GoDaddy account hacked and changed the credentials

rmungara said:

Thanks, I tried but no luck in finding the person

Click to expand...

Note: LinkedIn is no stranger to fake accounts.

linkedin .com/in/codymahaffey/

Godaddy Account manager
Sep 2018 – Present

Good luck!

NameDeck said:

Anyway, At some point a transaction number would be created though right? So if GD has a transaction Id, and the same Id is stated on my credit card transaction overview that would to some extend prove I'm the actual owner/account holder?

It's not 100% fool proof but in ideal circumstances it should give GD enough justification to reverse any changes made to the account and request further identification of the account holder.

Click to expand...

That's exactly my point, that any reasonable person would see the above scenario and would lock down both the account and domains, immediately.

Too bad it took GD several days and several CSR inquiries to reach that point.

I mentioned about the payment receipts but not received any response from GD, At least it seems that they have locked the account from further use until they complete their investigation.

DomainRecap you're still not answering the point to any of what you've posted...you're not going to be able to prove that your GD account is "yours" via any sort of AVS. And you're not involved whatsover with the merchant side of credit card processing, so, yes, I'll say it...you are not equipped to follow all of what is at issue. All that is going to "pass through" to the merchant is a couple of AVS codes verifying that whatever card was used matched the numerical digits in the address, and the zip code. That's it. The merchant isn't even privy to the entire credit card number just the last four.

That you posted the example of
Mickey Mouse
123 Cartoon Lane
Disneyland, The Universe
11111
thinking that this wouldn't pass AVS shows that you don't understand how AVS works. If the zip code were 11111 and the address had the numerical portion of 123 in it, provided the merchant's form accepted the above, the credit card processor would accept this as fine.

---

Anyway to be more productive and get this thread back on track, let's say that GoDaddy has a record of a credit card payment for a MasterCard ending in 5656 where the AVS system matched the address and the zip and where the street address supplied was 123 Elm Street and the zip code was 90012.

Now I'm supplying GoDaddy a scan of my credit card, and a copy of my credit card billing statement from the date that payment was made, stating that I was the one who made that payment therefore this must be my account.

Is that definitive? You tell me. How easy it is to create such docs, and how could a merchant know whether the images and docs supplied bear any relation to the actual card that was used and the actual billing statement that was issued?

Do you think the AVS system reveals to the merchant whether it was a Bank of America visa or a Wells Fargo? Does any of the AVS match reveal to the merchant what to look for to determine if the images sent are genuine? I know the answers but it seems that you don't if you think the answer to either of these is Yes.

Once the hacker gets into the GoDaddy account he has access to all this same info as the merchant, the last four of the card used, the address supplied, the name, everything, and could create these same docs just as easily as the legitimate user could supply the genuine docs. No, the docs the fraudster supplies would not be the same as the genuine but looking at the other end, from GoDaddy's end, there really isn't any way for me to verify what is real and what is counterfeit. If you're really in the business of credit card processing then you would know this. Docs like these are created every day for all sorts of nefarious purposes.

If I were GoDaddy I wouldn't accept "proof" that a payment made on the account was with "my" card as definitive, because without further verification that could not be done quickly or easily, such evidence would not be conclusive.

Change update is the right department to contact. If you have provided them with the information they ask for in the form they will contact you back usually within 1-2 business days.
It would be very hard for someone to social engineer the customer service representatives because they are not able to see almost anything on the account until you are able to validate into the account with your pin or your last 8 numbers of a credit card that was used. That is not easy to get. Until they have they info (assuming you do not have 2 factor enabled in which case you would also have to provide that code). They can see an account exists for a given domain name or a name someone provided them calling in, or account number, but they can only see whatever was already provided to them until the account is validated. We did that on purpose years ago to help combat this. It is really hard to social engineer someone who can't see anything about your account.
It is much more likely that if someone has access to your account they have access to your your personal information already such as email accounts, full credit card info, pin number, account password, etc. In which case it is difficult for us to know who is telling the truth. We are not a court but we will do what we can to help.
The change department is part of the legal department and they will look over the documents and evidence asked for and make a determination.

However, today I may login to my own account and see past payments and the limited credit card payment details I mentioned above. Why wouldn’t I be able to see all that? it’s my account. Now, If someone hacks my account until such time as I alert GoDaddy to an issue why would the successful hacker see anything different within the account from what I would see?

What you posted above refers to security measures that would be in place once an issue is detected or reported not before.

I don't know of anywhere inside the account you can see the last 8 digits of a credit card that was used. It doesn't really matter anyway. If someone is logged into your account already they really don't need to contact customer service with the last 8 digits of your credit card to get help from us. They already have access to all your stuff at that point.

Yes exactly. Once someone unauthorized is in it’s unfortunately hard for the legitimate account owner to come up with something better than what the fraudster might be able to come up with is what we’ve been discussing above.

So, just to be clear in a situation like this there's nothing GD can do? I'd reckon you keep some logs of account changes so if I go through ID verification that matches whois of my domains and previous account details before I got hacked it wouldn't be enough to regain access?

What about ip logs? GD could look up login sessions and look for red flags.

There's always a trail unless you're using a highly flawed security protocol.

We didn't say there is nothing GoDaddy may do, most of what we've been discussing is just that thinking that "well I paid with a credit card at some point in the past on my account, and here it is" is enough - is not the case - this is not definitive proof under these circumstances.