Less is more? It turns out this is true both of Twitter account names and of security breaches. A recent post by Naoki Hiroshima has already gained a lot of attention, equally because of the attacker's rather daring disclosures and because of the utter incompetence shown by PayPal's and GoDaddy's security and customer-data protection practices. As Naoki presents the case, it all started with a message from GoDaddy informing him of a change to his account information. Because of the changes the attacker had already made, it was impossible to log into the account; worse, since the credit card number on file had been changed, customer service could not positively verify Naoki and refused to return the account. The attacker then tried to reset the Twitter password, which failed because the changed mail exchange (MX) record had not yet taken effect. Finally he contacted Naoki, stated his interest in the @N account and threatened to have GoDaddy take the domain away. Soon after, GoDaddy replied to the support case filed earlier, but could not help, because the domain's registrant has to be verified before anything can proceed (you can almost see things getting sillier with every step). As a result, Naoki decided to comply with the demands and released the @N handle.
This is where things get really interesting: the attacker offered to disclose his method. In bullet points:
- the last four digits of the credit card were obtained from PayPal through 'simple social engineering'
- the two remaining digits were guessed when contacting GoDaddy (yes, guessed, as in he was able to 'brute force' the customer support line)
It is hard to say which of these 'exploits' would be more shocking if they turn out to be true. PayPal almost immediately denied providing any information to the attacker: according to PayPal there was indeed an attempt to obtain the information mentioned above, but none of the data was leaked. Unfortunately the company does not release recordings of its phone calls, so whether the employee followed the security policy remains unknown. GoDaddy, on the other hand, admitted partial responsibility for the breach, stating that partial information combined with social engineering was used to gain complete access to the account.
Whether PayPal and GoDaddy employees really helped with the breach or not, it is obvious that social engineering attacks are in many ways more efficient and 'cleaner' than technical attacks. Even though conversations with customer support are almost universally recorded, the chance of getting caught, and more importantly convicted, on the strength of such a recording is minuscule, and in many jurisdictions it is hard even to show that the call constituted a crime. The same cannot be said of computer exploitation: getting caught during or after the intrusion is an almost guaranteed conviction, and even where the punishment is not severe, the harshest part is often the conviction itself, which bars the offender from many career paths.

What is troubling is that attacks like the one in this case are supposed to be relics of the past; reading about an attacker guessing two digits of a credit card number gives an almost early-days-Kevin-Mitnick vibe. I've observed a similar situation myself when replacing my faulty Kindle. During the verification process I was asked for the last four digits of my credit card and the delivery address of the original order. The catch is that I had opened the chat from the orders menu of my account, and if I have access to the account I have access to both the original address and the last digits of the card. Conversely, if the chat is only reachable after logging in, what is the point of such verification at all?

Such gaps in security exist for many reasons, from badly written policies to employees applying them too loosely. The latter often stems from nothing more than common kindness: even when it is part of your job, it is hard to say 'no' to someone who (in this case with malevolent intent) is being kind to you. Most likely that was the case with the GoDaddy employee; after all, why wouldn't you give some basic data to someone who might need your help?
PS I contacted Amazon about the credit card/address verification, but unfortunately received nothing more than a 'duly noted' letter.
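To make the 'brute forcing the customer support' step concrete, here is an added simulation. It is my own illustration, not code from the original post and not anything PayPal or GoDaddy run: a verifier that checks the last six digits of a card on file, with and without an attempt limit, against a caller who already knows the last four and simply keeps calling back with a new guess for the other two. The card number, the six-digit check and the lockout threshold are assumptions chosen for the example.

```python
"""
Simulation of a support-desk identity check with and without an attempt limit.
Added example, not code from the original post or from PayPal/GoDaddy; the
card number, the six-digit check and the lockout threshold are assumptions.
"""


class SupportVerifier:
    """Models a support agent who asks for the last six digits of the card on file.

    With max_attempts=None the agent just keeps answering 'sorry, try again',
    which is what lets a caller who already holds the last four digits walk
    through the remaining 100 two-digit combinations across repeated calls.
    With a limit, the account is locked for further phone verification once
    the limit is reached and the caller has to be verified another way.
    """

    def __init__(self, card_on_file: str, max_attempts=None):
        self.last_six = card_on_file[-6:]
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, claimed_last_six: str) -> bool:
        """One verification attempt. Returns True only on an exact match."""
        if self.locked:
            return False
        self.attempts += 1
        if claimed_last_six == self.last_six:
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
        return False


def guess_missing_digits(verifier: SupportVerifier, known_last_four: str):
    """Attacker loop: try every two-digit prefix in front of the known four.

    Returns (success, attempts_used). Stops early if the verifier locks.
    """
    for i in range(100):
        guess = f"{i:02d}" + known_last_four
        if verifier.verify(guess):
            return True, verifier.attempts
        if verifier.locked:
            return False, verifier.attempts
    return False, verifier.attempts


# Constructed sample card number (a well-known test number, not a real card).
CARD_ON_FILE = "4111111111111111"
LEAKED_LAST_FOUR = CARD_ON_FILE[-4:]   # what the attacker claims to have from PayPal


def run_without_limit():
    """Unlimited retries: the attacker always gets in, here after 12 calls."""
    return guess_missing_digits(SupportVerifier(CARD_ON_FILE), LEAKED_LAST_FOUR)


def run_with_limit(max_attempts: int = 3):
    """Attempt limit: the account locks before the right prefix is reached."""
    verifier = SupportVerifier(CARD_ON_FILE, max_attempts=max_attempts)
    return guess_missing_digits(verifier, LEAKED_LAST_FOUR)


if __name__ == "__main__":
    print("no attempt limit :", run_without_limit())   # (True, 12)
    print("3-attempt limit  :", run_with_limit())      # (False, 3)
```

The point of the comparison is that the last four digits are a weak secret (printed on receipts, shown in account pages, and in this story handed out by another company), so the two digits the agent actually checks carry at most 100 possibilities. Without a per-account limit on failed verifications, that is a few dozen phone calls; with one, the caller hits the lockout long before the expected 50 guesses and has to fall back to a stronger channel.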