We've had numerous requests to today to comment on this issue as Naoki Hiroshima's nightmarish tale of how his Godaddy account, Paypal account and ultimately his highly coveted Twitter handle were compromised and the latter stolen.
(Sorry I haven't posted sooner on this, I'm out of the office this week, way up north in a log cabin where not only does it get down to -37C at night, but they told me when I checked in this year "make sure you look outside for wolves before you come out at night or in the morning". Not to mention there's no wifi and I'm tethering through my phone right now.)
Anyhoo, since Naoki Hiroshima's story went viral a lot of you are asking what easyDNS would or wouldn't do. There are similar follow up stories being posted as well, like @jb's similar account.
The common thread in both of those events are that the attackers used social engineering attacks using publicly available information (like address info from whois records) and were able to obtain in one online service or another, the last 4 digits of the credit card used to make purchases on the account.
That seems to be the "secret key" for a lot of places, if you can come up with the last 4-digits of the credit card on file, you can get a password reset or some other access to a target account.
At easyDNS we do not store your credit card details at all, having made the decision years ago (right at the beginning, in fact) that we had enough problems on our own (DDoS attacks, spammers, phishing, etc) that if we could jettison the responsibility and associated anxieties of having all your credit card numbers in our database, we'd be happier for it.
And we were right.
It doesn't mean people don't try to socially engineer us. We have our systems in place and they've worked for 16 years and that is basically this:
If you forget your password, you try the password recovery mechanism, which needs to know your username or your domain name.
You also need to know the answers to your three secret questions which you set up at the time you create your account. It used to be one secret question / answer pair, it's now three since we moved to the new system.
If you successfully navigate that, it sends a password reset to the email address on file in your account (which is ideally not the same as the ones you have listed in your public whois records).
Now, we have faced criticism on this for a couple of reasons:
Criticism #1: The questions are stock questions, you can't define your own. This is a valid point, something we meant to address but since this is now hot button material, we're going to do this sooner than later.
Criticism #2: Three questions is too onerous. Why don't you guys lighten up? (Because we'd rather be over-zealous guarding your names than lackadaisical.)
If you can't answer the questions/answers you have to go the rather involved route of sending us your government identification papers (which matches the info on file in your account) or if you're a company, it gets even worse, because then you have to give us incorporation docs and one of your officers has to supply ID that matches the corporate register, etc.
It's a real pain in the ass and we get a lot of complaints about it.
I don't know about you, but I'd much rather see a story all over twitter about how impossibly anal those s.o.b easyDNS guys are being about getting somebody back into their account than one about how some high profile domain name ended up pointing at the Syrian Electronic Army website.
There are a lot of things you can do to protect yourself and your business against this sort of thing, including but not limited to:
- Two-Factor authentication
- Enabling an IP or hostname based ACL or alternatively,
- Limiting logins by country of remote IP address
- Turning on event notifications on logins, name server delegations, whois updates, DNS updates and password changes (hell, just turn them all on).
Further, there is a whole "right way" and a "wrong way" to register your domain names, especially if you're a business or other organization that is bigger than one person.
We've documented a lot of that in our PDF report "Guaranteed Steps To Never Losing Your Domain Name Again".
If you're not an easyDNS member, you can get a copy of the PDF at NeverLoseADomain.com – which is, it's true, a squeeze page that collects your email address. The mailing list you get added to is our DomainHelp.com mailing list and I post to it about once a month. (You can always just sign up, get the PDF and then unsub if you're really intent on not getting any of the DomainHelp mailings to it. But typically we send stuff like this.)
Hopefully this not only answers your questions about how we do or don't do things here at easyDNS, but can also help you avoid this sort of thing no matter where your domain name is.
Now if you'll excuse me I'm just going to have a look-see out the window for any wolves and go nab dinner….