An interesting point made was to avoid using custom domains for the login emails, since a DNS takeover would compromise your accounts tied to that email.
Wonder how would you prevent or detect this hack attempt early. Are there services that monitor for DNS changes? Could you up the TTLs on the MX records so if you did notice a breach, you would have adequate time to resolve it?
This is quite frustrating. I don't use Gmail or Google Apps mail, so that I can't be compromised by a malicious insider (however unlikely) or a flaw in their authentication systems. Instead my security is exactly as weak as my registrar's authentication.
Yes. This seems like his final conclusion. Gave me something to think about.
Wild story coming out today because I was just setting up a couple domains/emails today on Google Apps. There's actually a section in the process in which they suggest setting the MX TTL to 1 Week.
The counterargument is that Google's notoriously poor customer care team could ignore your plea when they deny you access to your own gmail address for god-only-knows-what reason. But it's still probably safer to go the gmail two-factor authentication route.
I think that's missing the point a bit. Using gmail as your primary address will make you vulnerable to Google arbitrarily (or even justified) shutting down your access. We all heard stories about that.
What you should do, is make sure that you trust your registrar. Paypal sure have some questionable practises, but the real culprit in this story is clearly GoDaddy.
An interesting point made was to avoid using custom domains for the login emails
That's horrible advice. That sort of attitude taken to the extreme means we shouldn't be using DNS for anything ourselves and put everything in Google's (or Amazon's) big bag.
Should I redirect my customers to facebook.com/company as well in fear of someone taking over my DNS?
The lesson from this whole charade is to not trust something as crucial your DNS to untrustworthy companies like Godaddy. We've heard the horror stories before and we keep on hearing them again.
Relying on Google, a company with no direct end-user support and no emergency hotline to secure the most important thing you have, DNS, is even bigger madness. I've been locked out from a Gmail account before. It took me weeks to get it back, because Google has no support.
So yeah. Get a proper DNS-provider, and don't dig yourself deeper into the hellhole you're currently setting up.
Payment channel option is one reason. Linode/DigitalOcean for example are not available in India, due to restrictions on Debit Cards of Indian users. Credit cards are very uncommon here, compared to Debit Cards.
Btw, I personally use Bigrock instead. They have a very a good customer support.
Seems like Twitter could easily verify the story based on their own logs and then restore access to his N account. He doesn't mention pursuing that, though.
I'm a very casual and infrequent tweeter, and I can't fathom how that makes my username 'up for grabs'. Sorry you have such a twisted view of username ownership :/
Oh it definitely doesn't make your username 'up for grabs'. What happened to you totally sucks and I hope you manage to get your account back.
That being said if you're not actually going to use your account you might want to at least consider giving it to someone who would put it to more active use. Just a thought.
I've been actively using the account for other purpose than tweeting, and had a vague plan to start using it for tweeting again. Should I have mentioned the plan publicly so that the attacker would have refrained from blackmailing me? I don't think so.
Maybe google.com should have built their web site on kljasdklfjnaksdfn.com instead. That would have worked out just as well for them right? I haven't used the web very much.
While sympathetic - I'm also slightly amused at your twisted view about twitter name/account "ownership"…
Just how much of the "real world" law you're alluding to by using the term "ownership" do you suppose applies to Twitter handles? (or Gmail addresses, or Facebook pages, or even domain names?)
Well, OK, but a certain level of assured "ownership" is beneficial to everybody. Twitter handles, email addresses, mailing addresses, phone numbers, etc., would not be very useful if Twitter, ISP, postal service, telcos, etc. frequently exercised the right to deny access to previous users at any time.
Seeing how easily GoDaddy handed over the domain, it seems one can't even own a domain properly, and that is supposed to be a lot closer to an "ownership" right than Twitter handles.
The difference between some of those and twitter's namespace is that Twitter is not a public utility. It is a privately operated company with a defacto monopoly on short status updates (micro blogging).
We could look towards email and dns, though, as examples of a more fair distribution of namespace resources.
Organizations would do well to investigate what their options are to retain control over their namespace, lest it fall whim to a mishap such as this instance.
I don't think the user 'owns' it at all. I mean, it's pretty obvious that you're just laying claim to some set of bits in somebody else's system. I'm not confused about that :)
I just don't quite see how a username is 'owed' to other people who would use it more, either.
while it clearly doesn't, I wonder though if someone is using twitter so infrequently they would even care what their handle is. It's not like it has any intrinsic value or meaning. Why not just pick a random guid and use that as a handle (like I did) since I don't care one hoot what the handle is as I use twitter for exactly two things. Machine Learning datasets, and following a dozen or so people. I can do that from a guid as effectively as if I had @2600
No. But I'd feel less bad for that person than someone who drove their Mercedes every day and had it stolen.
Also, a Mercedes and a twitter handle (or domain name) aren't exactly the same thing as a twitter handle is a unique owner of a particular pice of the namespace.
A better analogy would be an owner of a valuable piece of property who wasn't putting it to good use.
I think you're deliberately not hearing what I'm saying. Here's a good analogy:
Some rich guy buys an amazing house on a beautiful California beachfront. But then never even bothers to stay there because he's got 3 other vacation homes. It just sits there empty all year long.
Would it be ok for someone to break in and start living there? No, of course not.
But you do have to kind of dislike that guy right? If he doesn't want to use this limited and valuable resource he should maybe give it up so someone else can get good use out of it.
So a minute ago you're saying that a Mercedes can't really compare to a unique Internet handle but somehow owning 4 houses is comparable? I'm really not following your analogy.
Twitter handles are free and multiple tweets are free.
There is no reason he should have to give up @H just because he isn't utilizing it enough. The person that got it better not send a single tweet shorter than the maximum to fit your logic.
No! We aren't talking about every property ever. Not your backyard, not your car and not your water bottles. Valuable properties. Nobody cares about @d7a8df74a98d or www.fe5461d77vvc.com. We're talking about crumbling buildings near a national monument, or in the technology field, m.com or @N. Domain squatting is awful. Is it genuinely that unintuitive to you?!
And if seizing it is too "communist" for you, then enormous taxes should be close enough to socialism.
If I own it, it's none of your or anyone else's business what I do with it. One should neither pass judgement on how I use it, why I use it, or if I use it, because it's mine (provided what I do with it isn't criminal in nature). Dislike != ok to take my shit.
I understand that you have not said that the situation the OP faced is deserved, but you don't feel too bad about it.
Unfortunately your defense does make it seem that you are not completely opposed to a framework that would take back "limited resources" not being used well. Most likely this is not your intention at all.
I often come across businesses/store locations and most importantly domain names that are not using even a small fraction of true potential. I do feel sorry for them, but I can't say I dislike them, they might dislike themselves if they knew what I knew.
The only way I can fathom the minutest possibility of disliking them is if they knew how to thrive and did not do anything, if it was common knowledge on how to do it right, but they chose not too.
Unfortunately most people don't know how to use potential or don't recognize it at all, can't dislike them for trying though.
What's funny about this discussion is that many states in the US have laws for this very purpose - known as Adverse Possession. If you occupy a piece of land unchallenged for a period of time (often long, like 10+ years), it becomes yours.
As far as I'm concerned, yes, it would be okay for someone to start living there, and some jurisdictions at some times have had squatting laws that recognize this. Land is essentially a public resource; unlike manufactured goods, I can't create land, and if I claim ownership of a piece thereof, I can only do so by denying use of it to everyone else; the "it's mine and I'll do anything I want with it" property rights that correctly apply to manufactured goods, don't entirely apply to land. A case could be made for saying the same thing of public namespaces.
I have a friend with family in Venezuela. A few years ago, Chavez decided that underutilized land is suddenly free for the poor to squat on. Their family member had bought the land after saving a long time, and was now saving for the funds to build a house on the land. Now the land is gone.
Land is a bit different; there is a fixed supply, and you are not sovereign over it (unless you're the prince of a principality). Depending on the legal system of the country you're in, your ownership isn't really ownership to do with as you see fit - you normally can't pollute on it, can't build without permission, often don't own it all the way to the core of the earth, almost never own all the space above it, etc.
"They paved paradise, put up a parking lot." Joni Mitchell
IANAL, but I have a hard time believing that a court of law is going to issue a judgement of adverse possession where the perpetrator used fraud/identity theft, extortion and blackmail to come into possession of it.
Good analogy. Another one is email. If you used an email address for personal conversations and commercial transactions, that should not entitle you to keep the email address. You should give your email address to another person that wants it.
For example, I used one email for most of my life. But recently, I stopped using that email address, and have used another one due to wanting to boycott that company. Since I no longer use that email address, I should have to give the password to another person. This is just the right thing to do in all cases.
That would FREE UP a lot of email addresses. If you have any email addresses that you do not need, you are obligated to give your password to another person. If you don't, then they can't use email.
Just make sure that if you use that email to sign in to other websites using that email and password combination, go to all of those websites and notify your friends that you are giving your email to someone else and you are not the same person if you see future comments using that name.
I'd have a hard problem going to every single website where I ever made an account and changing the email preferences.. Assuming I'm a normal human being, there are bound to be sites that I forget about and someone dedicated enough could then get access to my accounts on those sites.
Not a security risk I'm willing to take, when I could simply leave that email address dormant. There's not really a huge shortage of good email addresses if you're willing to pay $10 a year for your own domain.
Some email providers actually already free up dormant email addresses for the public to register again. This poses a problem for exactly the reasons you described. I believe hotmail does, for example.
harry works around people that pine for vanity usernames. vanity = big deal in those circles. who knows why. not bad in itself.
places like foursquare, people know people at twitter. if your outside the valley twitter won't even help you when the autosuspender mistakenly pops your account but valley/connected people call an investor or executive and get their vanity handle in hours. seen it happen twice.
it's all who you know and never forget it. when i dealt with twitter support as a normal the disparity between insider service and official was pretty amazing. they are the worst of the valley backscratchers.
bet they would have taken @n if the right person called. what would you do, sue?
Twitter never would have taken @n if the right person called.
Up until maybe 18-24 months ago if you knew the right folks you could generally get an inactive account released but even that is pretty much off the table at this point.
All industries have insiders. In some you can get a twitter handle, in others hard to get concert tickets, in others I bet it's early access to the latest in air ventilation equipment. It's not malicious. It's just personal relationships.
He tweeted pretty heavily previously. Was one of the small team who made @echofon. He'd reduced his tweeting, but was still using the account in other ways.
Twitter's official policy is that an account becomes inactive after 6 months - at that point, they reserve the right to release the account (in practice they rarely do this, though - there isn't an automated job releasing inactive accounts or anything)
He's definitely a squatter. If you own something and you don't use it, you're a squatter. I own an old original Nintendo that I haven't used all year. That's why if someone comes into my house and takes it, it's my own fault.
There's an agreement between Twitter and each user. And depending on the name used, Twitter users have own rights too, trade marks and of course domain names are examples.
In which case, once I return in the afternoon I will be entitled to shoot whomever is there for trying to steal my home. I'll be 'naturalisticaly' defending it. Sounds like a great way to run a society. I better make sure I have a bigger gun than the rest then. (edit-language)
Is shooting people your first go-to for defense? I prefer arguments and evidence presented to institutions who have both been given permission to shoot people and are willing to do it on my behalf pending their judgements of my arguments and evidence.
Of course, if the institution's judgement is that people can take things that I'm not using at that exact moment, and it is not interested in intervening, then it's not my 'right' to leave my house alone for the day.
Turns out my rights are entirely dependent on the amount of guns I can bring to bear vs. the amount of guns somebody challenging my claim can bring to bear.
When an armed intruder is breaking into my house? Yes shooting them is in fact my first go-to defense. When someone else is intending to do harm to me or someone I love I'm not going to wait around for the police to get there 30 minutes later. All the police are going to find is my dead body by then.
He was talking in a 'naturalistic' way so I responded in kind. In reality if I found someone has stolen my home I'd call the authorities unless of course I feel a danger to my life in which case, had I not lived in the UK where guns are illegal, yes - shooting them would have been the first course of action. That is nothing to do with law or ethics, and lots to do with survival instinct.
Actually, castle doctrine does give you the right shoot someone breaking into your home in almost every state. It is exactly the way our current society is run.
I understand it was a sarcasm, but there's one difference between the two. A Twitter handle or a domain name is something unique as opposed to a game console of which there were millions of copies.
Too bad then for the company named "N." They'll have to go with N_company or N_inc or N_co or get really creative if those are taken. There's probably only like 500 names they can choose from relating to "N."
So if I have a unique object that I don't use or look at or whatever one does with unique objects (say, a piece of art or something), I'm a squatter and its perfectly ok for someone to take it away from me?
Let's not confuse digital "property" with physical property. It's disingenuous at best, flat out wrong at worst. On top of that, you don't own a Twitter handle, or for that matter a domain, you rent it.
If he was trying to shake down someone who had a legitimate claim to it, yeah. Otherwise he's just a speculator, not a squatter. Or an opportunist maybe.
Not using something much is not the same as not using it at all, nor is it the same as not planning to use it in future.
It doesn't appear that he is trying to sell it, which is the usual behaviour of an account/name squatter.
I have several domains that I plan to use for little projects over the coming year (though given my lack of free time right now that may not happen like it didn't last year...). Am I a squatter for having paid for something I intend to use but have not got around to doing anything with yet? A couple of them are password/credentials related, for an example of a squatter talk to the person who owns password.net and sends me unsolicited email regularly trying to get me to offer to buy it as it will "help my brand" (the names I've got are the intended "brand", the generic short name is worth no more to me than standard registration fees - who slaps short names into their address bar instead of using a search engine these days?).
No. A squattor who takes over something that is abandoned or little used. Someone who does the abandoning or little uses the thing they own is the one being squatted upon.
I don't think you realize how unresponsive and poor Twitter's support is. I was once locked out of my Twitter account via anything but Tweetdeck (due to two-factor authentication suddenly breaking and not sending SMS') for four weeks before I wound up accidentally finding a PC that I hadn't signed out of previously and was able to disable. I logged a ticket on the first day it happened and never even received a response.
I can concur with their shitty support. I guess iOS 7 autoupdated my Vine app and somehow logged me out. I tried password resetting every email I could think of, I tried to connect via my social network. No dice. My account couldn't be found. I email their support team with my username asking them if they could provide me with my email, do a forgot password to the email. I even linked them to a few direct vines I had created and saved the URL to. Their response was unless I could provide them with the Vine ID number of my user account they could not locate my account.
Seems I emailed them back and forth six times and I kept getting this canned message from them. Needless to say, I've given up and deleted Vine from my phone.
"Unfortunately, we are unable to locate the Vine account in question. If you can still log in to your Vine account, go to your profile settings and select either "Invite via text" or "Invite via email." From there you will see your Vine account ID number. Can you reply to this message with the Vine ID number?
If you no longer have access to this account, but can see the account in Vine search, press the more icon (three dots) on the top right of the profile. After that, tap on "Share this profile" and from there you will see your Vine account ID number."
Man that sucks, sorry to hear it. I guess on the bright side, you didn't have your entire online identity destroyed which was possible given the attacker had your email.
Wow, this is both interesting and terrifying. I have a two character Twitter handle that I use actively and it makes me worry that one day I might be targeted too using a similar method, although so far I've had no problems.
Another reason to use Bitcoin. No credit card number to give away to the attacker and identity can be verified by signing a message with a private key instead of guessing at personal information.
Yes, did you? The Attacker got Paypal to give up the last 4 digits of the victim's credit card number. Then he called GoDaddy which allowed him to verify his identity by giving them the last 4 of his credit card number though the attacker said they would have let him guess multiple times.
If GoDaddy accepted Bitcoin PayPal wouldn't even be involved and GoDaddy instead of asking for information which is apparently easily pilfered could have requested the caller sign a message with their private key Bitcoin key corresponding to the public key from which they paid GoDaddy for the domain services to begin with.
> If GoDaddy accepted Bitcoin PayPal wouldn't even be involved and GoDaddy instead of asking for information which is apparently easily pilfered could have requested the caller sign a message with their private key
If GoDaddy separated authentication of requests from payment information and had any of a wide number of different authentication methods, this wouldn't have been an issue, either. Using PayPal -- or accepting credit card payments by other means -- does not imply (or normally involve) using the last four digits of CC number as if it were a PIN for authentication. (In fact, since CC numbers are widely exposed information, doing so is insane -- especially the last four digits, which are frequently used without the rest as a reference to identify a credit card to the owner of the card in contexts like receipts where the information is expected to be particularly public.)
Payment methods are really largely irrelevant here, GoDaddy could easily have adopted an equally stupid and brain dead authentication method if they took bitcoin as payment.
pretty freaky stuff. Also, what was the attacker so interested in the @N for anyways? future investment in case some big company/celeb comes along wanting the username? Seems so crazy to go after it...... if Twitter can't sort this out, can't we all just shame the acct into inactivity...
Is squatting on it worth all this Mitnick-attack-work?
Well, if this story is true ( I put the if because it seems silly to have that account be the target ) then access to the account is proof of a crime (this is why it seems silly)
If they sell it to someone I guess that is a reason to take it, but it also seems like some enterprising DA would want to use it as an example of receiving stolen property ( because News! Hacking! Fame!) So if anyone buys this name they might be in trouble at some unspecified point in the future.
Terms of service normally don't override law. So, if there is something unlawful about their behavior, it doesn't matter what they wrote in their TOS. At least in many countries, not sure about US.
Who are people's current favorite domain registrars? I've been with name.com for the last year or so and have been happy, but I'm always curios to hear from others.
Gandi's pretty good, except they have strange terms of service : "By accepting Our Contracts and using Our Services, You agree to abide to Our code of ethics which consists, in particular, of protecting and respecting minors, human dignity, public order and good moral standards [...]"
Wouldn't recommend them. I heard they have a "moral contract" you have to agree to. If they don't like what you're doing with your domains (even if it's legal), they can (I forget, seize or kick you out, but bad stuff).
I've heard good things about them from friends. This article was the last straw for me -- I just migrated my 90 domains off of GoDaddy. Actually, I didn't. I just told DNSimple to do all the work, via their (brilliant) concierge onboarding option: http://blog.dnsimple.com/2014/01/domain-transfer-concierge-s...
"Here's my credit card and GoDaddy creds, guys, and here's a technical note about my DNS settings that I want you to pay extra special attention to. Tell me when I should expect to start getting the GoDaddy confirmation emails. Other than that, have fun playing with DNS settings -- I never want to even think about them again."
This post is 5% "Here's my recommendation for a DNS service" and 95% "Notice how in return for an hour or two of grunt work a SaaS company just made it very easy for me to award them $2,000 of high-margin recurring revenue a year despite being twice as expensive as my pre-existing option by successfully overcoming my 'I would love to move off my existing solution but it requires grunt work so I think I'll punt on that decision for, oh, eight years' objection? That's a really good trade. You should consider offering it in your SaaS business, too, in any way that makes sense for it."
On the other hand, we're talking about security here, and, sadly, a company that has extra helpful support may be more easily socially engineered. The author's advice to use gmail.com addresses only works because Google basically has no customer support for gmail.com, so there's no one to social engineer!
This is, ironically, one of the reasons I feel more secure with their 3-man firm than with GoDaddy. GoDaddy has all the resources to put in place a well-architected ISOwhatever procedure with flow-charts, custom software, and government document review... and then fail at their one job. These guys, on the other hand, pretty much will be forced to having an actual human who knows me decide "Is this chap claiming to be Patrick really Patrick?" I feel really secure that a smart geek who has standing orders from me "I DON'T TRANSFER DOMAIN NAMES EVER." can reason out an ad hoc verification process which is much, much more likely to reject a fraudster than the GoDaddy CSR following the manual will be. (I mean, since they're two degrees of separation from me and our mutual friend is a business acquaintance well known to both of us, they could literally just call the friend and say "Someone is claiming to be Patrick and wants to transfer all his domains. You know that's a thermonuclear change since you're in this industry too. Call him and ask whether he knows about this. We'd both appreciate the favor. If he does we're good, if he doesn't, we're blocking this chump.")
Those are excellent points. Some of it only applies to you (being a large customer and having 2 degrees of separation), but I too would feel a lot more comfortable with 3 decent- and competent-sounding guys like them than with a larger company like GoDaddy.
GoDaddy has one job: making sure that, with regards to domain names I've purchased, people accessing them get sent to IPs which I control. GoDaddy just demonstrated that they're capable of failing at their one job if anyone applies a determined high schooler level of intelligence to defeating their security processes.
I run a business which collapses catastrophically if I lose control of my Internet presence, and I'm at least as Internet-exposed as "a guy who owns a desirable Twitter handle."
I don't care about elephant hunting. I put up with years of my intelligence getting insulted by SSL certificates being hawked by models. I can appreciate that the economics of the business mean that there need to be upsells to continue offering the low low prices. Fine. But if you cough up a domain, that's it, we're done. I care about that like Thomas cares about SSL CAs offering a CA=true cert to a third party.
I'm really surprised you were still on GoDaddy.. but good thing you moved away. And yes, sometimes small tasks like moving domains can feel like moving a mountain.
+1 DNSimple. 2FA and a truly simple interface. VERY easy templates for common things like blogs, email, etc. Really easy to get up and going on a domain there.
About a year ago I registered at DNSimple to check out their services, because I was frustrated with my current registrar/DNS host (1and1.) One of the owners must have noticed I registered but didn't buy anything, because he contacted me to ask if there was anything in particular I needed. I appreciated the courtesy and told him I'd switch over when my domain neared expiration... and when the time came, I did!
Honestly I don't have enough experience with them to really evaluate their services, but they seem trustworthy and competent, and I like working with people I know I can talk to.
+1 for Namecheap, I have 2 (going on 3 soon) domains with them and I've never had a problem. They also have a coupon code for pretty much anything you want to purchase for them.
How can you be sure their customer support can't also be socially engineered? I'm actually hesitant to use a service which requires 5 security questions to make a change, because I bet so many people forget their answers that their support is lax when it comes to bypassing them.
Because they ask questions only the user would know about the account and its history:
We will need to ask you questions to verify your identity. These questions will be different based upon your account and history with us. Please understand that these verification steps are for your protection.
If you have a lot of domains (or willing to pay a premium), I am a huge fan of Fabulous.com. Good support, good pricing, my impression is fairly secure. They have an executive lock feature:
Executive-lock (E-Lock) allows for the domain name to be frozen. This means that the domain name is:
1. Unable to be transferred out to another Registrar.
2. Unable to be pushed to another Fabulous account.
3. Unable to have changes to its nameservers.
4. Unable to have the registrar-lock status removed.
You can define whatever conditions you want and they manually do them if you want it unlocked. It could take many days to unlock your domain, but it definitely isn't going anywhere.
They are focused on large portfolio customers. That's kind of the caveat for their service. Many of those large customers also use their other services like domain parking too.
I'm using a small local regitrar, europeandomaincentre.com - I originally picked them because they can accommodate all sorts of international domains, and partially because they are within walking distance of my office. That way, if something goes wrong, I could go there and talk to them in person.
Their customer service has been really great since, so I'm staying. It's probably slightly more expensive than I could get elsewhere, but for the sense of security I get, it's completely worth it.
Point being- In this shitty business, where trust is everything - I prefer a small player who I can have a direct personal relation to, over some big nameless corporation.
My friends run sliqua.com, so I go through them. I haven't had any issues with them, their support is pretty good, and the price is good. I would definitely recommend them to other people.
I like http://www.gandi.net/
Not the cheapest registar around, but great service, allows me to edit the zone file directly, and also sells dirt-cheap PaaS.
Twitter added two-factor authentication back in May. If you're constantly being attacked that you ignore important emails, at least add phone authentication.
-
You might want to read the post before you comment. He willingly gave the twitter to the hacker.
GoDaddy added two-factor authentication in December...Twitter almost a year ago, Facebook in 2011. Like I said, if he was under attack frequently that he just ignored security emails, you think turning on two-factor authentication would have been a pretty good idea on any one of those. He did none and wants to grab attention about a $50k twitter handle. This is what happens when you run with scissors.
The guy has given a clear and convincing story of what happened. I'm sure that it would be pretty easy for someone on Twitter's security team (assuming that they have one) to verify that the username was taken when he said it was.
I don't know what I find more shocking -- that PayPal would actually give the last four digits of a credit-card number to a complete stranger, that GoDaddy would let someone guess a two-digit number, or that a credit-card number is all you need to identify yourself. (In Israel, it's common for companies to ask for the last four digits of your credit card number in addition to other details, but never on its own.)
Actually, I'm willing to believe just about anything about GoDaddy. But PayPal is known for being surprisingly harsh and paranoid about security, shutting down accounts and holding money when they suspect problems. It's sad and rather surprising to me that they're willing to give out such information so easily, unless you specifically ask them not to. Shouldn't it be the other way around, that they refuse to provide such details unless you allow them to?
I really hope that Twitter and PayPal apologize profusely to this author, and undo the damage they've done as best as possible.
Yes, I meant that GoDaddy and PayPal should apologize.
Twitter should look into what happened in this specific case, and somehow (if the posting is right) return the username to its original owner.
But there does seem to be something terribly broken here if it's possible for someone to get another person's Twitter account, and for it to take a full investigation to get it back to the original owner. And for not having better procedures in place, I think that an apology wouldn't be unreasonable.
In general, it seems to me that demonstrating empathy for your customers is a pretty reasonable strategy. Even if they didn't do anything wrong, and before they have finished this investigation, they can show that they care about the people using their system.
I don't think that Twitter could go wrong by saying, "We now see that we need to make it harder for scammers to switch the ownership of a Twitter account, and are looking into how to do so without hurting our legitimate users."
The Twitter account wasn't actually compromised. The guy was blackmailed to hand it over. It would be pretty nice of Twitter to hand it back, but it's really hard to fault them, and it's especially hard to fault them for not just reassigning the account without a very careful investigation - what if the writer of this article is actually the guy trying to steal the account from someone else, using this article to bully Twitter into a swift response?
It's not about his identity, it's about the legitimacy of his claim to the account.
Just for the record, I have no reason to believe he's saying anything less than the truth - but I can't fault Twitter for basically presuming malice until they have conclusively documented the opposite.
Perhaps he has something against GoDaddy (many do) and/or PayPal (again, many do) so took the opportunity to make them look bad by making sure that their effective complicity in the hack is well known.
The attacker was hired and once he finished the job he had no reason to be mean to the guy or not help him to improve his security. Maybe he even is a security expert that was in need of a bit extra cash and picked up this job.
I guess it's that "security researcher god complex" many security people show. They come around, fuck up your daily routine and expect you to be thankful for making your day hell.
The hacker sells it anonymously to someone who isn't aware of the controversy or who doesn't care. It will probably shrink the value of the username but I bet it's still worth something.
"that resulting shenanigans might be a little asymmetric.
" - What does this statement even mean? You should think before you just throw a load of cliches into a sentence.
As in the attacker would be able to pop up and attack the original user of @N at will for what might very well be a vicious attempt to take over or destroy as much of his digital holdings as possible.
The grandfather post is referencing asymmetric warfare[0] which would be a pretty decent name for what could happen. I don't think he just threw some cliches into a sentence.
Naoki has already made changes to prevent this type of attack from working again (e.g., removing credit cards from Paypal, moving his domains from GoDaddy, etc.)
The attacker never got access to the victim's email accounts. He changed dns records to point to a different server. So he would have gotten some new email emails during the time he had the MX records pointed at his server (and he could have used that time to gather additional information), but he couldn't get to any existing emails.
Where there is a will there is a way. It's easier for an attacker for find a way in than it is for you to secure everything. The point is the attacker has the edge when the name of the game is, for lack of a better word, terrorism.
I believe that it is ISO 9001 (quality assurance) that states that a company must be able to audit any stored data and data changes dating back some time. Judging by Paypal (specially for being a financial company), Twitter (for being an open capital company), and GoDaddy's size they may all comply to ISO 9001, but I'm just guessing.
Anyhow, if any of them actually comply to ISO 9001, it is possible to audit previous data to establish the true identity of the owner in some arbitrary date before any of this happened.
Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.
And we all know how this would end. GoDaddy and Paypal will try to make this right because of the negative publicity. Why does it always take a post like this to call for help?
GoDaddy and Paypal have every incentive to bury their shoddy security practices and deny everything that the OP is claiming, to avoid a PR disaster. They might quietly return to the issue later and perhaps address some of their security issues... maybe.
It has a lot of value for brands like Nike, Nokia, Netflix, Nordstrom...
Or a News channel - @N is very attractive to advertise. I don't see any trouble selling it for more than that.
It's worth what people are willing to pay for it. If people are willing to pay $50k then it is worth $50k. Of course it might have gone down in value since the offer.
Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).
Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.
So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.
So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.
actually several twitter handles have been "sold" although the transaction was done in such a way that it was not as straightforward to get around the TOS
at the bottom a twitter representative is quoted as saying that as long as they give you permission to sell/buy a handle they won't block/lock the account.
I wrote in 2009 describing the situation and asked for approval. I was turned down. Reviewing the support ticket now, I think I could have handled the sale more professionally. Maybe that's why.
One thing that people should realize in why Twitter may not respond to these kinds of issues, or may be slow to respond, is that it's probably true that lots of people buy and sell Twitter accounts, and people may report them stolen when in fact they've already sold them to someone.
This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.
So what? If Twitter returned control of a handle if someone could prove that they had recently controlled the handle, that would quickly make the handles market dry up.
Heads really ought to start rolling at PayPal. Their general approach to security is, quite frankly, appalling.
Is there any possible rational for Paypal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.
And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.
The attacker was posing as a PayPal employee, not the card owner. Of course, PayPal still needs better security, but posing as an employee of the same company is a classic social engineering exploit.
And that part was never really answered either. How can he pose as an employee calling in from an outside line? Does PayPal not tell you when an extension from PayPal is calling you?
Who cares what number the call was coming from. Security 101 for these phone techs should say something like "don't give out any information over the phone, even if the CEO calls and threatens to fire you if you don't." Or better yet, have much stricter protocols that deny the phone tech access to the information, so even if the caller threatens the tech personally, the information is safe.
The founder's interview [1] describe the beginning as a constant race against fraud, which no other bank was willing to compete in: "You're going to go bankrupt when the chargebacks start".
The was a locked room with a screen-and-keyboard-only computer where you could research about transactions and find suspicious and fraudulent ones. According to the founder, it became PayPal's core asset.
[1] in the book Founders At Work, which I recommend.
Just a side note here, GoDaddy has been under new management for a little under two years. There's a lot internal changes happening specifically aimed at improving usability and infrastructure.
PayPal is the only way I can get paid by my American client (in Canada) other than waiting a week for a cheque to mail, walking to the bank to deposit it, then another week or two for it to clear.
My custom domain address was stolen with the Dropbox data leak, got so much spam that I set my Gmail to pull my mails via POP3. Then I changed everything to use my Gmail, and locked down my Gmail account.
I've heard people go on about how Google (and I suppose other corporations) are evil, and how they are rolling their own custom mail solutions etc. It's times like these that people lose important things.
Also, I really don't understand why US companies must store credit card details. I understand the convenience, but there's been a lot of security compromises to let this practice continue. In South Africa online retailers don't store CC info, yet we aren't being brought to our knees by inconvenience.
At least the attacker mentioned his methods, so GoDaddy and PayPal can educate their staff better.
A custom domain address can also be used with a custom mail server configuration that includes spamassassin. You can even setup IMAP folders for you to drag and drop mail into to be learned automatically as spam, ham, or forgotten. You can also setup fairly sophisticated rules with procmail or sieve. A good mail provider will also have this implemented for you.
Aside from mining your data for marketing purposes, Google is evil because they continue to store your e-mails even after you delete them. Custom mail solutions are markedly superior if you know what you're doing, like anything else in life that you assume your own direct control over rather than leaving it to someone else.
Interesting that GoDaddy does not keep an audit trail for account detail changes that might help detect malicious activity. I guess they'll rather lose customers and reputation than do this.
393 comments
[ 5.0 ms ] story [ 366 ms ] threadWild story coming out today because I was just setting up a couple domains/emails today on Google Apps. There's actually a section in the process in which they suggest setting the MX TTL to 1 Week.
What you should do, is make sure that you trust your registrar. Paypal sure have some questionable practises, but the real culprit in this story is clearly GoDaddy.
That's horrible advice. That sort of attitude taken to the extreme means we shouldn't be using DNS for anything ourselves and put everything in Google's (or Amazon's) big bag.
Should I redirect my customers to facebook.com/company as well in fear of someone taking over my DNS?
The lesson from this whole charade is to not trust something as crucial your DNS to untrustworthy companies like Godaddy. We've heard the horror stories before and we keep on hearing them again.
Relying on Google, a company with no direct end-user support and no emergency hotline to secure the most important thing you have, DNS, is even bigger madness. I've been locked out from a Gmail account before. It took me weeks to get it back, because Google has no support.
So yeah. Get a proper DNS-provider, and don't dig yourself deeper into the hellhole you're currently setting up.
Btw, I personally use Bigrock instead. They have a very a good customer support.
http://rikacomet.blogspot.in/2013/12/quick-comparison-betwee...
https://support.twitter.com/articles/18311-the-twitter-rules
Abuse and Spam > Selling usernames: You may not buy or sell Twitter usernames.
The rules only say:
"If such permission is not granted, there is no (zero) market value or worth to this account."
If you walk away, cash in hand, are you liable for any punishment other than the banhammer from Twitter?
That being said if you're not actually going to use your account you might want to at least consider giving it to someone who would put it to more active use. Just a thought.
Just how much of the "real world" law you're alluding to by using the term "ownership" do you suppose applies to Twitter handles? (or Gmail addresses, or Facebook pages, or even domain names?)
Seeing how easily GoDaddy handed over the domain, it seems one can't even own a domain properly, and that is supposed to be a lot closer to an "ownership" right than Twitter handles.
We could look towards email and dns, though, as examples of a more fair distribution of namespace resources.
Organizations would do well to investigate what their options are to retain control over their namespace, lest it fall whim to a mishap such as this instance.
I just don't quite see how a username is 'owed' to other people who would use it more, either.
Also, a Mercedes and a twitter handle (or domain name) aren't exactly the same thing as a twitter handle is a unique owner of a particular pice of the namespace.
A better analogy would be an owner of a valuable piece of property who wasn't putting it to good use.
So if you were not putting your backyard to good use you would not feel too bad if your neighbors decided to encroach on it?
Some rich guy buys an amazing house on a beautiful California beachfront. But then never even bothers to stay there because he's got 3 other vacation homes. It just sits there empty all year long.
Would it be ok for someone to break in and start living there? No, of course not.
But you do have to kind of dislike that guy right? If he doesn't want to use this limited and valuable resource he should maybe give it up so someone else can get good use out of it.
There is no reason he should have to give up @H just because he isn't utilizing it enough. The person that got it better not send a single tweet shorter than the maximum to fit your logic.
You mean Communism?
There's nothing wrong with advocating the concept of sharing when a person obviously has more resources than he could actually use.
And if seizing it is too "communist" for you, then enormous taxes should be close enough to socialism.
"Would it be ok for someone to break in and start living there? No, of course not."
Dislike != ok to take my shit but it's still dislike.
Somebody just moved in and started living in his house. And just tossed all of his personal belongings out.
To be honest, I kind of disliked my friend for a while.
I understand that you have not said that the situation the OP faced is deserved, but you don't feel too bad about it.
Unfortunately your defense does make it seem that you are not completely opposed to a framework that would take back "limited resources" not being used well. Most likely this is not your intention at all.
I often come across businesses/store locations and most importantly domain names that are not using even a small fraction of true potential. I do feel sorry for them, but I can't say I dislike them, they might dislike themselves if they knew what I knew.
The only way I can fathom the minutest possibility of disliking them is if they knew how to thrive and did not do anything, if it was common knowledge on how to do it right, but they chose not too.
Unfortunately most people don't know how to use potential or don't recognize it at all, can't dislike them for trying though.
The GP's analogy is extremely weak.
Land should not remain unused.
"They paved paradise, put up a parking lot." Joni Mitchell
IANAL, but I have a hard time believing that a court of law is going to issue a judgement of adverse possession where the perpetrator used fraud/identity theft, extortion and blackmail to come into possession of it.
For example, I used one email for most of my life. But recently, I stopped using that email address, and have used another one due to wanting to boycott that company. Since I no longer use that email address, I should have to give the password to another person. This is just the right thing to do in all cases.
That would FREE UP a lot of email addresses. If you have any email addresses that you do not need, you are obligated to give your password to another person. If you don't, then they can't use email.
Just make sure that if you use that email to sign in to other websites using that email and password combination, go to all of those websites and notify your friends that you are giving your email to someone else and you are not the same person if you see future comments using that name.
Poe's law and all that.
Not a security risk I'm willing to take, when I could simply leave that email address dormant. There's not really a huge shortage of good email addresses if you're willing to pay $10 a year for your own domain.
Or is it just vaguely notable?
shrug
places like foursquare, people know people at twitter. if your outside the valley twitter won't even help you when the autosuspender mistakenly pops your account but valley/connected people call an investor or executive and get their vanity handle in hours. seen it happen twice.
it's all who you know and never forget it. when i dealt with twitter support as a normal the disparity between insider service and official was pretty amazing. they are the worst of the valley backscratchers.
bet they would have taken @n if the right person called. what would you do, sue?
Up until maybe 18-24 months ago if you knew the right folks you could generally get an inactive account released but even that is pretty much off the table at this point.
All industries have insiders. In some you can get a twitter handle, in others hard to get concert tickets, in others I bet it's early access to the latest in air ventilation equipment. It's not malicious. It's just personal relationships.
https://support.twitter.com/articles/15362-inactive-account-...
@N (now @N_is_stolen)'s last post was 4 months ago, so he is still technically considered an active user.
Less than 10 tweets in 3 years and all I do is read other tweets
The right of ownership includes to right to use what you own in your own way.
Of course, if the institution's judgement is that people can take things that I'm not using at that exact moment, and it is not interested in intervening, then it's not my 'right' to leave my house alone for the day.
Turns out my rights are entirely dependent on the amount of guns I can bring to bear vs. the amount of guns somebody challenging my claim can bring to bear.
It doesn't appear that he is trying to sell it, which is the usual behaviour of an account/name squatter.
I have several domains that I plan to use for little projects over the coming year (though given my lack of free time right now that may not happen like it didn't last year...). Am I a squatter for having paid for something I intend to use but have not got around to doing anything with yet? A couple of them are password/credentials related, for an example of a squatter talk to the person who owns password.net and sends me unsolicited email regularly trying to get me to offer to buy it as it will "help my brand" (the names I've got are the intended "brand", the generic short name is worth no more to me than standard registration fees - who slaps short names into their address bar instead of using a search engine these days?).
Now I reread that, it sounds a little... sexual.
I think something is in the works...
Seems I emailed them back and forth six times and I kept getting this canned message from them. Needless to say, I've given up and deleted Vine from my phone.
"Unfortunately, we are unable to locate the Vine account in question. If you can still log in to your Vine account, go to your profile settings and select either "Invite via text" or "Invite via email." From there you will see your Vine account ID number. Can you reply to this message with the Vine ID number?
If you no longer have access to this account, but can see the account in Vine search, press the more icon (three dots) on the top right of the profile. After that, tap on "Share this profile" and from there you will see your Vine account ID number."
If GoDaddy accepted Bitcoin PayPal wouldn't even be involved and GoDaddy instead of asking for information which is apparently easily pilfered could have requested the caller sign a message with their private key Bitcoin key corresponding to the public key from which they paid GoDaddy for the domain services to begin with.
If GoDaddy separated authentication of requests from payment information and had any of a wide number of different authentication methods, this wouldn't have been an issue, either. Using PayPal -- or accepting credit card payments by other means -- does not imply (or normally involve) using the last four digits of CC number as if it were a PIN for authentication. (In fact, since CC numbers are widely exposed information, doing so is insane -- especially the last four digits, which are frequently used without the rest as a reference to identify a credit card to the owner of the card in contexts like receipts where the information is expected to be particularly public.)
Payment methods are really largely irrelevant here, GoDaddy could easily have adopted an equally stupid and brain dead authentication method if they took bitcoin as payment.
If they sell it to someone I guess that is a reason to take it, but it also seems like some enterprising DA would want to use it as an example of receiving stolen property ( because News! Hacking! Fame!) So if anyone buys this name they might be in trouble at some unspecified point in the future.
https://www.gandi.net/static/contracts/en/g2/pdf/MSA-1.0-EN....
"Here's my credit card and GoDaddy creds, guys, and here's a technical note about my DNS settings that I want you to pay extra special attention to. Tell me when I should expect to start getting the GoDaddy confirmation emails. Other than that, have fun playing with DNS settings -- I never want to even think about them again."
This post is 5% "Here's my recommendation for a DNS service" and 95% "Notice how in return for an hour or two of grunt work a SaaS company just made it very easy for me to award them $2,000 of high-margin recurring revenue a year despite being twice as expensive as my pre-existing option by successfully overcoming my 'I would love to move off my existing solution but it requires grunt work so I think I'll punt on that decision for, oh, eight years' objection? That's a really good trade. You should consider offering it in your SaaS business, too, in any way that makes sense for it."
On the other hand, we're talking about security here, and, sadly, a company that has extra helpful support may be more easily socially engineered. The author's advice to use gmail.com addresses only works because Google basically has no customer support for gmail.com, so there's no one to social engineer!
I run a business which collapses catastrophically if I lose control of my Internet presence, and I'm at least as Internet-exposed as "a guy who owns a desirable Twitter handle."
I don't care about elephant hunting. I put up with years of my intelligence getting insulted by SSL certificates being hawked by models. I can appreciate that the economics of the business mean that there need to be upsells to continue offering the low low prices. Fine. But if you cough up a domain, that's it, we're done. I care about that like Thomas cares about SSL CAs offering a CA=true cert to a third party.
Referral link, gets both of us 1 month free service: https://dnsimple.com/r/96a980397648e9
Also everything patio11 said above. :)
Honestly I don't have enough experience with them to really evaluate their services, but they seem trustworthy and competent, and I like working with people I know I can talk to.
[2] http://namecheap.com [2] http://iwantmyname.com
* 2 factor authentication
* 5 security Q/A's before you can make an account change!
http://www.namesilo.com/Support/Domain-Defender
there is no WAY this guy would have had an issue if he was with namesilo and had both protections enabled
(I'm just a happy client and in no other way related to them)
Except their customer support has a process to bypass those 5 security questions:
http://www.namesilo.com/Support/Forgot-Domain-Defender-Answe...
How can you be sure their customer support can't also be socially engineered? I'm actually hesitant to use a service which requires 5 security questions to make a change, because I bet so many people forget their answers that their support is lax when it comes to bypassing them.
We will need to ask you questions to verify your identity. These questions will be different based upon your account and history with us. Please understand that these verification steps are for your protection.
Executive-lock (E-Lock) allows for the domain name to be frozen. This means that the domain name is:
1. Unable to be transferred out to another Registrar.
2. Unable to be pushed to another Fabulous account.
3. Unable to have changes to its nameservers.
4. Unable to have the registrar-lock status removed.
You can define whatever conditions you want and they manually do them if you want it unlocked. It could take many days to unlock your domain, but it definitely isn't going anywhere.
"If your portfolio generates US$750 a month or you are willing to transfer 750+ domains to Fabulous, please complete the form below."
That's a little out of my range though I'd be willing to pay a premium (how much of a premium?).
They are focused on large portfolio customers. That's kind of the caveat for their service. Many of those large customers also use their other services like domain parking too.
Their customer service has been really great since, so I'm staying. It's probably slightly more expensive than I could get elsewhere, but for the sense of security I get, it's completely worth it.
Point being- In this shitty business, where trust is everything - I prefer a small player who I can have a direct personal relation to, over some big nameless corporation.
Have been using them since 2006 both personally and at work. They do have 2 factor auth.
(As well as not putting any important stuff there)
Twitter added two-factor authentication back in May. If you're constantly being attacked that you ignore important emails, at least add phone authentication.
-
You might want to read the post before you comment. He willingly gave the twitter to the hacker.
Then I can come back here and post nasty comments about squatters.
The guy has given a clear and convincing story of what happened. I'm sure that it would be pretty easy for someone on Twitter's security team (assuming that they have one) to verify that the username was taken when he said it was.
I don't know what I find more shocking -- that PayPal would actually give the last four digits of a credit-card number to a complete stranger, that GoDaddy would let someone guess a two-digit number, or that a credit-card number is all you need to identify yourself. (In Israel, it's common for companies to ask for the last four digits of your credit card number in addition to other details, but never on its own.)
Actually, I'm willing to believe just about anything about GoDaddy. But PayPal is known for being surprisingly harsh and paranoid about security, shutting down accounts and holding money when they suspect problems. It's sad and rather surprising to me that they're willing to give out such information so easily, unless you specifically ask them not to. Shouldn't it be the other way around, that they refuse to provide such details unless you allow them to?
I really hope that Twitter and PayPal apologize profusely to this author, and undo the damage they've done as best as possible.
Twitter should look into what happened in this specific case, and somehow (if the posting is right) return the username to its original owner.
But there does seem to be something terribly broken here if it's possible for someone to get another person's Twitter account, and for it to take a full investigation to get it back to the original owner. And for not having better procedures in place, I think that an apology wouldn't be unreasonable.
In general, it seems to me that demonstrating empathy for your customers is a pretty reasonable strategy. Even if they didn't do anything wrong, and before they have finished this investigation, they can show that they care about the people using their system.
I don't think that Twitter could go wrong by saying, "We now see that we need to make it harder for scammers to switch the ownership of a Twitter account, and are looking into how to do so without hurting our legitimate users."
Just for the record, I have no reason to believe he's saying anything less than the truth - but I can't fault Twitter for basically presuming malice until they have conclusively documented the opposite.
Perhaps he has something against GoDaddy (many do) and/or PayPal (again, many do) so took the opportunity to make them look bad by making sure that their effective complicity in the hack is well known.
http://www.youtube.com/watch?v=hG-_tz5YuZE
The grandfather post is referencing asymmetric warfare[0] which would be a pretty decent name for what could happen. I don't think he just threw some cliches into a sentence.
[0] http://en.wikipedia.org/wiki/Assymetrical_warfare
Anyhow, if any of them actually comply to ISO 9001, it is possible to audit previous data to establish the true identity of the owner in some arbitrary date before any of this happened.
Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.
"Not accepting an offer of $50K for a twitter username I didn't use" doesn't really count...
Much closer than saying "I would sell this if I received a 50k offer."
Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).
Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.
So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.
So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.
If not I could just make fake email logs and report you.
the most famous is the CNNbrk handle
Twitter: "I'm sorry, you can't do that."
Israel: "What are you, some kind of Anti-semite!?!"
Twitter: "OK, OK, go ahead and do what you want. See, we're not anti-semite :)"
at the bottom a twitter representative is quoted as saying that as long as they give you permission to sell/buy a handle they won't block/lock the account.
Also apparently CNN also purchased a handle[1].
[1] http://www.businessinsider.com/cnn-acquires-cnnbrk-twitter-a...
This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.
Is there any possible rational for Paypal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.
And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.
The founder's interview [1] describe the beginning as a constant race against fraud, which no other bank was willing to compete in: "You're going to go bankrupt when the chargebacks start".
The was a locked room with a screen-and-keyboard-only computer where you could research about transactions and find suspicious and fraudulent ones. According to the founder, it became PayPal's core asset.
[1] in the book Founders At Work, which I recommend.
Also considering closing my paypal account now.
PayPal is the only way I can get paid by my American client (in Canada) other than waiting a week for a cheque to mail, walking to the bank to deposit it, then another week or two for it to clear.
I've heard people go on about how Google (and I suppose other corporations) are evil, and how they are rolling their own custom mail solutions etc. It's times like these that people lose important things.
Also, I really don't understand why US companies must store credit card details. I understand the convenience, but there's been a lot of security compromises to let this practice continue. In South Africa online retailers don't store CC info, yet we aren't being brought to our knees by inconvenience.
At least the attacker mentioned his methods, so GoDaddy and PayPal can educate their staff better.
Some people noticed they got e-mail through unique non-disclosed e-mail addresses.
[1]: http://lifehacker.com/5930706/dropbox-confirms-user-email-le...
Aside from mining your data for marketing purposes, Google is evil because they continue to store your e-mails even after you delete them. Custom mail solutions are markedly superior if you know what you're doing, like anything else in life that you assume your own direct control over rather than leaving it to someone else.