Tips: Why you should not use SMS for 2-step domain account verification! - A lesson by MapleDots

MapleDots



The 2-Step Verification GoDaddy uses makes the account very secure and I advise every domainer who has even one valuable domain in their GoDaddy account to use it. I use an authenticator app instead of a text message because it is far more secure than a text message.

Let me explain the details of the security for you...

With SMS notification your phone will get an SMS message with the code and you punch it in to log in to your account. There are a couple of reasons why this might prove to be problematic.....

Let's just pretend you had a roommate and he wanted one of your domains, it would be very possible for him to steal it from you. With my system he would not be able to do so.

Let's begin...

Your roommate stays up until you go to bed (apply it to other circumstances, hotel rooms etc.) and gets access to your GoDaddy account because your browser automatically fills in the password. He then sees you need an SMS code so he simply looks at your phone and enters it in and voila, he now has access to your account. Smarter domainers will not display sensitive information on their lock screen but the fact is most people do. There is an option to turn that off though.

Here is my advice...

Use the authenticator app option instead because it is much more secure. So same circumstance but instead of an SMS message my roommate now gets a prompt to enter the authentication code. He goes to my phone and would have to unlock it to get access to my authenticator program. Let's pretend for a second the roommate even has my unlock code. He now has to open my authenticator app with another security code before he can ever see that login code. The security measures are so immense that even the people I know the best and am the most trusting of would never have access to my account.

So you would think that is the most secure right? ---- Wrong

One more step...

GoDaddy is an example of what not to do on the login screen, they mean well but are still making one security mistake. You notice GoDaddy asks you to name the app you picked as your authenticator app and most people will do as in the picture above and say "Google Authenticator" or whatever app they use. That is another security trap I personally would not fall into. Make sure to name it something other than the app you actually use because you also do not want to tell a possible hacker what program you use.

Take the security to the absolute max....

I named my authenticator app Google Authenticator and I use a completely different program. This throws a possible hacker a false curve ball. In my case even if a roommate got access to my phone and knew my unlock code he would now have to have the unlock code to my authentication program as well, but I take it even further: I have a few of them loaded on my phone and he would try the Google Authenticator first because it is named on my login screen but he would be completely wrong because I use a different one.

So you see, there are always ways to dramatically increase the security of your account.

You would think this is as far as security goes right?

Wrong again.....


Apply the above to your email as well and you will be secure!!!
 
9

you really should get another room mate
and not use godaddy...
 
10
I take my phone to bed with me. Just to add yet another level of security :)
 
7
If you want to dramatically increase the security of your account,
the most simple way is to use a separate laptop / desktop for domaining and encrypt the whole HDD.
 
2
If you want to dramatically increase the security of your account,
the most simple way is to use a separate laptop / desktop for domaining and encrypt the whole HDD.

That does not protect the account itself, just the info on the laptop. Remember the account sits at your registrar so you still have to put safety protocols in place regardless of what device you are using.
 
2
Don't give your roommates any access; why would your roommates know anything about your account in the first place?

Create two accounts in your computer OS, one for serious things like domaining and banking, where you can save passwords etc., and the other account should be without a password so that your roommate can access anything he likes without knowing the passwords.

Protect the first account with secure and strong password, or even with MS account if you use Windows.
 
2
If you want to be safe I think you shouldn't be saving your login credentials in your browser in the first place.
 
2
Seriously? You are more worried about your "friend" stealing from you than some random stranger? If that's the case then you need new friends, not a special app.

It's a tutorial for everyone, and yes I have had trusted employees who I considered friends steal considerable amounts of cash and assets. In fact one person hijacked a vital company domain name.

In the end I got things back but it did teach me to not let my guard down. It's always the person you least expect, that person that knows how your security works that ends up taking advantage.

I sincerely hope it never happens to you because trust me it sucks to be on the receiving end of betrayal.
 
2
Wasn't there an article somewhere in the Firefox in-browser "news feed" (Pocket) sometime ago saying that a hacker doesn't even need physical access to the phone? Just grab personal info from social media or whois or somewhere, steal the number from the telco company itself, and gain instant access to... just about everything connected to the phone attached to that number

2-factor is already hopeless long ago
 
2
I 'handle' this by having a non-smart flip-phone :xf.wink: Seriously! Luddite here. What is SMS anyway? :-P

But on a more serious note, thanks for all the great suggestions. While some balance of convenience and security is always necessary, for high value domains clearly the balance needs to tip towards highest security.

A couple of questions....
  • Is there such a thing as domain insurance against theft of assets, or is it covered by any other form of personal or business insurance? This must have come up.
  • Even if someone temporarily steals a domain name, surely ultimately, they are such obvious assets, that the true owner can get them back? Or am I wrong? I would think it is those who inadvertently purchase stolen domain names that are at risk of losing.
Thanks everyone.
Bob
 
2
Is there such a thing as domain insurance against theft of assets, or is it covered by any other form of personal or business insurance? This must have come up.

That is assuming the insurance company and the domainer could come up with the same value. The domainer always sees the potential value to an ideal end user whereas the insurance company would probably rely on an appraisal tool which we all know would more than likely not set the real value.
 
2
2-factor is already hopeless long ago

Two factor by description means two methods of authorization, one must use common sense to pick the strongest two factor when protecting very valuable assets. SMS is definitely not the strongest compared to an authenticator app which changes the access code every minute. So to even get at the authenticator one must also have the password to the authentication program.

So you must get through the cell phone security and the authenticator app security, whereas with SMS you don't even need to get past the phone security; most people display that data right on the lock screen. Even if they are smart enough not to, there still is only the phone password standing between them and the loss of the domains. I would much rather add another layer.

So 2 factor is very relevant, it is just up to you to use the correct one.
 
2
For SMS code, I think we should use a phone that has no Internet. (Phone phishing)
 
0
No roommates guys, it's an example that can be applied to hotel rooms, it can apply if someone finds your phone etc.

Security is always a worst case scenario and if your domains are worth a lot of money you should apply the same security as on your bank account.
 
1
The biggest issue here is that GoDaddy asks you to name the app. In my example picture I named it Google Authenticator. In this case I just gave a would-be crook a vital clue.

HeHe

Little does he know....... shhhh.... I don't actually use that app :-P
 
1
If you want to be safe I think you shouldn't be saving your login credentials in your browser in the first place.

That's another good point, I personally use a password program with 2 factor but I did forget to mention that. Good point @CarlosN
 
1
Talking of password programs. I hate Iolo's (System Mechanic) password program. It gets in the way and is ugly. I love Avast's password program. It doesn't get in the way, it does what it's supposed to do, and it's nice looking. I did try LastPass, but I forgot what I didn't like about it.
 
1
If you want to be safe I think you shouldn't be saving your login credentials in your browser in the first place.

This is true. However it beats having a paper list sitting on your desk with 1000 passwords, which gets scribbled on, coffee spilt on it, looks generally grubby most of the time, lost in a fire or flood etc., stolen. Can't find, or takes ages to find, the password you need most of the time, maintaining the database manually, and cannot remember the password of the password-locked file when you need to reproduce it :)

Oh. Also. I take my NUC out with me when I watch a game or go out to dinner. In case I get burgled :) It's a good job I don't have any dangerous sports, like rock climbing :) But I will intervene, if I see a little old lady being abused :(
 
1
Was out for lunch with a prominent domainer the other day. He got up to go to the bathroom and left his phone on the table. Sure enough an SMS came in and I could see sensitive information.

After the meeting I emailed him this topic.
 
1
At some point hyper security becomes more trouble than it’s worth. Time is money too and I can’t be robbed of time every time I login to something or other.

Two factor authentication is good enough for me. No one I don’t trust is going to get access to the phone number I use for it or even know what that number is.

Have you ever misplaced your phone?
You can have the best password possible but if your GoDaddy verification code displays on the lock screen you are risking your high-end domains.

Remember it is not the stranger finding your phone you should be worried about, it's the person that knows you have a domain and they want it that is of greatest concern. Most theft occurs by people we trust and in those cases they can have more access to information than you realize.

I am not talking about using an authenticator program for everything but if you own a lot of high value domains it is just an extra step to assure you never lose one.
 
1
I stopped using SMS verification just because one day I was trying to buy a good catch in pending delete domain names, and I couldn't receive the SMS at all. After talking to GoDaddy support they told me it's an issue with my SIM card and I need to fill in a form and send it to them to verify it so they can delete that SMS verification. So I lost the domain that day and after 48 hours they deleted the SMS verification, and I stopped using it since then. Btw thanks for the Google Authenticator trick.
 
1
If using authenticator or similar you need to be sure to save - securely - the backup codes in case you do not have access to authenticator. So then you need secure storage for those backups. And you need to cover the scenario of losing or replacing phone and migrating your authentication method to the new phone.
 
1
I know how to hack GoDaddy 2-step SMS


That is very unlikely

If you do then you need to report it and rectify the situation, it is your duty as a member of the community to do what is best for the community because if you truly know how to do that it would be quite worrisome and bad news for a lot of domainers at godaddy.

So please clarify your statement.
 
1