
When two-factor authentication is not enough - ab9
http://blog.fastmail.fm/2014/04/10/when-two-factor-authentication-is-not-enough/
======
kijin
Although Gandi.net is a fantastic company, their security practices are
nothing to write home about.

A few years ago, one of my clients lost access to her Gandi.net account.
Unfortunately, she had the "disable password resets via email" option set in
her account. That should have given her quite a headache, right?

Nope. I, an independent contractor who didn't even own the account, was able
to convince Gandi support to disable that option so that she could reset her
password via email. They didn't even ask for any documents to prove either my
identity or my client's. It took several days, but the only reason it took so
long was because their English support was very slow back then.

So I'm not surprised that Gandi let the attacker change the email on
FastMail's account when presented with genuine-looking documents.

And this is not a problem that is specific to Gandi. Even with other online
services, it's often quite easy to bypass automated security measures if you
go through a human being, whether through the support system or through good
ol' snail mail. In fact, I'm sure that snail mail is by far the most reliable
way to take over someone else's account nowadays. So many of us in the tech
industry have no idea how to verify the authenticity of a piece of paper,
especially if it's from a different country.

Meanwhile, another favorite web host and registrar of mine,
NearlyFreeSpeech.net, recently enabled two-factor authentication. But they did
it differently. In addition to OATH TOTP, NearlyFreeSpeech allows you to
select several other tests that you need to pass in order to recover your
account. If you tell them to give you six different tests, which will probably
take several weeks because some of the tests involve snail mail, they'll honor
your preferences. Or you can choose to take four tests. Or three. Or two. It's
your choice. That's multi-factor auth done right.
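A sketch of the "choose how many tests you must pass" recovery model the comment above describes, as an added example that is not part of the original post and not NearlyFreeSpeech's code. The channel names, the `Account` shape and the rule that changing the policy must itself satisfy the current policy are assumptions for illustration; the last one is the control that was missing in the support-desk story above, where the "no email reset" option could be switched off without any verification.

```python
from dataclasses import dataclass

# Verification channels a user can enrol in (assumed list for this example).
# Each is a distinct kind of evidence; an attacker has to beat several of them
# instead of talking one support agent out of one.
CHANNELS = {"totp", "backup_code", "email", "sms", "postal_letter", "recovery_contact"}


class PolicyError(Exception):
    pass


@dataclass
class Account:
    enrolled: set               # channels the user has set up
    required: int               # user-chosen number of channels that must pass
    email_reset_allowed: bool = True   # the "disable password resets via email" option


def usable_channels(account):
    """Channels that may count towards recovery under the account's own settings."""
    chans = {c for c in account.enrolled if c in CHANNELS}
    if not account.email_reset_allowed:
        chans.discard("email")
    return chans


def evaluate_recovery(account, passed):
    """True if the set of channels the requester has passed satisfies the policy.

    Channels that are not enrolled (or are disabled by the user) are ignored,
    so claiming to have passed "sms" on an account without SMS buys nothing.
    """
    valid = set(passed) & usable_channels(account)
    return len(valid) >= account.required


def set_policy(account, passed, *, required=None, email_reset_allowed=None):
    """Change the recovery policy. This is itself a privileged operation and has
    to clear the CURRENT policy first; there is deliberately no support-staff
    override path. A user who picks a high threshold accepts that recovery may
    take weeks (postal letters) and that losing too many channels means the
    account cannot be recovered at all."""
    if not evaluate_recovery(account, passed):
        raise PolicyError("current recovery policy not satisfied; refusing to change it")
    if email_reset_allowed is not None:
        account.email_reset_allowed = email_reset_allowed
    if required is not None:
        if not 1 <= required <= len(usable_channels(account)):
            raise PolicyError("required count must be between 1 and the number of usable channels")
        account.required = required
    return account


def make_demo_account():
    # Constructed sample account: four channels, three must pass, email resets off.
    return Account(enrolled={"totp", "email", "postal_letter", "backup_code"},
                   required=3, email_reset_allowed=False)


if __name__ == "__main__":
    acct = make_demo_account()
    print("email only:", evaluate_recovery(acct, {"email"}))                          # False
    print("totp+backup+letter:", evaluate_recovery(acct, {"totp", "backup_code", "postal_letter"}))  # True
    try:
        set_policy(acct, set(), email_reset_allowed=True)   # the support-desk bypass
    except PolicyError as e:
        print("refused:", e)
```

The `set_policy` check is the part worth copying: the setting that protects the account is only as strong as the weakest path that can change it.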

~~~
brianmwaters_hn
> And this is not a problem that is specific to Gandi. Even with other online
> services, it's often quite easy to bypass automated security measures if you
> go through a human being, whether through the support system or through good
> ol' snail mail.

I wonder if this is actually a counter-intuitive advantage of AWS, which, as
far as I can tell, offers absolutely zero, zip, nada human support.

~~~
dbarlett
Actually they do for MFA problems, even if you don't have paid support on your
account. A few years ago I wiped my phone without first disabling MFA on my
account (I use Google Authenticator). After business hours on a holiday, I
submitted the support form [0] and got a call from a human five minutes later.
He asked me several questions and deactivated MFA so I could log in.

[0] [https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/aws-token-support-v2](https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/aws-token-support-v2)

~~~
meapix
They called you. That makes a huge difference. It would be a problem if you
had called them from a public phone.

------
ghshephard
It's interesting how there are people who think spending $100/year/domain is a
lot of money - but when your entire company's business/value is on the line, I
would think that spending $1,000/year/domain, to make absolutely sure nothing
goes wrong, would be a bargain.

It also ensures that your registrar has the resources required to guarantee a
very high level of verification and due process to ensure that everything is
done correctly, with lots of extra human review (in addition to all of the
automated safety checks, not instead of them).

I've heard good things about
[https://www.markmonitor.com/](https://www.markmonitor.com/) when it comes to
managing domains (among other things)

~~~
mike-cardwell
I've heard this claim made repeatedly on this site, but I've not heard any
details as to what specifically MarkMonitor does to protect domains above and
beyond other registrars. Anyone care to chime in?

~~~
ghshephard
I realize it's an appeal to authority, but if there is one company that would
have a lot to lose if its domain was ever exploited, it's google.

[http://reports.internic.net/cgi/whois?whois_nic=google.com&t...](http://reports.internic.net/cgi/whois?whois_nic=google.com&type=domain)

~~~
pbhjpbhj
I think Google actually stand to lose less than a smaller corporation. The
registry will not assign Google to another company in any way that passes any
eyeballs without seriously questioning it; if it did get re-assigned then they
wouldn't have a problem recovering it. It's not likely to be gone for more
than a few seconds before it's noticed and customers who were phished, or
whatever, wouldn't be that likely to leave Google because of it.

That said I think appeal to authority is quite useful in this situation.

~~~
danielweber
I would agree that any attempt to reassign google.com ought to raise someone's
eyebrows.

But I would have said the same about mit.edu and they got reassigned about a
year ago. Obviously not for long, but the damage someone well-prepared could
do by owning google.com for just 30 minutes is scary.

~~~
pbhjpbhj
There's no way anyone could own it for more than a couple of minutes before
Google had contacted the managers of the root name servers and ICANN to
revert. Like the sibling comment intimates, handling the traffic would be nigh
impossible - easier to control and perform a localised attack on a nameserver
to "own" google.com for a limited subset of users.

------
Revisor
This article really should have been called "Security hole in Gandi's
processes". Why would they change the account email address if you didn't
reply to a single email within 24 hours? Who thought that was a good solution?

~~~
techsupporter
A possible reason was called out in the article:

"Gandi’s paper 'email reset' form makes a lot of sense in the world where most
of their customers are individuals or small businesses with one or two
domains, and using addresses that they may lose access to. With no other
factors, if they lose access to the email address and forget their password,
there needs to be a process to regain access."

If a customer loses access to the one e-mail registered with GANDI (a small
business signs up with their Earthlink.net address, moves, and now only has a
Comcast.com address), there needs to be a way that allows an e-mail change
without requiring positive confirmation from the old address. Having GANDI
change their process to disallow this when an account is 2FA-enabled is, to
me, a reasonable compromise.

~~~
facepalm
Shouldn't they send out a paper letter to the owner of the domain then? That
might be a better way to verify identity. Or use an actual "real world"
identity check?

In Germany you can do that with the German mail system - the postman will then
check your id and confirm you are who you claim to be. Certainly not
foolproof, but just accepting incoming letters at face value seems crazy.

~~~
Jhsto
In Finland all changes to your .fi domain (renewals, nameserver changes, etc.)
are snail mailed to you. It was a confusing experience for me when I
registered a .fi domain on Gandi, but still got all the mails sent to me.
Also, I can't control my domain on Gandi, as the credentials were snail mailed
to me by my country's authorities. The only place I can make changes to my
domain is on the Finnish authority's website - with the credentials which were
snail mailed to me.

Here postmen only check your ID when receiving or retrieving packages, but
I've understood that you can buy the same service for letters as well. Most
online identity checks are made by logging in through banks, which can verify
your SSN and the like.

~~~
facepalm
It's probably too expensive to use as a standard method, but I would be
willing to deposit some money with Gandi just in case they need to ID check
me.

------
rdl
I wish there were a "pro registrar" who handled domains, SSL certs, etc. for
people who actually value their business. Right now, the best you can do is
probably become an ICANN registrar yourself (since all the registrars seem to
be assclowns from a security or support perspective, or both), and get an
intermediate CA (if needed) or manage your certs through something like
Venafi. That is maybe a $100k setup, $50k/yr cost.

Something less than that, or for that price but without having to devote
staff, would make sense for some customers.

Sort of like MarkMonitor, I guess.

------
jrochkind1
That email message from Gandi is _so_ confusing, at first I thought the story
was going to be about how it was a phishing attempt!

> _If you can read this message, then you can recover the password of your
> account, and thus modify the email address of the handle. In that case, we
> won't take care of your request._

Wait... what?

------
biot
I've been a fan of easyDNS for their security features and how they go to bat
for their customers when it comes to things like transfers / takedown notices.

[http://blog.easydns.org/2014/01/29/welcome-to-easydns-press-1-for-support-press-2-to-get-the-last-4-digits-of-your-credit-card-number-on-file-here/](http://blog.easydns.org/2014/01/29/welcome-to-easydns-press-1-for-support-press-2-to-get-the-last-4-digits-of-your-credit-card-number-on-file-here/)

[http://blog.easydns.org/2012/02/21/the-official-easydns-domain-takedown-policy/](http://blog.easydns.org/2012/02/21/the-official-easydns-domain-takedown-policy/)

And has Gandi changed their terms recently to remove the bullshit?
[https://news.ycombinator.com/item?id=4970947](https://news.ycombinator.com/item?id=4970947)

------
danielweber
Online games separate your public handle from your login username (typically
your email address). If someone wants to take over LazerBob, they have to
first guess his username.

It's nowhere near sufficient by itself, but it cuts down on the noise
dramatically.

Many email addresses should be considered sensitive, in that you want any
attempt to talk to them to get close personal attention from several senior
people. "hostmaster@fastmail.fm" should be changed to
"hostmaster-9508gdgs42x@fastmail.fm" simply to reduce the amount of noise
going to it. Don't publish it in your whois or on your blog; tell it only to
your domain manager.

You can't count on it staying secret forever, of course.

------
ams6110
_If you are opposed to this modification, thank you for letting us know only
by replying to this email.

If you can read this message, then you can recover the password of your
account, and thus modify the email address of the handle. In that case, we
won't take care of your request._

I get that they are not native English speakers, but if I got an email like
that I'd be VERY likely to conclude that it was phishing and ignore it. It
just reads like so many of those broken-English "Kind Sir, your email quota
has been exceeded, please to click here to revalidate your password account"
mails I get every other day.

Hire an English speaking writer to draft your email notices.

------
kmfrk
I'm currently using [https://iwantmyname.com](https://iwantmyname.com) for my
active domains, but I would like to hear people's experiences with it.

------
richardwigley
The passport will be obviously forged. A hacker won't even have done a good
job; it doesn't matter, because people don't check. This process was described
in a candid interview with a hacker who tried to take over the interviewer's
website - in it he points out that social engineering is the easiest way
around security.
[http://shoptalkshow.com/episodes/special-one-one-hacker/](http://shoptalkshow.com/episodes/special-one-one-hacker/)

~~~
smackfu
Especially since this request was done by snail mail, so the passport was
probably a black-and-white photocopy. All the attacker needs to alter is the
name, which seems pretty trivial.

------
Schwolop
The article links to a Schneier article which suggests using random keyboard
mashing as an answer to "Security" questions. This is all well and good until
you need to use the Australian Government Centrelink application, in which not
one, but FIVE "Security" questions are requested.

And then, without any warning, you're obliged to provide your password AND the
answer to a random one of those questions when you log in.

Guess how long I was on hold for...

------
j-rom
Multiple forms of authentication do not ensure security. They merely raise the
bar for the effort it takes to break it.

------
dawson
Can anyone recommend a registrar who takes domain security seriously? (think,
£ six digit value domain names)

~~~
pbhjpbhj
When you're at that level of risk you probably need to worry as much about the
registry as the registrar - if a corrupt registrar can simply bypass your
registrar and claim the domain, for example.

~~~
nly
That's why several TLDs have a "registry lock" as well as a "registrar lock".
Basically you can't transfer your domain between registrars without first
going above their head to the registry.
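The registrar lock and registry lock the comment above distinguishes are visible from the outside as EPP status codes in WHOIS or RDAP output: `client*Prohibited` statuses are set by the registrar, `server*Prohibited` statuses are set by the registry and cannot be cleared by the registrar alone. The checker below is an added example, not code from the article or from any registrar; it parses both thin-WHOIS `Domain Status:` lines and the RDAP status strings of RFC 8056 (which write the same codes as lowercase words, mapped back to EPP names here), and reports which locks a domain is missing. The sample records are constructed and do not describe any real domain.

```python
import json
import re

# EPP status codes (https://icann.org/epp). "client*" = registrar lock,
# "server*" = registry lock. A full registry lock sets all three server* codes.
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}

# Thin WHOIS lines look like:
#   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_whois_statuses(whois_text):
    """Collect EPP status names from WHOIS text."""
    return set(STATUS_RE.findall(whois_text))


def rdap_to_epp(status):
    """RFC 8056 RDAP form ("server transfer prohibited") -> EPP name."""
    words = status.strip().lower().split()
    return words[0] + "".join(w.capitalize() for w in words[1:])


def parse_rdap_statuses(rdap_json):
    """Collect EPP status names from an RDAP domain object (JSON text or dict)."""
    obj = json.loads(rdap_json) if isinstance(rdap_json, str) else rdap_json
    return {rdap_to_epp(s) for s in obj.get("status", [])}


def lock_report(statuses):
    """Summarise what is locked and what is not, given a set of EPP statuses."""
    statuses = set(statuses)
    return {
        "registrar_lock": "clientTransferProhibited" in statuses,
        "registry_lock": SERVER_LOCKS <= statuses,
        "missing_client_locks": CLIENT_LOCKS - statuses,
        "missing_server_locks": SERVER_LOCKS - statuses,
    }


def verdict(report):
    if report["registry_lock"] and not report["missing_client_locks"]:
        return "registry lock + registrar lock"
    if report["registry_lock"]:
        return "registry lock (registrar-side locks incomplete)"
    if report["registrar_lock"]:
        return "registrar lock only: a transfer needs only your registrar's cooperation"
    return "UNLOCKED: transfer, update and delete all possible at registrar level"


# Constructed sample WHOIS records, in the style of a thin .com registry answer.
SAMPLE_CLIENT_ONLY = """\
   Domain Name: EXAMPLE-LOCKED.COM
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
SAMPLE_BOTH = SAMPLE_CLIENT_ONLY + """\
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
SAMPLE_UNLOCKED = """\
   Domain Name: EXAMPLE-OPEN.COM
   Domain Status: ok https://icann.org/epp#ok
"""
# Constructed RDAP object for the same fully locked case.
SAMPLE_RDAP = json.dumps({"ldhName": "example-locked.com", "status": [
    "client delete prohibited", "client transfer prohibited", "client update prohibited",
    "server delete prohibited", "server transfer prohibited", "server update prohibited"]})


if __name__ == "__main__":
    for name, text in [("client only", SAMPLE_CLIENT_ONLY), ("both", SAMPLE_BOTH),
                       ("unlocked", SAMPLE_UNLOCKED)]:
        print(f"{name}: {verdict(lock_report(parse_whois_statuses(text)))}")
    print("rdap:", verdict(lock_report(parse_rdap_statuses(SAMPLE_RDAP))))
```

Run this against real output (`whois example.com`, or the RDAP JSON from your TLD's server) for every domain that matters; a high-value name showing only `client*` codes is the case the comment warns about.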

