Name.com suffers breach, credit card data accessed, encryption in place (phew!)


"Dear John" used to be a euphemism for the letter that an ex-girlfriend wrote to break off a relationship.

It was the sort of letter no-one really wanted to get, but such is the way of the world that many young men ended up receiving one anyway.

The modern version of a "Dear John" - the email everyone hopes to avoid but which many have experienced - comes not from your erstwhile Significant Other, but typically from your ISP, or a social network, or some other online company.

The "Dear Johns" of 2013 usually contain something like this:

Dear %CUSTOMER%, We recently discovered a security breach...so we have %ACTION% your account. You will need to %RESPONSE% next time you log in. We are sorry. Your security is %ADJECTIVE% to us. At least, it is now.

Indeed, we've written about a number of high-profile breaches recently, for example at online coupon site LivingSocial, and search-result tweakers Reputation.com.

Now it's the turn of domain registrar and web hosting company Name.com, part of the Demand Media group, to suffer a breach.

A Naked Security reader kindly sent in the "Dear Johnette" email she received from Name.com; the good news is that it sounds a bit more upbeat, apparently with some justification, than many similar emails from other companies in similar straits:

We are writing to inform you of a security measure we have taken to protect the integrity of the domain names and information associated with your account.

Name.com recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals. It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com.

In particular, Name.com seems to be offering some reassurance that much of the Personally Identifiable Information (PII) stolen was exfiltrated in encrypted form:

Name.com stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don't believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

Like LivingSocial after its recent hack, Name.com is also offering this excellent generic advice:

If you use your previous Name.com password in other online systems, we also strongly recommend that you change your password in each of those systems as well.

Amen to that, but remember: don't change shared passwords because of the Name.com breach. Change your habit of sharing passwords anyway, whether you use Name.com or not.

Here's something Name.com could have left out, though:

Please click the link below to reset your password:
[LINK TO PASSWORD RESET]

Aaargh! Did they really need to do that?

They've sent an email that is little different to the spams that many of us have received along the lines of "Your account {has expired, was locked, is over quota, may be investigated for piracy, has had US$100,000,000 of unclaimed lottery winnings deposited in it}, click HERE to validate."

→ The fact that Name.com's letter is grammatical and clearly written definitely sets it apart from many, if not most, of the phishing campaigns we have seen in recent years. But you can't say a web link is good on that basis alone.

The problem with encouraging people to click email-borne links (which could have come from anywhere, or could point to anywhere) for anything relating to logging in or password reset is this: it softens them up to email links that end up at "enter your password" dialogs.

That plays into the hands of phishers, so please don't do it.

Always encourage users to find their own way to your login page: that forces them to familiarise themselves with the usual sequence of pages, forms, and questions.
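
A pre-send check in the spirit of this advice, as an added example (not from the original article or from Name.com): it scans an outbound customer notification and lists every link that steers the reader towards a login or password-reset page. The keyword list, the function and class names and the registrar.example domain are assumptions made for the illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Assumed keyword list for credential-related pages; tune it for your own site.
CREDENTIAL_WORDS = re.compile(r"log-?in|sign-?in|password|reset|verify|validate", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)

class AnchorCollector(HTMLParser):
    # Collects (href, anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def credential_links(raw_email):
    """Return the URLs in an outbound message that steer the reader to a credential page."""
    found = set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            collector = AnchorCollector()
            collector.feed(body)
            pairs = collector.links
        else:  # plain text: the call to action sits on the URL's line or the line above
            lines = [""] + body.splitlines()
            pairs = [(m.group(0), lines[i - 1] + " " + lines[i])
                     for i in range(1, len(lines)) for m in URL_RE.finditer(lines[i])]
        for href, context in pairs:
            if CREDENTIAL_WORDS.search(href + " " + context):
                found.add(href)
    return sorted(found)

# Constructed samples (hypothetical domain); the first is modelled on the wording quoted above.
SAMPLE_BAD = ("Subject: Security notice\nContent-Type: text/plain; charset=utf-8\n\n"
              "Please click the link below to reset your password:\n"
              "https://registrar.example/r?t=abc123\n")
SAMPLE_GOOD = ("Subject: Security notice\nContent-Type: text/html; charset=utf-8\n\n"
               "<p>Your password has been reset. Visit our site as you normally would.</p>"
               "<p><a href=\"https://registrar.example/blog/incident\">Incident report</a></p>")
```

A notification passes when `credential_links()` returns an empty list; informational links are allowed, links that lead to an "enter your password" page are not.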

Lastly, if you are a web hoster or a cloud provider yourself, please remember that you don't employ encryption as an alternative to keeping hackers out - you're supposed to do both of them, as part of defence in depth.


2 Responses to Name.com suffers breach, credit card data accessed, encryption in place (phew!)

  1. Mike · 534 days ago

    "Encrypted passwords," eh? Wonder if they keep the encryption key physically separate for that, too. I guess they have an intern walk over to the air-gapped PC to check every password as someone logs in?

  2. Greg · 533 days ago

    Encrypted passwords or no, they'll be cracked pretty quickly.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog