
URGENT! eNom security question


armstrong

I have a reseller account, and can create sub-accounts. I notice that I can also enter and manage any sub-account, even if the sub-account password has been changed. This is a serious security breach, as a dishonest reseller can enter his sub-accounts and basically do anything once inside.

I haven't actually tried doing any funny business in my sub-accounts, so I could be wrong in my assessment. Can anyone confirm this?

Regards,

Apollo
 
•••
The purpose is to be able to update pricing or to assist in DNS management for your clients, if necessary.

Any parent account holder should be ethical to their child accounts.

It is good business to do so!
 
•••
Is this standard for other registrars? Can you also enter and do anything in the sub-accounts you create?

Something like this should be properly emphasized and explained by eNom. If at all, the parent account should only have 'read' access to sub-accounts; they should not be able to push, pull, or unlock domains at will. The need to handhold clients should be secondary to security. After all, handholding is only needed for the first few domains you register, while security (and peace of mind) is always needed.
 
•••
Yes, you may modify some tech info on your resellers' accounts; however, you can't push any of their domains away, thus it still keeps their domains safe basically.
 
•••
Originally posted by yesonline
Yes, you may modify some tech info on your resellers' accounts; however, you can't push any of their domains away, thus it still keeps their domains safe basically.

I just tested this, using the following steps:

1. logged in to reseller account A
2. created a new retail account B
3. pushed my domain to B
4. logged out
5. logged in to B
6. changed password for B
7. logged out
8. logged in to A
9. entered B via auto-login
10. pushed my domain back to A

So you can in fact push domains away from your sub-accounts!
 
•••
Yeeps. :o

Thank goodness I have an ethical and professional eNom "parent". :)
Good info here.
 
•••

So you can in fact push domains away from your sub-accounts!

I can't believe this!! Is there any record eNom would have if someone did this to his sub-account? I mean, can we get any evidence if this happened to us, since we would need the evidence to get it back?
 
•••
Wow, that isn't good, but I am sure that most will be professional to keep their business.
 
•••
Oh, most will be professional. Most of us will also return a lost wallet, but what about the 30% who won't?

Originally posted by yesonline
I can't believe this!! Is there any record eNom would have if someone did this to his sub-account? I mean, can we get any evidence if this happened to us, since we would need the evidence to get it back?

yesonline, what made you say it couldn't be done in the first place? Something you read in eNom, or just something you assumed?
 
•••
I just tried to push some domains of my sub-account away and it returned an error message and I just couldn't do so, but I did not enter the sub-account to try it out as you said.
Anyway, I just wrote to enom.com about this problem, asking if they were aware of it or not, and whether any solution can be applied to it. I hope they will give me a good answer, or I might consider beginning to transfer my premium domains away.
Actually, I think moving my domains to MY OWN SUB-ACCOUNT is a good idea, since my parent reseller can neither log in to nor even view the sub-account of his sub-account. Right?
 
•••
This is one of the main differences between a retail and reseller account with eNom that most people overlook. If you have a retail account, your reseller still maintains complete management control over your domains.

This is by design and for good reason. As a domain reseller, you need to be able to manage the domain names of your customers.

Companies like NameCheap and RegisterFly are eNom resellers just like you and me. Although they do not technically own the domains they sell to their customers, they still maintain power to make changes if necessary.

Conversely, a sub-reseller account cannot have changes made to it. You can view the domains your subresellers own, but not make modifications.
 
•••
Thanks RJ, I tried what you said and it is true that I can't modify anything in my RESELLER sub-account. That makes me feel more comfortable now :D
 
•••
Originally posted by yesonline
Thanks RJ, I tried what you said and it is true that I can't modify anything in my RESELLER sub-account. That makes me feel more comfortable now :D

Agreed.
Thanks for the clarification, RJ.
 
•••
I never knew that. Thanks for the info.
 
•••
Originally posted by -RJ-
... a sub-reseller account cannot have changes made to it. You can view the domains your subresellers own, but not make modifications.

Thanks, RJ. I've verified that this is so.

For my own paranoid protection, then, I created a new sub-reseller, and pushed my most valuable domains (as well as the adult ones) into that. My parent reseller can't auto-login to this new account at all.
 
•••
The answer to all this is beyond simple.

You go and make a free eNom account from their main page, which will then be directly under eNom itself.

Then no matter what reseller or retail accounts you have, after a domain purchase you push them to the top-level account.
 
•••
For those that want to be safe from this, I have a direct ETP account for eNom that I would sell for the right price.
 
•••