
Hey all, Teddy from Namecheap here. Happy to answer any questions here or at ted@namecheap.com.

As always, we advise turning on 2-factor authentication on your account.

OT, but why is it that providers like Namecheap implement 2FA but not organizational team support?

If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.

I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.

Without a clean separation, you turn employees into single points of failure. Shared account credentials are a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.

Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.

We actually have a little-known feature, which allows you to grant domain modification rights to other Namecheap users. https://www.namecheap.com/support/knowledgebase/article.aspx...

You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.

(Namecheap user here. Just set up 2FA.)

Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?

I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?

Also, is there a plan to upgrade the internal tools that don't match the newer public design? It's pretty jarring.

The new account panel / internal tools are in development and will roll out soon.

With the existing 2FA, you can set a primary or disable a number without deleting it. This could work for what you're describing.

Timo from iwantmyname here.

It's certainly something we are aware of and multiple logins are planned.

We are using Authy as two-factor authentication service provider and they allow you to use multiple devices: http://blog.authy.com/multi-device

At least with gandi, you can keep the barcode of the 2FA seed around (or the text seed) and set up new devices with it. We use Gandi and everyone with access uses Google Authenticator with the same 2FA seed.

I use Gandi as well and I've noticed that you can have 4 separate accounts with access to yours, the different domain contacts each can be separate accounts.

To save time for those hunting for this on Namecheap:

1. Log in

2. Click "Menu" (in the top right portion of the page)

3. Expand the "My Account" submenu (if it didn't already automatically expand when the menu appeared)

4. Click "Manage Profile" (5th from the bottom of the "My Account" submenu)

5. On the next page that appears, look for "Two Factor Authentication" on the left side under "Personal Settings"

Thanks! Also, a direct link if you're already logged in: https://www.namecheap.com/myaccount/TwoFA/TwoFAProfileManage...

My phone often has no service, which would make 2FA with you a roadblock. Please consider using Google Authenticator for generating the code, instead of sending a text or voice call.

Excellent, thanks!

I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).

For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.

This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.

I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.

We're rolling out Google Authenticator support sometime in the fall. I know SMS can be a pain sometimes, but we definitely recommend having it enabled, regardless.

If you simply sent the SMS as soon as someone enters their login credentials instead of requiring another button to be pressed, it would make your system a bit less annoying.

That's good feedback. We have the extra step there now because some people actually prefer getting a call rather than SMS to retrieve their code.

One of those people here - much prefer calls over SMSs as they're more real-time. SMS can be delayed anywhere from instant to infinity.

This is fantastic news. It's a feature I've been missing since you introduced 2FA (which was also a great move).

Unfortunately, your 2FA is unusable for me. I have pretty bad cell phone reception in my home and cannot receive the SMS messages. Also, it's unusable for anyone that travels outside their home country and cannot receive SMS messages.

We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere, and when my Namecheap domains come up for renewal I'm just transferring out.

Hi Teddy!

I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?

Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?

Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!

Hi, did you turn on (or can you) selective forensic logging from the IP addresses you believe are attacking, logging username/password pairs? AFAIK the list in question isn't public; it would be nice to see if there was a pattern (to uids and/or uid:password pairs) -- that might be turned into an IDS rule? (failed login for user: alfa, followed by user beta, followed by... -> block/flag originating IP etc.)
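The pattern sketched above (one source IP failing logins for one username after another, then possibly succeeding) written out as a detection rule over sample authentication logs. This is an added example, not Namecheap's code; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (assumed format, not Namecheap's): timestamp, event, source IP, username.
# 203.0.113.7 cycles through many usernames quickly, then logs in as "zeta";
# 198.51.100.3 is one user mistyping a password; 192.0.2.9 fails two users minutes apart.
SAMPLE_LOG = """\
2014-09-01T10:00:01Z auth_fail ip=203.0.113.7 user=alfa
2014-09-01T10:00:02Z auth_fail ip=203.0.113.7 user=beta
2014-09-01T10:00:02Z auth_fail ip=203.0.113.7 user=gamma
2014-09-01T10:00:03Z auth_fail ip=203.0.113.7 user=delta
2014-09-01T10:00:04Z auth_fail ip=203.0.113.7 user=epsilon
2014-09-01T10:00:05Z auth_ok   ip=203.0.113.7 user=zeta
2014-09-01T10:00:10Z auth_fail ip=198.51.100.3 user=carol
2014-09-01T10:00:20Z auth_fail ip=198.51.100.3 user=carol
2014-09-01T10:00:40Z auth_ok   ip=198.51.100.3 user=carol
2014-09-01T10:05:00Z auth_fail ip=192.0.2.9 user=dave
2014-09-01T10:09:00Z auth_fail ip=192.0.2.9 user=erin
"""

LINE_RE = re.compile(r"^(\S+)\s+(auth_fail|auth_ok)\s+ip=(\S+)\s+user=(\S+)$")

def parse(line):
    """Return (timestamp, event, ip, user) or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)

def detect_stuffing(log_text, window_s=60, min_distinct_users=5):
    """Flag IPs that fail logins for >= min_distinct_users distinct usernames inside window_s seconds.
    Also report accounts that then logged in successfully from a flagged IP (likely compromised)."""
    recent = defaultdict(deque)   # ip -> failures (ts, user) still inside the sliding window
    flagged = {}                  # ip -> (time flagged, sorted usernames tried at that point)
    compromised = []              # (ip, user) for successful logins from an already-flagged IP
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, ip, user = rec
        if event == "auth_ok":
            if ip in flagged:
                compromised.append((ip, user))
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_distinct_users and ip not in flagged:
            flagged[ip] = (ts.isoformat(), sorted(distinct))
    return flagged, compromised
```

A single user retrying a password or a couple of unrelated failures spread over minutes stays below the threshold, which is the property that keeps the rule from blocking legitimate customers with poor memories.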

Two-factor authentication via SMS is the biggest waste of time. It's not true two-factor authentication, as you need to depend on the network and protocol between Namecheap and my phone. Not to mention the code is probably not originating from a Namecheap server but from a third-party service.

TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.

Aside from being expensive and of questionable reliability, there are a few other major issues SMS just doesn't address:

1) Blocking phishing: where are you typing that code into? The real site? Are you sure...... Zeus-in-the-mobile coming at you.

2) and once you are into the actual site and you want to do something of value, man-in-the-browser becomes an issue

>>>> this sums it up http://blogs.computerworld.com/data-security/24250/financial...

Oh yes, and the 34 banks that have been spear-phished and SMS-compromised know about it too.......

> It's not true two factor authentication as you need to depend on the network and protocol between namecheap and my phone.

That's rubbish. 2FA means 'something you know and something that you have'.

What you know is your account credentials, what you have is your phone.

I don't think you understood my comment. SMS is not something "you have". You have your phone, the SMS is sent (presumably from namecheap, or from a third party service) through the network and arrives at your phone.

This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.

If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.

Therefore, SMS "two factor" is not only costly and annoying, but ineffective.

Can I get my upvote back?

> This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.

And they don't have your account credentials; that's the other half of the two-factor approach.

Why did you have to bring up the specific "CyberVor" incident that has been called out as bullshit by several people in the security industry?

While cheerfully acknowledging there is controversy, I dispute your immediate dismissal of these reports. For other readers, then:



As to why it may be on-topic here: the activity reported by NameCheap in the OP lines up pretty well with the reports of a large collection of compromised accounts in the hands of a criminal group.

The activity reported by namecheap hardly lines up with these reports, mass amounts of user/password combinations leaking is hardly anything unique.

Teddy, I'm a Namecheap user (over 30 domains and a bunch of SSLs) and what really concerns me is that I find out about this security issue via hacker news, instead of being sent an email. This is not how you communicate with customers when these types of security issues arise.

Agreed -- it would be a great service to customers without 2FA enabled to inform them all directly that this is in-progress, not just the ones whose accounts have already been successfully accessed.

I know you wouldn't want to provoke panicked overreactions, or risk customers thinking that this indicates a flaw in NameCheap's security, but direct contact is essential for this kind of ongoing attack.

> continue to update our customers through our blog and social media

I'm not sure what percentage of your customers this will actually reach, but surely not a majority (certainly not me, anyway).

We take these issues very seriously and always try to get the word out as quickly as possible. We emailed everyone that was affected this morning and continue to update our customers through our blog and social media.

You should have no such expectation. This isn't a namecheap-specific security issue - they are reporting their perspective of a global security issue.

They are reporting a specific attack on Namecheap accounts based upon a previous attack.

Which is not something people should expect an email about.

At last count, I have several hundred logins with various online services. I do not want a note every time one of them is subject to a dictionary attack, no matter the scale.
