inmotion security procedures seems lax re domain access and changes

Avatar
  • Answered
There are a lot of posts describing inmotion's procedures to validate whether a caller owns a domain, before they will perform domain and account changes that the caller is requesting.

Basically all you need do is supply the last four digits of the credit card used to pay inmotion bills.

Here is an example from inmotion customer support staff. There are many others:
https://www.inmotionhosting.com/support/community-support/registrations-and-transfers/transfer-of-ownership-of-domain-between-2-inmotionhosting-customers

There is an alarming negative review claiming that this lax procedure cause a customer to lose their domain. It seems that after this happened inmotion's customer service was shameful.

See review from someone called Nikki B here:
http://www.yelp.com.au/biz/inmotion-hosting-los-angeles-5?hrid=LPLCvNBBqqKcPESA_zH4cQ

Has inmotion reviewed their procedures following what happened to this customer? Has anything changed to increase our protection?




Avatar
Barry4679
Hello Arnel, <<<<< Responsibility for security is a two-way street. It will always be that way. If a customer feels that their security is sufficient, then they won't think twice about it until something bad happens.>>>> Well, nothing has happened (to me), but I am thinking twice about it. I know security is tedious, but when one contacts one's bank or their Telco, the identification credential requirement is more rigouress than just a url and the last 4 (public) digits of a credit card. I don't see why you as an ISP should take this matter more lightly. Especially if someone is asking to do something like change the site's admin email address, etc. An ISP is potentially protecting not only their customers' money and privacy, but in most cases also many 1,000's of hours’ worth of effort. Why use the last 4 digits from the credit card which printed on every receipt slip. They are the *only* four digits which are printed. They seem the least secure ones that you could have chosen. Maybe use another 4 digits from the card? Part of me is concerned that you may have chosen these 4 digits *because* they are semi-public. ie. if a customer's credit card is ever compromised, all of your support staff are protected from suspicion, as they have only been told the already compromised part of the card number. ... I hope that this isn't the case? ie. that your overriding security focus isn’t towards your own security, and not that of your customers. Presumably you would like your customer to help promote your services. Ie. https://www.inmotionhosting.com/link-to-us Right now that would be a really dumb thing for a customer to do, as it gets a hacker half way, and the remaining hurdle is insecure. <<<>>> OK, thanks. How do I initiate this extra level of security for myself? <<<<>>> Arnel, thank you for your responses. But, from what I understand of your generous responses, inMotion haven’t actually taken any steps at this point. I do hope that inMotion walks the walk, as well as just talks the talk. I presume that you have read your reviews at Yelp. It reads as if there is a view forming that inMotion are sliding, so running may be more appropriate than just walking, or sitting and talking. <<<>>> I don’t feel that I am being overly critical. We could have has had this conversation via social media if I had wanted critical, rather than in here, where you have hidden this thread (ie. it doesn't appear in the index). BTW: If you are so comfortable that inMotion is perusing, or moving towards, best practice and is aligned with customer wishes in this matter, why not have the discussion out in the open? Can you please escalate this matter in inMotion. This issue isn't going to go away. In the meantime please advise how I can take up your offer to increase the security level for my own account?
Avatar
Barry4679
Thank you for your response Arnel. I have some followup questions and comments, as I remain concerned regarding my security as an InMotion client. <<>> I don't know anything about Nikki B other than what she posted in her review of your service and security procedures. In what way was her credit card information "compromised"? As she reported it, and your own employees confirm in their postings here, all that is required is the last four digits of the credit card. This hardly qualifies as credentials. This information is disclosed whenever I use the credit card. It is printed on all my receipts from most vendors. There are 1000's of copies of it everywhere I spend money. It is basically public information. It is often used in conjunction with my web site; buying plugins for example. How is this secure enough? How come I can't buy anything just based upon the quotation of this information, or even the quotation of the full credit card number. <<<. We provide hosting services and domain registration services. The domain registration services are provided through Melbourne IT. Since the hacker had the credentials changed so that they could access the domain, they were able to change the registration. If the domain in question was compromised (and basically stolen)>>> I believe that she said in her report that your employee changed the site's admin address just on the basis of someone having the last 4 digits of her credit card. Your employees here post often saying that this is all that is required for proof of ownership. It doesn't look to me like her site was "stolen", it was basically gifted to the hacker by your lax security procedures. <<>>> Please do this. Unless I misunderstand something, your processes need urgent attention. Could you provide a follow up answer please?
Avatar
Arn
Hello, Our apologies to Nikki B - as she lost her domain when her credit card information was compromised. Many online services that people use will use some type of password, and if it is compromised, then unfortunately bad things may happen. We provide hosting services and domain registration services. The domain registration services are provided through Melbourne IT. Since the hacker had the credentials changed so that they could access the domain, they were able to change the registration. If the domain in question was compromised (and basically stolen), then the owner should be registering the complaint with the governing body for internet names - ICANN. This organization can overturn the change in registration. You can find more information on dispute resolutions here. The complaint will not be simply forgotten, but will be used constructively to improve our own internal processes. We take any security issue very seriously and will continually work toward providing the best services for our customers. Regards, Arnel C.