Hacker News new | past | comments | ask | show | jobs | submit login
When two-factor authentication is not enough (fastmail.fm)
284 points by ab9 on Apr 10, 2014 | hide | past | web | favorite | 53 comments

Although Gandi.net is a fantastic company, their security practices are nothing to write home about.

A few years ago, one of my clients lost access to her Gandi.net account. Unfortunately, she had the "disable password resets via email" option set in her account. That should have given her quite a headache, right?

Nope. I, an independent contractor who didn't even own the account, was able to convince Gandi support to disable that option so that she could reset her password via email. They didn't even ask for any documents to prove either my identity or my client's. It took several days, but the only reason it took so long was because their English support was very slow back then.

So I'm not surprised that Gandi let the attacker change the email on FastMail's account when presented with genuine-looking documents.

And this is not a problem that is specific to Gandi. Even with other online services, it's often quite easy to bypass automated security measures if you go through a human being, whether through the support system or through good ol' snail mail. In fact, I'm sure that snail mail is by far the most reliable way to take over someone else's account nowadays. So many of us in the tech industry have no idea how to verify the authenticity of a piece of paper, especially if it's from a different country.

Meanwhile, another favorite web host and registrar of mine, NearlyFreeSpeech.net, recently enabled two-factor authentication. But they did it differently. In addition to OATH TOTP, NearlyFreeSpeech allows you to select several other tests that you need to pass in order to recover your account. If you tell them to give you six different tests, which will probably take several weeks because some of the tests involve snail mail, they'll honor your preferences. Or you can choose to take four tests. Or three. Or two. It's your choice. That's multi-factor auth done right.

> And this is not a problem that is specific to Gandi. Even with other online services, it's often quite easy to bypass automated security measures if you go through a human being, whether through the support system or through good ol' snail mail.

I wonder if this is actually a counter-intuitive advantage of AWS, which, as far as I can tell, offers absolutely zero, zip, nada human support.

Actually they do for MFA problems, even if you don't have paid support on your account. A few years ago I wiped my phone without first disabling MFA on my account (I use Google Authenticator). After business hours on a holiday, I submitted the support form [0] and got a call from a human five minutes later. He asked me several questions and deactivated MFA so I could log in.

[0] https://portal.aws.amazon.com/gp/aws/html-forms-controller/c...

They called you. That makes a huge difference. Problem if you called them from public phone.

Well, that's great, except, according to the article at the top of this thread, that's maybe not so great, depending on what kind of questions they asked you.

So, what kind of questions did they ask you?

Google is one of the few companies I've dealt with that generally does not easily fall victim to social engineering of this nature.

It's interesting how there are people who think spending $100/year/domain is a lot of money - but when your entire company's business/value is on the line, I would think that spending $1,000/year/domain, to make absolutely sure nothing goes wrong, would be a bargain.

It also ensures that your registrar has the resources required to guarantee a very high level of verification and due process to ensure that everything is done correctly, with lots of extra human review (in addition to all of the automated safety checks, not instead of)

I've heard good things about https://www.markmonitor.com/ when it comes to managing domains (among other things)

Well, we are paying for Gandi's corporate level of support.

Funnily enough, we feel the same way about people who don't want to pay $20/year for their email address, given that it's the primary method of identifying yourself online.

As with any business expense though, you only want to pay for value - if you spend $1000/year for exactly what you could have got for $100 year, that's wasting money.

And we're satisfied that Gandi know us now! Overall they've been really good - they just missed this one thing when they added 2FA. I bet they're not the only site.

With all due respect. I looked at the pricing of fastmail. So is it security the customer is paying for? Because for $10 and $20, you get a rather small max storage (250MB or 1GB). The only way to get a useful amount of data is to pay at least $40 a year. So basically most of the money goes to small data storage. What part of it goes to security and human time to handle security breaches?

> So is it security the customer is paying for? [...] The only way to get a useful amount of data is to pay at least $40 a year.

Security is one of my top concerns, which is why I don't need much storage at FastMail. My email is deleted from FastMail's servers in less than 180 days after receipt because the USG considers email over 180 days old to be abandoned and will access such email without a warrant.


The $10 level is very much "entry level". The $20 level is enough for a lot of people. It's surprising how many people still delete most of their email from the server.

You're also paying for multiple replica copies and backups and all that good stuff. By the time you add RAID, search, metadata, etc - there's pretty much a 10:1 ratio between quota usage figures and raw disk used.

Then there's development effort - we're not just installing a couple of packages and then sitting back and letting them run.

I've heard this claim made repeatedly on this site, but I've not heard any details as to what specifically MarkMonitor does to protect domains above and beyond other registrars. Anyone care to chime in?

I realize it's an appeal to authority, but if there is one company that would have a lot to lose if its domain was ever exploited, it's google.


I think Google actually stand to lose less than a smaller corporation. The registry will not assign Google to another company in any way that passes any eyeballs without seriously questioning it; if it did get re-assigned then they wouldn't have a problem recovering it. It's not likely to be gone for more than a few seconds before it's noticed and customers who were phished, or whatever, wouldn't be that likely to leave Google because of it.

That said I think appeal to authority is quite useful in this situation.

I would agree that any attempt to reassign google.com ought to raise someone's eyebrows.

But I would have said the same about mit.edu and they got reassigned about a year ago. Obviously not for long, but the damage someone well-prepared could do by owning google.com for just 30 minutes is scary.

There's no way anyone could own it for more than a couple of minutes before Google had contacted the managers of the root name servers and ICANN to revert. Like the sibling comment intimates handling the traffic would be nigh impossible - easier to control and perform a localised attack on a nameserver to "own" google.com for a limited subset of users.

The "well prepared" part makes me wonder. What kind of infrastructure would you need to handle google.com's traffic? I don't think any of the cloud providers can scale up to that kind of traffic out of the box, and it's not like someone can just build and staff a dozen data centers in preparation of this hijack attempt.

I have previously worked with MarkMonitor. One big factor is that at the time I had a single dedicated person who oversaw our domains. I knew him and his manager, and they knew me. Everything related to our domains went through them. It's not impossible to fool someone in that situation, of course, but it's a lot harder than fooling some random support person who knows nothing about the business or people involved. We talked on the phone regularly, and I have absolute certainty that if anything unusual came through, they wouldn't hesitate to call me and figure out if it was legitimate.

FWIW I think Apple previously used MarkMonitor. In fact that's currently mentioned on Wiki. However, now Apple.com is controlled by something named "Corporation Service Company".

I think the idea behind these services is, they're not just a registrar. Broadly speaking, their business is "know your customer". They're boutiques. They protect large companies against the vagaries of DNS hacks, expired domain registrations, typosquatting, etc.

E.g. a (long) while ago Microsoft failed to renew hotmail.co.uk, just like they previously forgot to renew passport.com. But today, Microsoft can't forget to renew microsoft.com, because that's now MarkMonitor's job. Similarly, renewing passport.com is now the job of (according to whois '=passport.com'):

   Corporation Service Company(c) (CSC) 
   The Trusted Partner
   of More than 50% of the 100 Best Global Brands.
The bad part is if CSC screws up, quite a few companies could be in a world of hurt.

Part of what they do is set up registry locks.

This is different than a registrar lock in that a registrar lock is managed by the registrar (GoDaddy, Tucows, etc) but a registry lock is managed by the registry themselves. It requires personal contact with specific individuals to enable and disable the lock, making attempts to steal domains more difficult (but not impossible since social engineering is still feasible).

I've never used MarkMonitor before, but I did handle the registration for a hugely popular domain at one time. They decided to move to MarkMonitor but in the meantime they requested a registry lock set up on their main domain. This turned out to be very good idea since the registrar at the time was social engineered into changing the credentials for the account (with forged letter head similar to the fastmail.fm attack). The attackers were able to change the nameservers for little used domains but their main domain could not be modified.

Wasn't Facebook's domain, or at least their whois record, hacked via MarkMonitor in February? At least that was the initial report; I'm not sure what happened and it's hard to find a credible source about it. Here's the best I found in a short search:


Of course if it was hacked it wasn't necessarily MarkMonitor's fault; it could be Facebook's (though good security would anticipate that some customers will have poor security).

(If that post looks familiar, yes I'm reposting from a few days ago when someone made a similar comment. I'm hoping someone knows more about it.)

What I wonder is where I can get a domain with less human reviews. This wouldn't have happened if the humans at Gandi ignored the email with the fake documents and had just relied on the automated authentication systems.

The problem with their system is that it has the right amount of human intervention to be fallible to social engineering.

You actually want both - you want all of the automatic safety checks to be first completed, and then, after all of them have been passed, you want an account manager to personally pick up the phone, and call their contact at the company making the change, and have a discussion as to what is trying to be done, and whether everything is kosher.

Sure, for a company, yeah. For my personal domains, I'd rather have cheap and human-free ;)

Actually gandi's fortune was created on human-free. But they had a founder clash on what do with the money, and wether to seek more, one left, and now it's a normal corporate company.

This article really should have been called "Security hole in Gandi's processes". Why would they change the account email address if you didn't reply to a single email within 24 hours? Who thought that was a good solution?

A possible reason was called out in the article:

"Gandi’s paper 'email reset' form makes a lot of sense in the world where most of their customers are individuals or small businesses with one or two domains, and using addresses that they may lose access to. With no other factors, if they lose access to the email address and forget their password, there needs to be a process to regain access."

If a customer loses access to the one e-mail registered with GANDI (a small business signs up with their Earthlink.net address, moves, and now only has a Comcast.com address), there needs to be a way that allows an e-mail change without requiring positive confirmation from the old address. Having GANDI change process to disallow this when an account is 2FA-enabled is, to me, a reasonable compromise.

Shouldn't they send out a paper letter to the owner of the domain then? That might be a better way to verify identity. Or use an actual "real world" identity check?

In Germany you can do that with the German mail system - the postman will then check your id and confirm you are who you claim to be. Certainly not foolproof, but just accepting incoming letters at face value seems crazy.

In Finland all changes to your .fi domain (renews, nameserver changes, etc.) are snail mailed to you. It was a confusing experience for me when I registered a .fi domain on Gandi, but still got all the mails sent to me. Also, I can't control my domain on Gandi, as the credentials were snail mailed to me by my country's authorities. The only place I can make changes to my domain is on Finnish authority's website - with the credentials which were snail mailed to me.

In here postmen only check your ID when receiving or retrieving packages, but I've understood that you can buy the same service for letters as well. Most online identity checks are made by logging in trough banks, which can verify your SSN and alike.

It's probably too expensive to use as a standard method, but I would be willing to deposit some money with Gandi just in case they need to ID check me.

The US has this as well -- registered mail, which provides a full chain of custody for the letter. It's also a serious crime to provide fraudulent identification.

A better compromise is a 30 day lock down by default, with weekly, for three weeks, and then daily messages notifying of the change.

The alternative would be to go to a fastmail selected notary, and present appropriate identification material to them, and then pay a small fee to have an expedited (3 day) recovery process.

Why not send a reset code to the registered address or phone number? Or they could pay some money into the registered bank account with a special code that would only be visible on a bank statement (like Paypal).

People move physically and change their phone numbers, too.

You don't have a bad idea, you just need to consider all the effects.

It is not like you have a perfectly verified identity in the first place. There are no photos or biometrics that could uniquely identify the person in the absence of the things like address or phone. Most websites do not verify identity but the provenance of the user (is it the same person?). Establishing actual identity is just more difficult and mostly unnecessary.

For my personal domain, yes, that's overkill.

For the places where it's really necessary, like fastmail, they should have physical photos of all the principals on hand.

It's expensive, but it's also an extremely precious resource they need to guard at all times.

Hence the "bolting a new security item onto an existing process" part. Without 2FA, the common case is that you've lost the password and access to the listed email address... so waiting any longer would just mean more time without access.

Yeah, that's not something that should count as two-factor authentication. It's just single factor authentication with a warning.

I wish there were a "pro registrar" who handled domains, ssl certs, etc for people who actually value their business. Right now, the best you can do is probably become an ICANN registrar yourself (since all the registrars seem to be assclowns from a security or support perspective, or both), and get an intermediate ca (if needed) or manage your certs through something like venafi. That is maybe a $100k setup, $50k/yr cost.

Someone less than that, or for that price but without having to devote staff, would make sense for some customers.

Sort of like MarkMonitor, I guess.

That email message from Gandi is _so_ confusing, at first I thought the story was going to be about how it was a phishing attempt!

> If you can read this message, then you can recover the password of your account, and thus modify the email address of the handle. In that case, we won't take care of your request.

Wait... what?

I've been a fan of easyDNS for their security features and how they go to bat for their customers when it comes to things like transfers / takedown notices.



And has Gandi changed their terms recently to remove the bullshit? https://news.ycombinator.com/item?id=4970947

Online games separate your public handle from your login username (typically your email address). If someone wants to take over LazerBob, they have to first guess his username.

It's nowhere near sufficient by itself, but it cuts down on the noise dramatically.

Many email addresses should be considered sensitive, in that you want any attempt to talk to them to get close personal attention from several senior people. "hostmaster@fastmail.fm" should be changed to "hostmaster-9508gdgs42x@fastmail.fm" simply to reduce the amount of noise going to it. Don't publish it in your whois or on your blog; tell it only to your domain manager.

You can't count on it staying secret forever, of course.

If you are opposed to this modification, thank you for letting us know only by replying to this email.

If you can read this message, then you can recover the password of your account, and thus modify the email address of the handle. In that case, we won't take care of your request.

I get that they are not native English speakers, but if I got an email like that I'd be VERY likely to conclude that it was phishing and ignore it. It just reads like so many of those broken-English "Kind Sir, your email quota has been exceeded, please to click here to revalidate your password account" mails I get every other day.

Hire an English speaking writer to draft your email notices.

I'm currently using https://iwantmyname.com for my active domains, but I would like to hear people's experiences with it.

The passport will be obviously forged. A hacker won't have even done a good job it doesn't matter because people don't check. This process was described in a candid interview with a hacker that tried to take over the interviewers website - in it he points out that social engineering is the easiest way around security. http://shoptalkshow.com/episodes/special-one-one-hacker/

Especially since this request was done by snail mail, so the passport was probably a black-and-white photocopy. All the attacker needs to alter is the name, which seems pretty trivial.

The article links to a Schneier article which suggests using random keyboard mashing as an answer to "Security" questions. This is all well and good until you need to use the Australian Government Centrelink application, in which not one, but FIVE "Security" questions are requested.

And then, without any warning, you're obliged to provide your password AND the answer to a random one of those questions when you log in.

Guess how long I was on hold for...

Multiple forms of authentication do not ensure security. They merely raise the bar for the effort it takes to break it.

Can anyone recommend a registrar who takes domain security seriously? (think, £ six digit value domain names)

I would suggest either MarkMonitor or Corporation Service Company. They're trusted by all the biggest corporations, and handle all their domain registrations themselves.

When you're at that level of risk you probably need to worry as much about the registry as the registrar. If a corrupt registrar can simply bypass your registrar and claim the domain for example.

That's why several TLDs have a "registry lock" as well as a "registrar lock". Basically you can't transfer your domain between registrars without first going above their head to the registry.

Yes, agreed. The domains in question are .com TLD

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact