
Access to a GoDaddy account was obtained using Photoshop
An article was recently published describing how the multi-step account recovery process of GoDaddy, the largest domain registrar, was bypassed with nothing more than a phone call and Photoshop.
The author of the article, Steve Reagan, ran an experiment: he asked his friend, security specialist Vinnie Troy, director of Night Lion Security, to hijack his account. The takeover succeeded, and all it took was one call to technical support and several hours of work in Photoshop.
The recovery procedure turned out to be easy. The conversation with the support operator began with confirmation of personal details that are freely available through Whois. When the operator asked for the email address the domain was registered under, which Troy did not know, he played the role of a frustrated employee who had not been given full information and complained about complicated rules inside his organisation. The noise of his daughter playing in the background during the call also helped set the scene and win the operator's sympathy.
People are the weakest link in any security system, and that includes technical support operators. Their job is to help customers and resolve their problems. Voicing suspicion and accusing a caller is not part of their role, and in most organisations an operator simply has no authority to refuse a customer on the basis of suspicion alone.
This feature of support work is routinely exploited by scammers.
Next, the operator asked Troy for the account PIN and the last digits of the credit card used to buy the domain. He replied that he knew neither, because his assistant had registered the domain for him. "I apologise that I can't give you the information you need, and that my daughter keeps making noise," he said.
She then directed Troy to a page through which a domain owner can regain control of a domain by submitting a photo of an identity document.
It took the attacker about four hours to forge a driver's licence in the name of Steve Reagan. He also created a Gmail address and a Google+ account in that name, so that a search would show Troy online as Steve Reagan.
The operators accepted the submission. Nobody compared the photo on the Photoshopped "licence" with a real photo of Reagan, and no other verification of the applicant's identity was performed.
The operator's last question concerned the legal entity the domains were registered to. Troy again answered honestly that he had no information about it, and the operator accommodated him herself, saying this was common and that many people register domains to non-existent companies.
After that, the account was re-registered to Troy's email address and he had full access to it. The operation was complete.
Notably, Steve Reagan did not receive a notification about the change of account details immediately, but only several days later. Had the attack been real, recovering the domains would most likely have been impossible: by then they would already have been sold or transferred to another registrar.
Recovering access by submitting a photo of a document is unreliable, and many registrars do not offer it precisely because anyone can fabricate anything in Photoshop. Yet GoDaddy, the largest registrar in the world, does. The feature was introduced so that users could recover domains registered many years ago, since people often no longer remember old credit card numbers and other details.
The risk of GoDaddy accounts being hijacked through this process is very high, and the registrar should change the procedure. It is telling that Network Solutions, for example, also restores domain ownership on the basis of personal documents, but requires them to be sent by fax rather than uploaded from a computer.
Steve Reagan said the article was written to expose a problem that could lead to the theft of many domains. To protect domains, he recommends using all the additional security services a registrar offers and finding out in advance what can be done if a domain is stolen.
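Because the registrar's own notification arrived days late, a domain owner cannot rely on it to learn about a takeover in time. The following script, added here as an illustration and not part of the original article or of any GoDaddy tooling, shows a practitioner's own check: it compares a domain's current RDAP record (RFC 9083 JSON, as returned by a registry or registrar RDAP server) against a stored baseline and flags removed registrar locks, a change of registrar or a change of nameservers. The two RDAP records below are constructed sample data; the registrar handles, nameserver names and the `fetch`-free design (the record is passed in as a dict) are assumptions for the example.

```python
import json

# EPP statuses in their RDAP spelling (RFC 8056). A registrar sets these to
# block transfers, nameserver/contact edits and deletion; an account takeover
# that re-registers the domain typically drops them.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}


def _registrar(record):
    """Return the registrar entity's handle (IANA ID) from an RDAP domain object."""
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            return ent.get("handle", "")
    return ""


def _nameservers(record):
    return sorted(ns.get("ldhName", "").lower() for ns in record.get("nameservers", []))


def _statuses(record):
    return sorted(s.lower() for s in record.get("status", []))


def snapshot(record):
    """Reduce an RDAP domain object to the fields worth baselining."""
    return {
        "registrar": _registrar(record),
        "nameservers": _nameservers(record),
        "status": _statuses(record),
    }


def audit_domain(record, baseline=None):
    """Return a list of (code, detail) findings for the current RDAP record.

    `baseline` is a snapshot() taken when the domain was known to be in a good
    state; pass None to only check that the locks are present.
    """
    findings = []
    current = snapshot(record)

    missing = REQUIRED_LOCKS - set(current["status"])
    if missing:
        findings.append(("missing_lock", ", ".join(sorted(missing))))

    if baseline is not None:
        if current["registrar"] != baseline["registrar"]:
            findings.append(("registrar_changed",
                             f"{baseline['registrar']} -> {current['registrar']}"))
        if current["nameservers"] != baseline["nameservers"]:
            findings.append(("nameservers_changed",
                             f"{baseline['nameservers']} -> {current['nameservers']}"))
        removed = set(baseline["status"]) - set(current["status"])
        if removed:
            findings.append(("lock_removed", ", ".join(sorted(removed))))
    return findings


# Constructed sample RDAP records (not real registry data).
BASELINE_RECORD = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client delete prohibited", "client transfer prohibited",
               "client update prohibited"],
    "entities": [{"objectClassName": "entity", "handle": "1234", "roles": ["registrar"]}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
                    {"objectClassName": "nameserver", "ldhName": "ns2.example.net"}],
}

# The same domain after a takeover: locks dropped, moved to another registrar,
# nameservers pointed at infrastructure the owner does not control.
HIJACKED_RECORD = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["active"],
    "entities": [{"objectClassName": "entity", "handle": "9999", "roles": ["registrar"]}],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.attacker.example"}],
}


if __name__ == "__main__":
    # In practice the baseline would be saved to disk after the first good run
    # and the current record fetched from the RDAP server on a schedule.
    baseline = snapshot(BASELINE_RECORD)
    print("baseline:", json.dumps(baseline))
    for code, detail in audit_domain(HIJACKED_RECORD, baseline):
        print(f"ALERT {code}: {detail}")
```

Run it on a schedule against the live RDAP record and alert on any finding; the lock check alone is worth keeping even without a baseline, since the first thing a hijacker needs in order to sell or move a domain is for the transfer lock to be gone.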