GoDaddy’s security sucks. We all know this. I have had domains stolen from me in the past, as have numerous other developers, and just yesterday a big story came out about how someone socially engineered GoDaddy & PayPal to steal Naoki Hiroshima’s domains and gain access to the victim’s email accounts, and from there all of his accounts on the internet. The hacker was able to do this by working with GoDaddy support to manipulate the victim’s DNS for his purchased domains, forward all emails to himself, and use the password reset emails to change the account details over to himself. Eventually the hacker was able to gain access to the victim’s Facebook & Twitter and have complete control of the victim’s internet life.
In this day and age, security becomes very interesting when the government regulates (for good reason) what information of ours needs to be encrypted. Let’s look at this as a common software problem:
“A user needs to be able to reset their password in some easy and safe way.”
How do we do this? What should be required for the user to reset their password? For most websites a simple “forgot your password” email should work.
However, Gmail, Outlook, GoDaddy, etc. control your emails, so if you are locked out of your email how do you reset your password?
Gmail protects your account by asking you to use a recovery email, but if you don’t have that you can fill out a questionnaire that asks for possible recovery emails, a secret question, contacts you email frequently, and the date you created the account. This becomes useless, though, if your recovery email gets hacked.
GoDaddy, however, is interesting, because they allow you to speak to a real person to gain access to your account. They generally ask for proof of ID, which is easily faked, along with the last 4 digits of your credit card, which is “almost” public information. You see, the last 4 digits of your credit card aren’t secure in any way. Anyone that stores credit cards stores the last 4 digits of your card, because that is what they use to show you which credit card you’ve been using, etc. So now we just have to find anyone who will give us those 4 digits, and anyone will. Why? They aren’t private – no entity treats those last 4 digits as something that can authorize anything. It’s not PayPal’s job to protect you from someone changing your GoDaddy password; it’s PayPal’s responsibility to protect you from someone stealing your entire credit card number, and they do a great job at that.
GoDaddy should know that, while using ID verification and the last 4 digits of a credit card as a verification technique, fraudulent changes to a customer’s account can still happen. So how should GoDaddy protect your account?
It’s simple – GoDaddy should REQUIRE their customers to have an account recovery email through a LARGE email service. If GoDaddy implemented this it would slow down their account recovery system, but it would close a huge hole GoDaddy has left WIDE open with their current system. If the user really complains, then they need to verify private information: match the full credit card number, match the user’s social security number, and answer SECRET QUESTIONS (they aren’t secure, but it’s something). Keeping account recovery as easy as a fake ID and the last 4 of the user’s social isn’t enough.
When you’re developing your password reset system, make sure you build your account recovery system to be easy for the user, but keep it safe! People will try to hack into other people’s accounts and your system needs to prevent that.
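As an added example, not code from the original post, here is a minimal password reset flow in Python that follows the advice above: the “forgot your password” link goes only to a recovery address that was verified when it was stored, and a support agent has no API to redirect it based on last-4 data. Reset tokens are random, stored only as a hash, expire, and are single use. The `Account` class, the `ALLOWED_RECOVERY_DOMAINS` list and the 15-minute lifetime are assumptions made for the example; the domain list stands in for the “large email service” requirement the post proposes.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60            # assumption: reset links live 15 minutes
PBKDF2_ROUNDS = 100_000
# Assumption for the example: recovery mail must go to a large provider.
ALLOWED_RECOVERY_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Account:
    username: str
    password_hash: str
    recovery_email: str
    # sha256(token) -> expiry time. Only the hash is kept, so a leaked
    # database does not hand out usable reset links.
    pending_resets: Dict[str, float] = field(default_factory=dict)


def recovery_email_allowed(address: str) -> bool:
    """Enforce the post's rule: recovery address must be at a large provider."""
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return domain in ALLOWED_RECOVERY_DOMAINS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(account: Account, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a single-use reset token; returns (destination, token).

    The destination is always the stored, verified recovery address. There is
    deliberately no parameter to send the link anywhere else, so a phone call
    armed with a fake ID and four card digits cannot redirect it.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                  # 256 bits, unguessable
    account.pending_resets[_token_hash(token)] = now + TOKEN_TTL_SECONDS
    return account.recovery_email, token


def complete_reset(account: Account, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Set a new password if the token is known, unexpired and unused."""
    now = time.time() if now is None else now
    expiry = account.pending_resets.get(_token_hash(token))
    if expiry is None or now > expiry:
        return False
    # One successful reset invalidates every other outstanding link.
    account.pending_resets.clear()
    account.password_hash = hash_password(new_password)
    return True


def change_recovery_email(account: Account, current_password: str,
                          new_address: str) -> bool:
    """Changing where reset mail goes requires the current password, not
    support-desk trivia, and the new address must pass the provider rule."""
    if not verify_password(current_password, account.password_hash):
        return False
    if not recovery_email_allowed(new_address):
        return False
    account.recovery_email = new_address
    return True


if __name__ == "__main__":
    acct = Account("alice", hash_password("old-pw"), "alice@gmail.com")
    dest, tok = request_reset(acct)
    print("would email", dest)        # real code sends the link here
    print("reset ok:", complete_reset(acct, tok, "new-pw"))
    print("reuse ok:", complete_reset(acct, tok, "again"))
```

In production the `pending_resets` map lives in the database, the token is sent only in the email body (never echoed back in a response), and every successful reset should also notify the old recovery address so the real owner learns about a hijack attempt quickly.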