Two-Factor Authentication is Not Enough Link
From the FastMail blog:
We discovered that Gandi received a paper email change form (pdf) claiming to be from a “Robert NORRIS” (the name which appears on our whois data), along with pictures of a passport of said “Robert NORRIS” and company registration documents also claiming to be for FastMail Pty Ltd.
Then later:
The problem we have is that we didn’t expect that the account email address could be changed without any reference to our two factors at all. Maybe nobody at Gandi realised either. That’s a security flaw – even if it doesn’t mean everything is totally broken.
First thing: This is great visibility and is one of the reasons I like FastMail
Second thing: It’s scary how much importance gets placed on “classic” paper documents in the age of easy photo editing
Third thing: The carefree internet is long over. Everyone should be thinking about this stuff with everything they do. Every email, app, phone call, and file is a potential sieve of information. There is no safe haven.