Welcome to easyDNS, Press 1 for support. Press 2 to get the last 4-digits of your credit card number on file here.

Just kidding.

We've had numerous requests today to comment on this issue: Naoki Hiroshima's nightmarish tale of how his GoDaddy account, PayPal account and ultimately his highly coveted Twitter handle were compromised, and the latter stolen.

(Sorry I haven't posted sooner on this, I'm out of the office this week, way up north in a log cabin where not only does it get down to -37C at night, but they told me when I checked in this year "make sure you look outside for wolves before you come out at night or in the morning". Not to mention there's no wifi and I'm tethering through my phone right now.)

Anyhoo, since Naoki Hiroshima's story went viral a lot of you are asking what easyDNS would or wouldn't do. There are similar follow up stories being posted as well, like @jb's similar account.

The common thread in both of those events is that the attackers used social engineering, starting from publicly available information (like address info from whois records), and were able to obtain from one online service or another the last 4 digits of the credit card used to make purchases on the account.

That seems to be the "secret key" for a lot of places: if you can come up with the last 4 digits of the credit card on file, you can get a password reset or some other access to a target account.

At easyDNS we do not store your credit card details at all, having made the decision years ago (right at the beginning, in fact) that we had enough problems of our own (DDoS attacks, spammers, phishing, etc.) that if we could jettison the responsibility and associated anxieties of having all your credit card numbers in our database, we'd be happier for it.

And we were right.

It doesn't mean people don't try to socially engineer us. We have our systems in place and they've worked for 16 years and that is basically this:

If you forget your password, you try the password recovery mechanism, which needs to know your username or your domain name.

You also need to know the answers to your three secret questions which you set up at the time you create your account. It used to be one secret question / answer pair, it's now three since we moved to the new system.

If you successfully navigate that, it sends a password reset to the email address on file in your account (which is ideally not the same as the ones you have listed in your public whois records).
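As an added illustration (not easyDNS's own code), here is how the three-step recovery flow just described might be implemented: look up by username or domain, check all three secret answers before anything happens, then mail a single-use link only to the address on file. The lock-out threshold, token lifetime and the in-memory account store are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

MAX_FAILURES = 5          # lock the recovery path after this many bad attempts (assumed)
TOKEN_LIFETIME = 3600     # reset links expire after one hour (assumed)
ACCOUNTS = {}             # constructed in-memory store: username or domain -> record
OUTBOX = []               # stands in for the mail system: (address, reset_token)


def _normalize(answer: str) -> str:
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())  # "Fluffy " == "fluffy"


def _hash_answer(salt: bytes, answer: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def create_account(key: str, recovery_email: str, answers: list) -> None:
    # Three question/answer pairs, stored only as salted hashes, never in the clear.
    if len(answers) != 3:
        raise ValueError("exactly three secret answers are required")
    salt = secrets.token_bytes(16)
    ACCOUNTS[key] = {"email": recovery_email, "salt": salt, "failures": 0, "token": None,
                     "answers": [_hash_answer(salt, a) for a in answers]}


def request_reset(key: str, answers: list, now: float) -> bool:
    """Steps 1 and 2: find the account, check all three answers; True only if a link was mailed."""
    rec = ACCOUNTS.get(key)
    if rec is None or rec["failures"] >= MAX_FAILURES or len(answers) != 3:
        return False
    ok = True  # check every answer, not just until the first miss, so failures look identical
    for stored, given in zip(rec["answers"], answers):
        ok &= hmac.compare_digest(stored, _hash_answer(rec["salt"], given))
    if not ok:
        rec["failures"] += 1
        return False
    rec["failures"] = 0
    token = secrets.token_urlsafe(32)
    rec["token"] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_LIFETIME)
    OUTBOX.append((rec["email"], token))  # step 3: only the address on file, never whois contacts
    return True


def redeem_reset(key: str, token: str, now: float) -> bool:
    # Accept the mailed token once, and only before it expires.
    rec = ACCOUNTS.get(key)
    if rec is None or rec["token"] is None:
        return False
    digest, expiry = rec["token"]
    rec["token"] = None  # single use, whatever the outcome
    return now <= expiry and hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest())
```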

Now, we have faced criticism on this for a couple of reasons:

Criticism #1: The questions are stock questions; you can't define your own. This is a valid point, something we meant to address, but since this is now hot-button material, we're going to do it sooner rather than later.

Criticism #2: Three questions is too onerous. Why don't you guys lighten up? (Because we'd rather be over-zealous guarding your names than lackadaisical.)

If you can't answer the questions, you have to go the rather involved route of sending us your government identification papers (which must match the info on file in your account), or if you're a company it gets even worse, because then you have to give us incorporation docs and one of your officers has to supply ID that matches the corporate register, etc.

It's a real pain in the ass and we get a lot of complaints about it.

I don't know about you, but I'd much rather see a story all over Twitter about how impossibly anal those s.o.b. easyDNS guys are being about getting somebody back into their account than one about how some high profile domain name ended up pointing at the Syrian Electronic Army website.

There are a lot of things you can do to protect yourself and your business against this sort of thing, including but not limited to:

Further, there is a whole "right way" and a "wrong way" to register your domain names, especially if you're a business or other organization that is bigger than one person.

We've documented a lot of that in our PDF report "Guaranteed Steps To Never Losing Your Domain Name Again".

If you're an easyDNS member, you can download this from your member control panel under the resources section.

If you're not an easyDNS member, you can get a copy of the PDF at NeverLoseADomain.com - which is, it's true, a squeeze page that collects your email address. The mailing list you get added to is our DomainHelp.com mailing list and I post to it about once a month. (You can always just sign up, get the PDF and then unsubscribe if you're really intent on not getting any of the DomainHelp mailings. But typically we send stuff like this.)

Hopefully this not only answers your questions about how we do or don't do things here at easyDNS, but can also help you avoid this sort of thing no matter where your domain name is.

Now if you'll excuse me I'm just going to have a look-see out the window for any wolves and go nab dinner….

Comments

  1. says

    Ironically, had Naoki Hiroshima used different credit cards for PAYPAL and GoDaddy, that would have been enough to trip up the scheme. (Without necessarily even doing so for that reason.)

    My general lack of confidence in PAYPAL led me to use it with a bank account I set up as a "financial firewall" to ACH money in or out of PAYPAL. The "credit card" I gave them was a VISA Debit card drawn on the same account that I think I only used once for one other thing. It was set up this way so that if PAYPAL went haywire the damage they could do would be limited to what's in PAYPAL plus what was in the attached account at a bank that I had no other accounts at. (I've since closed that account because that bank brought in new fees, and since I haven't set up a replacement I can't currently use PAYPAL.)

    What surprised me was that the attacker reached a "PAYPAL agent". Every time I'd E-mailed them I either got an outsourced person that didn't know any answers, so they looked for ways to be vague or excuses to not answer the question, or later got an AI auto-responder that sent back canned answers based on key words in my E-mail message. Thus I was pretty convinced that if the system ever did go haywire there would be nobody there to fix it. But… …a lot of people I was dealing with wanted to use it, so thus the "firewall" approach to dealing with them.