It is vital that any change requests which are potentially service affecting are requested via a method which is both secure (to protect the you/ the customer) and also have an audit of the request (to cover us).
Please remember that these processes are as much to protect you as they are to cover us.
Obviously important requests can't be made via the telephone or email as neither of these methods ensures that it is the account holder/customer who is making the request as an incoming telephone call could be initiated by anyone and does not have an audit of the request. An email is also unsuitable as they are easy to spoof/recreate (and often have a less secure password than an admin panel).
However there are other methods which can be used which are easy/quick to do and also secure.
1. Online Admin Panels
Most settings can be changed or updated via your hosting panel or client portal as this is performed over SSL and also requires your user/password to access either. For example if you need to order or cancel either a service/product or domain name this can all be done from your client portal.
To assist you with using our hosting panels and client portal we have a comprehensive list of tutorials available which are organised into sections for example the Client Portal tutorials section includes tutorials for ordering and cancellation of services.
However there are some things* that are very important and will need to be performed via the Manual Secure Request Method to ensure that we have a formal record of the request and also that we can check and record that it is definitely the account holder making the request.
* For example changing domain contact or registrant details or releasing domains to other providers or changing DNS settings where these cannot be made from a control panel.
NB: Anything which can be done via your admin panel can also be requested using the Manual Request method so if you lose your admin login details and you are not able to recover them using the lost password function of the admin panels you still have a back up method of making the request.
2. Manual Secure Request Method
In order to protect our customers (and also cover us) some types of request need to be made in writing and also need to be signed (a digitally typed signature is not acceptable) by the domain/account owner or a principal of the business.
Note that this is not the only aspect of the process as we also have to ensure that the signed request is not spoofed (ie we will check the source of the request by making a quick validation call to the account holders existing contact details). However from the customer point of view once you do this we can handle the request and will let you know if anything further is required.
As a result of these processes we have never processed a fraudulent request (We have had in excess of six attempts to date). The other reason for this is that it also covers ourselves.
As an example a past customer (now back with us) lost their domain* as a result of moving to an automated registrar. They then contacted us to advise us that they would be pursuing us for damages....until we supplied the signed and verified request regarding the domain transfer to another provider from their MD. This process covered us but equally this same process has also protected customers from having domains fraudulently removed/transferred away.
* Fortunately as it was a .co.uk we were able to assist them in recovering it.
Examples:
- Changing domain contact or registrant details or releasing domains to other providers.
- Updating domain DNS records (if DNS management is not available in a control panel for your domain).
- Updating name servers (if not available in your client portal).
- Changing security settings on web site folders.
- Changing authorised contacts for a company.
- Reboot requests and Firewall changes (dedicated/colo customers only).
Secure Requests can be made via letter or scanned PDF which is then dated and signed (a digitally typed signature is not acceptable) by the domain owner or company principle*.
The request should be on headed paper (if applicable) and include all the relevant details of the request. For example, requests relating to a domain name should include the domain name(s) in question and full details of the change or request applicable.Emails cannot be used for this type of request as they are extremely easy to spoof and it is impossible to verify who sent them.
Although this means an extra process a less secure process may result in permanent loss of your site/domain so we trust you understand that this is as much for your own protection as it is to cover ourselves.
* For Limited Liability companies or Publicly listed organizations this should be a director and for partnerships a majority of the partners.
Footnote: There was recently a high profile case where a council didn't check that the new payment details sent from one of their suppliers actually came from the supplier. This resulted in them losing several million pounds as they then paid the fraudster rather than the correct company.
If you are unsure of the best method or require more information on why secure requests are needed, please do not hesitate to contact us.
