OT, but why is that providers like Namecheap implement 2FA but not organizational team support?
If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.
I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.
Without a clean separation, you turn employees into single points of failure. Shared account credentials is a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.
Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.
You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.
Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?
I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?
Also, is there a plan to upgrade the internal tools that don't much the newer public design? It's pretty jarring.
At least with gandi, you can keep the barcode of the 2FA seed around (or the text seed) and set up new devices with it. We use Gandi and everyone with access uses Google Authenticator with the same 2FA seed.
I use Gandi as well and I've noticed that you can have 4 separate accounts with access to yours, the different domain contacts each can be separate accounts.
My phone often has no service, which would make 2FA with you a roadblock. Please consider using Google Authenticator for generating the code, instead of sending a text or voice call.
I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).
For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.
This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.
I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.
We're rolling out Google Authenticator support sometime in the fall. I know SMS can be a pain sometime but we definitely recommend having it enabled, regardless.
If you simply sent the SMS as soon as someone enters their login credentials instead of requiring another button to be pressed, it would make your system a bit less annoying.
Unfortunately, your 2FA is unusable for me. I have pretty bad cell phone reception in my home and cannot receive the SMS messages.
Also, it's unusable for anyone that travels outside their home country and cannot receive SMS messages.
We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere and when my Namecheap domains come up for renewal I'm jus transferring out.
I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?
Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?
Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!
Hi, did you turn on (or can you) selective forensic logging from the ip-adresses you believe are attacking, logging username/password pairs? AFAIK the list in question isn't public, it would be nice to see if there was a pattern (to uids and/or uid:password pairs) -- that might be turned into an IDS rule? (failed login for user: alfa, followed by user beta, followed by... -> block/flag originating ip etc)
two factor authentication via SMS is the biggest waste of time. It's not true two factor authentication as you need to depend on the network and protocol between namecheap and my phone. Not to mention the code is probably not originating from a namecheap server but from a third party service.
TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.
I don't think you understood my comment. SMS is not something "you have". You have your phone, the SMS is sent (presumably from namecheap, or from a third party service) through the network and arrives at your phone.
This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.
If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.
Therefore, SMS "two factor" is not only costly and annoying, but ineffective.
As to why it may be on-topic here: the activity reported by NameCheap in the OP lines up pretty well with the reports of a large collection of compromised accounts in the hands of a criminal group.
Teddy, I'm a Namecheap user (over 30 domains and a bunch of SSLs) and what really concerns me is that I find out about this security issue via hacker news, instead of being sent an email. This is not how you communicate with customers when these types of security issues arise.
Agreed -- it would be a great service to customers without 2FA enabled to inform them all directly that this is in-progress, not just the ones whose accounts have already been successfully accessed.
I know you wouldn't want to provoke panicked overreactions, or risk customers thinking that this indicates a flaw in NameCheap's security, but direct contact is essential for this kind of ongoing attack.
> continue to update our customers through our blog and social media
I'm not sure what percentage of your customers this will actually reach, but surely not a majority (certainly not me, anyway).
We take these issues very seriously and always try to get the word out about as quickly as possible. We emailed everyone that was affected this morning and continue to update our customers through our blog and social media.
Which is not something people should expect an email about.
At last count, I have several hundred logins with various online services. I do not want a note every time one of them is subject to a dictionary attack, no matter the scale.
As always, we advise turning on 2-factor authentication on your account.