Journalist Steve Ragan and CEO of security firm Night Lion Security Vinny Troia conducted an experiment, the results of which were rather unpleasant for GoDaddy and its clients. Ragan suggested to test how safe were domains registered by GoDaddy.
To do that Troia contacted customer support of GoDaddy. He presented himself as Steve Ragan and said that he wanted to make changes to the registration data. He didn’t know the email address of Ragan (the owner of the domain), or his credit card number, or the account PIN. All of that Troia explained by saying that he was a big businessman and the domain was registered by his assistant, that suddenly resigned and didn’t leave any of the necessary information.
Obviously, Vinny Troia had to do some preparatory work. He forged the digital image of the driving license in Steve Ragan’s name issued in Indiana and put his photo, creating a fake ID. Also he created a couple of fake accounts of Ragan in the social networks and a Gmail email account in his name. However, all of that required several hours and basic knowledge of Photoshop, according to Troia. The rest was the issue of negotiations with the customer service of GoDaddy.
As a result in four days Troia gained access to Ragan’s domain account. Interestingly enough, Ragan was notified that registration data of his domain were changed. However, the message came to his email address (that was initially mentioned in the account) only 9 hours later. This time is enough to transfer the domain to another registrar and make in impossible to return the domain to his lawful owner. «GoDaddy is the largest registrar in the world. It operates around 60 million domain names; it has about 13 million clients. A business of this scale clearly deserves stricter security measures”, concluded Ragan and Troia after their experiment.
