a) how the account got transferred back (did Twitter support do it)?
b) whether these specific attacks are still possible.
Why not? It's been proven over and over again that customer support can be manipulated easily. Most companies want their customer support to help the average user. The average user isn't being hacked but instead loses their passwords and access in a variety of ways. The cost of screwing over one customer compared to aiding the rest is nothing to them (because nobody has sued them for it yet and won).
The Verge article:
This strikes me as bad advice. Getting access to a hijacked Google account is about as hopeless as everything else he got put through.
The point of failure wasn't "using a non-gmail address," it was "using an untrustworthy registrar."
And I know it's not a silver bullet, but it's unclear from the article whether he was using MFA for his GoDaddy account.
But wasn't his point that gmail.com is much less likely to have its MX record compromised than any domain you could possibly register? So using your gmail.com address removes the issue of registrar trustworthiness completely.
I suppose I should start actually paying for email, and go with protonmail or somebody like that. If they have decent and competent customer service, that would reduce the chances of getting hacked.
SIM hacking is now a thing to get around MFA, but it wasn't as popular in 2014. Call up the telecom provider and use the same approach: leverage Googleable info about the target person and use that as answers to the customer support rep's questions.
SMS is not a second factor, despite many companies pretending that it is. I am alarmed at the number of large companies (especially banks!) that just blindly and stupidly follow the outdated advice of using SMS messages as 2FA.
So, MFA is great, if it is really multi-factor: TOTP through Authy or Google Authenticator, U2F or WebAuthn through a hardware key like a YubiKey.
For Germany, just for reference, there is Webhostlist, which gives me over 400 different hosting packages (obviously not 400 hosters) available with at least one domain and an included SSL certificate. Starting at 0.38 € per month (.de domain included) with a one-time setup of 0.99 €.
They probably won't be the cheapest (most .com's are $12 a year), but they don't try to upsell much if at all, the pricing is really consistent and there are no surprises (no bullshit like the first year is $1 and the next year is $40 unless you remember to go do something), and their management UI is really nice.
I only have about 6 domains with them, so keep that in mind, but I've been extremely happy with the whole thing.
(Which closes that gaping hole in your email security.)
They can be the same thing if you want, but they don't have to be. You can use an externally hosted domain with google apps, and you can use Google domains without "google apps" (like I do).
Also, as of somewhat recently, I believe you can disable "recover by phone" as an option if you want for any google account.
The article reads "As of today, I no longer control @N. I was extorted into giving it up." I see he controls it again https://twitter.com/N
It's a little odd that GoDaddy didn't have the credit card number from before the change.
Giving first line, poorly trained support people access to people's PII and the ability to change passwords is something that needs to be stopped. Social engineers are completely exploiting poorly trained, minimum wage workers for huge gains.
We need to have some sort of ISO certification so that front line support people must hand over any security information to highly trained second-tier staff. If EVERY company used the same subset of information to verify, under the guidance of well-trained staff with a consistent methodology across all companies, and didn't expose various bits and pieces of info (some use the last four of the SSN, some use credit card info, address, date of birth, etc.), then it would be extremely hard for social engineers to do hacks like this.
Would it matter if there was?
You have to pay money to even read what the ISO standards say. The lack of ISO certification is not an impediment for most people or businesses.
"Strangely, someone I don’t know sent me a Facebook message encouraging me to change my Twitter email address. I assumed this was sent from the attacker but I changed it regardless." – what?
The bigger risk these days is how easy it is to lose your phone number, which seems to be the trendy way to break into accounts. Using Google Voice for SMS 2FA seems like an OK workaround until companies get a clue that phone numbers are barely tied to their user if access to the user's account is desired.
Welp, I wish Cloudflare would add YubiKey support now too, to make it easier to lock down the account.
Please don't. NameCheap is horrible at the security of your account and at customer support in general; I personally had a battle with my ex (who just happened to know my name and DOB, very easy to find online anyway) and she was able to start a transfer of all my domains. I was able to get involved, but it was a he-said/she-said battle for days, during which all my domains were suspended, so no traffic and no sales online (a loss of about $80,000). The big problem was that to cut costs NameCheap hires cheap helpers from the Eastern European bloc (just log in to their chat and you can quickly see by the names of the CS staff) and each helper was telling me (and her) a different story. Eventually it got "solved" after about five days when my ex just agreed to cancel the transfer altogether. This was circa 2016, unsure if anything has changed, but I gradually moved out most of my domains (I prefer NameSilo and DynaDot these days; much more robust verification process).
Edit: to clarify: the domains had stayed with my ex, and that was the final decision of NameCheap, since she was the one to answer the security questions correctly. As I indicated, what solved the issue is that she eventually decided to drop it and return them to me. A change of heart, if you will.
You had a motivated attacker who knew all of your most personal details and you were able to resolve the issue in 5 days.
I use NameCheap for a few domains and have always found their customer service to be excellent.
And what does the Facebook account have to do with anything -- why would the attacker want it, and further, how did he steal that without already knowing the password (if the attacker couldn't receive Twitter's reset emails, he couldn't have received Facebook's either)? And if the attacker "was able to control my email" then how did the author continue to communicate, by email? There's just a lot to unravel here.
That's what's called "Self-justification". Helping your victim after victimizing them allows you to say "I'm not that bad, I'm helping make sure this doesn't happen again".
This is a terrible person doing bad things to other people. He could donate all the money he makes selling the user name to orphans and it still doesn't really justify the behavior.
I don't see any overt attempt at "justification" in these emails. The attacker wanted a very specific thing and, after he got it, he didn't do anything further. He even gave the victim some helpful information. That doesn't justify his actions but his behavior is clearly less reprehensible than it might have been.
You seem to be saying, somewhat paradoxically, that the perpetrator wouldn't have committed the crime at all if he had been more malicious because then he would have had to truly reckon with the consequences of his actions. Maybe. Maybe theft would be less common if all thieves were compelled by some magical force to kill their victims. But that's not realistic and, besides, people commit far more malicious crimes than this without being deterred by the damage they're doing.
What I'm saying is trying to say "well at least he was nice enough to explain the security problems after extorting this man" isn't a helpful comment. It seems to imply that this isn't the worst thing this guy could have done. So what? Who cares? A bad thing was done and pointing out that a worse thing could have been done doesn't help anyone or anything. It's a bad take on the situation.
>>You seem to be saying...
No. IDK what that was, but that wasn't what I was saying at all. I don't think you really seem to be grasping the concept of what self-justification is, and how it's an enabling behavior to allow bad people to do bad things. The whole idea behind it is that the "clearly less reprehensible than it could have been" thought allows you to justify whatever bad things you do.
From society's point of view, allowing some leniency of judgement is probably beneficial on the net -- you don't get much more purses stolen, but you do get more pill bottles returned. (this is an empirical question actually, maybe there are social studies on the topic?)
Consequences and intent matter. First because duh, second because it lets you predict (and therefore influence) the future.
>>Um, I'm not sure people doing crimes need much additional self justification...
It doesn't work this way. They do need the additional self-justification. It's a constant stream of reinforcement. "Yea, I don't feel bad that I stole this rich asshole's twitter account because I used the money to feed some orphans and told him how to fix these problems in the future" is the self-justification. It's a constant establishment of why you're good in a relative fashion.
It's something everyone does on all sorts of things, it's how everyone builds their worldview, and it's normal but that doesn't mean we should join in on it as outsiders and say things like "well at least he gave the guy some precautions for the future".
>>From society's point of view, allowing some leniency of judgement is probably beneficial on the net...
Maybe? I mean as a general statement, sure. But there are going to be specific situations where it isn't helpful. Also, there's a whole school of thought that says that it's more important that you minimize situations that would encourage criminal behavior rather than providing leniency in punishment after the fact. Better to eliminate the need to steal in order to provide for your family rather than create uneven enforcement by judges deciding where leniency should be exercised.
An extreme version of this, where social approval is expected by perpetrators (sometimes justifiably) is vigilantism. It is illegal, and society is worse off for it in a general sense, and yet...
Compare a blackhat who takes over all the routers and sells the botnet to an organized crime ring vs. a grayhat who does the same but instead patches the vulnerabilities on the devices or uses them to do an internet census and puts the data in the public domain. Both are illegal acts and both have victims (maybe some devices are bricked in the process), but one is definitely worse. And that is true even if in both scenarios all the devices got bricked, so the consequences are exactly the same.
>> rather than providing leniency in punishment after the fact
I meant judgement more in social disapproval sense. As for actual judges, they already have some leeway and often use it. There is a reason politicians who want to be seen as being tough on crime like to introduce mandatory minimums.
I agree that crimes are better prevented by reducing the need to commit them, but taking into account intent and mitigating circumstances is one of the ways to do that. Mandatory minimums just make sure criminals leave prison with a PhD in crime instead of a mere Bachelor's.
Your blackhat vs. grayhat is a false equivalency. We know that this is a bad actor, and the mitigating factor isn't why he did what he did or what he did with his ill-gotten gains; it's (according to OP) that after he did an objectively bad thing (extortion), he did an objectively good thing (pointed out security flaws). I feel that's cold comfort at best, and problematic thinking at worst.
This whole thread seems to be me misunderstanding people or people misunderstanding me and it isn't fun anymore. Wish you the best, we're not really having the same discussion though.
I don't think you seem to be grasping your own argument very well and I'll leave it at that.
I've used NameSilo and had no complaints. They offer 2FA. And they are a lot cheaper than GoDaddy.
What was he doing with it that it wasn't worth taking the money?
Same thing happened on a smaller scale when I had the apparently rare 'white earbuds' in my Steam account.
The easiest thing is just to give it away and find something better to do with your time.
I reached out to ICQ support and they sent me an email saying "Thanks for reaching out, your current password is:
Have a nice day!"
Gave up after that. lol.
I had a <1M Twitter UserID# and lost the account after self-suspending it and someone squatted the name.
As for account protection, S in ICQ stands for security.
edit: Also, the recently published analysis of the data available in the wild from the traffic-tampering boxes that are mandatory for ISPs, made "to help Russian police with investigations" (authentication isn't supported! firewall rules were deleted at the request of end users! some of the data is on shodan.io!!!), showed that they hold a client IP to ICQ UIN mapping.