Photo: Graffiti 2.0 (Creative Commons License, photo credit: quinn.anya)

I find Naoki Hiroshima’s story to be depressing. It paints a rather bleak picture for web security and if it leaves you feeling helpless, you aren’t alone.

If you haven’t read it, I recommend doing so. To sum it up briefly, Hiroshima was the holder of the @N account on Twitter. Someone wanted it. They couldn’t hack into the account itself, so they instead manipulated their way into his GoDaddy account. The attacker said that they were able to convince PayPal to give them the last four digits of a credit card on file (PayPal denies this) and then they used that as a means to help convince a GoDaddy customer service rep that they were the account holder.

Once they had access to his GoDaddy account, they essentially controlled Hiroshima’s domain names. The attacker contacted him and said that the domain names would disappear if he didn’t hand over the Twitter account. Hiroshima says that GoDaddy refused to help him, so he made the exchange and, as of this moment, he still doesn’t have his @N account.

Social Engineering

When these things happen, people always say “well, he should have done this.” You can always spend more time and money on security. But the fact is, from his description, Hiroshima did more to secure his accounts than most people reading this and more than nearly all users of the internet. And it failed, due to social engineering.

Social engineering is about tricking people (rather than machines) into giving you information you shouldn’t otherwise have. In this case, the attacker (allegedly) calls PayPal with a sob story. Customer service wants to please people. If you match a sympathetic enough representative with a convincing enough story, you may well get the information that you are after. In other words, you can have long, complex passwords and two-factor authentication as much as you want, but it can all be side-stepped by a persistent enough attacker connecting with the right person who is aiming to satisfy their customer.

Community Members and Their Accounts

It got me to thinking about members who are locked out of their accounts on my online community and what I attempt to do to help them. Accounts on my community don’t provide access to credit cards or domain names or anything like that. But they can still have value. For example, an attacker might want access to the username, to private messages or to an influential account so that they can inject a link into the member’s signature.

I’ve always been pretty sensitive about this. We have one primary way to tie an account to an individual and that is their email address, which we confirm. This is why it is so important to keep your email address up to date. That’s the only thing we ask of you. We don’t make people give us other contact information or identifying details, so if you lose the email address, you could be out of luck. If you have access to the email address, awesome, then you can use our lost password form and you will be able to come back.

If someone tells me that they no longer have access to the email address on their profile, that is when things become tricky. It doesn’t mean they are completely out of luck, though. I do try to work with people, if there is something to work with. I look at what else is on their profile. Did they list a personal website? What does their signature say? Have they provided other contact methods in their profile or in their posts? I look at these and see if there is a reasonable way to verify who they are.

This is not without weakness. For example, they might list instant messenger names on their profile, and those could, potentially, be hacked. If I then used them to verify the person, it wouldn’t matter. That said, if it is current profile information, that is what the member has provided to us and that does carry weight. I try to weigh all information carefully.

I do take into consideration the story that the member presents and also the account they are trying to gain access to. If they are trying to get access to an account with an obscure username that has never made a post, I consider that differently from them trying to gain access to an account with 1,000 posts. If the member and I have had a private conversation in the past, that can be helpful because I can ask them about their conversation and see if they can confirm various details about it that only they would know.

My Goal Isn’t Their Happiness

Here is the important thing to keep in mind, though: at this stage, I am trying to find a method (or multiple methods) that will permit me to confidently provide them with access to their account. I am not trying to satisfy them or make them happy. That is an important difference. Though community management can sometimes be a customer service role, it is first and foremost about the integrity of the community and so, if I am to give access to an account, I am the one who really needs to know this is the right person.

There is always the possibility that I could be socially engineered, but I am not giving people information. I am not going to tell someone what email address is on the account. Email addresses are private on our site, so no one (outside of me and the account holder) knows what email address is on each account. If someone emails me and says, “hey, I forgot the email address on my account,” I am not telling them the address. I am not giving them a target to try and hack. I might give them some sort of generally harmless hint (“it starts with h”), but nothing that would give them the address if they did not already know it.
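The two rules above (recovery goes only to the address on file and is never disclosed; at most a harmless first-letter hint) as an added Python example, not code from the original post; the member records, usernames and helper names are constructed assumptions:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample members; on a real forum these come from the database.
@dataclass
class Member:
    username: str
    email: str            # private: never returned to a requester
    pending_tokens: list = field(default_factory=list)

MEMBERS = {
    "alice": Member("alice", "hannah.a@example.com"),
    "bob": Member("bob", "b@example.net"),
}

def harmless_hint(email: str) -> str:
    """Reveal only the first character of the address ('it starts with h').
    Nothing here lets a requester recover an address they do not already know."""
    local = email.split("@", 1)[0]
    return f"it starts with {local[0].lower()}" if local else "no hint available"

def request_reset(username: str, outbox: list) -> str:
    """Lost-password form: send a token to the address on file, never disclose it.
    The reply is identical whether or not the username exists, so the form
    cannot be used to enumerate accounts or to learn which address is on file."""
    member = MEMBERS.get(username.lower())
    if member is not None:
        token = secrets.token_urlsafe(32)
        member.pending_tokens.append(token)
        # Delivered by the mailer to the stored address, not shown to the requester.
        outbox.append({"to": member.email, "token": token})
    return "If that account exists, a reset link has been sent to the email on file."

def confirm_reset(username: str, token: str) -> bool:
    """Accept a token once; compare in constant time to avoid timing leaks."""
    member = MEMBERS.get(username.lower())
    if member is None:
        return False
    for issued in member.pending_tokens:
        if hmac.compare_digest(issued, token):
            member.pending_tokens.remove(issued)   # single use
            return True
    return False
```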

I am absolutely not inclined to give them access. I am ready to say no. Better yet, I am predisposed to say no. Not only do I need to find a way to verify them from a hard data perspective, but I also need to feel right about it. If I feel uneasy, it’s a no.

Community managers must balance the desire to be helpful with the responsibility of protecting member accounts.