
Paypal, Twitter, and GoDaddy.... A cautionary tale for everyone....

  • 29-01-2014 9:59am
    #1
    Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭


    Just had a read of this and thought it might interest some people here.

    via: the next web - http://thenextweb.com/socialmedia/2014/01/29/lost-50000-twitter-username/#!tLLQz

    Without any need for technical sophistication at all, but some know-how of how things work, some lax practices on behalf of service providers, and a bit of social engineering, the guy's Twitter a/c - valuable enough in this case @N (whatever yer havin yourself like).

    A take away in particular -
    Avoid Custom Domains for Your Login Email Address

    With my GoDaddy account restored, I was able to regain access to my email as well. I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

    If you are using your Google Apps email address to log into various websites, I strongly suggest you stop doing so. Use an @gmail.com for logins. You can use the nicer custom domain email for messaging purposes, I still do.

    In addition, I also strongly suggest you use a longer TTL for the MX record, just in case. It was 1 hour TTL in my case and that’s why I didn’t have enough time to keep receiving emails to the compromised domain after losing the DNS control. If it was a week-long TTL for example, I would have had a greater chance to recover the stolen accounts.

    Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.

    I'm not sure of the practicality of a very long TTL as I'm sure the rare occasion where you want to change your MX (or other) address, that you don't want to wait a week for it to happen - hmnnnnnn, can it be forced on DNS? Not sure.

    After reading Mat Honan's experience, also referred to in The Next Web's post, I had personally gotten into the habit of removing credit card information after purchases are concluded, or opting out if the option was there, but there are probably a few services that I need to go back on.

    Anyhow, I know a lot of people get attached at the hip to their custom email domains and I thought it would be worthy to raise it on the forum for awareness sake.
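
The MX TTL point in the article quoted above can be checked against a zone file. The following is an added example, not part of the original post or the quoted article: the zone contents, the function names and the one-week threshold (borrowed from the article's "week-long TTL" remark, not a general recommendation) are assumptions, and it assumes every record line states its owner name.

```python
import re

# Constructed sample zone (BIND-style); names and values are illustrative only.
SAMPLE_ZONE = """\
$TTL 1h
example.com.        IN  MX  10 mail.example.com.
example.com.  1w    IN  MX  20 backup.example.com.
example.com.  300   IN  A   192.0.2.10
mail.example.com.   IN  A   192.0.2.25
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^\d+(?:[smhdw]\d+)*[smhdw]?$", re.I)  # 3600, 1h, 1w2d

def ttl_seconds(text):
    """Convert '3600', '1h' or '1w2d' to seconds."""
    return sum(int(n) * UNITS[(u or "s").lower()]
               for n, u in re.findall(r"(\d+)([smhdw]?)", text, re.I))

def mx_ttls(zone_text):
    """Return [(owner, mail_host, ttl_seconds)] for each MX record."""
    default_ttl, out = None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = ttl_seconds(fields[1])
            continue
        owner, rest = fields[0], fields[1:]
        ttl = default_ttl
        # TTL and class are both optional and may appear in either order
        while rest and (TTL_RE.match(rest[0]) or rest[0].upper() == "IN"):
            if rest[0].upper() != "IN":
                ttl = ttl_seconds(rest[0])
            rest = rest[1:]
        if len(rest) >= 3 and rest[0].upper() == "MX":
            out.append((owner, rest[2], ttl))
    return out

def short_mx(zone_text, minimum=604800):
    """MX records with no known TTL or a TTL below `minimum` seconds."""
    return [r for r in mx_ttls(zone_text) if r[2] is None or r[2] < minimum]

if __name__ == "__main__":
    for owner, host, ttl in short_mx(SAMPLE_ZONE):
        print(f"{owner} MX {host}: TTL {ttl}s is below the chosen minimum")
```

On the sample zone only the first MX record is reported, because it inherits the one-hour `$TTL` default while the second carries an explicit `1w`.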


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That is nasty business. Nasty.

    I went on to set up two factor authentication with PayPal, but the option to use your phone isn't present. I wonder if that's just for Irish customers. Anyone know?

