Jump below for links to domain providers who offer two factor authentication.
Naoki Hiroshima's "How I lost my $50,000 Twitter username" is a fascinating, terrifying description of how Hiroshima had his Twitter handle,
@n (now @n_is_stolen), stolen by an attacker. The mundane, articulate emails from the attacker are particularly chilling to me.
The attacker also uses a method that, though very simple, I haven't heard of before. The attacker compromised Hiroshima's GoDaddy account and got control of his domain name, and then used this to take control of Hiroshima's email address that used it. The attacker didn't need to compromise Hiroshima's email service provider (Google Apps) -- just his email address' domain provider (GoDaddy).
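The registrar-to-mailbox chain described above is also what a domain owner can watch for: the following is an added example, not code from the original post, that compares a domain's NS and MX records against a known-good baseline and flags the kind of change that silently reroutes mail. All hostnames are constructed sample data (the Google MX hosts are real names used only as a plausible Google Apps baseline), and the snapshots are built inline rather than fetched from DNS.

```python
"""Flag registrar-level (NS) and zone-level (MX) changes that would let
someone else receive mail for a domain they do not own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSnapshot:
    ns: frozenset  # delegated nameservers, controlled at the registrar
    mx: frozenset  # mail exchanger hosts, controlled in the zone


def normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot;
    # fold both so cosmetic differences never trigger an alert.
    return name.strip().lower().rstrip(".")


def snapshot(ns_records, mx_records) -> ZoneSnapshot:
    """MX records arrive as (priority, host) pairs; only the host decides
    where mail lands, so priority reshuffles are ignored on purpose."""
    return ZoneSnapshot(
        ns=frozenset(normalize(n) for n in ns_records),
        mx=frozenset(normalize(host) for _, host in mx_records),
    )


def detect_takeover(baseline: ZoneSnapshot, observed: ZoneSnapshot) -> list[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if observed.ns != baseline.ns:
        findings.append(
            f"NS delegation changed {sorted(baseline.ns)} -> {sorted(observed.ns)}"
            " (registrar-level change: check the registrar account first)"
        )
    unexpected_mx = observed.mx - baseline.mx
    if unexpected_mx:
        findings.append(f"mail now routed to unexpected MX host(s): {sorted(unexpected_mx)}")
    return findings


def demo() -> list[str]:
    # Constructed baseline: registrar's nameservers, Google Apps mail hosts.
    baseline = snapshot(["ns1.registrar.example", "ns2.registrar.example"],
                        [(1, "aspmx.l.google.com"), (5, "alt1.aspmx.l.google.com")])
    # Constructed observation after a registrar-account compromise: the
    # delegation moved and mail is pointed at a host the owner never set up.
    observed = snapshot(["ns1.hijacked-dns.example", "ns2.hijacked-dns.example"],
                        [(1, "mx.unknown-host.example")])
    return detect_takeover(baseline, observed)


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```

Run it on a schedule against live lookups and a stored baseline; an NS finding points at the registrar account, an MX-only finding at whoever can edit the zone.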
Hiroshima describes in great detail the spiral of terrible corporate security, social engineering, and customer service that allowed the attack to succeed from that point onwards. His account reveals many different problems -- including some services using credit card numbers to verify identity -- and it's put a number of companies' security policies into the spotlight.
Gmail Addresses Aren't the Answer
Unfortunately, Hiroshima then comes to a mistaken conclusion. In a section titled "Avoid Custom Domains for Your Login Email Address", Hiroshima cautions against registering for services with emails using your own domain:
I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.
The only reason that a @gmail.com address would have been more secure for Hiroshima is that he would have Google's two factor authentication (2FA) enabled. 2FA requires an attacker to not only know your password, but also have access to something you own (typically your phone). Hiroshima does acknowledge 2FA's importance:
Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.
Of course, 2FA can help you protect your domain -- but only if your domain provider offers it, and you use it. That's the real lesson here.
Using your own domain for email is a hugely important way to take control of your identity online. This is a good reminder that when you do that, you need to choose a domain provider whose security you trust.
In fact, it looks like GoDaddy actually does provide 2FA (not that I would ever recommend using GoDaddy). Even if Hiroshima didn't turn it on, I don't blame him! My domain provider, iwantmyname, also provides 2FA, but I hadn't thought of enabling it until reading Hiroshima's account. I witnessed a number of friends make the same decision.
While I'm sorry that this event happened to him, I'm extremely glad he wrote it up like this. Our domain providers have the responsibility to provide at least the same level of security we get from our social networks, and we're responsible for taking advantage of that security when it exists.
Providers who offer 2FA
Here's how to set up two factor authentication on your domain's registrar or DNS provider.
- iwantmyname (recommended!)
- DNS Made Easy
- GoDaddy (but still, don't use GoDaddy)
Providers who DON'T offer 2FA
And here are some domain providers who need some shaming.
- Bluehost - demand it from @bluehostsupport
- 1and1 - demand it from @1and1_4U
- Network Solutions - they say it's supported but you have to call to activate it, and it's not publicly documented. Nowhere near easy or good enough.
- Namesco - demand it from @Namesco
- Domainmonster.com - demand it from @domainmonster, because they have a broken idea of two-factor
- No-IP - Can't find it mentioned anywhere, demand it from @NoIPcom
- DynDNS - demand it from @Dyn as a standard feature, they apparently only offer 2FA to premium accounts
Providers working on 2FA now
- Rackspace - they've updated their support thread to say it's coming this summer, and to offer early access
Tweet at @konklone with any providers I'm missing, and I'll add them to the list.
Update: Mentioned the social engineering aspect to the attack, which 2FA wouldn't have prevented.
Image credit: http://halfelf.org/2013/two-factor-authentication/