Friday Archive Dive: Don’t use your domain-based e-mail to register with Web sites
Once again, I’m trying something new with the Friday Archive Dive. Even if you’re not a member of the site, you can read the entire post, which originally ran here last February. If you’ve ever been curious about the kind of information, tutorials and advice that you’ll get as part of your subscription to Webcomics.com, this is a good sample.
When Phillip Hofer, the man who created Comic Easel and co-created ComicsPress, gives me a technology tip, I take it to heart. And this one kinda took me back.
“Do not use personal domains to register for Web sites,” he warned me, “use GMail [or an equivalent].”
He pointed me to this story on The Verge.
To paraphrase, Naoki Hiroshima reportedly lost his “valuable” Twitter account because someone allegedly broke into his e-mail by taking over his domain. According to the story on The Verge:
While the attacker didn’t gain access to Hiroshima’s PayPal account directly, they did manage to pose as a PayPal employee and convince the payments firm to release the last four digits of Hiroshima’s credit card over the phone. Those numbers are usually fairly useless on their own, but the attacker then used them as verification on the phone to GoDaddy. Hiroshima uses GoDaddy to host his own domain and email accounts, so the attacker assumed control over the domain and was able to access Hiroshima’s email address. “It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification,” says Hiroshima.
It’s important to note that PayPal denies such a breach occurred.
Nonetheless, it’s a security loophole that I hadn’t considered. After all, GMail offers three levels of security on their e-mail accounts. Beyond your password itself, you can register a cell-phone number and register security questions.
And if that doesn’t work, Google concocts a series of questions (based, I assume, on public records) about your life that help verify that you own the account.
The questions we ask to verify your identity are intentionally difficult. Answer as many questions as possible, and make sure your answers are accurate. If you’re unsure about an answer, provide your best guess. It also helps to submit your answers from a computer you’ve used in the past.
I’ve been through this one. It dug an address from an apartment I lived at twenty years ago and put it into a multiple-choice question (“Have you lived at one of these addresses?”). Most of the cities were cities in which I had lived at one point in time, but only one had an accurate address.
I will be interested to find out whether GoDaddy will use similar methods to put the domain back into the rightful hands of the proper owner.
In the meantime, I’m going to make sure all of the sites that I register with have non-domain e-mail addresses attached to them.
Editor’s Note: This post does not mean you cannot use your domain-based e-mail to register on Webcomics.com — especially for Returning Members. Rather, it’s a general, all-purpose piece of advice about Web safety.