Crisis Management Musts – Protecting Digital Assets

Sections of this topic

    Your social media presence is a valuable commodity, don’t leave it unguarded

    We’re at the point where some social media accounts are worth serious dough. Some for the rich communities built around them, some for their brand association, and some simply because they have a unique, hard-to-obtain handle. Because of that, just as we saw in the days when the ‘net, in general, was really starting to take off, there are virtual pirates looking to take what’s yours and either make it their own or hold it for ransom.

    A warning for security slackers

    The story of app developer Naoki Hiroshima, owner of the Twitter username, @N, should serve as motivation for anyone who’s slacking on their own web security – a critical part of personal crisis management in the digital age. Hiroshima owned the @N account, for which he says he’s been offered as much as $50,000 when a hacker decided to take it for himself. Hiroshima says he began receiving account reset emails from both PayPal and GoDaddy and through a series of events detailed in his Medium blog, lost control of the GoDaddy account altogether.

    In a scary twist, Hiroshima was actually emailed by his attacker, who extorted him into giving up control of the @N Twitter account by threatening to trash the data on the websites which he runs, all registered through GoDaddy. Hiroshima even managed to get directly connected with a GoDaddy exec at some point in the process, but they were unable to help secure his accounts before he felt forced to give up @N.

    Even worse, the hacker provided Hiroshima with information about how he took over control of much of his digital life, and, if he’s telling the truth, PayPal and GoDaddy failed miserably in protecting a customer’s data. A quote:

    I asked the attacker how my GoDaddy account was compromised and received this response:

    From: <[email protected]> SOCIAL MEDIA KING
    To: <*****@*****.***> Naoki Hiroshima
    Date: Mon, 20 Jan 2014 19:53:52 -0800
    Subject: RE: …hello

    – I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

    – I called godaddy and told them I had lost the card but I remembered the last four, the agent then allowed me to try a range of numbers (00-09 in your case) I have not found a way to heighten godaddy account security, however if you’d like me to
    recommend a more secure registrar i recommend: NameCheap or eNom (not network solutions but enom.com)

    It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification. When asked about this, the attacker responded with this message:

    From: <[email protected]> SOCIAL MEDIA KING
    To: <*****@*****.***> Naoki Hiroshima
    Date: Mon, 20 Jan 2014 20:00:31 -0800
    Subject: RE: …hello

    Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card

    But guessing 2 digits correctly isn’t that easy, right?

    From: <[email protected]> SOCIAL MEDIA KING
    To: <*****@*****.***> Naoki Hiroshima
    Date: Mon, 20 Jan 2014 20:09:21 -0800
    Subject: RE: …hello

    I got it in the first call, most agents will just keep trying until they get it

    He was lucky that he only had to guess two numbers and was able to do it in a single call. The thing is, GoDaddy allowed him to keep trying until he nailed it. Insane. Sounds like I was dealing with a wannabe Kevin Mitnick—it’s as though companies have yet to learn from Mitnick’s exploits circa 1995.

    The bottom line here is that, although many organizations make a big stink about how secure they keep your data, the vast majority are easy prey for anyone with a bit of “dark side” know-how (how-to instructions for tactics like the ones used in this case are readily available through a quick Google search) and a silver tongue. When it comes to protecting digital assets, always assume the burden of protection lies on you.

    A happy ending, but not so fast…

    There is a happy ending to Hiroshima’s story, as, likely thanks to the massive amount of publicity his blog post on the hack attracted, he regained control of the @N account over a month after he lost it. If you’re even entertaining the thought that those consequences weren’t really so dire, consider the damage someone could do if they had hold of your Twitter account for a full month not only to your organization but also to your contacts and followers through things like phishing or malware attacks.

    A little more worried now?

    ——————————-
    For more resources, see the Free Management Library topic: Crisis Management
    ——————————-

    [Jonathan Bernstein is president of Bernstein Crisis Management, Inc., an international crisis management consultancy, and author of Manager’s Guide to Crisis Management and Keeping the Wolves at Bay – Media Training. Erik Bernstein is Social Media Manager for the firm, and also the editor of its newsletter, Crisis Manager]