How I Lost My $50,000 Twitter Username (medium.com)
what sane person doesn't call the FBI when an attacker blatantly commits fraud against them, admits to it, and then commits extortion based on the successful fraud? Furthermore, what kind of attacker explains how they attacked? That's ludicrous.
this has got to be some kind of roundabout way of advertising for the various competitors of godaddy mentioned in the post.
If GoDaddy accepted Bitcoin, PayPal wouldn't even be involved, and GoDaddy, instead of asking for information which is apparently easily pilfered, could have requested the caller sign a message with their private Bitcoin key corresponding to the public key from which they paid GoDaddy for the domain services to begin with.
If GoDaddy separated authentication of requests from payment information and had any of a wide number of different authentication methods, this wouldn't have been an issue, either. Using PayPal -- or accepting credit card payments by other means -- does not imply (or normally involve) using the last four digits of CC number as if it were a PIN for authentication. (In fact, since CC numbers are widely exposed information, doing so is insane -- especially the last four digits, which are frequently used without the rest as a reference to identify a credit card to the owner of the card in contexts like receipts where the information is expected to be particularly public.)
Payment methods are really largely irrelevant here; GoDaddy could easily have adopted an equally stupid and brain-dead authentication method if they took bitcoin as payment.
Makes me happy that companies are moving towards text authentication since emails are easy (or at least well practiced) to compromise.
Note: Time to change my Time To Lives on my MX records and up my security.
However. If someone were to steal a physical asset in order to extort something else out of me I would go immediately to the police. I'd have thought I'd do the same if the assets involved were digital.
I've no idea if a criminal offence was committed in whatever jurisdiction this happened. But I'd have thought extortion is illegal in many parts of the world?
I'm not really sure I understand the psychology behind it and whether it's a juvenile attempt to demonstrate relative power (e.g. "I did this to you, ergo I'm more powerful/smarter/whatever") or something else entirely.
Follow us at @N on twitter.
Looks like a typo. Imparts zero cred since 99.999% of people will not take your ability to "possess" a short twitter account name as helpful for whatever else you may be trying to do.
As far as the "Sorry I am so technically gifted. Let me tell you what you should do to prevent me next time..." thing, what kind of cartoon caper is this?
If they sell it to someone I guess that is a reason to take it, but it also seems like some enterprising DA would want to use it as an example of receiving stolen property (because News! Hacking! Fame!). So if anyone buys this name they might be in trouble at some unspecified point in the future.
$50k is hardly worth such a bold crime with no exit strategy.
He may say that he has left them alone, but you have no chance of knowing.
btw, @! google search returns 0 results. interesting... hmm, twitter apparently allows alphanumeric handles only...
"Here's my credit card and GoDaddy creds, guys, and here's a technical note about my DNS settings that I want you to pay extra special attention to. Tell me when I should expect to start getting the GoDaddy confirmation emails. Other than that, have fun playing with DNS settings -- I never want to even think about them again."
This post is 5% "Here's my recommendation for a DNS service" and 95% "Notice how in return for an hour or two of grunt work a SaaS company just made it very easy for me to award them $2,000 of high-margin recurring revenue a year despite being twice as expensive as my pre-existing option by successfully overcoming my 'I would love to move off my existing solution but it requires grunt work so I think I'll punt on that decision for, oh, eight years' objection? That's a really good trade. You should consider offering it in your SaaS business, too, in any way that makes sense for it."
Referral link, gets both of us 1 month free service: https://dnsimple.com/r/96a980397648e9
Also everything patio11 said above. :)
Honestly I don't have enough experience with them to really evaluate their services, but they seem trustworthy and competent, and I like working with people I know I can talk to.
Their customer service has been really great since, so I'm staying. It's probably slightly more expensive than I could get elsewhere, but for the sense of security I get, it's completely worth it.
Point being- In this shitty business, where trust is everything - I prefer a small player who I can have a direct personal relation to, over some big nameless corporation.
Executive-lock (E-Lock) allows for the domain name to be frozen. This means that the domain name is:
1. Unable to be transferred out to another Registrar.
2. Unable to be pushed to another Fabulous account.
3. Unable to have changes to its nameservers.
4. Unable to have the registrar-lock status removed.
You can define whatever conditions you want and they manually do them if you want it unlocked. It could take many days to unlock your domain, but it definitely isn't going anywhere.
"If your portfolio generates US$750 a month or you are willing to transfer 750+ domains to Fabulous, please complete the form below."
That's a little out of my range though I'd be willing to pay a premium (how much of a premium?).
* 2 factor authentication
* 5 security Q/A's before you can make an account change!
http://www.namesilo.com/Support/Domain-Defender
there is no WAY this guy would have had an issue if he was with namesilo and had both protections enabled
(I'm just a happy client and in no other way related to them)
Except their customer support has a process to bypass those 5 security questions:
http://www.namesilo.com/Support/Forgot-Domain-Defender-Answe...
How can you be sure their customer support can't also be socially engineered? I'm actually hesitant to use a service which requires 5 security questions to make a change, because I bet so many people forget their answers that their support is lax when it comes to bypassing them.
Have been using them since 2006 both personally and at work. They do have 2 factor auth.
Seems I emailed them back and forth six times and I kept getting this canned message from them. Needless to say, I've given up and deleted Vine from my phone.
"Unfortunately, we are unable to locate the Vine account in question. If you can still log in to your Vine account, go to your profile settings and select either "Invite via text" or "Invite via email." From there you will see your Vine account ID number. Can you reply to this message with the Vine ID number?
If you no longer have access to this account, but can see the account in Vine search, press the more icon (three dots) on the top right of the profile. After that, tap on "Share this profile" and from there you will see your Vine account ID number."
You think the hacker who tricked Paypal and Godaddy is in the right here to steal it? I can't believe it.
I've heard people go on about how Google (and I suppose other corporations) are evil, and how they are rolling their own custom mail solutions etc. It's times like these that people lose important things.
Also, I really don't understand why US companies must store credit card details. I understand the convenience, but there's been a lot of security compromises to let this practice continue. In South Africa online retailers don't store CC info, yet we aren't being brought to our knees by inconvenience.
At least the attacker mentioned his methods, so GoDaddy and PayPal can educate their staff better.
Aside from mining your data for marketing purposes, Google is evil because they continue to store your e-mails even after you delete them. Custom mail solutions are markedly superior if you know what you're doing, like anything else in life that you assume your own direct control over rather than leaving it to someone else.
Some people noticed they got e-mail through unique non-disclosed e-mail addresses.
[1]: http://lifehacker.com/5930706/dropbox-confirms-user-email-le...
(As well as not putting any important stuff there)
I've had two users offer to buy my username.
"Not accepting an offer of $50K for a twitter username I didn't use" doesn't really count...
Much closer than saying "I would sell this if I received a 50k offer."
The first few digits of card numbers refer to the provider (Visa, Amex, etc) [0]. Given that Paypal gave the last four digits of the card, I'm surprised they wouldn't give out the provider as well, so guessing this would be even easier.
[0] https://github.com/stripe/jquery.payment/blob/master/src/jqu...
Using an unusual/unknown address for account validation mails (maybe with forwarding of other communications) probably would make sense, though. And/or sites coming up with a better account-recovery procedure, perhaps outsourced to a startup.
There's probably a market for a super-secure email address for account login mails, but that isn't a free gmail account.
How we make sure that you don't lose your $50,000 Twitter username: http://ow.ly/t4yR8 $5.99 domain transfers with code BYEBYEGD
a) Two Factor should be mandatory and as soon as it is, any representative of the company MUST insist that a reset cannot be done over the phone. It should be highly suspicious if someone comes up and says "Hi, I lost my email account access AND my phone so could you please reset my password via phone now?"
b) If not Two Factor, the security questions should also be mandatory. No other "data" like past addresses or cc numbers should suffice to reset over the phone if the person doesn't know the answers to all security questions.
And, speaking of these questions, of course they should be stuff that you know and cannot be "guessed" by anyone who is able to read your Facebook page or similar. Maybe even some nonsensical thing like "Favorite Food" - "Horse Droppings". As long as you remember this, nobody should be able to "hack" that over the phone. Even if you go on and on on Facebook about how you "could eat your way through a giant bowl of pasta you love it so much".
I would NEVER remember this. EVER.
... there has got to be a multi-stage process for authentication that does NOT use any CC or SSN. Of course, the responsibility lies with the account owner for maintaining passwords/authentication information.
If you lose the information, no way to recover it.
I say this because it seems (again, I'm not an expert) that these thieves use social engineering mostly in the "data recovery" stage of the process.
The only way to tighten that from my perspective is to put maximum responsibility on the account owner to keep their logins, passwords (again, for multi-stage authentication), and such on hand. Don't have a need to recover your info, and others can't use the recovery process to get to your account.
I guess it wouldn't be a perfect scenario but... this, or lose @N.
I am sorry to hear there are companies allowing these practices, though... sad.
Also if account data is changed they MUST keep a log of what your data was before. At least anything beside passwords.
High chance the story will be quickly forgotten and the account will be re-used.
This sounds like pretty normal automated monitoring for what looks like compromised account behaviour.
That meant that anyone using SMS via AT&T for two-factor auth was vulnerable.
The extra layer of security is only enabled if you call AT&T and ask them to further protect your account from future changes.
Good developers understand how critical it is to handle authentication and password storage well. It can be a complicated thing and is very easy to screw up.
But all that goes out the window when somebody calls the support line. There needs to be just as much scrutiny placed on over-the-phone authentication as there is within an application. The problem is likely that those over-the-phone patterns/anti-patterns are not well documented and available.
http://wiki.gandi.net/en/contacts/login/2-factor-activation
(note to self: activate 2FA)
They are focused on large portfolio customers. That's kind of the caveat for their service. Many of those large customers also use their other services like domain parking too.
We will need to ask you questions to verify your identity. These questions will be different based upon your account and history with us. Please understand that these verification steps are for your protection.
https://www.gandi.net/static/contracts/en/g2/pdf/MSA-1.0-EN....
On the other hand, we're talking about security here, and, sadly, a company that has extra helpful support may be more easily socially engineered. The author's advice to use gmail.com addresses only works because Google basically has no customer support for gmail.com, so there's no one to social engineer!
I run a business which collapses catastrophically if I lose control of my Internet presence, and I'm at least as Internet-exposed as "a guy who owns a desirable Twitter handle."
I don't care about elephant hunting. I put up with years of my intelligence getting insulted by SSL certificates being hawked by models. I can appreciate that the economics of the business mean that there need to be upsells to continue offering the low low prices. Fine. But if you cough up a domain, that's it, we're done. I care about that like Thomas cares about SSL CAs offering a CA=true cert to a third party.
Credit card numbers are not secure. Therefore, they should not ever be accepted as authentication. Especially only 6 digits of it! This is by far the most shocking part of this story. As if I needed another reason to despise GoDaddy.
[Edited to add] I would sure love to see a scarlet letter list of companies which allow such practices, so I can never use them.
I don't work in that department, but I'll forward the page to the CEO and make sure it gets read and addressed.
Edit: I see you got a new CEO since I and so many other customers left in disgust about your company's support of SOPA and all those other issues. I'm sure you still have binders full of scantily clad women to decorate your booths at trade shows. Your company is permanently tainted, one of the worst examples of what's wrong with the computer industry, and I'm never coming back.
Isn't the solution more around recovering from when the break-ins inevitably happen?
https://www.namecheap.com/ accepts bitcoin as payment to avoid this situation.
Then I can come back here and post nasty comments about squatters.
Is there any possible rationale for PayPal to give the last four digits of his card number to "him" over the phone? Given that they're routinely used for verification, it's as if they've never heard of social engineering. It's simply inexcusable.
And it's almost as bad as the ridiculous "Log In Without Your PayPal Security Key" option that lets you bypass 2-factor auth and head straight to the ultra-secure world of the ridiculous security questions such as the ever-popular "what city were you born [that's also listed on Facebook]" and what not. I still can't believe they think that's a good idea.
The founder's interview [1] describes the beginning as a constant race against fraud, which no other bank was willing to compete in: "You're going to go bankrupt when the chargebacks start".
There was a locked room with a screen-and-keyboard-only computer where you could research transactions and find suspicious and fraudulent ones. According to the founder, it became PayPal's core asset.
[1] in the book Founders At Work, which I recommend.
PayPal gave the attacker the last four digits of my credit card number over the phone
That person should lose their job if it is not PayPal policy.
I really hope by some small chance the person that did this gets some serious prison time, if not for this then anything else prior or down the road. Then maybe one of those mornings they wake up in prison they can ponder if it was all worth it.
Anyhow, if any of them actually comply with ISO 9001, it is possible to audit previous data to establish the true identity of the owner on some arbitrary date before any of this happened.
Quite possibly, to avoid unnecessary user annoyance, these companies will only subject themselves to the effort of analyzing that data under court order, so it's fair to suppose there is need to open a judicial process. Therefore, I believe it's possible to regain access to everything that was supposedly stolen, even though it may take quite some time.
I pay Twitter nothing, and yet the service is valuable to me. So instead of continuously crippling the service in the name of goodness knows what, why not actually charge users for a premium experience? Things like customer service that works, a gold member status flag, controls on swapping account ownership, analytics and so on. Offer 3 paid levels - personal, business and corporate, and obviously keep the free level forever. Once revenue comes from customers, then perhaps it will help in understanding that while other revenue might be larger, the true value of Twitter is derived from the community.
Because then they couldn't justify their $50 Billion valuation. They'd "just" be a $1 billion company or something.
Sites like Twitter or Facebook could be perfectly fine profitable ventures that worked in their users' interests. But instead they got unobtainable market values, so they have to look like they're on track to meet them, and the easiest way to do that is to exploit their users.
Just today I got a notification from Facebook saying that videos are going to play silently automatically in my feed on my phone, meaning that if I'm on mobile data, my cap will be used quicker. This is the kind of thing I'd like to be able to pay to avoid.
Trying to win a market that way. If only one popular site starts to use it, you might be getting some network effect out of it.
I think it was a better level to work on. Let others help with the network.
What you should do is make sure that you trust your registrar. PayPal sure have some questionable practices, but the real culprit in this story is clearly GoDaddy.
That's horrible advice. That sort of attitude taken to the extreme means we shouldn't be using DNS for anything ourselves and put everything in Google's (or Amazon's) big bag.
Should I redirect my customers to facebook.com/company as well in fear of someone taking over my DNS?
The lesson from this whole charade is to not trust something as crucial as your DNS to untrustworthy companies like GoDaddy. We've heard the horror stories before and we keep on hearing them again.
Relying on Google, a company with no direct end-user support and no emergency hotline to secure the most important thing you have, DNS, is even bigger madness. I've been locked out from a Gmail account before. It took me weeks to get it back, because Google has no support.
So yeah. Get a proper DNS-provider, and don't dig yourself deeper into the hellhole you're currently setting up.
Also considering closing my paypal account now.
This kind of thing happened a lot in MMO games which is why they try to push account security into your hands so they don't have to attempt to arbitrate in deals that may or may not have happened outside of their sphere of control.
Btw, I personally use Bigrock instead. They have very good customer support.
http://rikacomet.blogspot.in/2013/12/quick-comparison-betwee...
https://support.twitter.com/articles/18311-the-twitter-rules
Abuse and Spam > Selling usernames: You may not buy or sell Twitter usernames.
There doesn't appear to be any way to contact Twitter about this.
Shortly after, I received a second email "Welcome to Twitter, <username>"
Going to: https://support.twitter.com/forms/impersonation
...and selecting "Someone is using my email address without my permission." tells me to submit a general support ticket. That's fine except none of the general categories has anything to do with this problem and choosing "My issue is not in the list" simply redirects me immediately to the root support page. I submitted a ticket with a different topic and have not heard back from them in a week and expect I never will.
If that hadn't happened, he'd still have his twitter account.
>If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.
Just google and the NSA then. Also, Gmail has an exposed password reset and social-engineerable support. A server running Postfix/Exim doesn't.
I'd consider a domain with a good registrar far more secure than google.
It seems like if he'd had 2FA turned on with GoDaddy, this may not have happened. So rather than use @gmail.com addresses to register for things, as he recommends, just turn on 2FA with your provider. And if your provider doesn't support it, leave them and tell them why.
The admonition to use a @gmail.com address was annoying enough that I actually put up a response blog post just on this point: https://konklone.com/post/protect-your-domain-name-with-two-...
Sigh. I use Google Apps exactly so that I have control over the domain and am not subject to the good will of Google. I had never thought of this particular problem. Now I don't know what to do.
The admonition to use a @gmail.com address was annoying enough to me that I responded with a blog post: https://konklone.com/post/protect-your-domain-name-with-two-...
It still works if you find an expired domain name, register the domain name and then do the whole password-reset procedure. Might be cheaper to buy a 6 digit number on eBay though :)
In times of 9 digit numbers, 6 digit numbers were still sufficiently unique :)
Focusing on the Twitter handle sale part: I have the twitter handle @jetsetter, and have been offered multiple thousands of dollars for it (guess who!).
Unfortunately, selling a twitter handle is against TOS. Only @israel has been officially allowed to transfer hands for money, that I'm aware of.
So trying to broker the sale of a twitter account can allow the buyer to report your 'behavior' to twitter. They can seize the account and make it so no one has it, which may be what the buyer prefers to you having it.
So no matter the price you could command, it isn't like you could just list @n up for sale and make it rain.
Twitter: "I'm sorry, you can't do that."
Israel: "What are you, some kind of Anti-semite!?!"
Twitter: "OK, OK, go ahead and do what you want. See, we're not anti-semite :)"
at the bottom a twitter representative is quoted as saying that as long as they give you permission to sell/buy a handle they won't block/lock the account.
Also apparently CNN also purchased a handle[1].
[1] http://www.businessinsider.com/cnn-acquires-cnnbrk-twitter-a...
If not I could just make fake email logs and report you.
the most famous is the CNNbrk handle
He might have been able to get it back if it was his trademark or even name that he lost and not some witty username.
Let's see if this story hits real news headlines and affects Twitter's stock before closing bell tomorrow and action will happen.
The guy has given a clear and convincing story of what happened. I'm sure that it would be pretty easy for someone on Twitter's security team (assuming that they have one) to verify that the username was taken when he said it was.
I don't know what I find more shocking -- that PayPal would actually give the last four digits of a credit-card number to a complete stranger, that GoDaddy would let someone guess a two-digit number, or that a credit-card number is all you need to identify yourself. (In Israel, it's common for companies to ask for the last four digits of your credit card number in addition to other details, but never on its own.)
Actually, I'm willing to believe just about anything about GoDaddy. But PayPal is known for being surprisingly harsh and paranoid about security, shutting down accounts and holding money when they suspect problems. It's sad and rather surprising to me that they're willing to give out such information so easily, unless you specifically ask them not to. Shouldn't it be the other way around, that they refuse to provide such details unless you allow them to?
I really hope that Twitter and PayPal apologize profusely to this author, and undo the damage they've done as best as possible.
I think something is in the works...
https://support.twitter.com/articles/15362-inactive-account-...
@N (now @N_is_stolen)'s last post was 4 months ago, so he is still technically considered an active user.
It doesn't appear that he is trying to sell it, which is the usual behaviour of an account/name squatter.
I have several domains that I plan to use for little projects over the coming year (though given my lack of free time right now that may not happen like it didn't last year...). Am I a squatter for having paid for something I intend to use but have not got around to doing anything with yet? A couple of them are password/credentials related, for an example of a squatter talk to the person who owns password.net and sends me unsolicited email regularly trying to get me to offer to buy it as it will "help my brand" (the names I've got are the intended "brand", the generic short name is worth no more to me than standard registration fees - who slaps short names into their address bar instead of using a search engine these days?).
Now I reread that, it sounds a little... sexual.
GoDaddy should not use the 4 last digits as a way to confirm identity, exactly for the reason I mentioned above
It would be one thing if this was a spouse or someone intercepting their physical mail. It's not. It's someone out of the blue who called PayPal to get the last four of a complete stranger.
GoDaddy's verification is bad too but at least they had some kind of attempt.
I find their TV commercials the worst, and they make us as a community go back to the 1950s stereotypes????
Love it when I help churches with their websites and it has a GoDaddy account :(
This is a systemic fault of PayPal and firing a lowly phone-jockey will not solve that. There are computer system protections that were clearly not in place (the representative was able to see this data on the screen, rather than having to enter it blind and have it validated - or, if they did, they had infinite re-tries which is also bad. Three wrong attempts, and the account should be locked and have to be escalated) but there are also culture/training problems: Until otherwise satisfactorily proven, anyone calling must be assumed to be in bad faith when they call. A representative with this mindset would not let a caller start guessing the "password".
Now they relaxed the security somewhat and people give them sheet for that... There's no winning for them, is there?
But really, the employees should not give away any user information, ever. It should be a one way street here. That would have stopped the attacker in this case, as well, I believe...
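The control described in the comments above (the agent enters what the caller says "blind", the system only answers pass or fail, and three wrong attempts lock the account until escalation), sketched as an added example that is not part of the original thread or any company's code. The class, method and account names are hypothetical, and it assumes a dedicated support PIN rather than card digits as the phone secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # "Three wrong attempts, and the account should be locked"


@dataclass
class AccountRecord:
    # Only a salted, slow hash of the phone secret is stored, so there is
    # nothing on the agent's screen that could be read back to a caller.
    salt: bytes
    secret_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    audit_log: list = field(default_factory=list)


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class PhoneVerifier:
    """Hypothetical support-desk back end: a one-way street for caller data."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, account_id: str, secret: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[account_id] = AccountRecord(salt, _hash_secret(secret, salt))

    def verify(self, account_id: str, agent_id: str, spoken_value: str) -> str:
        """Return 'verified', 'rejected' or 'locked'; never any stored data."""
        rec = self._accounts.get(account_id)
        if rec is None:
            return "rejected"  # do not reveal whether the account exists
        if rec.locked:
            # Once locked, even the correct value is refused until escalation.
            rec.audit_log.append((agent_id, "attempt-while-locked"))
            return "locked"
        candidate = _hash_secret(spoken_value, rec.salt)
        if hmac.compare_digest(candidate, rec.secret_hash):  # constant-time
            rec.failed_attempts = 0
            rec.audit_log.append((agent_id, "verified"))
            return "verified"
        # Failures are counted per account, so hanging up and calling a
        # different agent does not reset the counter.
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True
            rec.audit_log.append((agent_id, "locked"))
            return "locked"
        rec.audit_log.append((agent_id, "rejected"))
        return "rejected"

    def escalate_unlock(self, account_id: str, supervisor_id: str) -> None:
        # Stand-in for the escalation path: a second person clears the lock
        # after out-of-band checks, and the action is logged.
        rec = self._accounts[account_id]
        rec.locked = False
        rec.failed_attempts = 0
        rec.audit_log.append((supervisor_id, "unlocked-by-escalation"))

    def audit_trail(self, account_id: str) -> list:
        return list(self._accounts[account_id].audit_log)


def demo() -> list:
    # Constructed sample: a caller guesses repeatedly, then gives the real PIN.
    v = PhoneVerifier()
    v.enroll("acct-1", "7391-blue")
    said = ("0000", "1111", "2222", "7391-blue")
    return [v.verify("acct-1", "agent-7", s) for s in said]


if __name__ == "__main__":
    print(demo())
```
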
Wild story coming out today because I was just setting up a couple domains/emails today on Google Apps. There's actually a section in the process in which they suggest setting the MX TTL to 1 Week.
If I was the CIO at oh, say an org in the public realm (generic government agency for example), I'd rather have control over the publishing and namespace of its tweet-like messages rather than putting every egg into the single-basket solution. Who knows if twitter will be around 20 years from now?
The nice thing about standards is that there are so many to choose from.
The rules only say:
"If such permission is not granted, there is no (zero) market value or worth to this account."
If you walk away, cash in hand, are you liable for any punishment other than the banhammer from Twitter?
PayPal is the only way I can get paid by my American client (in Canada) other than waiting a week for a cheque to mail, walking to the bank to deposit it, then another week or two for it to clear.
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...
http://en.wikipedia.org/wiki/List_of_Issuer_Identification_N...
I'm really interested to see godaddy's response to this...I'm sure paypal records their interactions, I would imagine godaddy does as well. Hell, I called Avis about something 2 months later with a dispute and they pulled the recording to make sure I wasn't BS'ing them.
Perhaps he has something against GoDaddy (many do) and/or PayPal (again, many do) so took the opportunity to make them look bad by making sure that their effective complicity in the hack is well known.
If you lose your credentials and the token that you can use to recover your credentials with (credit card number), it's fine, even preferable, that it takes 1-2 weeks to recover them.
Also, people don't seem to be up in arms over PayPal freezing funds on suspicious activity for 1-2 weeks. They seem to be up in arms over funds being indefinitely frozen with no recourse for the unambiguously legitimate account owner.
People have a problem with sending their credit card scans, driver's license, birth certificate, marriage certificate and their first born in order to remove those dreaded limits that seem to be imposed for little reason :-).
I gotta say that's not the case anymore, at the very least they don't limit the account for paying too much on eBay or logging in from a different IP in my experience (and that's a good thing).
You'd have to check in regularly to confirm this is still the way they do things.
but thank you for helping the guy get his twitter account back and fixing up the internal controls.
I wanted a domain that had been registered with godaddy, so I needed to backorder it through them, and register it through them.
A password reset link that emails a temporary password is OK in my opinion (not ideal, but a tradeoff for password resets, and perfectly fine if the site actually forces a change on logging in with it), but "Thanks for registering, your password is foo" is not, as then the user has to change it (and some exceptionally bad sites may then email them that password as well).
Twitter should look into what happened in this specific case, and somehow (if the posting is right) return the username to its original owner.
But there does seem to be something terribly broken here if it's possible for someone to get another person's Twitter account, and for it to take a full investigation to get it back to the original owner. And for not having better procedures in place, I think that an apology wouldn't be unreasonable.
In general, it seems to me that demonstrating empathy for your customers is a pretty reasonable strategy. Even if they didn't do anything wrong, and before they have finished this investigation, they can show that they care about the people using their system.
I don't think that Twitter could go wrong by saying, "We now see that we need to make it harder for scammers to switch the ownership of a Twitter account, and are looking into how to do so without hurting our legitimate users."
The grandfather post is referencing asymmetric warfare[0] which would be a pretty decent name for what could happen. I don't think he just threw some cliches into a sentence.
Less than 10 tweets in 3 years and all I do is read other tweets
[1] 3 = AmEx; 4 = Visa; 5 = Mastercard; 6 = Discover.
One reasoning is that it is a sort of reassurance, much like the stickers you see on doors of retail locations that show which cards they accept. It's a reassurance in the idea that if you're deciding if you want to make the purchase or not, that the site will have no problems in accepting the payment option you would like to use. Plus, in a strange sort of way, it implies the site is a valid on-the-level company because surely a credit card company would come down hard on a scam site for using their copyrighted visual identity.
There aren't many valid reasons other than it's a visual thing for customers. Although I always suggested using the method of displaying the type of card after starting the number, that goes against the reassurance thing. If a customer has two different branded credit cards, they know up front if one or both will be accepted. Otherwise they have to start typing to find out, which is work for the customer. You always want it to be easy for the customer to spend money, no second guessing.
Pretty much all cards can be validated with the Luhn algorithm in js. See http://stackoverflow.com/questions/20725761/validate-credit-...
- You have a row of credit card icons. By default they are in full color.
- These icons react like buttons (hover shows clickability) and act like radio buttons if clicked -- all the others gray out.
- When a user starts typing a credit card number, it selects the appropriate icon if not already selected (graying out the others).
Because they aren't radio buttons (or a dropdown), it doesn't force people through the step, but because they can act like radio buttons (providing only visual feedback), they don't confuse anybody who thought they were supposed to be there.
The forms I've used that feel the most natural do something like this.
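The card-form behaviour discussed in the comments above (brand from the leading digit, per the [1] mapping, plus a Luhn check), as an added JavaScript example that is not code from any commenter; the function names are hypothetical. Luhn is a typo-catching checksum, so a pass says nothing about whether the card exists or who holds it.

```javascript
// Added example. Mapping taken from the thread's footnote:
// 3 = AmEx; 4 = Visa; 5 = Mastercard; 6 = Discover.
const BRAND_BY_FIRST_DIGIT = {
  '3': 'AmEx',
  '4': 'Visa',
  '5': 'Mastercard',
  '6': 'Discover',
};

// Strip the spaces and dashes users type; reject anything else non-numeric.
function normalize(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  return /^\d+$/.test(digits) ? digits : null;
}

// The brand icon can be selected as soon as the first digit is typed.
function detectBrand(input) {
  const digits = normalize(input);
  if (!digits) return null;
  return BRAND_BY_FIRST_DIGIT[digits[0]] || null;
}

// Luhn: walking from the rightmost digit, double every second digit,
// subtract 9 from any result above 9, and require the sum to be 0 mod 10.
function luhnValid(input) {
  const digits = normalize(input);
  if (!digits || digits.length < 12 || digits.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// What a form handler would read on each keystroke or on blur.
function checkCardField(input) {
  return { brand: detectBrand(input), luhnOk: luhnValid(input) };
}
```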
Just for the record, I have no reason to believe he's saying anything less than the truth - but I can't fault Twitter for basically presuming malice until they have conclusively documented the opposite.
The right of ownership includes the right to use what you own in your own way.
That being said if you're not actually going to use your account you might want to at least consider giving it to someone who would put it to more active use. Just a thought.
Just how much of the "real world" law you're alluding to by using the term "ownership" do you suppose applies to Twitter handles? (or Gmail addresses, or Facebook pages, or even domain names?)
I just don't quite see how a username is 'owed' to other people who would use it more, either.
Also, a Mercedes and a twitter handle (or domain name) aren't exactly the same thing as a twitter handle is a unique owner of a particular piece of the namespace.
A better analogy would be an owner of a valuable piece of property who wasn't putting it to good use.
So if you were not putting your backyard to good use you would not feel too bad if your neighbors decided to encroach on it?
For example, I used one email for most of my life. But recently, I stopped using that email address, and have used another one due to wanting to boycott that company. Since I no longer use that email address, I should have to give the password to another person. This is just the right thing to do in all cases.
That would FREE UP a lot of email addresses. If you have any email addresses that you do not need, you are obligated to give your password to another person. If you don't, then they can't use email.
Just make sure that if you use that email to sign in to other websites using that email and password combination, go to all of those websites and notify your friends that you are giving your email to someone else and you are not the same person if you see future comments using that name.
Or is it just vaguely notable?
Not a security risk I'm willing to take, when I could simply leave that email address dormant. There's not really a huge shortage of good email addresses if you're willing to pay $10 a year for your own domain.
Poe's law and all that.
Of course, if the institution's judgement is that people can take things that I'm not using at that exact moment, and it is not interested in intervening, then it's not my 'right' to leave my house alone for the day.
Turns out my rights are entirely dependent on the amount of guns I can bring to bear vs. the amount of guns somebody challenging my claim can bring to bear.
Seeing how easily GoDaddy handed over the domain, it seems one can't even own a domain properly, and that is supposed to be a lot closer to an "ownership" right than Twitter handles.
We could look towards email and dns, though, as examples of a more fair distribution of namespace resources.
Organizations would do well to investigate what their options are to retain control over their namespace, lest it fall whim to a mishap such as this instance.
places like foursquare, people know people at twitter. if you're outside the valley twitter won't even help you when the autosuspender mistakenly pops your account but valley/connected people call an investor or executive and get their vanity handle in hours. seen it happen twice.
it's all who you know and never forget it. when i dealt with twitter support as a normal the disparity between insider service and official was pretty amazing. they are the worst of the valley backscratchers.
bet they would have taken @n if the right person called. what would you do, sue?
Up until maybe 18-24 months ago if you knew the right folks you could generally get an inactive account released but even that is pretty much off the table at this point.
All industries have insiders. In some you can get a twitter handle, in others hard to get concert tickets, in others I bet it's early access to the latest in air ventilation equipment. It's not malicious. It's just personal relationships.
shrug
The GP's analogy is extremely weak.
Some rich guy buys an amazing house on a beautiful California beachfront. But then never even bothers to stay there because he's got 3 other vacation homes. It just sits there empty all year long.
Would it be ok for someone to break in and start living there? No, of course not.
But you do have to kind of dislike that guy right? If he doesn't want to use this limited and valuable resource he should maybe give it up so someone else can get good use out of it.
"Would it be ok for someone to break in and start living there? No, of course not."
Dislike != ok to take my shit but it's still dislike.
I understand that you have not said that the situation the OP faced is deserved, but you don't feel too bad about it.
Unfortunately your defense does make it seem that you are not completely opposed to a framework that would take back "limited resources" not being used well. Most likely this is not your intention at all.
I often come across businesses/store locations and most importantly domain names that are not using even a small fraction of true potential. I do feel sorry for them, but I can't say I dislike them, they might dislike themselves if they knew what I knew.
The only way I can fathom the minutest possibility of disliking them is if they knew how to thrive and did not do anything, if it was common knowledge on how to do it right, but they chose not to.
Unfortunately most people don't know how to use potential or don't recognize it at all, can't dislike them for trying though.
Somebody just moved in and started living in his house. And just tossed all of his personal belongings out.
To be honest, I kind of disliked my friend for a while.
You mean Communism?
And if seizing it is too "communist" for you, then enormous taxes should be close enough to socialism.
There's nothing wrong with advocating the concept of sharing when a person obviously has more resources than he could actually use.
There is no reason he should have to give up @H just because he isn't utilizing it enough. The person that got it better not send a single tweet shorter than the maximum to fit your logic.
Land should not remain unused.
"They paved paradise, put up a parking lot." Joni Mitchell
IANAL, but I have a hard time believing that a court of law is going to issue a judgement of adverse possession where the perpetrator used fraud/identity theft, extortion and blackmail to come into possession of it.