I kept reading the How I Lost My $50,000 Twitter Username story over and over again since it got published. It’s infuriating in so many ways that it takes time to digest every bit of it. At the same time, there’s no surprise, and we can very well imagine it could happen to every one of us. I’m not even blaming GoDaddy and Paypal. They’re unprofessional and unethical in so many ways (Why? GoDaddy / Paypal); this is just one more piece of evidence that you should ditch them completely.
Sure, high DNS TTLs matter when you’re not in an active migration phase. Sure, using 100+ character passwords (why?) and enabling 2-step verification will prevent most troubles in the long run. There are also many different initiatives to try and improve your online security. But none of this will help with employees giving away your private data because they don’t have, or don’t follow, basic security procedures.
Did you know that Paypal charges $29.95 USD if you prefer having a credit-card size PayPal Security Key over mobile phone verification? Why should we pay for systems they have the responsibility to secure? Wouldn’t transaction fees be enough for them to justify financing those security devices in the first place? That’s no small profit, is it?
I’d like to share an experience I recently had with a banking system. Before being able to open an account with them, I had to fill in a very boring and very detailed online form. Then, they requested that I scan at least 2 personal identification proofs. I thought I could scan my ID and Passport and that would work. Nope, they required those, but also a recent water bill or anything else to justify that I lived where I claimed I did. Hmm. Okay. Then, I got a call from a representative asking me to answer several of the personal questions that I had entered online, to validate their routine security check. With this, I was able to open the account, as they had verified my ID, home address, phone and security questions. Yay.
Then, 2 weeks later, I received a credit-card size security key (for free, of course) with 200+ security numbers. Each number corresponds to 3 letters/numbers. I need to enter a combination of 2 security numbers each time I log in. To give you an example, if the challenge requests numbers 15 and 213, I’ll have to enter S8M + 1FR. So, if my username and passwords are valid AND my security numbers are approved, I’m in.
But the best part comes now. At some point, I managed to get myself locked out and my account got deactivated (I guess after 3 failed attempts). Obviously there’s no email recovery for passwords and no other way to reactivate the account than calling the customer service. First, you talk to someone who’s trying to determine whether you failed at entering a valid password or the security challenge. Oh, and that person will ask you to answer 3 security questions + your birthdate before you’re given the chance to talk about your problem. After that, this representative will tell you that you’re gonna be transferred to another department for security purposes. That other person will also ask you to answer security questions again and will give you a temporary code to get in. Then, you’ll have to follow a very specific procedure to fully recover your account and re-activate your security key.
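The grid-card second factor and the lockout behaviour described in the two paragraphs above, written up as the server-side check a bank would run. This is an added example, not code from the post or from any bank: the 200-cell card with 3-character codes, the two-cell challenge (answered as "S8M" + "1FR") and the 3-strike deactivation are modelled on what the post describes, and every function and parameter name here is hypothetical.

```python
import hmac
import random
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical parameters, modelled on the card described in the post:
# 200+ numbered cells, each holding 3 letters/digits; a login challenge names
# two cells and the user types both codes back-to-back (e.g. "S8M" + "1FR").
ALPHABET = string.ascii_uppercase + string.digits
CELL_LEN = 3
MAX_FAILURES = 3  # the post guesses that 3 failed attempts deactivate the account


def generate_card(n_cells: int = 200, rng: Optional[random.Random] = None) -> Dict[int, str]:
    """Build a fresh grid card: cell number -> 3-character code.
    Uses the OS CSPRNG unless a seeded Random is passed (tests only)."""
    choose = (rng or secrets.SystemRandom()).choice
    return {n: "".join(choose(ALPHABET) for _ in range(CELL_LEN))
            for n in range(1, n_cells + 1)}


@dataclass
class Account:
    """Server-side state for one user's grid-card second factor."""
    card: Dict[int, str]
    failures: int = 0
    locked: bool = False
    pending: Optional[Tuple[int, int]] = None

    def new_challenge(self, rng: Optional[random.Random] = None) -> Tuple[int, int]:
        """Pick two distinct cell numbers. The server chooses, never the client,
        so an attacker holding a photo of part of the card cannot steer the challenge."""
        if self.locked:
            raise PermissionError("account deactivated; reactivation is out of band")
        a, b = (rng or secrets.SystemRandom()).sample(sorted(self.card), 2)
        self.pending = (a, b)
        return self.pending

    def verify(self, response: str) -> bool:
        """Check a response against the outstanding challenge.
        Every challenge is single-use and every miss counts toward lockout."""
        if self.locked or self.pending is None:
            return False
        a, b = self.pending
        self.pending = None  # consume the challenge whether or not it succeeds
        expected = (self.card[a] + self.card[b]).encode()
        # Normalise what the user typed (case, spaces) before a constant-time compare.
        given = response.strip().upper().replace(" ", "").encode()
        if hmac.compare_digest(expected, given):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # no self-service reset: recovery goes through support
        return False


def expected_response(card: Dict[int, str], challenge: Tuple[int, int]) -> str:
    """What the legitimate card holder reads off the card for a challenge (client side)."""
    a, b = challenge
    return card[a] + card[b]


if __name__ == "__main__":
    acct = Account(card=generate_card())
    ch = acct.new_challenge()
    print("challenge cells:", ch, "accepted:", acct.verify(expected_response(acct.card, ch)))
    for _ in range(MAX_FAILURES):
        acct.new_challenge()
        acct.verify("??????")
    print("locked after", acct.failures, "failures:", acct.locked)
```

The two properties worth noticing are that a challenge is consumed on first use, so a captured response cannot be replayed, and that the lockout has no online escape hatch: once `locked` is set, the only way back is the out-of-band procedure the post describes.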
If Paypal did things this way, what are the odds that compromised accounts would significantly decrease? Any idea? ‘Cause I sure do!
UPDATE (2014-02-02): GoDaddy modifies account policies in response to ‘$50,000 Twitter username’ hack