a guest
Jan 29th, 2014
Hi Naoki,

Just read your story about how your Twitter username was stolen. Sadly, the story was all too familiar to me, and mine has a couple of implications that are far worse. Just thought I’d share the story in case you were interested.

I’m @jb on both Twitter and Instagram. So you can imagine my username is a very heavy target. It used to be primarily because of the Jonas Brothers, but of course now it’s all related to Justin Bieber. As you can imagine, with the marketing power behind his name, there are thousands, if not more, companies/hackers/etc. who’d love to get their grubby hands on it for profit.

It started when I received a forgot password email from Amazon. Forgot password emails are regular for me, because of my @jb username, but this was the first I had ever received from Amazon. “Why in the world would someone want that?” Twitter released a feature a while back that turns off the forgot password feature unless you have some specific information about the person. This was a godsend. Unfortunately Instagram has yet to implement something similar.

I of course ignored the first email from Amazon, like I normally do with any forgot password emails I get that I didn’t initiate. Imagine my surprise when I received a second email about an hour later saying that my password had been successfully changed! I also had 3 fresh forgot password emails from Apple. It was clear I was being targeted.

I got lucky. I still had access to my Amazon account because I was able to do an automated forgot password request and reset it myself. I had caught everything just in time, in the limbo between when the attacker had gained access to Amazon but had yet to gain access to my email. After I changed my password through their website, I called Amazon, found out that they had given access over the phone, and then asked them to lock my account and make a note not to allow any requests to change it again over the phone.

My next step was to call iCloud support and ask them if they had given out any of my information. Sure enough, I finally was able to talk to a representative who was able to tell me that there had been 4 support calls in the last hour regarding my account. The attacker was calling Apple, pretending to be me by giving them any information he had about me, and trying to gain access. I gave them the same instructions I gave Amazon: that this was not me and to please not allow any requests over the phone.

As I was on the phone with them, I received an email from iCloud support with instructions on how to reset my password. It was clearly an email from a representative and not an automated message. And what stood out to me was that the email was “To” a random gmail address and my email address was only CC’d. That was it, I had the email the attacker was using. I quickly sent an email to the attacker, assuming I would never hear a response. But I did get a reply a few minutes later.

The attacker was very open about what he was doing. He was after my Twitter username, @jb. He explained that he first started by doing a little research and learning every piece of information he could find on me through public records. My Twitter profile linked to my website, my website had WHOIS information. I use a very, very old address on all my public WHOIS records, but it happens to be the address of my parents, and since I’ve shipped gifts to my parents through Amazon, they had that address on file.

He then called Amazon with what little information he had gained and cried that he had lost his password and didn’t have access to that email address anymore. The representative caved and reset the password over the phone, giving him full access to my Amazon account. His plan was to then gain as much information as he could from Amazon (last four of credit card numbers, current and previous addresses, etc.) and use that as ammunition to do the same thing with Apple. And it worked. He had an email in his gmail inbox with instructions on how to reset my iCloud account.

Luckily I had been online when all this was happening and was able to call Amazon and Apple respectively to lock my accounts and prevent access. Had I been even 5 minutes later, well…

The scary thing was that I only thought of the true implications of this attack days later. As I was contemplating what had happened and how I could prevent it in the future, a very frightening thought occurred to me. This attacker started with Amazon because he knew that an e-commerce shopping site’s customer support would be relatively easy to convince and gain access. However, that same site offers cloud services that many startups (including mine) rely on to host their data. Droplr, the startup that I am a founder of, is completely based on Amazon’s stack, from using EC2 servers where we host all of our technology to S3 which we use for file storage. This attacker had access to all of it. I was extremely lucky that in his rush to gain access to @jb, he didn’t think to check if my account had anything under AWS.

I was obviously infuriated with Amazon. I spoke to someone high up on the phone and they promised that it was a priority for them to train their representatives better. There were a couple of other very public cases of this happening around the same time, so they were just at the beginning of a PR fallout from their lack of security.

So what did I learn?

1. Even though Amazon encourages you to only have one identity, don’t. Use completely separate accounts for your AWS services and your shopping account.

2. Always use a private WHOIS service with domains that you own.

3. Naoki’s thesis was that you shouldn’t use personally owned domain-based email addresses for your logins to these services. Unfortunately, this isn’t a guarantee. The problem is, all the big email providers like Gmail and iCloud are so big that they deal with thousands of requests on a daily basis from people who have genuinely forgotten their password, and the only way they have to grant them access again is “verifying” their identity over the phone. If someone can fake being “you” over the phone, they’re even more likely to succeed with these large providers.

4. Some of the biggest companies in the world have security that is only as good as a minimum-wage phone support worker who has the power to reset your account. And they have valid business reasons for giving them this power.