My Moniker Account was Breached – Security Flaws Persist
I woke up on September 1st, Labor Day, to an email alert that one of my domains had been transferred out of my account at Moniker without my authorization. I soon learned that my account had been hacked, the account email had been changed, a new user had been created, and five domains had been transferred away to another Moniker account.
Since that day, I’ve encountered numerous security flaws with Moniker’s system, including one that renders Portfolio MaxLock ineffective as it allows all the domains in an account to be transferred to another registrar without needing to answer the Portfolio MaxLock security questions.
As is well reported elsewhere, KeySystems caused massive disruptions when they replaced the legacy Moniker domain management system with a new system from their DomainDiscount24 (DD24) registrar. Unfortunately, all the pain and trouble caused by the “upgrade” served primarily to replace a reasonably secure system with one with gaping security holes that have been exploited by hackers. The problem was exacerbated by Moniker’s failure to enact basic security procedures.
Another massive security breach was recently reported on Acro.net and DotWeekly. This appears to be a separate breach from the one I experienced which occurred in late August, as it happened much later and the IP involved was different, though it may involve the same people.
I called Moniker to alert them to the breach the same day I learned of it, and they locked down my account and the account that the stolen domains had been transferred to. Later that week I spoke to a manager at Moniker and exchanged emails with her. On September 5th, she wrote: “Our technicians are working very hard to ensure that breaches such as this never happened again.” Clearly they failed.
I was told that the technical team in Germany was investigating the breach and that I would receive a report within a few days. Despite several requests, it has now been over a month and I have yet to receive any account of what happened in the breach.
Yet from my own experience with the new Moniker interface I learned of several security flaws.
I had purchased and auto-renewed Portfolio MaxLock for several years on the old Moniker system. Portfolio MaxLock creates two security questions that must be answered successfully before any domain can be transferred out of the account. Portfolio MaxLock seemed to work well and I had peace of mind that the account was secure.
With the transition to the new DD24 interface, Portfolio MaxLock was dropped without any notice and I didn’t realize it was no longer active on my account.
When calling in to Moniker’s customer support team to make changes to the account, the customer support team verifies that you are the legitimate account owner by asking you to confirm the following information from the account profile: company name, company address and company phone number; they often, but not always, also ask for the account email address. As most, if not all, of this information is available in public whois records, it is a ludicrous way to verify identity. A few years ago I changed the account email to be different from the whois email, but for many accounts the account email is likely the same as the whois email.
After my account was hacked the account email address was changed to one that was very similar to the correct one. It makes me wonder whether the hack was the result of social engineering one of the customer service reps. It is plausible that the hacker called to say that there was a typo in the account email address, and persuaded the customer service rep to make the slight change in the email address so that the email address then became one under the hacker’s control. I don’t know for certain since I haven’t received the report on how the breach happened so I can only speculate.
Moniker keeps a handy IP log showing the IP address and date stamp of anyone who has logged in or attempted to log in to the account. Yet worryingly the day that the hacker logged into my account and pushed out the domains the IP log showed no access at all. The customer service reps said that should only happen if the account was accessed internally, such as by the customer service reps themselves. This was disturbing and reinforced my suspicion that the hack was the result of the hacker persuading a customer service rep to make the changes.
I received no email to the original account email when the account email was changed. After I suggested that it is a basic security rule to send an alert to the original email address when the account email is changed, the folks at Moniker agreed that sounded like a good idea and they would ask their team to implement it.
After the hack was discovered, my account was kept in locked status and I had to call customer support, often enduring lengthy waits on hold, and having to go through the drill mentioned above “proving” my identity before the customer service rep would temporarily unlock the account to allow me to make whatever changes I needed to make.
Eventually I decided that if I purchased Portfolio MaxLock, they would not need to lock down the account each time after I was done logging in. So I spent the $124 to purchase Portfolio MaxLock. I thought it would have been a nice gesture if they had offered Portfolio MaxLock at no charge, since my account had been breached and domains taken from it. But they didn’t offer, and I didn’t press it, so I paid for Portfolio MaxLock.
The new Portfolio MaxLock works somewhat differently than the legacy version, but the key functionality is the same as it requires that two security questions be answered before a requested job will run. According to the customer support reps, even they don’t know the answers to the questions, and it would take a high level member of the technical team to be able to reset the answers if I ever forgot them.
Once I got the hang of it, Portfolio MaxLock seemed to work well. If I wanted to have an auth-code sent to me, I would navigate to the desired domain in the admin interface to request the auth-code but then I would need to go to the Jobs section to answer the security questions before the job would execute and the auth-code would then be sent. Even minor items such as changing the Time to Live (TTL) record in the DNS required answering the security questions.
One day though, I couldn’t log into my account. I called Moniker customer support assuming that the account had been relocked. The support rep said that it hadn’t been locked, but he did say the password had been recently changed. I hadn’t requested a password change and was suddenly concerned that my account had been hacked again. The rep investigated some more and said that someone had requested a password reset, but they weren’t logged in when they requested the password change. I asked if this meant that anyone could force the password on my account to be changed at any time. The rep said that this is the way the system works. So here is another flaw in the design. You may have your password memorized, or saved in a password keeper program, and anyone at any time could force the password on your account to change so that your password is obsolete.
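Two of the design flaws described above, the missing alert to the original address when the account email is changed and a password reset that takes effect the moment an anonymous caller requests it, have well-known remedies. The following is an added example, written for this page and not Moniker’s or DD24’s code, of an account service that keeps the current password valid until a single-use, time-limited token mailed to the address on file is redeemed, and that notifies the address being replaced whenever the account email changes. All class and method names, and the in-memory store and outbox, are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, in-memory stand-ins for a registrar's account store and mail
# transport. Nothing here is Moniker's or DD24's code; all names are assumed.


def hash_secret(value: str) -> str:
    # Stand-in for the password/token hash; production code would use a slow
    # KDF such as argon2 or scrypt for passwords.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None
    reset_expires: float = 0.0


class Outbox:
    """Records (recipient, subject) pairs instead of sending real mail."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


class AccountService:
    RESET_TTL_SECONDS = 3600

    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox
        self.accounts: Dict[str, Account] = {}

    def create(self, username: str, email: str, password: str) -> None:
        self.accounts[username] = Account(username, email, hash_secret(password))

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(acct.password_hash, hash_secret(password))

    def request_password_reset(self, username: str, now: Optional[float] = None) -> str:
        # The post describes a system where a reset request by an anonymous
        # caller immediately changes the password. Here the current password
        # stays valid: only a single-use token is issued and mailed to the
        # address on file. (The token is returned so a test can play the role
        # of the mailbox owner; a real service would never return it.)
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hash_secret(token)
        acct.reset_expires = (now if now is not None else time.time()) + self.RESET_TTL_SECONDS
        self.outbox.send(acct.email, "Password reset requested")
        return token

    def complete_password_reset(self, username: str, token: str, new_password: str,
                                now: Optional[float] = None) -> bool:
        acct = self.accounts[username]
        current = now if now is not None else time.time()
        if acct.reset_token_hash is None or current > acct.reset_expires:
            return False
        if not hmac.compare_digest(acct.reset_token_hash, hash_secret(token)):
            return False
        acct.password_hash = hash_secret(new_password)
        acct.reset_token_hash = None  # single use
        self.outbox.send(acct.email, "Your password was changed")
        return True

    def change_email(self, username: str, new_email: str) -> None:
        acct = self.accounts[username]
        old_email = acct.email
        acct.email = new_email
        # Notify the address being replaced as well as the new one, so the
        # legitimate owner hears about the change even if it was not theirs.
        self.outbox.send(old_email, f"Account email changed to {new_email}")
        self.outbox.send(new_email, "Account email changed")
```

The point of the split between `request_password_reset` and `complete_password_reset` is that an unauthenticated request changes nothing an attacker can observe; the owner's stored password keeps working until whoever controls the mailbox redeems the token, and a wrong or expired token leaves the account untouched.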
You may question my complacency that I would leave my domains at Moniker through the flawed transition to the new interface that blocked account access for a long time. You may question my complacency that I didn’t immediately move out all of my domains after discovering the account breach. I also question my complacency.
Yet after weeks went by without any report of what had gone wrong with the breach and without any assurance that the problem had been fixed, combined with the troubling fact that no IP was logged the day the account was breached, suggesting an internal system may have been compromised, I finally decided it was time to move away my domains.
The next time I talked to customer service, I told the rep that I had heard that Moniker had recently added a feature that allowed a bulk export of auth-codes. The rep showed me where to find the link in the interface. I clicked the link and received a message that the list of auth-codes would be sent to the account email address. I went to the ‘Jobs’ section where one must go to answer the Portfolio MaxLock security questions. But there was no need. A few minutes later a report with the auth-code of every domain in my account showed up in my inbox.
Even though I had paid to add Portfolio MaxLock to my account, and even though I couldn’t change the TTL for one domain without answering the security questions, the bulk auth-code export feature was added without linking it to Portfolio MaxLock so I was able to receive every auth-code for every domain in the account without needing to answer any security questions.
That is a major security flaw, but one would think it is of little practical consequence since the domains couldn’t be transferred out to a different registrar without unlocking them first. And when I navigated to the management page for an individual domain and requested to unlock it, that change required answering the Portfolio MaxLock questions first.
However, I noticed on the account summary page that lists all the domains in the account, there is a little ‘lock’ symbol beside each domain. The symbol shows whether the domain is locked or unlocked. A nice feature is that you can click on the ‘lock’ symbol to change its status, from unlocked to locked, or from locked to unlocked. When you click on the lock symbol to unlock the domain, you don’t need to answer the Portfolio MaxLock security questions.
So I tested out whether I could move domains to another registrar without needing to answer the Portfolio MaxLock questions. I chose a few domains, clicked the ‘lock’ symbol for each one to unlock the domains, and then entered the auth-codes for the domains at the gaining registrar. The auth-codes were accepted, the gaining registrar emailed me to approve the transfer, a little while later Moniker emailed me a link to cancel the transfers if I wanted to keep the domains at Moniker, and a few days later the domains moved to the new registrar.
So now as I transfer out the domains in my account, I don’t bother bulk unlocking the domains and then answering the Portfolio MaxLock security questions. I just go down the list of domains clicking the ‘lock’ symbol to unlock them. And the domains are leaving my Moniker account. And Portfolio MaxLock is still active on my account, utterly useless for safeguarding the domains.
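The bulk auth-code export and the lock icon both bypassed Portfolio MaxLock for the same underlying reason: each user-interface path decided for itself whether to demand the security questions, so a path that forgot the check silently became a way around it. The following is an added example, not Moniker’s or DD24’s code, that models that failure beside the usual remedy: classify every operation that can lead to a domain leaving the account in one place and enforce the challenge in the account layer, so the per-domain page, the lock icon and a bulk export all pass through the same guard. Every class, operation name and domain name here is a constructed assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed model of a registrar control panel; none of this is Moniker's or
# DD24's code, and every class, operation and domain name below is assumed.


class ChallengeRequired(Exception):
    """A transfer-enabling action was attempted without the security answers."""


@dataclass
class Domain:
    name: str
    locked: bool = True
    auth_code: str = "AUTHCODE-PLACEHOLDER"  # constructed placeholder


@dataclass
class Portfolio:
    domains: Dict[str, Domain]
    maxlock_active: bool = True
    # Constructed sample answers; a real system would store only hashes.
    answers: Dict[str, str] = field(
        default_factory=lambda: {"q1": "answer-one", "q2": "answer-two"})

    def challenge_passed(self, given: Dict[str, str]) -> bool:
        return all(given.get(q) == a for q, a in self.answers.items())


# Operations that can lead to a domain leaving the account. Classifying them in
# one place, and enforcing the check in the account layer rather than in each
# UI handler, is what stops a new path (lock icon, bulk export) from skipping
# the questions.
TRANSFER_ENABLING = {"unlock", "issue_auth_code", "bulk_export_auth_codes"}


class AccountLayer:
    def __init__(self, portfolio: Portfolio) -> None:
        self.p = portfolio

    def _guard(self, op: str, answers: Optional[Dict[str, str]]) -> None:
        if (self.p.maxlock_active and op in TRANSFER_ENABLING
                and not self.p.challenge_passed(answers or {})):
            raise ChallengeRequired(op)

    def unlock(self, name: str, answers: Optional[Dict[str, str]] = None) -> None:
        self._guard("unlock", answers)
        self.p.domains[name].locked = False

    def lock(self, name: str) -> None:
        # Locking only narrows what can happen to the domain, so no challenge.
        self.p.domains[name].locked = True

    def issue_auth_code(self, name: str, answers: Optional[Dict[str, str]] = None) -> str:
        self._guard("issue_auth_code", answers)
        return self.p.domains[name].auth_code

    def bulk_export_auth_codes(self, answers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
        self._guard("bulk_export_auth_codes", answers)
        return {d.name: d.auth_code for d in self.p.domains.values()}


class LockIconFlawed:
    """The behaviour the post describes: the icon handler writes to the record
    directly, so the per-domain page asks the questions but this path does not."""

    def __init__(self, portfolio: Portfolio) -> None:
        self.p = portfolio

    def toggle(self, name: str) -> None:
        d = self.p.domains[name]
        d.locked = not d.locked


class LockIconGuarded:
    """Same UI affordance, routed through the account layer's single guard."""

    def __init__(self, layer: AccountLayer) -> None:
        self.layer = layer

    def toggle(self, name: str, answers: Optional[Dict[str, str]] = None) -> None:
        if self.layer.p.domains[name].locked:
            self.layer.unlock(name, answers)
        else:
            self.layer.lock(name)


def is_blocked(action: Callable[[], object]) -> bool:
    """True if the action is refused for lack of security answers."""
    try:
        action()
    except ChallengeRequired:
        return True
    return False


def sample_portfolio() -> Portfolio:
    names = ["example-one.test", "example-two.test"]  # constructed names
    return Portfolio({n: Domain(n) for n in names})
```

A useful review habit for systems like this is to list every operation that changes a domain's transferability or reveals its auth-code and confirm each one reaches the guard; a new feature that writes to the lock flag or exports codes without appearing in that list is exactly the gap the post describes.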
I will give a shout-out to DomainTools, as thanks to their Registrant Alert report I learned that the domains had been moved out of my account in time to prevent them from being transferred away from Moniker. Moniker’s team froze the thief’s Moniker account that the domains had been moved to, and eventually moved the domains back to my account. I need to do a thorough review but I am not currently aware of any domains that are missing from the account.
It makes me sad to write this post. I was one of Moniker’s first customers. I was a Moniker customer before there was a Moniker, before it was a registrar, back when it was DomainSystems, a NetworkSolutions reseller. When Monte was changing the name from DomainSystems he asked my opinion of the new ‘Moniker’ name. I told him I had always thought the word was spelled “Monicker”. But Moniker is a great name, and Moniker has been the home of my core domain portfolio for nearly as long as Telepathy has been in business.
So it is sad to say goodbye to Moniker, and to witness the self-destruction of this company that played such a large role in the development of the domain industry.
I must say that everyone I dealt with at Moniker after the breach was friendly and helpful to the extent that they could be. But they were saddled with a buggy system, and they couldn’t provide the account security that the customers needed. Yet someone continues to make poor decisions, such as the recent one to change all the passwords and send out the new passwords in unencrypted plain text emails.
Unfortunately it appears that Moniker’s President, Bonnie Wittenburg, is experiencing serious health issues as her email auto-reply includes the following message: “I am out of the office on medical leave and will be out for several weeks.” Bonnie’s absence may be contributing to the lack of leadership and the ineffective response to the security breaches so far. I wish Bonnie, and Moniker, a return to good health. But I will be watching from a distance.
Anyone who still has names with them must be nuts, too many stories of this happening … transfer out immediately I suggest to all
Thank you for sharing these painful events. In front of our eyes, a great company is collapsing – incompetent registrars have no place in this ultra competitive world.
Thanks for sharing your story as it’s always nice to hear from others with what they are trying and if it’s working or not! I think you summed it up perfectly. You gave them how many chances to prove they “get better” and it’s just not happening. It’s actually getting worse!
I too will be completely leaving Moniker (have been for awhile but will speed it up) and I always liked the registrar up to when Monte left.
Holy Cow! That’s scary, got to move some of the domains ASAP.
Thanks for the warning!
These people are dangerous.
They knew about these hacking attempts yet they allowed a single IP address to log into ALL Moniker accounts!
Nat, I am just curious, why were you still at Moniker?
Looking back I don’t have a good answer as to why I stayed so long. I suppose it was out of habit and misplaced loyalty as the core team I knew from Moniker had left long ago.
I mean I have written maybe 10 posts about this Moniker mess and I even wrote one before the control panel warning people that it could all go to shit. Which it did.
I know some things about software engineering and the first thing I always have in my mind is “if it works don’t try and fix it”.
I believe that these people didn’t know a thing about how Moniker was working.
I have been complaining for years about Moniker as it began collapsing after Monte left. All strange things were happening. Even what people might consider as good things. At one point I was renewing domains for 1 year and was getting an extra year for free! I left immediately.