Partner Article

What the @N attack tells us about business tech security

In January 2014, an online attacker dissolved Naoki Hiroshima’s online identity in just under an hour.

Through a mixture of social engineering and hacking, he lost his seven-year-old Twitter account, @N, as well as a string of other account details.

From the chronology below, a number of insights can be drawn for security and IT professionals, as well as for all of us with our own social accounts.

1. The victim received a text message from PayPal containing a one-time validation code: the hacker was trying to take over his PayPal account.

Two-factor authentication and mobile identification saved the PayPal account in this instance. Phew.

2. The victim later went to check his email, which uses a personal domain name through Google Apps.

3. The last email in his account was titled "Account Settings Change Confirmation": the hacker now had control of his personal domain name. To circumvent Google's sophisticated authentication settings, the attacker had targeted the victim's personal domain account instead.

Most websites use email as a method of verification. If that email account is compromised, an attacker can easily reset your password on the gamut of other, linked websites and social properties.

Unfortunately, the domain provider only verified identity through email rather than through other, more reliable channels such as the mobile phone number that protected the PayPal account.

4. The hacker had called PayPal and used very simple social engineering tactics to obtain the last four digits of the victim's credit card. He then called the domain host, GoDaddy, and told them he had lost the card but remembered the last four digits, which GoDaddy accepted as verification of his identity.

The least secure part of any system is the human dimension. Make sure you have mitigated these risks as far as possible.

5. The victim tried to log into his GoDaddy account, but it wasn't working: modifications had been made without his consent, and he was asked to log in to his account and update his security settings.

6. Unfortunately, by this time the hacker had modified the domain name account settings, and the victim's access was denied.

7. At this point a worried victim called GoDaddy, whose representative requested the last 6 digits of his credit card number as a method of verification.

8. However, the hacker had gone so far as to change the credit card information on file, using the last four digits of the victim's credit card to change all of the victim's domain name account details. The victim now had no way of proving he owned the domain.

9. Luckily, the victim had recently changed the email address associated with his Twitter handle. Despite numerous attempts to reset the Twitter password, the time it took for the domain's MX record change to propagate meant the attacker didn't receive any of the reset emails.

Email should always be supplemented by other forms of authentication, especially when accounts are often daisy-chained together.

10. The true target of the attack, the @N handle, was now clear. Somewhat fortunately, the hacker didn't go on to attack other accounts, such as the victim's financial details.

11. The attacker opened an issue on Twitter's Zendesk support page, requesting that a password reset be sent manually, but after Twitter asked for more information the attacker gave up on this route.

12. Then the extortion began. The hacker compromised the victim's Facebook page and went on to email him directly, threatening the loss of all domain data if the @N handle wasn't handed over. The victim handed over the Twitter account, which was abused and is now inactive.

Systems like two-factor authentication are not invincible, but they do put significant obstacles in the way of determined hackers. For consumers, we recommend that every person reviews their online life and how secure each and every account is, especially when accounts are closely linked to one another.

For businesses, we recommend rethinking the notion of identity. New innovations in mobile identity link an individual’s information to their one unique identifier, their mobile number.

Verification should never rely on email addresses alone. Consumers and brands alike should also demand SMS notifications each time critical account settings are changed.
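The daisy-chaining described in the chronology (registrar access rewrites MX records, the redirected mailbox then resets the social accounts) can be checked with a small account-dependency model. This is an added example, not code from the article or from TeleSign; the account names, recovery rules and the "card_last4" starting factor are constructed assumptions, and the hardened variant simply adds an SMS check at the registrar to show where the chain breaks.

```python
"""Account-chain model: which accounts fall once an attacker holds one factor?
Constructed example; the accounts and recovery rules are assumptions modelled
on the incident (registrar -> DNS/MX -> mailbox -> social accounts)."""
from typing import Dict, List, Set

# An account is taken over when the attacker controls EVERY factor in at
# least ONE of its recovery paths. A factor is another account in the table
# or a primitive the attacker may already hold (e.g. card digits, SMS code).
RecoveryRules = Dict[str, List[Set[str]]]

# Email-only verification at the registrar, as in the incident (constructed).
WEAK_CHAIN: RecoveryRules = {
    "registrar": [{"card_last4"}],          # last four card digits reset it
    "dns":       [{"registrar"}],           # registrar access rewrites MX
    "mailbox":   [{"dns"}],                 # MX redirected: reset mail goes to attacker
    "twitter":   [{"mailbox"}],             # email-only password reset
    "facebook":  [{"mailbox"}],
    "paypal":    [{"mailbox", "sms_otp"}],  # needs the email AND the SMS code
}

# Same chain with an SMS check added at the registrar (constructed).
HARDENED_CHAIN: RecoveryRules = {**WEAK_CHAIN, "registrar": [{"card_last4", "sms_otp"}]}


def blast_radius(rules: RecoveryRules, attacker_holds: Set[str]) -> Set[str]:
    """Return every account that falls, given the factors the attacker starts with.
    Iterates to a fixed point: each taken account becomes a factor usable
    against the accounts that chain onto it."""
    controlled = set(attacker_holds)
    changed = True
    while changed:
        changed = False
        for account, paths in rules.items():
            if account in controlled:
                continue
            if any(path <= controlled for path in paths):
                controlled.add(account)
                changed = True
    return controlled - attacker_holds  # accounts only, not the seed factors


if __name__ == "__main__":
    seed = {"card_last4"}  # obtained through social engineering in the incident
    print("email-only registrar:", sorted(blast_radius(WEAK_CHAIN, seed)))
    print("registrar + SMS:     ", sorted(blast_radius(HARDENED_CHAIN, seed)))
```

With the weak rules the single card fragment takes the registrar, DNS, mailbox, Twitter and Facebook but not PayPal; with the SMS check at the registrar nothing falls.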

This was posted in Bdaily's Members' News section by TeleSign.