Melbourne IT gaffe threatens domain security

By Patrick Gray
11 March 2003 03:20 PM
Melbourne IT has been caught out faxing domain name registry keys and passwords to its client base without customers' knowledge or permission, in a potentially serious breach of domain name security.

The fax arrives as a normal domain name renewal reminder, indicating that the customer's domain is about to expire, and urges them to renew it. But aside from listing the domain name in question, the fax also lists the domain name password and the Melbourne IT registry key. These are the two pieces of information required to change the domain's delegation to a different set of name servers. Anyone with access to the customer's fax machine would consequently be able to hijack the corporate domain.

Bruce Tonkin, the chief technology officer of Melbourne IT, says that management were told about the faxes last week, and they immediately stopped sending them.

"We were aware of it late last week, everyone has been told to cease," he said.

Tonkin says that groups within Melbourne IT had started sending the fax to reduce the load on the technical support team because many people would request their keys and passwords after a renewal notice was sent.

"A lot of people have been requesting their keys... the people involved thought this would make it easier," he said.

The CEO of the .au domain regulator auDA, Chris Disspain, said that the move was "not standard practice" and consequently would be "something that the auDA will look into".

The chief operations officer of one of Melbourne IT's competitors, domain name registrar Enetica, Bennet Oprysa, says he is not aware of any other companies engaging in the questionable marketing tactic. "A lot of people do send the renewal notices, but not with the passwords in them," he told ZDNet Australia.

Oprysa says that Enetica will not send out passwords without first authenticating the customer.

"We certainly don't do it without being asked," he said.

Larry Bloch, CEO of NetRegistry, says that Melbourne IT have risked damaging their reputation.

"I think obviously it's not the cleverest way to go about things," he said.

"Particularly with all the history in the domain industry with scammers sending out scam renewal notices; they risk putting themselves in the same basket," he added.

Bloch says that although small companies might not encounter problems with the wrong person accessing the notice, large companies might find it problematic.

"For larger organisations the issue is compounded because it's that much harder to secure a fax... the fax number wasn't provided [to Melbourne IT] for the transmission of secure information," he said.

Melbourne-based security consultant Nathan Macrides agrees. He says that faxing passwords to a corporate fax line could lead to trouble.

"Anyone can come along and pick it up," he said.

Macrides told ZDNet Australia that if passwords are to be sent at all the sender must ensure they are received by the intended recipient only.

"It should be sent by registered mail or something, not through a fax," he said.


Talkback (1 comment)

Ashu -- 13/03/03:

    Hi,
    this post refers to your use of a quotation regarding Melbourne-based security consultant Nathan Macrides agrees. He says that faxing passwords to a corporate fax line could lead to trouble.

    "Anyone can come along and pick it up," he said.

    No ****!
