The Last Line of Security

Naoki Hiroshima tells the incredible story about how he was extorted out of his one-character Twitter handle.  Take it with a grain of salt — nothing here is substantiated — but I’m inclined to believe it.  And note the cognitive dissonance that ensues when his attacker is, by a considerable margin, the most helpful person he communicates with.

The executive summary is that the attacker gained control of Hiroshima’s websites by calling PayPal and convincing them to give him the last 4 digits of Hiroshima’s credit cards, then calling GoDaddy and using those last 4 digits (plus, incredibly, they allowed him to guess another two digits, over and over) to reset Hiroshima’s GoDaddy password, then using GoDaddy’s board to repoint Hiroshima’s MX domain to the attacker’s email, and then using that email to change all of Hiroshima’s other passwords.  (To detangle that last bit:  Hiroshima had a private email domain, like or something like that.  But he actually used Gmail to read his email.  An MX record allows you to basically forward mail that is addressed to to an email provider like Gmail.  So the attacker changed the forwarding address.)

There are a few important lessons here.  The first is the crucial importance of protecting your main email.  Basically everyone under the sun uses your email to control password resets, so if someone can compromise your email, they can probably compromise everything else you have.  Even if you ordinarily think “whatever, I don’t need to be very security conscious,” you should use a strong, unique password for your email.  If you have any actually important digital assets, as Hiroshima did, you should consider using a special email for foreign accounts (or valuable foreign accounts) that is on bare Gmail (to prevent the attack that Hiroshima suffered with the MX record), and which is, to the extent possible, only used for dealing with your account updates (this may be complicated by your accounts wanting to use the email you provide them for more routine communications as well).
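
If you do keep mail on a private domain, the MX repointing described above is detectable by comparing what DNS currently returns against a known-good copy of your MX records. The sketch below is an added example, not part of the original post; it parses `dig +noall +answer`-style lines, and the domain and mail hosts in it are constructed placeholders.

```python
# Added example: detect MX drift against a known-good baseline.
# Domain and mail hosts are constructed placeholders, not values from the post.

def parse_mx(answer_text):
    """Parse `dig +noall +answer MX`-style lines into a set of (priority, host)."""
    records = set()
    for line in answer_text.splitlines():
        fields = line.split()
        # Expected shape: name TTL IN MX priority exchange
        if len(fields) < 6 or fields[2].upper() != "IN" or fields[3].upper() != "MX":
            continue
        try:
            priority = int(fields[4])
        except ValueError:
            continue
        # DNS names are case-insensitive; drop the trailing root dot.
        records.add((priority, fields[5].rstrip(".").lower()))
    return records

def check(baseline_text, observed_text):
    """Compare observed MX records with the baseline and flag any difference."""
    baseline = parse_mx(baseline_text)
    observed = parse_mx(observed_text)
    if not observed:
        # An empty answer is itself suspicious: fail closed instead of "clean".
        return {"unexpected": [], "missing": sorted(baseline), "alert": True}
    unexpected = sorted(observed - baseline)
    missing = sorted(baseline - observed)
    return {"unexpected": unexpected, "missing": missing,
            "alert": bool(unexpected or missing)}

# Constructed known-good state for a privately owned mail domain.
BASELINE = """\
example.com. 3600 IN MX 10 mx1.mailhost.example.net.
example.com. 3600 IN MX 20 mx2.mailhost.example.net.
"""
# Constructed "after" state: both records replaced by one unknown host.
OBSERVED = """\
example.com. 300 IN MX 10 mail.unknown-host.example.org.
"""

if __name__ == "__main__":
    print(check(BASELINE, OBSERVED))          # alert: records were swapped
    print(check(BASELINE, BASELINE.upper()))  # no alert: same records, different case
```

Run on a schedule from a machine that does not depend on the monitored mailbox for its alerts, since a repointed MX record would swallow a warning sent to that address.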

The second lesson is that you are probably highly vulnerable to people calling up your account providers and talking on the phone with them.  This is partly, as Hiroshima notes, because people like PayPal and GoDaddy made some appalling security decisions.  But it’s also because this kind of last-ditch security is hard.  People want to be able to call into their providers and regain control of their accounts.  So the providers try to find some kind of compromise between security and customer service.  And they end up asking you for insecure, terrible things like digits from your credit card or, worse, your mother’s maiden name (which is a “security” question that has to die in a fire).

You can take some control over this security.  In general, your providers will be willing to issue you a password that you can use instead of their typical security questions.  Of course, then you have to remember that password, and it needs to be something you can give on the phone.

Most people don’t even consider this level of security.  In all fairness, it’s only really necessary to think about it if you’re the victim of a targeted attack — calling on the phone isn’t something that you can do to a million random victims.  But if you do have any kind of identity that people might want to particularly steal, if your life is in some way not terribly banal, you should consider this and actively manage this kind of security in just the same way you should actively manage your normal digital security.

Edit:  Another story of being targeted for a short twitter handle is here.

