I appear to have been hacked, but to what purpose, I have no idea . . .

britechguy

Last night I decided I'd hop on to my Namecheap account to take a look at what's there for email records, even though I do not have any email routed through my domain. I had logged in probably 2 weeks ago.

Imagine my surprise when, after entering my userid and password, I was being prompted for an OTP. I've put MFA on quite a few of my accounts, but not this one, at least not yet. That's when the cycle of identity verification and ownership began.

I've submitted my payments via my credit card directly as well as via PayPal - not good enough/"doesn't match what we have." I've now been forced to submit my driver's license through a service called veriff.

My website's still up and there's definitely no ultra-sensitive information in that account that's not a matter of public record. The fact that my existing username and password still work, but I'm being hounded for an OTP is even stranger. I've only ever used Google Authenticator and 2FAS, with the latter being my current "go to" and neither has anything for Namecheap. Someone, somewhere obviously does.

Since I renewed for 5 years in 2022, we'll see how this all plays out. I've even checked my email archive as I keep notifications regarding MFA being enabled, and I've got nothing.

Strange.

The fact that I have 2 separate ID theft monitoring services from my involvement in the Anthem and Equifax breaches some years back gives me a bit of comfort as far as anyone attempting ID theft. Nothing's shown up as notifications from either regarding suspicious activity.
 
Haven't logged into Namecheap in ages. This is what I saw when I did. The number they had is a valid cell number. For grins did you try an incognito page? How about firing up your old machine and trying from there?

Screen Shot 2023-08-06 at 12.06.30 PM.png

Screen Shot 2023-08-06 at 12.06.48 PM.png
 
@Markverhyden

What you show is what those using SMS verification get, but that's not what I'm getting. For me, this is what shows:

1691339400472.png

Initially, I thought, "Oh, there must be a code coming in email." When it didn't show up was when I initially made contact with Namecheap support. They've certainly been responsive as far as turnaround time at each stage, but it's gotten beyond ridiculous what they're demanding as far as proof that I'm the person who paid and a government issued ID.

The payment records I sent are clearly to Namecheap and correspond to the dates shown in whois for expiration of my domain name based upon when I renewed. And that payment was only last August, not 100 years ago.

I may try the old computer just for the fun of it, but at this point I'm likely locked out nine ways to Sunday!
 
What did Backup Code do? More of the same? Does your domain have a separate control panel login?
 
Well, you can't use backup codes if you don't have backup codes. I never set MFA up, so I never generated or copied backup codes.

I was just readmitted to my account a few minutes ago and now, when actually setting up MFA, a new "interesting wrinkle" has occurred. The QR code from Namecheap has generated an entry when scanned for an entity named "Heap." I'm in live chat with them right now about that!
 
Well, we've verified that I can use the "Heap" branded OTP to get in, but they can't explain why Namecheap branding is not what's getting generated. I can change this by hand, and have, but it's still very, very weird.
 
And after all that, the folks at Namecheap have said that I need to contact the folks at 2FAS, which I just tried to do.

In this case, that strikes me as a reasonable request, as I suspect that, somehow, 2FAS is not recognizing Namecheap as Namecheap at the moment. They definitely have the correct logo in their logo collection, but if the entity identified when the QR code is scanned is not correct, then you can't map it to the correct name/logo.
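An added example, not part of the original thread and not Namecheap or 2FAS code: a setup QR code decodes to an `otpauth://` Key URI, and the name an authenticator shows comes from that URI's `issuer` parameter and label prefix. The sketch below parses a constructed URI that reproduces the "Heap" symptom and reports any issuer that differs from the expected one; the sample URI, secret and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of what a setup QR code might decode to (not from any real service).
SAMPLE_URI = "otpauth://totp/Heap:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Heap"


def parse_otpauth(uri):
    """Split an otpauth:// Key URI into the fields an authenticator app reads."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    # The label is "Issuer:account" or just "account".
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:
        prefix, account = None, label
    params = parse_qs(parts.query)
    return {
        "type": parts.netloc,
        "label_issuer": prefix,
        "account": account.strip(),
        "issuer_param": params.get("issuer", [None])[0],
        "has_secret": "secret" in params,  # never echo the secret itself
    }


def issuer_findings(uri, expected_issuer):
    """Return human-readable findings about the issuer names carried in the URI."""
    fields = parse_otpauth(uri)
    findings = []
    names = {n for n in (fields["issuer_param"], fields["label_issuer"]) if n}
    if not names:
        findings.append("no issuer in URI; the app can only show the account name")
    if len(names) > 1:
        findings.append("issuer parameter and label prefix disagree: %s" % sorted(names))
    for name in sorted(names):
        if name.casefold() != expected_issuer.casefold():
            findings.append("issuer %r is not the expected %r" % (name, expected_issuer))
    return findings


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI))
    for line in issuer_findings(SAMPLE_URI, "Namecheap"):
        print("finding:", line)
```

Decoding the QR image to its URI first (with any QR reader) shows whether an odd name originates in the code the service generated or in how the authenticator app maps it.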
 
I'm also infuriated (even though I had my access restored, after producing my driver's license) at the insanity of the proof of payment requirements used at Namecheap. And I doubt they're alone. I'll just post something I sent in the exchanges I've had with customer support, based on their telling me that it was the expiration date of my card on file not matching the current expiration date that was the dealbreaker. The prior expiration date on file was 10/22, which is the typical 5-year cycle for this card:
------
You wrote, in part: "There is indeed a saved credit card with XXXX last 4 digits, but unfortunately, the 10/27 expiration date does not match our records."

Do you really think that every user is going to remember to go in to every account on which they've been using a given credit card, often for years, and remember to change expiration dates prior to the time when they next try to run a charge against that card from that account? They don't. Not only that, but for any given credit provider, you can "work backwards" to figure out if someone's giving you the current expiration date, what the last one had to have been.

These verification systems have to work based upon what real people do, and have access to at the time they are necessary.

In addition, I sent images of my PayPal statement, my Discover Card statement, as well as the online records of those same transactions, with all data that can be seen for all of those, and I double checked after the first set of screenshots were rejected.

Again, there is a limit to what anyone can produce at the drop of a hat, and if what's coming from the very entities that processed the payments is not enough, that indicates that Namecheap really needs to both review and change its policies about what is "sufficient proof of payment" for verification.

You are, without doubt, creating unnecessary barriers to reestablishing legitimate access.
------
 
To be honest I'm not surprised about the level of customer disservice you're experiencing. It's pretty much everywhere. Even in person. I do know that I'll get notifications about my expired credit card but only when the sub is close to renewal. Don't mean to pry, but how long before the exp date did you renew? I'd bet it was long before 10/22. I'm with you on the monitoring. I don't bother keeping track of my CCs on all the sites. They want my money. So if the charge fails one can be sure I'll hear about it.
 
I did my 5-year re-up in August 2022. But this is not the first place where I've had an expired credit card on file where, if I could provide the actual CC number, and clear proof of transactions with the entity using that card, that was more than enough, regardless of the expiration date.

They were provided this:
1691365764259.png

and this (though not quite so redacted) . . .

1691365890198.png

Because I used funds that were sitting in my PayPal account, plus my credit card, as a split payment. Who in their right mind would consider this "not enough to match our records" because the credit card on file had an expiration date AFTER the transaction date, and the same card number? For the love of heaven, people, use your heads!

They've never addressed, at all, why I was having an OTP code demanded when I never, and I know I never, had MFA on that account prior to adding it today, after I had been granted access again.

I value reasonable attempts at security, but NOT unreasonable ones. Theirs are utterly unreasonable. The preponderance of evidence, sans my ever having provided a driver's license, was overwhelming proof of my ownership. How in the heck could I even produce the statements if I was not who I said I was? The probability of some random hacker having simultaneous access to all these accounts, unless someone used 1234 as their sole password, which has pretty much been forbidden for years now, is just astronomically small!

It's not "customer protection" when it's not really protecting the customer. And this absolutely is not, and I followed up with them in no uncertain terms about that.
 