You may have heard by now how Wired‘s Mat Honan was hacked. If you haven’t, you can read about it here, but in a nutshell: hackers got into his Twitter and Gmail account after easily obtaining the last four digits of his credit card from his Amazon account. With that information, they were able to satisfy Apple’s security questions. Apple’s customer service then proceeded to reset his Me service which, in turn, allowed them to gain access to his email, then Gmail and Twitter. In the process they remotely wiped his iPhone, iPad and iBook. Because no backups had been done, Mat lost years of photos, documents and emails. All because of a questionable verification process.
Since those articles have appeared, I’ve had several customers voice their concerns about our security when it comes to social engineering tactics to gain access. The short answer is: we take it very seriously.
The long answer is: unless you can 100% prove you are who you say you are, you may find that you’ll have the opposite problem with us. You will need to go the extra mile to provide undeniable proof of who you are to gain access to your account or domain name.
It is possible that someone may be able to gain access to your email account; however, with an email address alone they can’t get access to your domain name. If they are unable to answer the secret questions on file, no password reset is done. And while someone may know some of the security answers, the questions are tailored so that only the account holder will know all the answers.
And that’s just one of the security steps we have in place to ensure we’re talking to the right person.
Still concerned? Be sure to enable IP-based Access Control List (ACL) (“only allow access to a specific IP or IP range”) and Geo-Specific Controls (i.e., “only allow logins from IP addresses in Canada”). Turning these security features on can prevent somebody from accessing your account even if they had somehow compromised your password.
Finally, we are always thinking about ways to make your account more secure and we will be rolling out an option for 2-factor authentication this fall.
We’re a small group of tech nerds that, over the years, have got to know our customers on a personal basis. It’s not uncommon for a client to call and we recognize each other. Yet, we still go through the security process. A security check takes less than a minute and many of our customers are grateful to know that their domain is kept with the same diligence as a bank account and that no clever-talking hacker will be able to weasel their way in using information potentially obtainable in the outside world.
I’m glad to know companies I do business with continue to make progress.
I’ll be looking forward to 2-factor authentication. Bonus points if it looks like Google’s, with double bonus points if can make use of Google’s Authenticator app.
2-factor authentication sounds great! I just went through the process of making my WHOIS private for my domains. I had been meaning to do it for a while (I occasionally got snail mail spam that was clearly based on my domains), but this incident motivated me to do it finally.
Are your security questions visible to your support people?
I.e. are they stored in the clear in your database?
Realize that good security questions are hard to make, so likely the same across multiple sites. I treat them as additional passwords,
Making up random sequences.
Hi,
Definitely looking forward to 2-factor auth enabled for EasyDNS customers (of which I’m one)!
I’ve switched it on for my Gmail account, and am not looking back (I never have to go through the 2-factor “dance” more than once a day… takes about 20 seconds, and keep me at ease from having my password stolen).
Any update on this, by the way?
Thank you!
Greg