Classic WTF: Security By Letterhead
It's a holiday in the US, so we're turning back the clock a bit.
How do you make sure nobody issues an unauthorized request for a domain transfer? This registrar has serious security to prevent just that kind of event. You know this must be a classic, because it involves fax machines. Original -- Remy
Security through obscurity is something we've all probably complained about. We've covered security by insanity and security by oblivity. And today, joining their ranks, we have security by letterhead.
John O'Rourke wrote in to tell us that as a part of his job, he often has to help clients transfer domain names. He's had to jump through all kinds of crazy hoops to transfer domain names in the past, including just about everything except literally jumping through hoops. After faxing in a transfer request and receiving a rejection fax an hour later, he knew he was in for a fight.
John called the number on the rejection letter to sort things out.
John: Yes, I'm calling to find out why request number 48931258 to transfer somedomain.com was rejected.
ISP: Oh, it was rejected because the request wasn't submitted on company letterhead.
John: Oh... sure... but... uh, just so we're on the same page, can you define exactly what you mean by 'company letterhead?'
ISP: Well, you know, it has the company's logo, maybe a phone number and web site address... that sort of thing. I mean, your fax looks like it could've been typed by anyone!
John: So you know what my company letterhead looks like?
ISP: Ye... no. Not specifically. But, like, we'd know it if we saw it.
John: And what if we don't have letterhead? What if we're a startup? What if we're redesigning our logo?
ISP: Well, you'd have to speak to customer-
John (clicking and typing): I could probably just pick out a semi-professional-looking MS Word template and paste my request in that and resubmit it, right?
ISP: Look, our policy-
John: Oh, it's ok, I just sent the request back in on letterhead.
The transfer was approved. John smiled, having successfully circumvented the ISP's security armed with sophisticated hacking tools like MS Word templates and a crappy LaserJet printer.