No password or PIN, but I have a fake ID. Sure, take the domain

The world's largest registrar GoDaddy is under fire, after it handed control of a domain name in exchange for no more than a fake ID (and a little bit of good, old-fashioned chutzpah). Despite not knowing the account's PIN or credit card details or having access to its listed email account, GoDaddy handed over login details to …

  1. Anonymous Coward
    Mushroom

    Yep...

    ...and that's precisely why we moved our 50-odd domain name portfolio out of GoDaddy about a year ago after one Naoki Hiroshima had his twitter account @N stolen in part due to GoDaddy's inability to care much for the security of its customers.

  2. iansn

GoDaddy or Network Solutions, they don't care at all, they will let ANYBODY renew a domain without checking anything. Even if they are nothing to do with the domain owner, have no ID or anything.

  3. Nash

    Not just Go-Daddy

    I had pretty much the same experience with another Hosting company recently.

Company website set up and registered by an employee who had since left. I had to get into the hosting control panel to be able to update the whois details and billing info.

    I called the tech support people, gave them the whole story, and they said unfortunately they couldn't give me access without some form of lengthy verification involving photo ID, letterheaded paper, faxes etc. This was all too long.

    SO, I called them the next day and pretended to be the original domain registrant (the ex-employee who left). I said I was having some issues getting into the account; they said they'd send me a confirmation email to get access back to the account. I said that wouldn't work as we were having email issues at the moment, so they said OK, we'll call you on the number registered to the account (the main reception number). I agreed to this, then called reception, told her of the imminent call, and asked that when the person asked for "[ex-employee's name]" she put them through to me. Sure enough, 5 minutes later they called reception, got put through to me, and I answered "hello, [ex-employee's name]". The guy was happy he had got through to the right person, and I was then granted full access to the account and was able to change everything.

    *legal disclaimer, it was our site, we pay for it and manage it, no laws were broken in the making of this post.

    1. Graham 32

      Re: Not just Go-Daddy

      That sounds ok to me. The contact details the registrar already had on record were used to confirm the request was valid. The security flaw, if there is one here, is that your company's receptionist lies and so do you. But that's a security hole with your company, not with your registrar.

If that phone number isn't good enough for identification purposes, your company shouldn't have given it to the registrar in the first place. It's the same as when I phone my bank - I don't verify I'm speaking to a trusted person by any means other than dialling the right number.

1. Simon Hobson Bronze badge

        Re: Not just Go-Daddy

        > That sounds ok to me. The contact details the registrar already had on record were used to confirm the request was valid.

Really! Just having the phone answered by someone claiming to be the right person is enough? In this case it involved the receptionist - you know, those highly vetted and highly paid people who are experts in security. In many cases, when someone leaves, reception is told to forward all calls for the person to someone else in their office - the bigger the organisation, the easier it would be for the highly trained security expert on reception to not notice being given duff information.

        Or it could well have just been the cleaner or security guard at a weekend - you know, when it's best to phone up with the "our systems are down, I'll be strung up Monday morning if I can't fix this" story.

        On second thoughts, if just answering the right phone is enough, can I borrow your mobile to call your bank - I'd like to withdraw some money on your behalf :-)

  4. Anonymous Coward
    Anonymous Coward

Social engineering is the best and easiest way to commit fraud. I have used it to gain access to server rooms when I couldn't be bothered to go back to my car to get my ID. I once went into 6 magistrates' courts' server rooms in a day, and only at one did they attempt to do their job and ask for ID (which was in my car). I just said "oh, it's in the car, but she *pointing at a random girl walking into the office* knows me", and the girl just agreed and not only let me in the room but gave me her spare key card and left me to it (I assume she didn't want the embarrassment of admitting she couldn't remember me, even though we'd never met before). Luckily I was supposed to be there, but I could have been anyone!

    If you want to try it out without risking arrest (it IS fraud), simply go into a Ferrari dealer and demand a test drive (they won't normally allow you if you are a walk-in). Simply berate the salesman in your most condescending tone, mention that "this is why people recommended the McLaren instead", and that you will see to it that all of the people at "the club" remove their future orders from the dealer's books. Done right, you will have the keys for a nice new supercar for a few hours; done to expert level, and you get to keep it for the weekend... Oh, and the best way to pull that off is to walk in in old ripped jeans and an old t-shirt: they instantly hate you for it and try to throw you out, but that just makes your self-entitled rant more effective. If you have no morals you can get anything by causing a big enough scene.

  5. Cuddles

    "it does show a fundamental weakness at the heart of the domain name system"

    Unfortunately, that weakness is humans, and there's no way to fix it without getting rid of them entirely. Sure, GoDaddy should probably make a bit more of an effort not to suck quite so badly, but as long as there are people involved at any stage of the process attacks of this sort are always going to be possible. The most you can do is try to make it a bit more difficult.

  6. crayon

    "they will let ANYBODY renew a domain without checking anything. Even if they are nothing to do with the domain owner, have no ID or anything."

If they are only allowed to simply renew the domain (i.e. they're not able to change any of the contact details) then it's not necessarily a security flaw. There was an incident some years ago involving a domain (I think it was Linux related) that had been "allowed" to expire; some dude tried to visit the website of that domain and found that it had expired, and instead of waiting for the domain owner to renew he got out his credit card and renewed it so it could get back online quicker.

  7. ptab

    They handed my account over

GoDaddy did this exact thing to me about ten years ago. Someone faked a death certificate for me and they handed him my entire portfolio. They never tried to call me, e-mail me, or send me a letter in the post. When I called and they told me what had happened (you can imagine how livid I was!) they asked me to provide proof that it was me. I had to fax them my passport, driver's licence, and a declaration -- more proof than the person who had faked the death certificate. Obviously, I immediately transferred all my domains and never looked back.

  8. crayon
    Joke

    "They never tried to call me, e-mail me, or send me a letter in the post."

Dear Sir/Madam,

    We are sorry to hear about your unfortunate death. Please confirm you're dead so we can transfer your domains to ...
