A few years ago, one of my clients lost access to her Gandi.net account. Unfortunately, she had the "disable password resets via email" option set in her account. That should have given her quite a headache, right?
Nope. I, an independent contractor who didn't even own the account, was able to convince Gandi support to disable that option so that she could reset her password via email. They didn't even ask for any documents to prove either my identity or my client's. It took several days, but the only reason it took so long was because their English support was very slow back then.
So I'm not surprised that Gandi let the attacker change the email on FastMail's account when presented with genuine-looking documents.
And this is not a problem that is specific to Gandi. Even with other online services, it's often quite easy to bypass automated security measures if you go through a human being, whether through the support system or through good ol' snail mail. In fact, I'm sure that snail mail is by far the most reliable way to take over someone else's account nowadays. So many of us in the tech industry have no idea how to verify the authenticity of a piece of paper, especially if it's from a different country.
Meanwhile, another favorite web host and registrar of mine, NearlyFreeSpeech.net, recently enabled two-factor authentication. But they did it differently. In addition to OATH TOTP, NearlyFreeSpeech allows you to select several other tests that you need to pass in order to recover your account. If you tell them to give you six different tests, which will probably take several weeks because some of the tests involve snail mail, they'll honor your preferences. Or you can choose to take four tests. Or three. Or two. It's your choice. That's multi-factor auth done right.
I wonder if this is actually a counter-intuitive advantage of AWS, which, as far as I can tell, offers absolutely zero, zip, nada human support.
So, what kind of questions did they ask you?
It also ensures that your registrar has the resources required to guarantee a very high level of verification and due process to ensure that everything is done correctly, with lots of extra human review (in addition to all of the automated safety checks, not instead of).
I've heard good things about https://www.markmonitor.com/ when it comes to managing domains (among other things).
Funnily enough, we feel the same way about people who don't want to pay $20/year for their email address, given that it's the primary method of identifying yourself online.
As with any business expense though, you only want to pay for value - if you spend $1000/year for exactly what you could have got for $100/year, that's wasting money.
And we're satisfied that Gandi know us now! Overall they've been really good - they just missed this one thing when they added 2FA. I bet they're not the only site.
Security is one of my top concerns, which is why I don't need much storage at FastMail. My email is deleted from FastMail's servers in less than 180 days after receipt because the USG considers email over 180 days old to be abandoned and will access such email without a warrant.
You're also paying for multiple replica copies and backups and all that good stuff. By the time you add RAID, search, metadata, etc - there's pretty much a 10:1 ratio between quota usage figures and raw disk used.
Then there's development effort - we're not just installing a couple of packages and then sitting back and letting them run.
That said I think appeal to authority is quite useful in this situation.
But I would have said the same about mit.edu and they got reassigned about a year ago. Obviously not for long, but the damage someone well-prepared could do by owning google.com for just 30 minutes is scary.
I think the idea behind these services is, they're not just a registrar. Broadly speaking, their business is "know your customer". They're boutiques. They protect large companies against the vagaries of DNS hacks, expired domain registrations, typosquatting, etc.
E.g. a (long) while ago Microsoft failed to renew hotmail.co.uk, just like they previously forgot to renew passport.com. But today, Microsoft can't forget to renew microsoft.com, because that's now MarkMonitor's job. Similarly, renewing passport.com is now the job of (according to whois '=passport.com'):
Corporation Service Company(c) (CSC)
The Trusted Partner
of More than 50% of the 100 Best Global Brands.
This is different from a registrar lock in that a registrar lock is managed by the registrar (GoDaddy, Tucows, etc.) but a registry lock is managed by the registry itself. It requires personal contact with specific individuals to enable and disable the lock, making attempts to steal domains more difficult (but not impossible, since social engineering is still feasible).
I've never used MarkMonitor before, but I did handle the registration for a hugely popular domain at one time. They decided to move to MarkMonitor, but in the meantime they requested a registry lock set up on their main domain. This turned out to be a very good idea, since the registrar at the time was socially engineered into changing the credentials for the account (with forged letterhead similar to the fastmail.fm attack). The attackers were able to change the nameservers for little-used domains, but their main domain could not be modified.
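A defender-side check that follows from the registrar-lock versus registry-lock distinction above, as an added example (not code from any commenter): it parses the `Domain Status:` lines of a whois record and reports, for each of delete, transfer and update, whether the prohibition is a registrar-set client* code or a registry-set server* code, the latter being what a registry lock looks like from the outside. The two whois records below are constructed samples, not real output.

```python
import re

# EPP status codes as they appear on "Domain Status:" lines of a whois record.
# client*Prohibited codes are set and cleared by the registrar; server*Prohibited
# codes can only be set or cleared by the registry, so a domain showing all three
# server* codes is the externally visible sign of a registry lock.
OPERATIONS = ("Delete", "Transfer", "Update")

# Matches e.g. "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


def parse_statuses(whois_text):
    """Collect the set of EPP status codes found in a whois record."""
    return set(STATUS_RE.findall(whois_text))


def lock_level(statuses, op):
    """Who enforces the prohibition on this operation: registry, registrar or nobody."""
    if f"server{op}Prohibited" in statuses:
        return "registry"
    if f"client{op}Prohibited" in statuses:
        return "registrar"
    return "none"


def audit_locks(whois_text):
    """Per-operation lock level plus a single registry_lock verdict."""
    statuses = parse_statuses(whois_text)
    levels = {op.lower(): lock_level(statuses, op) for op in OPERATIONS}
    registry_locked = all(level == "registry" for level in levels.values())
    return {**levels, "registry_lock": registry_locked}


# Constructed sample records (not real whois output).
REGISTRY_LOCKED = """\
Domain Name: EXAMPLE-LOCKED.COM
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

REGISTRAR_LOCKED_ONLY = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

if __name__ == "__main__":
    for record in (REGISTRY_LOCKED, REGISTRAR_LOCKED_ONLY):
        print(audit_locks(record))
```

A domain whose only protection is a client* code can still be altered by anyone who talks the registrar into it, which is exactly the failure mode the comment above describes.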
Of course if it was hacked it wasn't necessarily MarkMonitor's fault; it could be Facebook's (though good security would anticipate that some customers will have poor security).
(If that post looks familiar, yes I'm reposting from a few days ago when someone made a similar comment. I'm hoping someone knows more about it.)
The problem with their system is that it has the right amount of human intervention to be fallible to social engineering.
"Gandi’s paper 'email reset' form makes a lot of sense in the world where most of their customers are individuals or small businesses with one or two domains, and using addresses that they may lose access to. With no other factors, if they lose access to the email address and forget their password, there needs to be a process to regain access."
If a customer loses access to the one e-mail registered with GANDI (a small business signs up with their Earthlink.net address, moves, and now only has a Comcast.com address), there needs to be a way that allows an e-mail change without requiring positive confirmation from the old address. Having GANDI change the process to disallow this when an account is 2FA-enabled is, to me, a reasonable compromise.
In Germany you can do that with the German mail system - the postman will then check your ID and confirm you are who you claim to be. Certainly not foolproof, but just accepting incoming letters at face value seems crazy.
Here, postmen only check your ID when receiving or retrieving packages, but I've understood that you can buy the same service for letters as well. Most online identity checks are made by logging in through banks, which can verify your SSN and the like.
The alternative would be to go to a FastMail-selected notary, present appropriate identification material to them, and then pay a small fee to have an expedited (3-day) recovery process.
You don't have a bad idea, you just need to consider all the effects.
For the places where it's really necessary, like fastmail, they should have physical photos of all the principals on hand.
It's expensive, but it's also an extremely precious resource they need to guard at all times.
Something less than that, or for that price but without having to devote staff, would make sense for some customers.
Sort of like MarkMonitor, I guess.
> If you can read this message, then you can recover the password of your account, and thus modify the email address of the handle. In that case, we won't take care of your request.
And has Gandi changed their terms recently to remove the bullshit? https://news.ycombinator.com/item?id=4970947
It's nowhere near sufficient by itself, but it cuts down on the noise dramatically.
Many email addresses should be considered sensitive, in that you want any attempt to talk to them to get close personal attention from several senior people. "email@example.com" should be changed to "firstname.lastname@example.org" simply to reduce the amount of noise going to it. Don't publish it in your whois or on your blog; tell it only to your domain manager.
You can't count on it staying secret forever, of course.
If you can read this message, then you can recover the password of your account, and thus modify the email address of the handle. In that case, we won't take care of your request.
I get that they are not native English speakers, but if I got an email like that I'd be VERY likely to conclude that it was phishing and ignore it. It just reads like so many of those broken-English "Kind Sir, your email quota has been exceeded, please to click here to revalidate your password account" mails I get every other day.
Hire an English-speaking writer to draft your email notices.
And then, without any warning, you're obliged to provide your password AND the answer to a random one of those questions when you log in.
Guess how long I was on hold for...