Peter was just doing some simple administrative tasks at NamesDirect.com when a glitch brought him to a suspicious looking page full of computer code. A quick glance revealed that the firm’s user name and password were exposed on the page — and these were not just any set of login credentials. It was the keys to the firm’s entire kingdom of customers, providing detailed access to 180,000 domain name purchases during the past two years, including every credit card transaction. Worse yet: When Peter tried to give the keys back, when he tried to warn the company that all this data was exposed, no one would listen.
ALL THAT STOOD between a hacker and all of NamesDirect.com’s 180,000 customer transactions was a username and password. Armed with the login information, someone could visit the Web site for NamesDirect’s credit card processing firm, Authorize.net, and download all of NamesDirect’s transaction data.
The data reveal credit card numbers, expiration dates, home addresses, and of course, who was registering which domain names. It appeared to include every domain registered at the NamesDirect.com site from March 2000 through January 2002.
Just as critical, the login information also provided access to the NamesDirect virtual merchant terminal, which might have allowed a criminal to issue charges and credits. Control of a merchant’s terminal account is a critical component in a currently popular Internet crime called “credit-back schemes,” discussed recently on MSNBC.com..
Peter, who preferred not to give his full name, is himself a Web site administrator and customer of NamesDirect. He quickly realized that the login data was being broadcast to the Internet on a set of 13 Web pages. But it might not have been necessary for a hacker to stumble onto one of these pages to take advantage of the security hole, because the login information was hardly difficult to guess.
The user name: simply “Namesdirect.” And the password was “vanessa21.”
The difficulty Peter faced in simply convincing NamesDirect.com to stop broadcasting its user name and password is not atypical of electronic commerce Web sites, and of Internet registrars in particular. Few sites offer simple “security emergency” Internet addresses which are monitored by the company. And in the case of Internet registrars, many go to great pains to hide from customers who are seeking support. It’s nearly impossible to find a phone number for NamesDirect.com, for example.
Part of the reason: NamesDirect.com Inc. was recently sold by NameZero.com Inc. to Doster Inc. The transfer of ownership hasn’t yet been publicly announced, according to Project Manager Gordy Seeley, and that’s one reason for the confusion.
But it doesn’t explain why Peter’s Nov. 25 e-mail to support@NamesDirect.com went unanswered, leaving tens of thousands of credit card numbers ripe for the taking.
A day later, Peter contacted Authorize.net to advise the company of the problem. While that company did reply, he said he didn’t get a satisfactory response.
“In fact, they told me exactly how to download the credit card numbers,” Peter said.
An e-mail Peter says came from Authorize.net seems to do just that:
“If you can provide me the merchant’s name or e-mail I can contact them regarding this security error with their site. Also, credit card numbers are only viewable in our system by downloading batches in our merchant’s secure merchant interface ...” the note said.
Three weeks later, still trying to get someone to fix the problem, Peter decided to share the story with CardCops.com, a merchant advocate. CardCops’ Dan Clements told MSNBC.com that NamesDirect.com was broadcasting its password and that anyone armed with it was still able to download all that data from Authorize.net’s Web site.
WHO’S TO BLAME?
After MSNBC.com contacted NamesDirect, the offending Web sites were removed, and the Authorize.net passwords were changed.
But immediately, all the parties involved passed the blame around.
NamesDirect.com’s current owner, Dotster, says the problem predates its acquisition of the site and pushes blame back to NameZero.
“They are NameZero’s transactions in there. They are NameZero customers who registered domains through NamesDirect prior to the acquisition,” Seeley said.
Erik Iversen at NameZero was surprised to find out that Authorize.net was still allowing access to the data at its Web site. In fact, his firm stopped using Authorize.net’s transaction services nearly a year ago.
But Roy Banks, general manager and vice president of Authorize.net, said companies need access to account information up to a year after leaving the service for tax and other accounting purposes. He blamed NamesDirect programmers for writing Web site code which exposed their password.
“Authorize.net cannot police the management of login IDs by a merchant,” he said. But the company does “valiantly struggle to make sure merchants are aware of what best practices are.”
ICANN: NOT FOR CONSUMER PROTECTION
The security hole — and the lack of customer response from NamesDirect.com — is particularly troublesome because it involves an Internet domain registrar. There are about 150 such registrars, each one formally accredited by the Internet’s governing body, the Internet Corporation for Assigned Names and Numbers (ICANN). The registrars are entrusted with critical functions that keep the Internet functioning properly.
Dan Halloran, chief registrar liaison for ICANN, said the agency regularly receives complaints about individual registrars at its Web site. On occasion, he will contact registrars if he hears of significant problems, such as a major security flaw. In this case, Peter did not attempt to contact ICANN. But generally, those who complain to ICANN are often disappointed.
“We don’t set customer service policies and there’s nothing in the agreement that says you must take care of customers, answer the phone within 3 rings or anything like that,” Halloran said. ”(Registrars) are free to compete on customer service and on price. It’s pretty much laissez-faire. ... Some people want us to be a consumer protection agency, but we’re not. We’re a technical coordination body.”
That means ICANN won’t step in if an individual registrar won’t respond to e-mails or answer the phone.
Peter, meanwhile, said he just wanted to be sure access to his personal credit card information wasn’t leaked to a criminal by NamesDirect.
“I have 39 domains there on two different credit cards, and this put me at risk,” he said.
There is no evidence that a criminal found the security hole and exploited it. Clements, who operates a database of known stolen credit card numbers said none of the NamesDirect card numbers he viewed were in his stolen card database.