Go Daddy Security Breached by Social Engineering Tactic; a Go Daddy User’s Account Stolen. What Next?
I like Go Daddy.
I love the domain interface, the reasonable prices, coupons, and the strong support that I enjoy.
Despite what others say, Go Daddy is growing up and finally donning its long pants – one sees fewer cheesecake ads and more professionalism in its marketing, and that is a good thing, although I still find the incessant upselling highly annoying. Too much of a good thing (from a marketing standpoint) can result in diminishing returns very quickly.
Another story for another day.
But, alas, this fairly young company seems to be experiencing growing pains and seems to be behind the curve in terms of security.
A recent shocking – and successful – social engineering tactic has rocked the domaining and tech worlds.
Here is the first person account of how Naoki Hiroshima, the victim, lost his Twitter handle “N” via Go Daddy: How I lost my $50,000 Twitter Username.
This is Go Daddy’s response:
GoDaddy Statement RE: @N Issue
Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.
GoDaddy Public Relations, PR@GoDaddy.com
I find this extremely troublesome: that the thief was able to manipulate a Go Daddy employee into revealing sensitive account information.
As each day passes, I find myself increasingly paranoid about the state of my virtual property.
Instead of complaining about “what is” and making useless threats, I would like to offer some suggestions for what “could be” in terms of protecting customers’ virtual property.
I have always felt that in order to beat the cons, one must learn how to think like them, and that is what Go Daddy needs to do. Perhaps they should even hire some ex-hackers and former social engineers to help them plug these wide security holes.
Perhaps this company already has such a program in place. I’m sure that Go Daddy would not want to confirm or deny any pending or in-place security changes, nor would I want it to.
At this point, it seems as though social engineering is the weakest security point, both from the registrar and user access points, but there are other points of entry that are also weak. I will address those first:
· The user name/account number. At Go Daddy, these are interchangeable; a user can log in with his/her account number or user name. Unfortunately, if a domain owner sells a domain on the Go Daddy aftermarket, Go Daddy hands over the seller’s account number to the buyer. What is to stop a scammer from buying a cheap domain from a seller in order to obtain this account number and then attacking the password? From a security standpoint, the user name/account number should be treated the same as the password and kept secret from the world. This would offer double protection for the account holder. At the very least, disable the account number as a login. At best, give the buyer a non-functioning account number for the seller. Moreover, Go Daddy should offer frequent tips on creating and securing strong user names and passwords.
· Require that the account email address be different from the whois email for domains. Make this a default setting. Using a secret email for the account closes yet another point of entry for thieves. Make it so that all requested internal account changes, domain pushes, and transfers are verified through this “secret” email, not just the whois email.
· Encourage all customers to set up verification protocols before domain transfers can take place. Yes, this is labor-intensive, but it is one of the best ways to thwart thieves.
· Stop sending emails that require users to click on email links, which can be easily spoofed; instead, require users to log in for account messages. Scammers often use clone emails in their social engineering efforts.
· Take responsibility for negative occurrences of all types and actively help customers reclaim their stolen property. In the past, Go Daddy has been very cagey about negative press, often trying to minimize instances by cover stories or hiding behind “policy.” Well, customers are not fooled by such nonsense. The fact that Go Daddy has taken some responsibility for this breach is a step in the right direction.
· Invest in beefing up security by training customer service representatives. Service reps ought to be trained to spot the characteristics of social engineering tactics. Once trained, reps should, when in doubt about a request, feel free to consult security management. Training should be ongoing and intensive.
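As an added illustration (not Go Daddy’s code, and not from the original post), the following Python sketch models three of the controls proposed in the list above: the account number is refused as a login identifier, the public whois contact is forced to differ from the account email, and a push/transfer is only applied after a single-use confirmation code sent to the account email (never the whois address) is presented back. The registrar, account fields, round count, and the in-memory “outbox” standing in for real mail are all constructed for this example.

```python
"""Added example (hypothetical registrar model, not Go Daddy's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # constructed value for the example


@dataclass
class Account:
    username: str
    account_number: str
    account_email: str          # the "secret" contact address, never published
    salt: bytes
    pw_hash: bytes
    domains: dict = field(default_factory=dict)   # domain -> public whois email
    pending: dict = field(default_factory=dict)   # request id -> (domain, one-time code)


class Registrar:
    def __init__(self):
        self.accounts = {}
        # Constructed stand-in for an outbound mail queue: (recipient, message) pairs.
        self.outbox = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, account_number, account_email, password):
        salt = secrets.token_bytes(16)
        acct = Account(username, account_number, account_email,
                       salt, self._hash(password, salt))
        self.accounts[username] = acct
        return acct

    def login(self, identifier, password):
        """Accept only the username. An account number that leaked through an
        aftermarket sale is refused outright, even with the right password."""
        if any(a.account_number == identifier for a in self.accounts.values()):
            return None
        acct = self.accounts.get(identifier)
        if acct is None or not hmac.compare_digest(self._hash(password, acct.salt),
                                                   acct.pw_hash):
            return None
        return acct

    def add_domain(self, acct, domain, whois_email):
        """Enforce the default: the public whois contact must differ from the account email."""
        if whois_email.strip().lower() == acct.account_email.strip().lower():
            raise ValueError("whois email must differ from the account email")
        acct.domains[domain] = whois_email

    def request_transfer(self, acct, domain):
        """Stage a push/transfer; the confirmation code goes to the account email only."""
        if domain not in acct.domains:
            raise KeyError(f"{domain} is not in this account")
        req_id = secrets.token_hex(4)
        code = secrets.token_hex(8)
        acct.pending[req_id] = (domain, code)
        self.outbox.append((acct.account_email,
                            f"Confirm transfer of {domain} with code {code}"))
        return req_id

    def confirm_transfer(self, acct, req_id, code):
        """Apply the transfer only when the single-use code comes back; False otherwise."""
        entry = acct.pending.get(req_id)
        if entry is None:
            return False
        domain, expected = entry
        if not hmac.compare_digest(expected, code):   # constant-time comparison
            return False
        del acct.pending[req_id]      # single use: a replayed code is rejected
        del acct.domains[domain]      # the domain leaves the account
        return True


if __name__ == "__main__":
    reg = Registrar()
    alice = reg.register("alice", "12345678", "alice-private@example.com", "correct horse")
    assert reg.login("12345678", "correct horse") is None   # account number is not a login
    reg.add_domain(alice, "example.org", "admin@example.org")
    rid = reg.request_transfer(alice, "example.org")
    print(reg.outbox[-1])   # code was sent to the private account address, not the whois one
```

The point of the design is that an attacker who holds everything that is public or sold on (account number, whois contact, a guessed password) still cannot log in with the account number and cannot complete a transfer without reading the private account mailbox, which is exactly the channel the list above proposes keeping secret.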
This is serious, and Go Daddy needs to take this security breach seriously and be willing to invest the money in developing a secure infrastructure for its customers.
Excellent customer service can help build a good reputation, but poor security can kill it overnight.
I hope that Go Daddy begins to get this.