
Although Gandi.net is a fantastic company, their security practices are nothing to write home about.

A few years ago, one of my clients lost access to her Gandi.net account. Unfortunately, she had the "disable password resets via email" option set in her account. That should have given her quite a headache, right?

Nope. I, an independent contractor who didn't even own the account, was able to convince Gandi support to disable that option so that she could reset her password via email. They didn't even ask for any documents to prove either my identity or my client's. It took several days, but the only reason it took so long was that their English support was very slow back then.

So I'm not surprised that Gandi let the attacker change the email on FastMail's account when presented with genuine-looking documents.

And this is not a problem that is specific to Gandi. Even with other online services, it's often quite easy to bypass automated security measures if you go through a human being, whether through the support system or through good ol' snail mail. In fact, I'm sure that snail mail is by far the most reliable way to take over someone else's account nowadays. So many of us in the tech industry have no idea how to verify the authenticity of a piece of paper, especially if it's from a different country.

Meanwhile, another favorite web host and registrar of mine, NearlyFreeSpeech.net, recently enabled two-factor authentication. But they did it differently. In addition to OATH TOTP, NearlyFreeSpeech allows you to select several other tests that you need to pass in order to recover your account. If you tell them to give you six different tests, which will probably take several weeks because some of the tests involve snail mail, they'll honor your preferences. Or you can choose to take four tests. Or three. Or two. It's your choice. That's multi-factor auth done right.
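To make the recovery scheme in the comment above concrete, here is a small model of it, added here as an illustration; it is not NearlyFreeSpeech.net's or Gandi's code. The account owner picks which verification tests count and how many distinct ones must pass; tests outside that set are ignored even if "passed" (which is what Gandi's "disable password resets via email" option amounts to); and the minimum time to recover follows from the slowest of the tests you would have to clear. One rule is this model's own assumption, not something the thread says any provider does: weakening the policy has to clear the current policy's bar, which is exactly the path support opened up in the Gandi anecdote. The test names and latencies are made up.

```python
"""Model of a user-configured, multi-test account recovery policy.

Added illustration for the NearlyFreeSpeech.net comment; not NearlyFreeSpeech's
or Gandi's code. The owner chooses the allowed tests and how many must pass
(as the comment describes); test names, latencies and the policy-change rule
are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed verification tests and the rough time each takes to complete.
TEST_LATENCY_DAYS = {
    "totp": 0,             # OATH TOTP code from an authenticator app
    "backup_code": 0,      # one-time code printed at enrolment
    "email_link": 0,       # reset link sent to the account email
    "callback": 1,         # support calls a phone number already on file
    "snail_mail_code": 14, # code posted to the address already on file
}


@dataclass(frozen=True)
class RecoveryPolicy:
    allowed_tests: frozenset   # tests the owner accepts for recovery
    required: int              # how many distinct allowed tests must pass

    def __post_init__(self):
        unknown = set(self.allowed_tests) - set(TEST_LATENCY_DAYS)
        if unknown:
            raise ValueError(f"unknown tests: {sorted(unknown)}")
        if not 1 <= self.required <= len(self.allowed_tests):
            raise ValueError("required must be between 1 and len(allowed_tests)")


def recovery_succeeds(policy, passed):
    """True only if `policy.required` distinct allowed tests were passed.

    Tests outside the allowed set are ignored even if passed; that is what
    the "disable password resets via email" option in the Gandi anecdote
    amounts to. Passing the same test several times counts once.
    """
    counted = set(passed) & policy.allowed_tests
    return len(counted) >= policy.required


def fastest_recovery_days(policy):
    """Minimum days to recover: the required-th fastest allowed test."""
    latencies = sorted(TEST_LATENCY_DAYS[t] for t in policy.allowed_tests)
    return latencies[policy.required - 1]


def change_policy(current, proposed, passed):
    """Replace the policy only if the current policy's own bar is met.

    In the Gandi anecdote, support weakened the policy on an unverified
    request from a third party. Gating every change behind the tests the
    owner already chose is this model's assumption about closing that path;
    the thread does not say how any provider actually handles it.
    """
    if recovery_succeeds(current, passed):
        return proposed
    return current


def demo():
    """Walk through the scenarios in the thread; returns a dict of outcomes."""
    strict = RecoveryPolicy(
        frozenset({"totp", "backup_code", "callback", "snail_mail_code"}), 3)
    lax = RecoveryPolicy(frozenset({"email_link"}), 1)
    return {
        # owner with app, backup codes and a callback: three distinct tests
        "owner_recovers": recovery_succeeds(strict, ["totp", "backup_code", "callback"]),
        # attacker controls the mailbox, but email is not an allowed test here
        "email_alone_fails": recovery_succeeds(strict, ["email_link"]),
        # the same test repeated is still one test
        "repeat_counts_once": recovery_succeeds(strict, ["totp", "totp", "totp"]),
        # three fastest tests take a day; requiring four waits on the post
        "days_for_three": fastest_recovery_days(strict),
        "days_for_four": fastest_recovery_days(RecoveryPolicy(strict.allowed_tests, 4)),
        # a third party asks support to weaken the policy with no verification
        "support_weakening_blocked": change_policy(strict, lax, []) == strict,
        # the owner weakens it herself after clearing her own bar
        "owner_weakening_allowed": change_policy(
            strict, lax, ["totp", "backup_code", "callback"]) == lax,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is that the threshold and the allowed set are the owner's settings, and the humans in the loop only run tests; they never get to decide that a test was "good enough" or to lower the count on someone else's request.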




> And this is not a problem that is specific to Gandi. Even with other online services, it's often quite easy to bypass automated security measures if you go through a human being, whether through the support system or through good ol' snail mail.

I wonder if this is actually a counter-intuitive advantage of AWS, which, as far as I can tell, offers absolutely zero, zip, nada human support.


Actually they do for MFA problems, even if you don't have paid support on your account. A few years ago I wiped my phone without first disabling MFA on my account (I use Google Authenticator). After business hours on a holiday, I submitted the support form [0] and got a call from a human five minutes later. He asked me several questions and deactivated MFA so I could log in.

[0] https://portal.aws.amazon.com/gp/aws/html-forms-controller/c...


They called you. That makes a huge difference. It would be a problem if you had called them from a public phone.


Well, that's great, except, according to the article at the top of this thread, that's maybe not so great, depending on what kind of questions they asked you.

So, what kind of questions did they ask you?


Google is one of the few companies I've dealt with that generally does not easily fall victim to social engineering of this nature.



