Although we rely on technology for many common aspects of our lives, I’d always rolled my eyes at the notion that we rely on it too much. Technology is a tool, like a hammer, or a measuring cup, that is a means to an end. The most reviled technology — social media — fits this pattern: it’s human beings looking to connect with other human beings, and finding that we’re all horrible at it. But technology itself isn’t a terrible thing, except when it does go horribly, horribly wrong.
While out grocery shopping this past Sunday, I received several emails letting me know that my brand new domains were set up and ready. Considering I hadn’t registered any new domains since this one you’re visiting now, this was quite a shock. When I logged into my registrar’s account, I found that there were literally dozens of new, nonsense domains attributed to me. Making matters worse, whoever had done this had purchased these names using the credit card I have on file with the registrar for auto-renewal.
It should go without saying that panic mode ensued. I chatted with a rep at the registrar who suggested I fill out a form for the fraud department. Since this was the weekend, I didn’t hear back from them that day. On Monday morning I attempted to log into my registrar account but was unable to do so; I had changed all of my security credentials the day before and was now afraid that however this unauthorized party had gained access to my account, they were still able to do it. A call to the fraud department assured me that their S.O.P. was to lock the account while they investigated accusations of fraud, so everything was being fixed on their end: the rogue domain names were being removed, and the charges to my credit card were being reversed. In addition to the registrations, wholesale name server changes had also been applied to my existing domains, pointing them away from their legitimate hosts and toward whatever illicit endpoint this organization intended to use these names for. All weekend and for some of Monday, this site was unavailable.
Although I am a fan of technology, this has brought a few things to light. The first is that yes, I am primarily to blame for this debacle. My registrar had been the victim of a data breach in the past, and while I suspect I did change my password in the wake of the revelation, my password was obviously not up to snuff. Believe me when I say that it most certainly is now. Although there might be a tendency to use “friendly” passwords in an age when we have so many passwords to remember, the result can be catastrophic if someone has the time, skill, or opportunity to use such decisions against us. The second revelation is that my registrar doesn’t take their security far enough. There are additional steps they could take, but do not, that would add another layer of protection to what is undoubtedly a critical resource in the Internet Era. Data breaches tend to focus on addresses and financial information, as if those who would exploit a breach are only interested in buying TVs and casing your home. Here, someone used my credentials to register domain names that they could use for any number of purposes. Since most of them looked like nonsense to me, I expect that these names would serve as a pool to be drawn on for phishing scams whenever someone needed one. In an era when international and state-level actors are constantly trying to direct attention towards their agendas, the idea that someone would want several dozen endpoints ready for content intended to confuse and interfere isn’t as tin-foil-hat crazy now as it would have been 10 years ago.
I have been looking through my password manager over the past few days, and the sense is that this was really just bound to happen. I have so many forgotten accounts out in the world that my database is as much a trip down memory lane as it is a horrifying reminder that I really need to double-up on doubling-up my thoughts on security. It’ll take some time to go through all of these accounts and sort out the ones that are obviously dead, the ones that are still active but otherwise unused, those which are active, and those which are critical. I have always managed my account credentials on the assumption that I was one overlooked person in a digital sea of far more attractive targets, but “security through anonymity” is foolish in an age when “smash and grab” scenarios seem to happen every other week.