Go Daddy Security Breached by Social Engineering Tactic; a Go Daddy User’s Account Stolen. What Next?
I love the domain interface, the reasonable prices,
coupons, and the strong support that I enjoy.
Despite what others say, Go Daddy is growing up and
finally donning its long pants – one sees fewer cheesecake ads and more
professionalism in its marketing, and that is a good thing, although I still
find the incessant upselling highly annoying. Too much of a good thing (from a
marketing standpoint) can result in diminishing returns very quickly.
Another story for another day.
But, alas, this fairly young company seems to be
experiencing growing pains and seems to be behind the curve in terms of
security.
Here is the first person account of how Naoki Hiroshima, the
victim, lost his Twitter handle “N” via Go Daddy: How I lost my $50,000 Twitter Username.
This is Go Daddy’s response:
GoDaddy Statement RE: @N Issue
Our review of the situation reveals that the hacker was already in
possession of a large portion of the customer information needed to access the
account at the time he contacted GoDaddy. The
hacker then socially engineered an employee to provide the remaining
information needed to access the customer account. The customer has since
regained full access to his GoDaddy account, and we are working with industry
partners to help restore services from other providers. We are making necessary
changes to employee training to ensure we continue to provide industry-leading
security to our customers and stay ahead of evolving hacker techniques.
—Todd Redfoot
GoDaddy CISO
I find it extremely troublesome that the thief was able to manipulate a Go Daddy employee into revealing sensitive account information.
As each day passes, I find myself increasingly paranoid
about the state of my virtual property.
Instead of complaining about “what is” and making useless threats, I would like to offer some suggestions for what “could be” in terms of protecting customers’ virtual property.
I have always felt that in order to beat the cons, one
must learn how to think like them, and that is what Go Daddy needs to do.
Perhaps they should even hire some ex-hackers and former social engineers to
help them plug these wide security holes.
Perhaps this company already has such a program in place, and I’m sure that Go Daddy would not want to confirm or deny any pending or in-place security changes, nor would I want it to.
At this point, it seems as though social engineering is
the weakest security point, both from the registrar and user access points, but
there are other points of entry that are also weak. I will address those first:
· The user name/account number. At Go Daddy, these are interchangeable; a user can log in with his/her account number or user name. Unfortunately, if a domain owner sells a domain on the Go Daddy aftermarket, Go Daddy hands over the seller’s account number to the buyer. What is to stop a scammer from buying a cheap domain from a seller in order to obtain this account number and then attacking the password? From a security standpoint, the user name/account number should be treated the same as the password and kept secret from the world. This would offer double protection for the account holder. At the very least, disable the account number as a login. At best, give the buyer a non-functioning account number rather than the seller’s real one. Moreover, Go Daddy should offer frequent tips on creating and securing strong user names and passwords.
· Require that the account email address be different from the whois email for domains, and make this a default setting. Using a secret email for the account closes yet another point of entry for thieves. Require that all requested internal account changes, domain pushes and transfers are verified through this “secret” email, not just the whois email.
· Encourage all customers to set up verification protocols before domain transfers can take place. Yes, this is labor-intensive, but it is one of the best ways to thwart thieves.
· Stop sending emails that require users to click on email links, which can be easily spoofed; instead, require users to log in for account messages. Scammers often use cloned emails in their social engineering efforts.
· Take responsibility for negative occurrences of all types and actively help customers reclaim their stolen property. In the past, Go Daddy has been very cagey about negative press, often trying to minimize incidents with cover stories or by hiding behind “policy.” Well, customers are not fooled by such nonsense. The fact that Go Daddy has taken some responsibility for this breach is a step in the right direction.
· Invest in beefing up security by training customer service representatives. Service reps ought to be trained to spot the characteristics of social engineering tactics. Once trained, reps should feel free to consult security management whenever they are in doubt about a request. Training should be ongoing and intensive.
This is serious, and Go Daddy needs to take this
security breach seriously and be willing to invest the money in developing a secure
infrastructure for its customers.
Excellent customer service can help build a good
reputation, but poor security can kill it overnight.
I hope that Go Daddy begins to get this.