So this isn’t a new story, and it isn’t even unique, but it is a fairly high profile issue today given the importance of your domain. The summary of the story is that GoDaddy support was able to be social engineered into providing access to a company’s account without any password or extra verification.

Now I own a few domains in addition to this one, so I get how they are setup in terms of contacts, so why a secondary contact could not have been specified and contacted to check, I don’t know. But more importantly, why haven’t the registrars started providing an upsell of some sort of 2FA to protect the accounts? Something simple, like an extra $20-30/year for a token or two that could be provided to the company (or purchased separately and registered).

If this was in place (preferably with 2 tokens), the conversation could be different, like needing to provide the OTP from one of the tokens, and without that, no access. Cut and dried, no token, no access, no social engineering.

GreenRADIUS provides a web API that could be quickly added to any website, both external (for the customers) and internal (for support to be able to verify users manually). We shouldn’t have to be worried about social engineering attacks on critical infrastructure, 2FA should be the standard, whatever form it takes.