume there will be a way to restore their
account.

I'm sure you _could_ tell your customers "you get what you deserve", but not
if you want them to remain customers.

~~~
lhgaghl
Gee, you're going to have a hard time with bitcoin, hidden tor services, etc.

A) Customers locking themselves out of accounts

B) Accounts being stolen by identity theft

Pick one.

> I'm sure you could tell your customers "you get what you deserve", but not
> if you want them to remain customers.

I kill people for a living. You can tell me I could stop killing people for a
living but then I'd stop having customers. Thus it's impractical to stop
killing people.

~~~
lhgaghl
Oh wait, I forgot this is HN, where conforming to retarded dogma is the only
way to be cool.

~~~
frou_dh
Please impart more wisdom in your lovely obnoxious raging nerd idealist way.
It's very unusual to find in tech circles!

~~~
lhgaghl
Ironically, HN itself happens to do it right - it permits you to have only
a user/password. Reddit is the same, and so are GitHub and Stack Overflow. I've never
heard of pervasive problems on any of these sites. I don't submit my email
to these sites, and they work fine.

Please continue to call common fucking sense idealism. Look how shit any other
site besides the 4 (and others like them) I mentioned are with their fancy
policies. How can anyone not rage when such stupidity is forced upon us?

~~~
frou_dh
Even if customers are scatterbrained and unwilling to accept responsibility
for themselves, it's still better to keep them on board and making money than
trying to teach them a lesson out of principle that probably won't even stick.

How well any policies are actually thought through is another matter.

~~~
lhgaghl
Yes, because users would hate so much to be told explicitly that all they need
to remember is a password. They'd much rather have 20 different pieces of
information, some combinations of which, if they share them, let people take over
their accounts on various services. </sarcasm>

The problem is not so much that the systems suck, the problem is there's no
way for people like me to take on the responsibility and "risk" of just having
a simple way to authenticate myself.

For example, in my bank I would opt into having all "suspicious transaction"
types of protections turned off, but if I went to my local branch and asked
for that, they'd just get confused and think I'm trying to commit fraud.

> it's still better to keep them on board and making money

Maybe better for you, assuming there would be a net loss from turning off the
bullshit policy. Definitely not better for customers, as it enables theft,
which has the same consequence as forgetting a password.

~~~
frou_dh
It doesn't have to be a mess of ill-thought-out questions. Just a traditional
password reset email is a good facility, as opposed to "forgotten password?
your account is forever locked, you cretin. don't even think about contacting
us".

I have a good backup system so it's not that I use such stuff personally
either.

