123reg WARNING

[RobM]

Ok judging by some posts here and what I've just seen 123reg have screwed up royally.
I logged into a friends account because he was complaining he couldn't change nameservers. He has 235 domains in his account. They are ALL showing as renewed (in his 123reg account) until at least 2013.

However doing a dac check it turns out that out of those 235 domains 187 are available at this moment! Out of the remaining domains 40 have been picked up by other domainers in the last 4 months and only 8 remain in his name.

So please check your 123 accounts and then check the whois SOMEWHERE ELSE. They may be showing as yours and paid up at 123 but it seems possible that it's simply not the case.

I don't know what his recourse will be - I have told him to contact 123 and sent him the relevant information but I'm sure he will have lost the 40 that have now been picked up by other people.

This is a pretty major screwup.

 

[Edwin]

You're right, that's very bad. Even worse if they happily billed him for services they didn't provide (if not, then the lack of CC charges might be a tiny clue though of course a very insufficient one!)

 

[Lovekraft]

Same has happened to me and others i know recently. There should be a simple functionality check so that when they automatically bill you for domains that they check it is actually on their TAG and in the persons account that they are billing. Seems quite deliberate to me and as far as i know they have been doing this for years now.

A few people i've sold domains to have had their domains kindly renewed for them at my expense because of this, I've now removed any stored payment details from my account to avoid this.

 

[RobM]

Interestingly one of the domains that is in his account is also showing a 123REG tag but to another owner. It seems that the 123 internal database is not directly linked to nominet. I suspect they sent the renew command but, for some reason it didn't go through, and they then updated their own system to show a renewal.
I know he has lost income now - not sure why he took so long to notice but he is 70 years old and I guess the financial loss wasn't enough to register at first.

 

[Alien]

That's bad news indeed.

Out of interest, did your friend not receive the renewal e-mails directly from Nominet to alert him of possible probs?

 

[RobM]

A good question Alien. I don't know yet - he's just got back from being abroad for a few months. I will get more info later and keep everyone updated. The way I see it there should have been some kind of warning from nominet and/or sedo a few months ago. As far as I know he was billed for the renewals so probably just assumed (as we all would) that everything was ok.

 

[rwinslow]

Request for information

Hi there, I work with 123-reg, this does not sound normal, and we have no issues currently, can you let me know the account username and a list of those domains and I can investigate?

For security, you can email me directly [email protected]

Thanks, Richard.

 

[RobM]

Thanks Richard I will pass the information on as this is obviously not my account. I'm sure having a direct email contact will help him greatly.

 

[Lovekraft]

Hi there, I work with 123-reg, this does not sound normal, and we have no issues currently, can you let me know the account username and a list of those domains and I can investigate?

For security, you can email me directly [email protected]

Thanks, Richard.

If you don't mind i will be in touch too as i am due a refund for the exact same reason.

 

[rwinslow]

No problem at all, include your username and list of domains and will help with that.

Richard.

 

[RobM]

Ok Richard he's given me permission to deal with it on his behalf. I've taken screenshots of his account in it's current state and will email you all the relevant information.

Edited to add: Email sent with all information including DAC output for the domain list.

 

[rwinslow]

If you don't mind i will be in touch too as i am due a refund for the exact same reason.

Just had an email, worked on this one and think was yourself, so all should be sorted there.

Richard.

 

[rwinslow]

Ok Richard he's given me permission to deal with it on his behalf. I've taken screenshots of his account in it's current state and will email you all the relevant information.

Edited to add: Email sent with all information including DAC output for the domain list.

Have your email, quite a bit list so will process that today / tomorrow and get back to you. Thanks, Richard.

 

[Lovekraft]

Just had an email, worked on this one and think was yourself, so all should be sorted there.

Richard.

Yes you did, thanks for the swift reply. Hopefully the systems can be improved to avoid this in future though.

 

[rwinslow]

Yes you did, thanks for the swift reply. Hopefully the systems can be improved to avoid this in future though.

That is the plan, we have a lot of stuff going on right now that I am involved in to clean up what is in place. As the UK's largest domain company and having a system that has grown and developed over the past 10 years, the result is that we have a lot of improvements we can make ;-)

Let me know in general any ideas you have to improve things as we go along, it will be a slow process, but in the end I hope we have the best systems in place.

 

[David]

Richard,

One thing I've noticed for years is that when you login to 123 the password you enter doesn't have to be exactly correct.

For example - if your password is "domain" then entering "domain123" is sufficient.

 

[rwinslow]

Richard,

One thing I've noticed for years is that when you login to 123 the password you enter doesn't have to be exactly correct.

For example - if your password is "domain" then entering "domain123" is sufficient.

This will be changing in the next few weeks, so certainly in the plan, something yourself and others have had concerns about for years. I hope to be testing this in QA in the next couple of weeks, ready for live by end of the month (April).

The http auth is limited to 8 characters, so as long as the first 8 are correct, anything else was ignored.

Richard.

 

[Edwin]

As the UK's largest domain company and having a system that has grown and developed over the past 10 years, the result is that we have a lot of improvements we can make ;-)

This will be changing in the next few weeks, so certainly in the plan, something yourself and others have had concerns about for years. I hope to be testing this in QA in the next couple of weeks, ready for live by end of the month (April). The http auth is limited to 8 characters, so as long as the first 8 are correct, anything else was ignored.

Wow! There's an insane amount of cognitive dissonance between those 2 statements. So you're the largest domain company in the UK, but you're running a knowingly weak password system, an issue you've been aware of for years?

 

[rwinslow]

Wow! There's an insane amount of cognitive dissonance between those 2 statements. So you're the largest domain company in the UK, but you're running a knowingly weak password system, an issue you've been aware of for years?

You could put the negative spin on it, but an 8 character password can be just as secure as any other password, up to the user and what they include in the password. We know that with http-auth methods a longer password is ignored after 8 characters.

When we knew this we adjusted the order process to only allow an exactly 8 character password, thus ensuring that no one creating a password would encounter the same problem as someone who thought they had created a longer password, if that makes sense.

We are the largest, so my goal is to bring things up to spec on a design and usability basis. I do not see this as a security risk, but usability, and I hope that the changes we have coming soon will improve that usability, giving customers the choice of password based on more flexibility.

Richard.

 

[Bailey]

Give Richard his due - appears the original problem was delt with pretty swiftly, though I can't see how the 40 or so domains that got re-registered by others could ever be recovered - wonder how that is going to be resolved

Must admit i'm pretty uncomfortable with 123-regs billing/renewal processes at times. lost a few myself. (my very late payment didn't help) Still building a (hopefully small) list where receipt issued, but domain lost. It shouldn't happen.