Moniker customer explains some of the security holes that may have led to his domains being stolen, including some introduced by the transition from the old Moniker system to a new platform.
So it is sad to say goodbye to Moniker, and to witness the self-destruction of this company that played such a large role in the development of the domain industry.
So writes Nat Cohen, longtime domain name investor and owner of perhaps the best portfolio of three-character domains around. He was also one of Moniker’s first customers, a customer since before the registrar was even called Moniker.
What finally prompted Cohen to move his domain names was not Moniker’s initial botched transition from the legacy Moniker system to an entirely new platform. It’s the security holes that came with it. It’s the scary fact that some of Cohen’s names were stolen. Even though he got them back, that’s certainly enough to make anyone look for a new registrar.
I don’t mean to make this another “pile-on Moniker” story. I’ve written a lot of negative things about the company lately. That’s partly because of the frustration I’ve personally experienced as a Moniker customer. But it’s also important to cover this story from an awareness perspective. Moniker customers need to know what’s going on.
Cohen’s post provides details on a number of security holes at Moniker. These even include security flaws in the company’s paid security add-ons.
He had paid extra for Moniker’s Portfolio MaxLock service, but it was somehow dropped from his account when Moniker did its wholesale transition to the new Moniker platform. After discovering a security breach on his account, he paid to have the “updated” MaxLock service added to his account.
MaxLock requires a couple of unique questions to be answered whenever you make a change to one of your domains, even changing the TTL setting.
But Cohen found out that, clearly due to oversights at Moniker, MaxLock’s security isn’t invoked when you make certain critical changes in bulk or through other parts of the interface:
The next time I talked to customer service, I told the rep that I had heard that Moniker had recently added a feature that allowed a bulk export of auth-codes. The rep showed me where to find the link in the interface. I clicked the link and received a message that the list of auth-codes would be sent to the account email address. I went to the ‘Jobs’ section where one must go to answer the Portfolio MaxLock security questions. But there was no need. A few minutes later a report with the auth-code of every domain in my account showed up in my inbox.
So even if you have MaxLock, you can request transfer codes in bulk without answering the security questions. Of course, you still need to unlock the domains to transfer them. If you go to an individual domain to unlock it, you are asked the security questions.
However, I noticed on the account summary page that lists all the domains in the account, there is a little ‘lock’ symbol beside each domain. The symbol shows whether the domain is locked or unlocked. A nice feature is that you can click on the ‘lock’ symbol to change its status, from unlocked to locked, or from locked to unlocked. When you click on the lock symbol to unlock the domain, you don’t need to answer the Portfolio MaxLock security questions.
So I tested out whether I could move domains to another registrar without needing to answer the Portfolio MaxLock questions. I chose a few domains, clicked the ‘lock’ symbol for each one to unlock the domains, and then entered the auth-codes for the domains at the gaining registrar. The auth-codes were accepted; the gaining registrar emailed me to approve the transfer; a little while later Moniker emailed me a link to cancel the transfers if I wanted to keep the domains at Moniker; and a few days later the domains moved to the new registrar.
Cohen details a number of other security flaws as well.
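An added illustration, not Moniker’s code or anything from Cohen’s post: a toy Python model of an account portal in which the MaxLock challenge is enforced only on the per-domain edit page (the layout the quote above describes), next to a version that routes every unlock and auth-code export through a single policy gate. All class names, the sample domains and the auth codes are constructed for the example.

```python
# Added example (not Moniker's code): why a per-domain step-up check is
# bypassed when the same state change is reachable via other paths
# (summary-page lock toggle, bulk auth-code export), and the fix: one
# policy gate that every sensitive action must pass regardless of entry point.
from dataclasses import dataclass

SENSITIVE_ACTIONS = {"unlock", "export_auth_code", "change_dns"}

class StepUpRequired(Exception):
    """Raised when the MaxLock-style challenge has not been answered."""

@dataclass
class Account:
    locked: dict                 # domain -> registrar lock status
    auth_codes: dict             # domain -> auth code (constructed sample values)
    maxlock: bool = True         # customer paid for the step-up add-on
    challenge_passed: bool = False

def _gate(acct, action, domain):
    """Central policy: sensitive actions on a MaxLock account need a passed challenge."""
    if acct.maxlock and action in SENSITIVE_ACTIONS and not acct.challenge_passed:
        raise StepUpRequired(f"{action} on {domain}")

class LegacyPortal:
    """Vulnerable layout: the check lives only in the per-domain edit page."""
    def __init__(self, acct): self.acct = acct
    def edit_domain_unlock(self, domain):
        _gate(self.acct, "unlock", domain)
        self.acct.locked[domain] = False
    def summary_toggle_lock(self, domain):      # summary-page lock icon: no gate
        self.acct.locked[domain] = not self.acct.locked[domain]
    def bulk_export_auth_codes(self):           # bulk job: no gate
        return dict(self.acct.auth_codes)

class HardenedPortal(LegacyPortal):
    """Every entry point that unlocks or exports a code hits the same gate."""
    def summary_toggle_lock(self, domain):
        if self.acct.locked[domain]:             # locking is harmless; unlocking is not
            _gate(self.acct, "unlock", domain)
        self.acct.locked[domain] = not self.acct.locked[domain]
    def bulk_export_auth_codes(self):
        for d in self.acct.auth_codes:
            _gate(self.acct, "export_auth_code", d)
        return dict(self.acct.auth_codes)

def transfer_ready(portal, domain):
    """True if the portal let us unlock the domain and obtain its auth code."""
    try:
        if portal.acct.locked[domain]:
            portal.summary_toggle_lock(domain)
        code = portal.bulk_export_auth_codes()[domain]
    except StepUpRequired:
        return False
    return not portal.acct.locked[domain] and bool(code)

def make_account():
    return Account(locked={"example.com": True, "example.net": True},
                   auth_codes={"example.com": "SAMPLE-AUTH-1", "example.net": "SAMPLE-AUTH-2"})
```

The `transfer_ready` check doubles as a regression test for a registrar portal: it must return `False` on a MaxLock account until the challenge has actually been answered, whichever UI path is used.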
Some people have compared what’s happening at Moniker to what happened at RegisterFly. I don’t think this is a fair comparison. RegisterFly purposely scammed its customers. Moniker is actually trying to run a registrar and wants to be a profitable, stable business. The problem at Moniker isn’t that it’s purposefully trying to rip off its customers. It’s purely an issue of competence.
The company switched from an old system that needed updating to a reseller platform. But it didn’t take the time, make the effort, or spend the money necessary for this to work correctly. Unfortunately, Moniker’s clients are the victims of this shortcut and incompetence.