In another move related to the social engineering that took place at Go Daddy and allegedly at PayPal (PayPal stands by its position that it did not give the hijacker anything and that the attempt failed), Go Daddy is now changing its security practices.
In a tweet on Saturday there was an exchange between the former owner of @N and Go Daddy. He is also a former Go Daddy client, as he tweeted yesterday that he has moved his names to Namecheap.
@N_is_stolen Will do. We now require 8 card digits, lock after 3 attempts and deal with 2-factor authentication accounts differently. ^NF
— GoDaddy (@GoDaddy) February 1, 2014
TechCrunch covered the story:
We spoke to @N, known to most as Naoki Hiroshima, after the fact and he detailed a few things that GoDaddy should do to tighten its security, methods that might have helped protect his account:
“[Two factor authentication] can’t prevent this from happening again,” says Hiroshima. “GoDaddy allowed the guy to reset everything over the phone. As long as a company only uses the last 4 digits of a [credit card] to verify [identity], this will keep happening. They should ask multiple questions.”
GoDaddy has made steps that mirror what Hiroshima felt was needed. In a tweet today, the company said the following:
@N_is_stolen Will do. We now require 8 card digits, lock after 3 attempts and deal with 2-factor authentication accounts differently. ^NF
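As an added illustration (not GoDaddy's code; the card number, policy values and function names are constructed for this post), here is a simulated support-desk identity check that contrasts the last-4-digits, no-lockout verification Hiroshima describes with the policy in the tweet: 8 card digits, lock after 3 failures, and 2FA-enrolled accounts kept off the phone-reset path entirely.

```python
"""Simulated phone password-reset identity check (constructed example)."""
import hmac
from dataclasses import dataclass


@dataclass
class Policy:
    required_digits: int        # trailing card digits the caller must supply
    max_attempts: int           # failed checks before the phone-reset path locks
    phone_reset_for_2fa: bool   # may a 2FA-enrolled account be reset by phone?


# The weak policy the post describes versus the one GoDaddy tweeted.
WEAK_POLICY = Policy(required_digits=4, max_attempts=10**9, phone_reset_for_2fa=True)
TWEETED_POLICY = Policy(required_digits=8, max_attempts=3, phone_reset_for_2fa=False)


@dataclass
class Account:
    card_number: str    # full card number on file; constructed sample value
    two_factor: bool
    failed_attempts: int = 0
    locked: bool = False


def verify_phone_reset(policy, acct, offered_digits):
    """One caller attempt; returns 'ok', 'denied', 'locked' or 'use_2fa_path'."""
    if acct.locked:
        return "locked"
    if acct.two_factor and not policy.phone_reset_for_2fa:
        return "use_2fa_path"   # send the caller to their second factor instead
    expected = acct.card_number[-policy.required_digits:]
    # Constant-time comparison so response timing does not leak partial matches.
    if hmac.compare_digest(expected, offered_digits):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.max_attempts:
        acct.locked = True      # further phone attempts are refused outright
        return "locked"
    return "denied"


def run_calls(policy, acct, guesses):
    """Feed a series of caller guesses through the check; stop at ok/lock/reroute."""
    outcomes = []
    for guess in guesses:
        result = verify_phone_reset(policy, acct, guess)
        outcomes.append(result)
        if result in ("ok", "locked", "use_2fa_path"):
            break
    return outcomes
```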
Password reset should be done only at the website. NOT via phone. Temporary password should be sent only to the domain holder’s email address upon request. Credit card numbers are widely exposed anywhere for shopping, etc. How can it be a means of identification for security check?
I could have sworn godaddy required you to give name, address, pin #, etc. over the phone for verification. I agree, last 4 is not a good means for security check. This whole thing reminds me of the commercial where the lady can’t remember her pet’s name and the guy tells her “account frozen” lol.
As far as PayPal goes; something doesn’t seem right. I’m not holding my breath for answers either. I’ve canceled my PayPal account and told them why. Whether PayPal was at fault or not, I don’t like the way they’ve responded to this incident, plain and simple.
@Domain Observer – given that Go Daddy offers phone support, that gives some customers (especially the average non-techie user) a convenient way to regain access to their accounts. Like any online service provider, Go Daddy somehow needs to balance convenience and security — especially based on their customer feedback.
Only time will tell how those changes Go Daddy tweeted will work out for them and their user base.
Davez, I agree. Thing is, most banks offer phone support/service too (as well as online banking) and I have to answer about a zillion questions before the banker even talks about my account (at my local credit union). Should be no different for the company that houses your valuable domain names.