In light of the recent domain hijackings, I thought I would start a thread that could build on two levels of security for protecting our domains from thieves:
1. The Registrar Level
2. The Domain Owner Level
I think that we can all agree that we want all our domains to be as safe as possible, and, therefore, I believe that both owner and registrar ought to bear some reasonable responsibility to make that happen.
Feel free to add and even challenge my suggestions--I tend toward more draconian measures to protect my assets--you may feel differently, and that's okay.
So here are some suggestions that I made to my account rep (The Registrar Level):
1. To warn customers that using "freebie" email addresses from gmail, yahoo, and other free providers may cause a security breach. I would suggest to customers that they should use a personal domain-based email, easy enough and well-protected if one uses a different password for each GoDaddy email.
Evidently, gmail is especially vulnerable to hacking.
Of course, if one falls for a phishing email or jumps on a malware website without virus protection, well there isn't much you can do about stupidity.
As I was updating my Whois records, I found the process all too easy; given where I am, I would have thought that my IP would have raised a huge red flag, but apparently not. Only at Dynadot did I have to do another step to verify my account info (but not my Whois info).
2. Registrars might want to consider requiring that the account email be different from the Whois email and create another step before one can make changes on Whois, account records, or initiate transfers, which would require one to do another sign-in, using the account email as the user name and yet another password. Of course, this would require due diligence on the customer's part not to use an account email that is splattered all over the web. That way, hacking would be all that much more difficult. With all the free emails (free with each domain) that some registrars offer, this shouldn’t be a problem. One just has to keep good records and create strong passwords.
3. When you send out the email that warns of changes made on one's whois and/or account or transfer initiations, REQUIRE the owner to acknowledge those changes via the OLD email contact before the change can actually take place.
If that's not possible (dead email address or password breach, for example), require the owner to call in (to a special 800 number or international number) with the PIN number or secret word that we all set up, and the account email.
If there has been a password breach that has precipitated the change, then the owner should call in to a special number for such problems where the domain representative can help the owner.
I would be willing to put up with this level of security if I felt that my domains were being protected. Making the warning email merely passive just opens up an entire area of vulnerability for everyone.
For example, some customers may end up losing their domains during a time when they are away from an internet connection (which is why I never announce on the internet vacations where I know I won’t have internet access, but maybe others aren’t so paranoid).
At the Domain Owner Level:
1. Never use free email addresses, such as gmail, yahoo, etc. for a Whois address. Use a personal domain-based address, even if you have to pay for it. It's cheap insurance.
2. If possible, use different email addresses for your registrar account/billing info and your Whois information.
3. Forward another address to your Whois email address, but make sure that you "test" it first. You need to receive your emails from the registrar.
4. Be sure to put your registrar email addresses on your "allow" list.
5. Use a forward address in your whois--that way, you will still receive queries, but your actual Whois email address will be less public. Keep your real Whois email as private as possible by using (as the public address) a forwarding address. The PUBLIC Whois email would "mask" the real address from scammers.
6. Don't use your Whois and account addresses for anything but Whois business and account business; in other words, don't give it to friends, family, forums, gaming sites, free products, and strangers. Use a "fun" email for those activities.
7. Use strong virus, etc. protection. It doesn't pay to be cheap here. That way, if you end up on a malware site, your protection will disable the offending page.
8. Avoid logging in on strange computers (internet cafes and unsecured wireless accounts).
9. Use strong passwords.
10. Never click on an email link, no matter how professional or familiar it looks, for example, eBay, GoDaddy, your bank, etc. Go straight to the site itself for more information.
11. Answer whois queries using a different email. I actually set up a Query Box (courtesy of widgetbox, bless them) on my sales landing page (domainmaybeforsale [dot] com), using a different email from my whois. If the potential buyer is just nosy, it won't matter; if he/she is a scammer, it matters a lot. The idea is to keep your "real" Whois email as secret as possible, while still being accessible via Whois.
If you have anything else to add, please feel free. I think we all want the same thing and that is to stop these scammers from stealing our domains.
:bingo:
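Registrar-level suggestions 2 and 3 in the post above describe a workflow: keep the login address distinct from the public Whois address, hold any contact change until the OLD contact acknowledges it, and fall back to a call-in with the account email and a pre-set PIN when the old mailbox is unreachable. The following is an added example that models that flow in Python; it is not code from the original post or from any registrar. The 72-hour confirmation window, the `Registrar` and `PendingChange` names, the in-memory outbox standing in for sent mail, and the PIN fallback are all assumptions made for the example.

```python
"""Model of a registrar-side 'confirm via the old contact' change workflow.

Constructed example for illustration; not any registrar's real implementation.
"""
import secrets
import time
from dataclasses import dataclass

CONFIRM_WINDOW_SECONDS = 72 * 3600   # assumed policy: 3 days to acknowledge


@dataclass
class Account:
    account_email: str   # login / billing contact, never published
    whois_email: str     # registrant contact published in Whois
    phone_pin: str       # secret word or PIN set up out of band for the call-in fallback


@dataclass
class PendingChange:
    domain: str
    field: str           # which contact field is being changed
    old_value: str
    new_value: str
    token: str           # one-time confirmation token mailed to the OLD address
    created_at: float
    status: str = "pending"   # pending | applied | expired | escalated


class Registrar:
    """Holds accounts plus contact changes that are staged but not yet applied."""

    def __init__(self):
        self.accounts = {}   # domain -> Account
        self.pending = {}    # token -> PendingChange
        self.outbox = []     # (to_address, body) records standing in for sent mail

    def register(self, domain, account_email, whois_email, phone_pin):
        # Suggestion 2: refuse an account whose login address is also the public Whois address.
        if account_email.strip().lower() == whois_email.strip().lower():
            raise ValueError("account email must differ from Whois email")
        self.accounts[domain] = Account(account_email, whois_email, phone_pin)

    def request_whois_email_change(self, domain, new_email, now=None):
        """Stage the change; nothing is applied until the OLD contact confirms."""
        acct = self.accounts[domain]
        token = secrets.token_urlsafe(16)
        created = now if now is not None else time.time()
        self.pending[token] = PendingChange(domain, "whois_email", acct.whois_email,
                                            new_email, token, created)
        # Suggestion 3: the warning goes to the address being replaced, not the new one,
        # and carries the token the owner must send back to let the change proceed.
        self.outbox.append((acct.whois_email,
                            f"Confirm change of Whois email for {domain} to {new_email}: {token}"))
        return token

    def confirm_by_email(self, token, now=None):
        """Acknowledgement from the old mailbox applies the change, if still inside the window."""
        change = self.pending.get(token)
        if change is None or change.status != "pending":
            return False                      # unknown, already used, or no longer pending
        now = now if now is not None else time.time()
        if now - change.created_at > CONFIRM_WINDOW_SECONDS:
            change.status = "expired"         # silence is not consent; the request lapses
            return False
        setattr(self.accounts[change.domain], change.field, change.new_value)
        change.status = "applied"
        return True

    def confirm_by_phone(self, token, account_email, phone_pin):
        """Fallback for a dead old mailbox: the caller must know the account email AND the PIN."""
        change = self.pending.get(token)
        if change is None or change.status != "pending":
            return False
        acct = self.accounts[change.domain]
        ok = (secrets.compare_digest(account_email.encode(), acct.account_email.encode())
              and secrets.compare_digest(phone_pin.encode(), acct.phone_pin.encode()))
        if not ok:
            change.status = "escalated"       # hand to a representative; never apply on a failed check
            return False
        setattr(acct, change.field, change.new_value)
        change.status = "applied"
        return True


if __name__ == "__main__":
    reg = Registrar()
    reg.register("example.test", "login@owner-private.test", "whois@owner-public.test", "secret word")
    tok = reg.request_whois_email_change("example.test", "new@freemail.test", now=0.0)
    print("staged; Whois still:", reg.accounts["example.test"].whois_email)
    print("confirmed within window:", reg.confirm_by_email(tok, now=3600.0))
    print("Whois now:", reg.accounts["example.test"].whois_email)
```

The point the model makes is in `confirm_by_email`: the request itself changes nothing, the token travels only to the old contact, and an unanswered request expires rather than being applied. The phone fallback deliberately sets the request to `escalated` on a failed PIN or email check instead of retrying, which is the "call a special number where a representative can help" path the post asks for.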