Domain Manage

123reg WARNING

Discussion in 'Domain Name Registrars' started by RobM, Mar 26, 2012.

Thread Status:
Not open for further replies.
  1. RobM

    RobM Well-Known Member Exclusive Member

    Joined:
    Mar 2012
    Posts:
    1,089
    Likes Received:
    36
    Ok judging by some posts here and what I've just seen 123reg have screwed up royally.
    I logged into a friends account because he was complaining he couldn't change nameservers. He has 235 domains in his account. They are ALL showing as renewed (in his 123reg account) until at least 2013.

    However doing a dac check it turns out that out of those 235 domains 187 are available at this moment! Out of the remaining domains 40 have been picked up by other domainers in the last 4 months and only 8 remain in his name.

    So please check your 123 accounts and then check the whois SOMEWHERE ELSE. They may be showing as yours and paid up at 123 but it seems possible that it's simply not the case.

    I don't know what his recourse will be - I have told him to contact 123 and sent him the relevant information but I'm sure he will have lost the 40 that have now been picked up by other people.

    This is a pretty major screwup.
     
  2. Domain Forum

    Acorn Domains Elite Member

    Joined:
    1999
    Messages:
    Many
    Likes Received:
    Lots
     
  3. Edwin

    Edwin Well-Known Member Exclusive Member

    Joined:
    Apr 2005
    Posts:
    8,460
    Likes Received:
    261
    You're right, that's very bad. Even worse if they happily billed him for services they didn't provide (if not, then the lack of CC charges might be a tiny clue though of course a very insufficient one!)
     
  4. Lovekraft United Kingdom

    Lovekraft Well-Known Member Full Member

    Joined:
    Mar 2010
    Posts:
    1,066
    Likes Received:
    13
    Same has happened to me and others i know recently. There should be a simple functionality check so that when they automatically bill you for domains that they check it is actually on their TAG and in the persons account that they are billing. Seems quite deliberate to me and as far as i know they have been doing this for years now.

    A few people i've sold domains to have had their domains kindly renewed for them at my expense because of this, I've now removed any stored payment details from my account to avoid this.
     
  5. RobM

    RobM Well-Known Member Exclusive Member

    Joined:
    Mar 2012
    Posts:
    1,089
    Likes Received:
    36
    Interestingly one of the domains that is in his account is also showing a 123REG tag but to another owner. It seems that the 123 internal database is not directly linked to nominet. I suspect they sent the renew command but, for some reason it didn't go through, and they then updated their own system to show a renewal.
    I know he has lost income now - not sure why he took so long to notice but he is 70 years old and I guess the financial loss wasn't enough to register at first.
     
  6. Alien

    Alien Well-Known Member

    Joined:
    May 2006
    Posts:
    5,921
    Likes Received:
    57
    That's bad news indeed. :(

    Out of interest, did your friend not receive the renewal e-mails directly from Nominet to alert him of possible probs?
     
  7. RobM

    RobM Well-Known Member Exclusive Member

    Joined:
    Mar 2012
    Posts:
    1,089
    Likes Received:
    36
    A good question Alien. I don't know yet - he's just got back from being abroad for a few months. I will get more info later and keep everyone updated. The way I see it there should have been some kind of warning from nominet and/or sedo a few months ago. As far as I know he was billed for the renewals so probably just assumed (as we all would) that everything was ok.
     
    • Like Like x 1
  8. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    Request for information

    Hi there, I work with 123-reg, this does not sound normal, and we have no issues currently, can you let me know the account username and a list of those domains and I can investigate?

    For security, you can email me directly richard.winslow@123-reg.co.uk

    Thanks, Richard.
     
    • Like Like x 1
  9. RobM

    RobM Well-Known Member Exclusive Member

    Joined:
    Mar 2012
    Posts:
    1,089
    Likes Received:
    36
    Thanks Richard I will pass the information on as this is obviously not my account. I'm sure having a direct email contact will help him greatly.
     
  10. Lovekraft United Kingdom

    Lovekraft Well-Known Member Full Member

    Joined:
    Mar 2010
    Posts:
    1,066
    Likes Received:
    13
    If you don't mind i will be in touch too as i am due a refund for the exact same reason.
     
  11. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    No problem at all, include your username and list of domains and will help with that.

    Richard.
     
  12. RobM

    RobM Well-Known Member Exclusive Member

    Joined:
    Mar 2012
    Posts:
    1,089
    Likes Received:
    36
    Ok Richard he's given me permission to deal with it on his behalf. I've taken screenshots of his account in it's current state and will email you all the relevant information.

    Edited to add: Email sent with all information including DAC output for the domain list.
     
    Last edited: Mar 26, 2012
  13. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    Just had an email, worked on this one and think was yourself, so all should be sorted there.

    Richard.
     
  14. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    Have your email, quite a bit list so will process that today / tomorrow and get back to you. Thanks, Richard.
     
  15. Lovekraft United Kingdom

    Lovekraft Well-Known Member Full Member

    Joined:
    Mar 2010
    Posts:
    1,066
    Likes Received:
    13
    Yes you did, thanks for the swift reply. Hopefully the systems can be improved to avoid this in future though.
     
  16. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    That is the plan, we have a lot of stuff going on right now that I am involved in to clean up what is in place. As the UK's largest domain company and having a system that has grown and developed over the past 10 years, the result is that we have a lot of improvements we can make ;-)

    Let me know in general any ideas you have to improve things as we go along, it will be a slow process, but in the end I hope we have the best systems in place.
     
  17. mattyr45 India

    mattyr45 Active Member

    Joined:
    Feb 2012
    Posts:
    577
    Likes Received:
    2
  18. David

    David Active Member

    Joined:
    Feb 2006
    Posts:
    103
    Likes Received:
    2
    Richard,

    One thing I've noticed for years is that when you login to 123 the password you enter doesn't have to be exactly correct.

    For example - if your password is "domain" then entering "domain123" is sufficient.
     
  19. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    This will be changing in the next few weeks, so certainly in the plan, something yourself and others have had concerns about for years. I hope to be testing this in QA in the next couple of weeks, ready for live by end of the month (April).

    The http auth is limited to 8 characters, so as long as the first 8 are correct, anything else was ignored.

    Richard.
     
  20. Edwin

    Edwin Well-Known Member Exclusive Member

    Joined:
    Apr 2005
    Posts:
    8,460
    Likes Received:
    261
    Wow! There's an insane amount of cognitive dissonance between those 2 statements. So you're the largest domain company in the UK, but you're running a knowingly weak password system, an issue you've been aware of for years?
     
    • Like Like x 1
  21. rwinslow

    rwinslow Member

    Joined:
    Jan 2010
    Posts:
    35
    Likes Received:
    1
    You could put the negative spin on it, but an 8 character password can be just as secure as any other password, up to the user and what they include in the password. We know that with http-auth methods a longer password is ignored after 8 characters.

    When we knew this we adjusted the order process to only allow an exactly 8 character password, thus ensuring that no one creating a password would encounter the same problem as someone who thought they had created a longer password, if that makes sense.

    We are the largest, so my goal is to bring things up to spec on a design and usability basis. I do not see this as a security risk, but usability, and I hope that the changes we have coming soon will improve that usability, giving customers the choice of password based on more flexibility.

    Richard.
     
Thread Status:
Not open for further replies.

Share This Page