123reg WARNING

[rwinslow]

Give Richard his due - appears the original problem was delt with pretty swiftly, though I can't see how the 40 or so domains that got re-registered by others could ever be recovered - wonder how that is going to be resolved

Must admit i'm pretty uncomfortable with 123-regs billing/renewal processes at times. lost a few myself. (my very late payment didn't help) Still building a (hopefully small) list where receipt issued, but domain lost. It shouldn't happen.

I can't discuss full details of the case raised here for obvious privacy issues.

What I can say is that the initial investigations are showing that the domains were renewed with Nominet as they were renewed with us, and that the problem is relating to an admin issue with Nominet after that fact.

I am still waiting to confirm this applies to all domains in question, but seems there is a logical reason here.

If you want me to check anything out on your own account let me know and I can do that and get back to you directly, just drop an email to me with details ([email protected]).

Thanks, and have a good evening. Richard.

 

[monaghan]

I still look on at these issues (after all it is almost weekly when we see an issue with someone) and wonder why...

Given the after-market value of domains, why are more domainers not Nominet members?

A few half decent names will pay for membership and these days the Nominet website even has a domain manager so no need to write your own system if you don't want to, it's not as though you need to crank out PGP signed emails to manage your domains directly any longer. As a member and TAG holder, you have complete control over your portfolio with no 3rd party to cause you grief.

 

[Bailey]

If you want me to check anything out on your own account let me know and I can do that and get back to you directly, just drop an email to me with details ([email protected]).

Thanks, and have a good evening. Richard.

Thank you Richard, thats very kind of you - will be intouch later this week

 

[sdsinc]

What I can say is that the initial investigations are showing that the domains were renewed with Nominet as they were renewed with us, and that the problem is relating to an admin issue with Nominet after that fact.

I understand you are trying to help but stories like these involving 123reg seem to be common.
It is scary that the "UK's largest domain company" has such a poor record.

My own first (and last) experience with 123reg dates back to 2006 and is very similar.
123reg failed to register a domain, yet it would show up in my CP... so your scripts are buggy. Script errors can and do occur but they must be handled properly.
The least you expect from a registrar is security and reliability. You don't want to lose your valuable domains.

I think your website is quite old, not to mention some oddities like HTTP authentication (which means customer passwords must be stored in reversible form like base64).
What you should do IMO is:

1. request an external audit of your code
2. fix all the bugs
3. have a penetration test performed against your systems, I'm confident you're not the toughest nut to crack

By the way, even your DNS is screwed up. Out of 4, 2 of your NS are incorrect...

As a member and TAG holder, you have complete control over your portfolio with no 3rd party to cause you grief.

Bingo. Any serious .uk domainer should be a tag holder.

 

[jim1]

I also lost 7 domains in 2008 (to the same issue rasied here) and then around this time questioned the huge password security problem.

The first 8 characters I used for my password were just words which took up the 8 charictors then i used numbers and upper and lower case letters.

The numbers and uppercase and lowercase letters which secured the password get ignored, so where I changed my password ever few months to keep it secure it did nothing.

The other thing is there system does not lock you out after a few incorrect log in attempts you can do as many as you like???

I spoke to a friend at work who runs the it and it security for one of the largest retailers in the UK and he said due to the above a pro hacker could perform a dictionary attack on account and get in no problem especially as they use your name as the user name (but even without this he said it wouldn’t be a problem).

I got worried when I saw this and also saw their own blog got hacked and there hosting for word press allowed hackers to get in???

http://www.123-reg.co.uk/blog/news/how-our-wordpress-blog-was-hacked/

http://www.wpsecuritylock.com/tag/123-reg-co-uk-malware/

The link to http://www.123-reg.co.uk/ is not working now as there site has been down for the last 30 min (did a http header check and ping it and its down for sure crazy).

 

[sdsinc]

The other thing is there system does not lock you out after a few incorrect log in attempts you can do as many as you like???

I spoke to a friend at work who runs the it and it security for one of the largest retailers in the UK and he said due to the above a pro hacker could perform a dictionary attack on account and get in no problem especially as they use your name as the user name (but even without this he said it wouldn’t be a problem).

Exactly, a tool like Brutus or Hydra will do the job.
The length of the password is fixed and already known.
Maybe they log or monitor the traffic (I doubt) but the security holes are still there and waiting to be exploited.

In an intranet environment that kind of weak authentication scheme would be more tolerable, but not in a hostile environment like the Internet.

 

[tifosi]

You could put the negative spin on it, but an 8 character password can be just as secure as any other password, up to the user and what they include in the password. We know that with http-auth methods a longer password is ignored after 8 characters.
...
I do not see this as a security risk, but usability, and I hope that the changes we have coming soon will improve that usability, giving customers the choice of password based on more flexibility.

Crikey! If you think that's just a usability error and not a gaping security issue I'm astonished!

 

[Rob_F]

we have no issues currently

Thanks, Richard.

I doubt many Acorn members would agree.

Has that several year old problem of domains remaining in the previous registrants account post drop been fixed yet?

Anyway. Hope you get this sorted Rob – sounds like a right royal cock-up on 123-reg's part.

- Rob

P.S. Fair play to you Richard for coming here and trying to sort this out. Nice to have a representative on the forum – I'm sure you'll be kept very busy .

 

[RobM]

Ok really game over for 123. He stupidly forgets that we are all tagholders and *well aware* of nominet's policies.
This is his 'explanation' for the non-renewal of 235 domains that, at this moment, have been charged for and are *still* showing up in my friends account as paid for:

'I can confirm that we received your renewal request, you were invoiced for the renewal fees and these were settled with Nominet. However, the domain name was cancelled because it was registered incorrectly and in breach of the Terms and Conditions of registration.

The xxdomainxx domain name was registered to xxregistrant of hundreds of domainsxx, which we believed was not a legally identifiable person or company. On the *date*, email notice was issued to the contact details held against the domain name that the registrant name needed to be corrected to avoid suspension and cancellation of the domain name. This was copied to your default notification email address.

On the *later date*, further notice was issued warning that the domain name would be suspended in 7 days time and this was followed by an email on the *later date* confirming that the domain name had been suspended. The suspension notice also advised that the domain name would be suspended in approximately 30 days if the registrant name had still not been corrected.

A cancellation notice was sent on the *later date* warning that the domain name would be cancelled in 7 days time and as the registration were still not corrected, the domain name was scheduled for cancellation on the *later date*. The domain name was cancelled by our systems at random shortly after being scheduled for cancellation.'

Really 123 is that the best you have? As a tagholder I will now be bringing this up further with nominet.

This raises THREE obvious questions:
1) when were 123 going to inform my friend of this 'unheard-of' nominet policy (I know it's rubbish because I have domains with WAY less registration information than most of these)
2) WHY was my friend charged for every domain and nothing said until several months after the query?
3) If, as you email, 'the domain name was cancelled', why were 123 seeminly unaware of ANY of this until my post today.

A word of advice Richard - you are on CO.UK forum with TAGHOLDERS who know the NOMINET policies inside out. I would think carefully or at least take some legal advice before responding further. You are simply admitting that 123reg are breaking nominet policies. This will become a court action now.

 

[Edwin]

You could put the negative spin on it, but an 8 character password can be just as secure as any other password, up to the user and what they include in the password. We know that with http-auth methods a longer password is ignored after 8 characters.

I have used hundreds of other sites (no exaggeration) with completely random passwords between 20-25 characters long using lowercase, uppercase, numbers and symbols and A) they don't have a problem with such lengthy passwords and B) If I randomly change a character deep in the password, it FAILS.

(If anyone's wondering, I don't have a photographic memory - I use a password manager which itself is secured by a very long complicated password but one which I actually DO remember...)

 

[RobM]

Honestly Edwin this stinks. The email began 'I chose the first domain on the list and investigated on our side....' and then we get this bullshit explanation. I have since spoken to a contact at nominet and this is quite simply not the case.
123 are claiming that NONE of the renewals were accepted due to some feeble registrant issue. However they still took the money, renewed the domains in their own system, and FAILED to tell my friend that his renewals were not allowed and would miraculously drop at the end of his renewal period.
Every single one of his domains has his own address and email in his whois, and registration, information. Quite simply Richard is trying to feed us bollocks without realising that most of us have been doing this longer than him.
From this I would advise every co.uk holder to avoid 123 Reg. They are a fraudulent company. As a tagholder I *will* be taking this further. Lets hope we aren't sent idiots from 123 further who don't think we know how tags work.

 

[Edwin]

I gave up using 123-Reg a long time ago (apart from one name I've been too lazy to move so far) because I registered names that never showed up in the control panel, and on other occasions "registered" stuff that then got manually registered (properly this time) by other registrars many hours later.

 

[js1]

Has that several year old problem of domains remaining in the previous registrants account post drop been fixed yet?

One of my .com domains registered to me somehow left my 123-reg account (not a very important domain) and I didn’t notice it.

I got a renewal sent to my email associated with the domain and by the time I got round to trying to renewing it someone else had : D.

I had it parked but now there’s a site up on it, checked the whois and its still in my name.

Phoned 123-reg about it and the answer I got after speaking to 3 people was

"I don’t know how that’s happened"

So I explained I’m not bothered about it and also said if you want to get someone else to renew my parked domains and invest time and money in building a site no worries (joking).

The last guy I was speaking to also laughed and so did I and it was left there as I said I wasn’t worried (9 months later its still the same in my name and the domain is now ranking well).

Madness.................

 

[sdsinc]

So is 123reg the new registerfly ?

 

[Edwin]

So is 123reg the new registerfly ?

No, in the sense that the problems go back years and years, are ongoing, and yet they're still thriving today. I'm sure any long-timer in the industry who's used them has their own horror story to share.

A Google search for site:acorndomains.co.uk 123-reg shows 1,870 threads in which they get mentioned, and paging through the first few results it's clear most of it is negative!

 

[Bailey]

Edwin, RobM and others right but, It's a shame - I just believe 123-reg got spoilt by its own success. While the bottom line looked good why bother trying to fix anything.

And indeed thats why it appears to be a brave Richard from 123-reg. IMO who's putting himself in the firing-line here on Acorn,

Kudos for that , But, I Wonder if he will be able to stay standing

 

[Edwin]

There's really only 2 ways this can go.

Richard can try and bluster and make more excuses and ignore the weight of evidence of 1,870 threads going back a decade.

Or the whole company can step up and squash problem after problem after problem while remaining humble and contrite about their failings, and gradually try and rehabilitate 123-Reg's reputation.

 

[RobM]

Interesting that, as Richard claims, nominet say the registration info (on 235 domains) is invalid. The reason it's interesting is because they've all been registered in 2003 or 2005 and the registration info has NEVER changed. I really think 123 are screwing themselves now. Should also point out that the registrant in question has about 50 domains on my tag (as he's my friend) with *exactly* the same info that 123 claim nominet are claiming as invalid. Hmmm now why would they mention this now when they've clearly dropped the ball? I should point out that nominet never had any problem renewing the same registrant on my tag.

 

[Rob_F]

.

 

[js1]

Interesting that, as Richard claims, nominet say the registration info (on 235 domains) is invalid. The reason it's interesting is because they've all been registered in 2003 or 2005 and the registration info has NEVER changed. I really think 123 are screwing themselves now. Should also point out that the registrant in question has about 50 domains on my tag (as he's my friend) with *exactly* the same info that 123 claim nominet are claiming as invalid. Hmmm now why would they mention this now when they've clearly dropped the ball? I should point out that nominet never had any problem renewing the same registrant on my tag.

Shocked to the core...

My blood pressure is going up just reading this thread, I truely hope (RobM) that none of your friends company domains got lost.