Security Bullet In
Communiques from the security front, sir
Thursday 26 June 2008, 7:35 PM
Caught in the GoDaddy red tape
I blogged on Tuesday that I'm listed on WHOIS as the administrator of a charming site called travel-getaways.com. The problem is that I have absolutely no links to travel-getaways.com at all, and the site is pulling content from a legitimate travel site, to populate travel-getaways.com with content.
Now, looking at the WHOIS entry for travel-getaways.com, it has my name, fake address, and a fake contact email address and number. The owner of the legitimate site -- a ZDNet.co.uk reader -- got in contact with me through the community email, to let me know that a site registered in my name was nicking content off his site.
The domain registrar is GoDaddy.com. I gave them a ring. Ok, I thought, I'll be straight with them -- I told them from the beginning that I am an IT security journalist. I didn't go through their PR, however, as I wanted to get a flavour of the GoDaddy complaints procedure.
So what's my complaint? Someone has used my details, subtly altered, to set up a fake GoDaddy account. While not exactly being identity theft, this is definitely somebody using my name, with my slightly altered work details, to register a dodgy site. Obviously I'm not happy about that.
There's also the small matter of the potential intellectual property infringement by travel-getaways.com against the owner of the legitimate site. I'm not happy about that, either.
I wanted to see how GoDaddy would react, given the nature of my concerns.
I contacted GoDaddy to speak to a person in the GoDaddy support department, who very politely directed me to the office of the president. I emailed my complaint to the office of the president, detailing the situation.
The email I got back contained the line:
"It is the domain registrant's responsibility to review and maintain their WHOIS data."
This made me laugh.
"Ok, fair enough, it's the domain registrant's responsibility to maintain their data, but I AM NOT THE DOMAIN REGISTRANT," I said to the computer, shaking my fists.
The email directed me to log a complaint with GoDaddy Domain services, which I duly did, outlining the situation. I gave them a link to the fraudulent WHOIS lookup, as well as contact details -- my (real) work email and telephone number.
Meanwhile I wrote another letter of complaint, also outlining the situation but in stronger terms, and asking GoDaddy to take my details off its register, and to turn over the payment details for the fake account to law enforcement in the States. I doubt very much whether law enforcement would have the time or resources to do anything, but it's worth asking.
I got an answer back from my original complaint:
DearTom Espiner,
Thank you for your email. Please provide evidence to prove your information is being used in the Whois for the domain travel-getaways.com. We can accept a copy of a utility bill showing your name and mailing address or an email from the email address listed. Once we have this documentation from you, we can move forward with your complaint.
Thank you,
GoDaddy.com, Inc.
Domain Services
I must admit, I'm not good with bureaucracy at the best of times, but this email made me both laugh and get angry. For a start, I'd already provided the link to the fake WHOIS entry. It was in the complaint that Domain Services was replying to.
The work address is fake in the fake entry, so providing proof of my real work address wouldn't help at all. Plus, who gets utility bills to their work address, unless they work from home?
The email address listed in the fake WHOIS entry is also, you guessed it, fake. So I couldn't respond from that email address, unless I fiddled around spoofing the sender details, which I doubt would have helped my case much.
Feeling like I was bashing my head against a brick wall, I rang up GoDaddy. In fairness to the company, the person I dealt with first very patiently escalated me to a polite man in the office of the president. GoDaddy is currently looking into the situation. They did keep me on hold for approximately an hour, but to be fair, they were trying to sort the situation out there and then.
So far as I can tell so far about GoDaddy's complaints procedure, it seems that the people on the other end of the phone are courteous, efficient, and professional, while GoDaddy's processes seem clunky, unhelpful, and bureaucratic to the point of being obtuse.
PreviousComments on this post
Had a similar situation with my utilities. An Npower salesman pretended to come and read our meter (I was at work). He tried to get my wife to sign that he had been but she refused so he forged my wifes signature (didn't even spell her name right) and switched our energy supply.
When I contacted Npower about it they refused to speak to me as the account is in my wife's name. I explained that I am the bill payer and that my wife had not opened an account. They said it doesn't matter the account is in her name.
I eventually got them to investigate and they sent round an investigator that checked everything over. Because it took so long to get them to sort it out I had already switched. We were then told that we would be switched back, wouldn't be charged for energy used with them and would receive some compensation. We then got bills from Npower. Whenever I called up about it I got the same issue - the account is not in my name. Funny how the account didn't need to be in my wife's name for them to take over my Powergen account which was in my name. Even after I advised the operator to check the notes on the account showing that it was a forged account by the sales agent they still insisted on speaking to the "account holder". I said so what if the agent had put it in my 18month old daughter's name - or made up a completely random name? They couldn't give an answer and just said that it wasn't the case in this instance.
From what I can make out from the article, the only thing that matches is your name. There may be plenty of people in the world with your name.
Sounds like go daddy does need to warn or prosecute or whatever they can legally do about copying the other site and maybe eventually clsoing them down, but they cant just change someonelse's details just on your say-so. That would be a "data-prtection" breach.
to the above: couldnt you have just contacted your existing providor and told them to block the request or even just asked them to transfer you back?
BTW I had the exact same situation
Hi mattp
Good point, they do need to go through security checks, yes. The problem is, the security checks they have rely on the original account information being correct - they seem to have no way of dealing with fake accounts.
As for my name - it's unusual. To my knowledge there is only one other 'Tom Espiner' in the world, and he's my distant cousin. I don't think it was him who set up the fake account.
Best,
Tom
Hi Tom
Unlucky about the name then, but the law and procedures still have to apply to all the "John Smiths" of the world as well.
All you do is inform them "as a concerned citizen" that the site has copied content and this is illegal. Maybe even have the person who's content is being copied take legal action against the fake person and Godaddy.
Go daddy then contact the fake person, and get them to remove the copied content.If the authorities contact you, you should be able to prove that you are not the person. Presumably some credit card details have been used to register the site and that is the more likely suspect.
They would go through a process of escalating the situation even in the result of non-response from the fake person, until eventually closing down the site. eg 30 days notice.
You have got to have due process otherwise every fraudster out there will be trying to change legit details to fake ones.
"As for my name - it's unusual. To my knowledge there is only one other 'Tom Espiner' in the world"
Tom I doubt that very much, a quick google search yielded 215,000 results and although many are about you, I also found a profile on IMDB for an actor by the same name, unless this is your distant cousin, I just discovered a 3rd Tom Espiner!
Hi Harpless,
That is the Tom Espiner who is my distant cousin -- he's an actor and a playwright. Good guitar player too. Trust me, it's an unusual name.
However, this is kind of getting away from the central point about the difficulty of correcting erroneous information about somebody's identity on GoDaddy, as opposed to creating an account with fake details.
Tom
Hi Harpless,
That is the Tom Espiner who is my distant cousin -- he's an actor and a playwright. Good guitar player too. Trust me, it's an unusual name.
However, this is kind of getting away from the central point about the difficulty of correcting erroneous information about somebody's identity on GoDaddy, as opposed to creating an account with fake details.
Tom
