Wow. Some random person was able to move a domain to their own account simply by WhatsApp-ing the registrar, telling them that they had bought the domain and were having trouble moving it.
That's it.
It makes me realize that Google's no humans policy -- is it a policy? -- is actually a strength here. My domains purchased through Google are safe from social engineering because, well, there are no humans to contact to ask them to manually move domains.
(p.s. That is not some kind of dare to hackers! I am not suggesting you prove me wrong.)
The no humans thing also just closes off any path for exceptions that occur outside of what is coded.
I bought a domain for a Blogger blog ages ago. At the time Google had no domain registry, so they partnered with some company.
Years later, Google starts hammering me with "hey, your credit card is expired, we're not going to renew your domain" ...
Fine right?
"Hey go update your payment information on admin.google.com"
Wait. I don't have a g-suite account... and on my personal account my payment info is up to date, so I figure maybe they migrated my email address or emailed me about it but nope.
Then comes a circular system where if you forgot X you need Y, and if you don't have Y you need X, and links on pages that always lead to admin.google.com...
There was no place to find / get help from Google. Blogger's help seems like the information there is wrong / hasn't been updated / abandoned. Just links that ran in circles.
I found the old registrar they partnered with and got them to help.
With Google, as far as I could tell, there was no way to resolve the issue in a situation where I'm even trying to give them money (granted, a nominal amount).
I had a similar circular issue with Google. I solved it by shoulder tapping my GCP sales rep who pulled some strings. Luckily my company spends quite a bit so I had a back door. Without that or a twitter following I think you’re fucked.
Yep, similarly here. eNom successfully "extorted" $300 from me due to it. My fault ultimately in the end though. But it was a stressful couple days, and eNom and Google partnership soured my view of both of them. I no longer do business with eNom.
Because it's exactly as RileyJames said above. It was ultimately my own doing but was masked by the strange relationship eNom has/had with Google. It felt like extortion, but wasn't in reality, just business practices that don't put the customer first.
"In the end, E-HAWK was able to wrest back its hijacked domain in less than 48 hours, but only because its owners are on a first-name basis with many of the companies that manage the Internet's global domain name system. Perhaps more importantly, they happened to know key people at PDR - the registrar to which the thieves moved the stolen domain.
Dijkxhoorn said without that industry access, E-HAWK probably would still be waiting to re-assume control over its domain."
A different read: It was "humans"-based customer support that saved E-HAWK. A "no-humans" customer support system might have left E-HAWK powerless, waiting, hoping.
Analogising to the parent's example, if parent had a serious problem, a "no-humans" customer support system might result in helplessness, waiting, hoping for some human at Google to discover and fix parent's problem, unless parent happened to know key people at Google.
> It makes me realize that Google's no humans policy -- is it a policy? -- is actually a strength here. My domains purchased through Google are safe from social engineering because, well, there are no humans to contact to ask them to manually move domains.
I'd suppose that goes both ways. If someone does find a way to steal a domain that's managed by Google, who are you going to contact to get it back?
If Google's servers decided tomorrow to shut down your domain, because the anti-fraud algorithm decided that the use of the domain has patterns which it decided are indicative of fraud, what would you do? All there is is a computer saying that it de-registered the domain name, and all the support options become a circle of the computer saying that it de-registered the domain name.
To me that is a risk. Though I have no evidence for this, I think that the false positives of those algorithms are higher than the risk of a hacker managing to social engineer a high-end registrar. The reason I think so is that there is very little incentive for Google to eliminate false positives but a huge one for eliminating false negatives.
Google Domains does have phone/chat/mail support but I still would like to believe that their security practices are solid enough that they wouldn't fall for this most basic of social engineering attacks.
> It makes me realize that Google's no humans policy -- is it a policy? -- is actually a strength here. My domains purchased through Google are safe from social engineering because, well, there are no humans to contact to ask them to manually move domains.
Except Google actually has a lot of humans in the loop for Google Domains. I was having an issue transferring a domain and I clicked a button to chat and was talking with a real person in about a minute.
Granted, they may have better security procedures but they're still humans.
AWS Route53 user chiming in here. I have IAM accounts and soft-token 2FA, and I like how minimal the R53 panel is. This makes me feel like I have a handle on things because there are so few paths to make changes. It also makes me worried I'm missing something. 7 years and no hacks (that I've detected). Knock on wood.
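The "no hacks that I've detected" point above is the one a practitioner can actually do something about: a registrar-level hijack like the E-HAWK case shows up as a changed registrar, a dropped transfer lock or a changed NS delegation long before anyone notices traffic going elsewhere. The following is an added example, not code from the thread or from any registrar: it compares a domain's RDAP record (RFC 9083 structure, EPP status strings per RFC 8056) against a stored baseline and reports drift. The baseline values, registrar names and nameservers are constructed for illustration; `fetch_rdap` uses the public rdap.org redirector and is only called when you run the live path yourself.

```python
"""Registrar / delegation drift check (added example, not from the thread).

Compares an RDAP domain object against a known-good baseline and returns a
list of findings. The two RDAP documents at the bottom are constructed
samples, not real lookups.
"""
import json
import urllib.request
from typing import Dict, List, Set

# Constructed baseline for a hypothetical domain; store yours after you have
# verified it by hand once.
BASELINE: Dict[str, object] = {
    "registrar": "Example Registrar, Inc.",
    "nameservers": {"ns-1.example-dns.net", "ns-2.example-dns.net"},
}

# EPP statuses you expect to see on a domain you are not actively moving.
REQUIRED_LOCKS: Set[str] = {"client transfer prohibited"}


def registrar_of(rdap: dict) -> str:
    """Return the registrar's display name from the RDAP entity list."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # jCard: ["vcard", [[name, params, type, value], ...]]
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
            return ent.get("handle", "")
    return ""


def nameservers_of(rdap: dict) -> Set[str]:
    """Normalized set of delegated nameserver names."""
    return {ns["ldhName"].rstrip(".").lower() for ns in rdap.get("nameservers", [])}


def check_domain(rdap: dict, baseline: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means no drift."""
    findings: List[str] = []

    registrar = registrar_of(rdap)
    if registrar != baseline["registrar"]:
        findings.append(f"registrar changed: {baseline['registrar']!r} -> {registrar!r}")

    status = set(rdap.get("status", []))
    for lock in sorted(REQUIRED_LOCKS - status):
        findings.append(f"transfer lock missing: {lock}")
    if "pending transfer" in status:
        findings.append("EPP status 'pending transfer' present")

    current_ns = nameservers_of(rdap)
    expected_ns = set(baseline["nameservers"])
    if current_ns != expected_ns:
        findings.append(f"nameservers changed: {sorted(expected_ns)} -> {sorted(current_ns)}")
    return findings


def fetch_rdap(domain: str, base: str = "https://rdap.org/domain/") -> dict:
    """Live lookup via the rdap.org redirector (network; not used by the samples)."""
    with urllib.request.urlopen(base + domain, timeout=10) as resp:
        return json.load(resp)


# --- constructed samples -------------------------------------------------
CLEAN_RDAP = {
    "ldhName": "example-victim.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar, Inc."]]]}],
    "nameservers": [{"ldhName": "NS-1.EXAMPLE-DNS.NET."}, {"ldhName": "ns-2.example-dns.net"}],
}

# What the record looks like after a registrar-to-registrar hijack: new
# registrar, lock gone, delegation pointed at the thief's nameservers.
HIJACKED_RDAP = {
    "ldhName": "example-victim.test",
    "status": ["client delete prohibited"],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Other Registrar LLC"]]]}],
    "nameservers": [{"ldhName": "ns1.attacker-dns.test"}, {"ldhName": "ns2.attacker-dns.test"}],
}

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RDAP), ("hijacked", HIJACKED_RDAP)):
        print(label, check_domain(doc, BASELINE) or "OK")
```

Run it from cron against `fetch_rdap("yourdomain")` and page on any non-empty result; the point is that the check compares against a baseline you verified yourself, so a registrar quietly honouring a WhatsApp request still trips it.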
I'm guessing your domain wasn't a huge target then. There was a dns hijacking bug in r53 like 3-4 years ago that was fairly trivial to use. It allowed an arbitrary attacker to register new records to redirect your traffic and take a higher priority in the routing table. I probably shouldn't say much more about it because I don't think it was publicized after they fixed it.
That wasn't reaaaaly an AWS hack. BGP hacks are still an issue since it is mostly an honor system! There are no safeguards against this except fast admin.
Well, there was that too. What I was referring to was a specific issue that allowed you to add entries for domains in r53 which were already in use (in r53). I can't remember the specifics too well, but I think it was an api validation issue on one of the endpoints. It wasn't a "I own your domain now" so much as "I receive some of your traffic sometimes".