You may have heard by now how Wired‘s Mat Honan was hacked. If you haven’t, you can read about it here, but in a nutshell: the attackers easily obtained the last four digits of his credit card number from his Amazon account, and that was enough to satisfy Apple’s identity questions. Apple’s customer service then reset his iCloud (@me.com) account, which was the recovery address for his Gmail, which in turn gave them his Twitter account. Along the way they remotely wiped his iPhone, iPad and MacBook. Because no backups had been made, Mat lost years of photos, documents and email. All because of a weak verification process.
Since those articles appeared, several customers have asked how we guard against social-engineering attempts to get into their accounts. The short answer is: we take it very seriously.
The long answer is: unless you can prove beyond doubt that you are who you say you are, you may find you have the opposite problem with us. You will need to go the extra mile and provide undeniable proof of identity before we will let you into your account or touch your domain name.
Someone may well manage to get into your email account; with your email address alone, however, they cannot get at your domain name. If they cannot answer the secret questions on file, no password reset is performed. And while an attacker may know some of the answers, the questions are chosen so that only the account holder will know all of them. The lesson of the Honan case is that an answer which can be looked up elsewhere (the last four digits of a card number, a mailing address) is no secret at all, so pick answers that are not on record anywhere else.
And that’s just one of the security steps we have in place to ensure we’re talking to the right person.
Still concerned? Enable the IP-based Access Control List (ACL) (“only allow access from a specific IP address or range”) and the geo-specific controls (for example, “only allow logins from IP addresses in Canada”). With these switched on, a password alone is not enough: a login from outside the permitted addresses or countries is refused even if the attacker has somehow obtained your password. Keep the list current, though; a VPN or a change of ISP can move you outside your own allowlist and lock you out until you verify your identity with us.
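To show how such a gate behaves, here is an added example of the two controls together (this is illustrative code written for this post, not the registrar’s own login code). The `AccessPolicy` class, the `attempt_login` function and the `SAMPLE_GEOIP` table are all assumptions: the table uses documentation address ranges with made-up country assignments standing in for a real GeoIP database. The policy is checked before the password so that a stolen password presented from the wrong network never reaches credential verification, and it fails closed on anything it cannot classify. Note that the source address fed into it must be the socket peer address (or a header your own reverse proxy sets), never a client-supplied X-Forwarded-For value, or the whole control is trivially bypassed.

```python
import ipaddress

# Constructed sample GeoIP table (hypothetical values, not real allocations):
# network -> ISO 3166 country code. A real deployment would consult a GeoIP
# database; the point here is the policy logic around it.
SAMPLE_GEOIP = {
    "198.51.100.0/24": "CA",
    "203.0.113.0/24": "US",
    "2001:db8:ca::/48": "CA",
}
GEOIP_NETWORKS = [(ipaddress.ip_network(n), cc) for n, cc in SAMPLE_GEOIP.items()]


def lookup_country(addr):
    """Return the country code for a parsed address, or None if unknown."""
    for net, cc in GEOIP_NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return None


class AccessPolicy:
    """Per-account login restrictions: an IP/CIDR allowlist and a country
    allowlist. An empty list means that control is switched off."""

    def __init__(self, ip_acl=(), allowed_countries=()):
        # strict=False accepts entries such as "198.51.100.7/24" by masking host bits.
        self.ip_acl = [ipaddress.ip_network(entry, strict=False) for entry in ip_acl]
        self.allowed_countries = {cc.upper() for cc in allowed_countries}

    def evaluate(self, source_ip):
        """Return (allowed, reason). Fails closed on anything it cannot classify."""
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "unparseable source address"
        if self.ip_acl and not any(addr in net for net in self.ip_acl):
            return False, "source address not in ACL"
        if self.allowed_countries:
            country = lookup_country(addr)
            if country is None:
                # Unknown geolocation is treated as a denial, not a pass.
                return False, "source country unknown"
            if country not in self.allowed_countries:
                return False, "source country %s not permitted" % country
        return True, "allowed"


def attempt_login(policy, source_ip, password_is_valid):
    """Gate a login. The network policy is evaluated before the password, so a
    stolen password presented from outside the allowed networks is rejected
    without ever reaching credential verification."""
    allowed, reason = policy.evaluate(source_ip)
    if not allowed:
        return "denied: " + reason
    if not password_is_valid:
        return "denied: bad credentials"
    return "granted"


if __name__ == "__main__":
    # Account locked to one /24 and to Canada; the attacker has the password
    # but connects from a US address.
    policy = AccessPolicy(ip_acl=["198.51.100.0/24"], allowed_countries=["CA"])
    print(attempt_login(policy, "198.51.100.7", True))   # owner from home
    print(attempt_login(policy, "203.0.113.9", True))    # attacker, right password
    print(attempt_login(policy, "192.0.2.1", True))      # unlisted, unknown country
```

In practice the ACL entries and country list come from the account settings, and a denial should be logged with the source address and reason so that repeated attempts with a valid password from the wrong network stand out as a likely credential compromise.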
Finally, we are always looking at ways to make your account more secure, and we will be rolling out two-factor authentication as an option this fall.
We’re a small group of tech nerds who, over the years, have gotten to know our customers on a personal basis. It’s not uncommon for a client to call and for us to recognize each other’s voices. Yet we still go through the security process. A security check takes less than a minute, and many of our customers are grateful to know that their domain is kept with the same diligence as a bank account, and that no smooth-talking hacker will be able to weasel their way in using information that can be dug up elsewhere.