Tuesday, February 25, 2014

Interview: Naoki Hiroshima, or How One Social Engineer Used the Phone as a Weapon

It didn’t take long for Naoki Hiroshima’s story to take Twitter by storm when he posted his article on Medium on January 29. After all, no one likes it when a social engineer wins—especially when his target is smart, tech-savvy, and prepared.

Here’s the story in a bright, colorful nutshell:

phone fraud, pretexting, social engineering

Share this Image On Your Site

So, Naoki lost his Twitter handle and the thief got away. Grrr.

That’s what makes this story such a model for the danger of social engineering. In fact, the details of Naoki’s story were so frustrating that we sat down with him last week for a little more detail.

What Went Wrong? Bad Authentication.

There’s no doubt that PayPal’s and GoDaddy’s weak authentication procedures made this possible, and Naoki agrees. “GoDaddy should not allow the attacker to reset my password until they could confirm it was me,” he says. “They could've asked my driver's license or such.”

Unfortunately, remote verification is a real problem for companies these days for a number of reasons—most notably, that the average call center employee who answers the phone does not have the tools to properly authenticate each caller. Authentication cannot be based on one or two authentication questions with easily discoverable answers. Weak policy and weak authentication mean weak security.

After engaging the social engineer by email, Naoki was shocked to discover that both companies offered the attacker all the information he wanted on a silver platter.

“I was astonished by his answers that PayPal and GoDaddy facilitated the attack, he said. “I took [the attacker’s] advice.”

How To Win: Advice from a Victim and a Social Engineer

Even more shocking, Naoki received sound advice on how to better secure his accounts in the future. The attacker suggested two things:

1) Call PayPal and add a personal note to the account that bans any employee from releasing credit card details over the phone.
2) Drop GoDaddy like a hot potato and find a more secure location for his domain. The attacker even recommended a couple of options.

That’s good advice for anyone. All of us use companies that house our personal, sensitive, or financial information. Insurance companies, banks, online stores, schools, and places of employment all know an awful lot about us—but we have the right to demand that details about ourselves and our lives be protected with an extra layer of security.

And Naoki has his own set of advice for PayPal and GoDaddy. First, he cautions against of the use of personal domain names.

“Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised,” he says. “If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.”

And through our interview, he had even more to say.

“PayPal should employ a bank-level security practice. At a bank, employees are not allowed to talk over the phone until they recognize each other using one-time identification key that you cannot have unless you are at the bank and employee account to log in the system,” he says. “[And] GoDaddy should simply revert the previous change when one claims it was false. What's the chance that a legit user changes something and an attacker tries to revert the change immediately after, and the opposite case.”

Is there a bright side to this story? Maybe. As his story spreads across the Internet, the value of @N will hopefully diminish.

“The person who currently owns @N will keep it until somebody will pay for it. It became useless for ordinary people or companies but some may not care.”

Ultimately, though, Naoki would like justice.

“Well, I'd say, whether I gave [@N] up or he stole it might be arguable in the eye of the law. [But] it's clear that it was under duress and I want it back,” he says. “And after millions of people have read my post and the attacker still has it, it simply suggests that it was OK for Twitter. I really wish Twitter was on the good guys side, and did the right thing so that attackers couldn't win. Twitter could've used this case to make public that you can't blackmail to take a username.

We’d love to see Naoki’s attacker lose, and we’re doing our part to get the word out. But unfortunately, sometimes, the good guys don’t always win. Yet, stories like these can at least be used as teaching tools.

“I hope people realize this could happen to anyone, and choose and rely on right companies to deal with,” says Naoki.

Do your part in the fight against social engineering. Choose your vendors wisely, and train your employees on safe call center practices, the dangers of social engineers, and the best ways to defend sensitive information.