Your Security is VERY Important to Us
With the recent news about an external account intrusion on another registrar that was facilitated through a social engineering attempt, we at Namecheap want to educate our customers about our security policies.
First and foremost, we encourage all of our customers to use two-factor authentication on their accounts. This means that if you want access to your account, you will get it only by using a password and by using a code that is sent to your phone. You will not gain access to your account through a password only; the numeric code that goes to your phone is an added layer of security. (Currently, we only accept SMS authentication but Google Authenticator, Authy, and TOTP authentication are planned).
If you are at all familiar with social engineering tactics, you know how this works: the attacker speaks to a single support representative and tricks them into believing the attacker is the legitimate holder of the account they are trying to seize. At Namecheap, security is of the utmost importance to us, which is why all of our security and support staff are well trained and well versed in these tactics, so that they can recognize and stop such attempts. We also have a number of strict controls, policies, and checklists that they must abide by.
We have gained our reputation of being an extremely secure registrar and web hosting company and will continue to meet our customers’ expectations of ensuring that your account is never inadvertently or maliciously transferred to someone else at any time.
We know we’ve earned it, but we’ll say it again: we appreciate your trust in our business.
Thank you for your quick response to this issue. Please add Google Authenticator, Authy, and TOTP authentication support as soon as possible.
Do you have the option of not storing credit card details on the account? I don’t store my credit card details on accounts, but the provider that was hit by this attack has started storing all credit card details automatically, and you can’t prevent it or remove it without closing the account or cancelling the domain names that were purchased with that card.
Hi Dean, absolutely! You can choose not to save the credit card information to your account.
Is there any way to change the settings so that any MAJOR account-level change requests require verification? Having to enter a code every time I log in (according to the 2FA page) seems a bit much.
Dustin, not at this time. However, I will take down your feedback so that we can enhance the process – perhaps we can remember the computer like Google does with their 2FA or similar. Thanks!
Thank you Tamar! That would be great!
Could you make a FAQ or something on what exact information is needed to gain access to an account? Could I (or someone pretending to be me) call up and say they lost access to their cell phone and so need to login with just a username and password? Can such an option be disabled? Basically can the responsibility be placed fully on me to have something to verify I am me. Good example is github’s implementation of 2FA. They say in big bold letters that if you lose access to second factor and the recovery codes then it is not possible to ever login to your account again. Elsewhere I’ve set it up and they made me type one of the codes in to verify I really did copy them down.
Todd,
In full transparency, we debated providing more information in this post. However, if we shared that information, it would negate the very protections we are trying to keep secure. Therefore, we are not providing more details as we do not want to empower individuals to intrude upon the very protections we work hard 24/7/365 to protect.
I hope that makes sense.
Customer service reps are just not paid enough to give a fudgebucket about some annoying customer’s account. All it takes is a social engineer calling Namecheap support to get the account reset criteria then they slap the info on Pastebin and voila.
Just disclose it.
Pete, again, if we disclose that, we’ve just given someone pretty good ammunition to wreak potential havoc on another user’s account. We have rigorous checks and balances in place, but if we tell you what they are, the hackers have won.
If you are our customer, would you want us to tell everyone what information we need from a customer to provide access to his/her account? I wouldn’t think so.
They can’t call support, btw. We don’t have phone support. 🙂
I always use a unique email address for each site. Sorry to say that I got several spam messages on the email address I used on namecheap.com (and only there).
So, someone stole your database or you sold our addresses.
Please, explain.
Thank you,
Yago
Hi Yago, I’ve had this investigated by our risk management team. We think we know what happened in your case and it’s not a breach but rather how the system is designed, but we’d need you to create a ticket for our legal and abuse team with full headers so that we can investigate. Please do so at your earliest convenience. Thank you.
I’m your customer, and I would like to use 2FA.
But I have a problem because my phone can’t receive SMS or such thing.
Why don’t you do it like this:
1. User logs in using normal USERID and PASSWORD
2. Your system sends an email containing a random number
3. User inputs that number into a form
4. User is now able to log in
Hi Terr, we will be supporting additional methods of authentication for 2FA in the future. Thanks for the feedback!
OK, thank you Tamar. I’ll do that right now.
Would be nice to know how “the system is designed”.
Does the system allow third party access to our email addresses?
Hi Yago, again, please submit a ticket.
In our case, we think you had not applied domain privacy in time. I get the same messages on domains I also recently registered if I don’t apply domain privacy on the domains. Those guys are smart, but yes, I agree — those emails are unwelcome and unsolicited.
Done. Ticket ID: FIY-384-71684
The address leaked comes from the “E-mail Forwarding Setup”, not from the WHOIS email.
Hi Yago, no problem, I will escalate the ticket.
We’re not going to be able to shed light into the design of our system, since that’s a way to get the wrong folks in.
However, we will be happy to investigate and let you know what you can do to secure your account.
Now I got “Invalid ticket ID or you do not have permission to access this ticket”
Yago, the ticket is there and I have escalated it for you. Please hang tight; you’ll get a response via email.
Hi Yago, we reviewed and responded to the ticket which should address the concerns you have. I assume you wanted to reverse the setup of your email, but the publicly available address is forwarding to the Namecheap one that leads you to believe that it’s coming from us. It’s not 🙂 Hope that clarifies!
Thank you Tamar, yes it is clear now.
Sorry for the inconvenience 😉
How can my webpage at another site log on to Namecheap and remap my domain to my webpage at another site?
All they get from me is password and user name, plus my phone number.
It can’t work — they can’t get in.
Ernest, I’m afraid I do not know exactly what you are trying to ask, but this is a support question versus a security question. Please contact us directly and we’ll be happy to help.
What’s the current status of the planned support for Google Authenticator, Authy, and TOTP?
Still planned, Louis, but we’re unable to provide an ETA. Thanks!