GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop) 70
itwbennett writes: On Tuesday, Steve Ragan's GoDaddy account was compromised. He knew it was coming, but considering the layered account protections used by the world's largest domain registrar, he didn't think the attacker would be successful. He was wrong. Within days, the attacker gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID.
Meh (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Gandi.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Notarized documents.
Re: (Score:2)
Hard to do, because you usually do not need them to sign up. So what should they compare against.
Re: (Score:2)
Well, if they are going to accept "documents" (scans, easily edited), as proof of something, then really they should only accept real, notarized paper versions.
I call BS... (Score:5, Funny)
Re: (Score:2)
Wait a sec, you mean to say there isn't really a bunch of hot godaddy girls waiting on the edge of their seats just to talk to me??
*dejected face*
Re: I call BS... (Score:1)
I know a few from the Iowa call center.
Re: (Score:1)
Danica, is that you?
Stuff like this always reminds me of John Candy playing Tattoo from Fantasy Island, lying on a desk, rubbing his thighs with his hands say "Chicks, boss. Chicks!"
Re: (Score:2)
I like the sexiest opensource developers, but moderate sexy ones are okay, too.
No Duh. (Score:1)
Really? Never heard of Identity Theft. Anybody can do the same thing and walk out of a bank with all my money. Unless you are recommending some sort of National ID system hard coded to my DNA, then these type of "hacks" will always happen, or at least you will know its your twin who stole it.
Re:No Duh. (Score:5, Interesting)
If somebody does that and removes money from your bank, the bank is going to have to show it was really you, or that there was sufficient authentication by a route you agreed to. A conversation with a bank employee and a photoshopped ID are not going to be considered sufficient authentication. If it turns out the bank was liable, it is going to have to restore the money, and it will be able to do so. Recovering the money fraudulently taken from the bank is, after that, the bank's problem.
There have been cases where stolen domains (where the evidence is clear) are never returned. It seems to depend on the registrar, and that's a good reason not to use GoDaddy.
Re: (Score:2)
Okay. What registrar do you recommend using?
Re: (Score:2)
Not affiliated, blah blah blah and so on and so on.
Re: (Score:1)
namesilo [namesilo.com]
I use them for about 10 domains.
The price is right. They also include a ton of stuff for free, like whois privacy,
I've configured it to email me every time there is any action with the account, even just a login kicks off an email immediately.
Re: (Score:2)
I've used this technique before. A company needed a recent bank statement scanned to comply with money laundering rules or some rubbish. I don't have paper statements any more, and an electronic one wouldn't do. So I scanned an old one and shopped a recent date in.
Re: (Score:1)
It doesn't require any special skill to exploit weak authentication requirements, so I doubt the article will result in a mass theft of domains.
This is exactly why I used PGP verification with InterNIC back in the day.
Godaddy are thieving wankers dot com (Score:5, Interesting)
... is the name of a domain name I searched for on their site to see if they'd bite.
A few years ago I thought I'd buy a domain for myself. Went and searched for it on their site. NEVER DO THIS.
It wasn't taken.
I ummed and aahed and slept on it.
I came back. It was taken. By Domains By Proxy LLC. Who are owned by GoDaddy.
It seems to have been sold on to another speculator, unless Afternic are them too. (I just checked. Afternic were bought out by GoDaddy in 2013).
I own the .co.uk variant of it now. I used GANDI, who by all accounts, are not wankers.
So, if you want a domain, be prepared to buy it on the spot if it's available. And use a registrar who aren't arseholes.
Re:Godaddy are thieving wankers dot com (Score:4, Informative)
I don't know if Godaddy speculates under Domains By Proxy, but Domains By Proxy is what they also list any account that has enabled the "whois privacy" feature to mask their contact information. It's possible you were just a victim of bad luck.
Re: (Score:1)
Re:Godaddy are thieving wankers dot com (Score:5, Insightful)
For a 2 word .com domain name that had been previously unregistered for 30 years? And was registered for the first time shortly after I fed it into a whois query box on their site?
No. There's no coincidence there.
Re: (Score:1)
Re:Godaddy are thieving wankers dot com (Score:5, Interesting)
...there is some additional asshattery...
There is some period for which they can register, then cancel, without paying fees upstream.
Re: (Score:2)
Re: (Score:2)
Why not just register everything?
Combinatorial explosion. No way to register "everything"; no practical way to predict what will actually be requested.
Re: (Score:2)
Re: (Score:2)
This was called "domain tasting" [wikipedia.org], and the guise it was made under was to "allow a customer to put up a web site under a new domain name to test it out and sample it to see if they wanted to purchase it". This is of course a silly concept, you don't need to have the domain name in its final form to decide whether or not your web page works. What it DOES do is encourage this
Re: (Score:2)
Re: (Score:3)
I experienced the same with a Danish DNS company 15 years ago. I came up with a good name and short, never registered before. Filled out the form and paid with credit card, only to have it rejected the next day because it all of the sudden already was registered by the same registrar but to some odd company I could not find any information on.
Re: (Score:1)
Fake Story to drive clicks on the article (Score:1)
Don't feed the huckster as I inadvertently did...
On the 1st page, I was confused by the alleged victim writing his description of the attack in the wrong person... then on page 3 you learn that the so-called "attack" on which the article was based is actually a fake attack (by the author, looking to boost hid street 'cred' as a security guru?) on an account setup just to be attacked for this article.
This sort of "story" is nothing but a dishonest ad, erroneously promoted on Slashdot.
[ben stein voice]Editor
Photo ID over the internet is STUPID (Score:1)
I've noticed that a lot of companies demand a photo id to verify your identity when they have doubts. I refuse to ever do it for two reasons:
(1) Its practically inviting identity theft. I mean W T F? How do I know some disgruntled employee isn't keeping a copy of every scanned ID that comes in and then selling the info on some darknet market?
(2) Its totally forgeable. There is no way they verify that a scanned ID has not been photoshopped, all the anti-forgery stuff on them depends on it being the orig
Wow... (Score:1)
Wow, guy who owns the account managed to get access... to his own account. Wow, what a great story, bro.
Re: (Score:2)
I did read the article. The guy worked with someone else to get access to his own account.
Gimped (Score:1)
>"gained control over Steve's account just by speaking to customer support and submitting a Photoshopped ID."
Are you sure it wasn't a "Gimped ID" or any number of other programs? Yeesh.
Hint: "photoedited" ID.
Re: (Score:3)
Yes, they are sure.
"This was probably overkill, but I’m a perfectionist when it comes to these things. The subtitles in the driver's license seal were no match for Photoshop's 'content aware and replace' feature. It wasn't perfect, so the majority of my time was spent pushing pixels until it looked right. A little blur and grain go a long way to making something look authentic," Mr. Troia said.
Re: (Score:2)
Well if you're going to cry about it, here's a kleenex. And to help make you feel better, please have some jello. If you don't get the joke, google it.
Now if you'll excuse me, I have to xerox and fax my ID somewhere.
Ideally, I'd want a registrar that does PGP. (Score:2)
They should only accept orders as signed emails from a public key you provide on first registration.
Barriers to transferring away from GoDaddy (Score:5, Informative)
I recently transferred one domain (I plan to transfer the rest), but came across an interesting issue in the process. The domain used a proxy registration to hide my information (as recommened in TFA), but, in order to allow the transfer, I had to disable the proxy registration and make it public. Thus, for some time, my privacy protection was not effective. Now this wasn't a big deal for me, but it could be for others.
Also, note that GoDaddy's domains by proxy makes the total cost of a private domain registration far higher than many other registrars.
Re: (Score:1)
A callback needs to be mandatory to change account (Score:1)
While it's cool to shit on GoDaddy here, it is not only that company that can fall to this type of an attack. They have to implement better security features themselves rather than just trying to sell their own version of 'security' to their customers (extra $$$ for preventing your name and email and whatever else, possibly address from being queried by whois).
I think at the very bare minimum they can implement some sort of a secure word / pin / voice password and maybe a call back to a phone number as a s
NFS.net lets you configure your paranoia level.... (Score:2)
NearlyFreeSpeech.net offers many TLDs (not all) for registration. If you use them for DNS, their config page isn't that great IMO (it's a bit slow and cumbersome), but I like just about everything else about them.
Relevant to TFA: you can configure how many "recovery actions," between 2 and 7 (default: 3), which are required before you're granted access to lost account credentials. They also offer a "scorched earth" option: if you lose access to your account, it's gone forever (any associated services will p