CSO Online wrote an article on how easy it is to compromise the controls that ISPs and domain registrars have put in place. I will describe it in more detail in a minute, but here is the short version:
Businesses are much more concerned about keeping customers happy than they are about keeping customers secure.
Sorry, GoDaddy, but that is the truth. The article’s writer and his friend, a security guy, set out to test GoDaddy’s security.
Here is the crux of the problem: GoDaddy support says that account resets are a simple process. If you have forgotten your username or customer number, no problem. Just click on a link and we will make you happy. Or you can call them. Account resets should not be a simple process. At least you should make the hacker or terrorist work a little bit.
In this case, they called customer support. They asked for the domain registration information (which is available to anyone on the planet with access to the Internet via Whois or other domain tools). You can use private registration services to make this harder, but most registrars charge extra for this. One big registrar that does not charge extra for private registration is 1&1 Internet. I would say that this is not a security measure, but they would say it is.
GoDaddy asked if the attacker had access to the account’s email. He said no. GoDaddy said no problem.
GoDaddy asked for the account PIN. Didn’t have that either. Still no problem.
GoDaddy asked for the last 4 of the credit card for the account. Didn’t have that either. Still no problem.
The pseudo-attacker was good at making up reasons for why he didn’t have any of this information, but still, he had none of the information.
The final step was to ask the customer to fill out a form and include a copy of a government-issued ID. Of course, no one at GoDaddy has heard of that little-used program called Photoshop.
So, after a little work with Photoshop, the attacker-friend submitted the paperwork to GoDaddy. Apparently, unlike customer service, the people who read paper forms only work first shift on weekdays, so the attacker was slowed down by submitting the paperwork Friday evening.
Monday morning the attacker received an email from GoDaddy at the fake Gmail account he had set up for this purpose saying the accounts were registered to a business, so there were additional steps – they needed to contact the business.
Again the attacker made stuff up: “this is not a real business, I just thought I had to put something in the blank on the form, so there is no one you could call.” Of course, the CSR could have tried to see if the business existed with a Google search, but that, for you Star Trek fans, would have violated the prime directive – a happy customer is one who continues to let us charge his credit card.
At this point, the attacker had control of the domain account and every email that is associated with it.
Not bad for no information and a couple of hours work.
This technique is a favorite of terrorists and hackers. It is easy and basically untraceable.
To be fair to GoDaddy, MOST businesses are susceptible to this form of attack, whether it is your local department store web site, a registrar, the electric company or whatever. Social engineering is pretty easy because of the prime directive above – keep the customer happy.
So, until businesses (and really consumers) push back and say if you can’t provide the account number or credit card number or PIN or have access to the account’s email, then we are not going to help you, it will continue to be very easy to attack someone. AND, it is really only a little bit harder for the attacker to get one of these pieces of information.
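What a fail-closed recovery policy of the kind described above looks like in code, as an added example that is not part of the original post and not any registrar’s actual system. The account record, the PIN, the card digits, the phone number and the lockout threshold are all constructed for illustration. The check treats the customer number as identification only, counts a factor as verified only when it matches the stored hash or when control of the on-file email address has been confirmed, flags the case where the caller offers nothing at all, and for business accounts insists on a callback to the number already on file rather than one the caller supplies.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3  # assumed policy value for this example, not from the post


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PIN and card last-4 are stored salted and hashed, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class AccountRecord:
    customer_number: str
    salt: bytes
    pin_hash: bytes
    card_last4_hash: bytes
    is_business: bool
    phone_on_file: str
    failed_attempts: int = 0


@dataclass
class RecoveryRequest:
    customer_number: str                        # identifies the record; not proof by itself
    pin: Optional[str] = None
    card_last4: Optional[str] = None
    email_link_confirmed: bool = False          # caller completed a link sent to the address on file
    callback_number_claimed: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: List[str] = field(default_factory=list)


def evaluate_recovery(req: RecoveryRequest, rec: AccountRecord) -> Decision:
    audit: List[str] = []
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return Decision(False, "locked: too many failed recovery attempts", ["locked"])

    presented = verified = 0
    for name, value, stored in (("pin", req.pin, rec.pin_hash),
                                ("card_last4", req.card_last4, rec.card_last4_hash)):
        if value is None:
            audit.append(f"{name}:not_presented")
            continue
        presented += 1
        ok = hmac.compare_digest(_hash_secret(value, rec.salt), stored)  # constant-time compare
        verified += int(ok)
        audit.append(f"{name}:{'ok' if ok else 'mismatch'}")
    if req.email_link_confirmed:
        presented += 1
        verified += 1
        audit.append("email_control:ok")
    else:
        audit.append("email_control:not_presented")

    if presented == 0:
        # The pattern from the post: an excuse for every factor. Fail closed and flag it.
        audit.append("flag:no_verifier_offered")
        return Decision(False, "denied: no verifier offered; route to fraud review", audit)
    if verified == 0:
        rec.failed_attempts += 1
        return Decision(False, "denied: presented verifiers did not match", audit)

    if rec.is_business:
        # Reach the business through the number already on file, never one given during the call.
        if req.callback_number_claimed and req.callback_number_claimed != rec.phone_on_file:
            audit.append("flag:callback_number_mismatch")
        audit.append(f"callback_required:{rec.phone_on_file}")
        return Decision(False, "pending: callback to contact number on file required", audit)

    return Decision(True, "allowed", audit)


def make_sample_record(is_business: bool = False) -> AccountRecord:
    # Constructed sample account; every value here is made up for the example.
    salt = b"constructed-salt-not-real"
    return AccountRecord(customer_number="12345678", salt=salt,
                         pin_hash=_hash_secret("4321", salt),
                         card_last4_hash=_hash_secret("9876", salt),
                         is_business=is_business, phone_on_file="+1-555-0100")


if __name__ == "__main__":
    rec = make_sample_record()
    # The caller from the post: knows nothing, offers nothing.
    print(evaluate_recovery(RecoveryRequest("12345678"), rec))
    # A legitimate owner who can enter the PIN.
    print(evaluate_recovery(RecoveryRequest("12345678", pin="4321"), rec))
```

The audit list is the part a fraud team would actually read: a stream of requests that all carry `flag:no_verifier_offered` from the same caller or source address is the signal that someone is working the support desk rather than forgetting a password.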
A few security product companies will tell you that if you forget your information then you are out of luck. Absio is one and Silent Circle is another, but this is very rare, because, for the most part, customers are more concerned about convenience than they are about security, and until that changes, hackers and terrorists won’t have to work very hard.
GoDaddy’s response after the fact was pretty classic:
- No system is perfect.
- Creating a fake government ID is illegal so since you brought our bad policies to our attention we might report you to the authorities (they apparently didn’t do that either – more weakness in the process).
- We are going to hold our breath until we turn blue if you ever do this again or write about it.
Well, they didn’t really say the last one, but the other two are true.
I have said for years that in a battle between security and convenience, convenience will always win. GoDaddy proved it. Again.