Paypal, Twitter, and GoDaddy.... A cautionary tale for everyone....

  • 29-01-2014 10:59AM
    #1
    Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭


    Just had a read of this and thought it might interest some people here.

    via: The Next Web - http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tLLQz

    Without any need for technical sophistication at all, but some know-how of how things work, some lax practices on behalf of service providers, and a bit of social engineering, the guy's Twitter a/c - valuable enough in this case @N (whatever yer havin yourself like).

    A take away in particular -
    Avoid Custom Domains for Your Login Email Address

    With my GoDaddy account restored, I was able to regain access to my email as well. I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

    If you are using your Google Apps email address to log into various websites, I strongly suggest you stop doing so. Use an @gmail.com for logins. You can use the nicer custom domain email for messaging purposes, I still do.

    In addition, I also strongly suggest you use a longer TTL for the MX record, just in case. It was 1 hour TTL in my case and that’s why I didn’t have enough time to keep receiving emails to the compromised domain after losing the DNS control. If it was a week-long TTL for example, I would have had a greater chance to recover the stolen accounts.

    Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.

    I'm not sure of the practicality of a very long TTL as I'm sure the rare occasion where you want to change your MX (or other) address, that you don't want to wait a week for it to happen - hmnnnnnn, can it be forced on DNS? Not sure.

    After reading Mat Honan's experience, also referred to in The Next Web's post, I had personally gotten into the habit of removing credit card information after purchases are concluded, or opting out if the option was there, but there are probably a few services that I need to go back on.

    Anyhow, I know a lot of people get attached at the hip to their custom email domains and I thought it would be worthy to raise it on the forum for awareness sake.


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That is nasty business. Nasty.

    I went on to set up two factor authentication with PayPal, but the option to use your phone isn't present. I wonder if that's just for Irish customers. Anyone know?

