Episode 1: Don't Screw The Pooch on OpSec.
Thanks
@hover; The last 2 days of my life have been amazing, and I will never forget you. But I think we need to see other people. Happy Valentines 🥰
I've decided since I can't use my website to blog because my domain is still frozen by you. Ill do it here. Here's the play by play of
@hover miserably failing at security and authenticating humans.
1. Person X calls
@hover ☎️
2. Person X says. "Hi, I'm
@densone 💁♂️ and I can't reach my domain". 👨💻
3. Hover:👨💻 "really sorry to hear that, let me run a lexis nexis on your name really quick but not ask for any physical form identification."
4. Person X: "Sure" 🎉
5. Hover "Cool, thanks for providing that information that
@TMobile and
@Equifax gave to the dark web, no need to prove it's you when companies like
@LexisNexisRisk can just generate some arbitrary questions about you. They have mined since you were old enough to drive a car, we got this!! 🦹♂️ Here's your new password.
6. Person X transfers domain to
@namesilo (They are nice people and it's not their fault and they were very helpful)
7. Person X see's me text my phone number to hover CEO
@enoss in a plea for help and decides to negotiate a deal for my domain. We met in the middle at $2000 + a twitter handle that I owned and he wanted it so he took it.
8. Now I need to buy $2000 worth of BTC. Guess what I had to do
@hover? I had to take a photo of my chubby little face and a photo of my drivers license to buy that BTC. It's called KYC. KNOW YOUR CUSTOMER.
9. I pay person X and they promptly give me the namesilo account credentials. I lock everything up. Enable 2FA, fix my MX etc etc.
10.Going back a few steps before Person X sold me back my property. In between this mess, I call hover and they keep trying to email me a verification pin, after I tell them like 5 times that my mx records have been hijacked, and that they gave my account and domains away.
11. Hover decided after several hours to get my domain locked at the other registry. After I paid person x to give it back and after I repaired my MX records so person x would not get my email anymore.
12. When hover had my domain locked at the other registry, my nameservers were reverted and person x started to receive my emails again. Person X at this point was apologetic believe it or not and I got good customer service from them for my money. You can see in the attached photo where they are updating me on the emails I am missing.
13. You can see where person x was using
@ImprovMx to forward my email to their gmail. Improvmx has a free tier which makes this stuff easy.
14.
@hover has finally gotten back to me on the afternoon of day 2 of me knowing. My email has been hijacked for 5 days, but I didn't check it over the weekend. Guess what they want me to do? They want me to make an affidavit and get it notarized. So I ask. "Why didn't person x need to get a notarized affidavit to take over my account?". The person at hover who I think is the head of risk says, "Because it's not a policy here". Me, "Don't you see the irony here". Hover: "Yes".
Conclusion. My domain is still locked. As of writing this Hover has updated my mx records so I can start to receive email again.
Person X has received emails from my bank, accountant, attorney. All of which have likely put serious further risk to my identity. Person X took and kept a twitter handle that I have had for years. I don't hate person x for their hustle, but I do believe
@hover should have and could have done a lot more and that they are completely negligent.
Lesson for me. Just because you secure things well, doesn't mean you are secure when the ultimate factor of your security can be take over by a simple phone call. Ring ring.
Please make sure you choose wisely when choosing a registrar. I personally don't think
@Cloudflare or
@Google or
@awscloud would allow this kind of tomfoolery.
See some of the images attached for a chuckle.