NameSilo
Joe Styler

How Safe Are Your Domain Names?

Views:
8,949
Comments:
63
By Joe Styler, Oct 27, 2015
  1. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Whether you are the king of domains and sitting on countless super valuable domains or someone just starting out who spent days scraping through dropping lists to buy a handful of domains you found that others may have overlooked, our portfolios are special to us. They are a part of who we are and the result of the hard work we have put into them. In many cases they represent years of hard work. Our domains are important and valuable in many ways and they deserve to be protected and safe. We work too hard to build up a domain portfolio to have it taken from us in one day. Even if you are not sitting on a one-letter .com domain, the pain is just as real if you lose your domain you use for your main email address or small business or some of the drops you were able to beat out the competition for.

    We all want to think our domains are safe but I know it is in the back of everyone’s mind we wonder, have we done all we can to protect them? I want to share with you some of the best practices I have observed over the years in the hopes that it helps you to protect your domains in the future. I also really encourage you to share in the comments section anything I may have missed that you think would help others.

    First let’s deal with some of the common mistakes I have seen that people don’t realize can hurt them until it is too late. You should only let people you have complete trust in have access to your domains. I am surprised by how many people let friends, employees, webmasters, etc register or manage their valuable domains or have access to their account login information. Do you let your Webmaster login to manage your website or DNS? I have seen too many issues where a person doesn’t have complete control over their domains and the other party takes the name or disappears for whatever reason taking the account access with them. Many times this is not malicious but the other party moves or leaves the industry and their old email doesn’t work and now you have no way to contact them to get the account data back.

    It is also very important to note that the registrant contact on the Whois is very important. When putting the registrant contact information on your domain, a name like Domain Admin may seem great at the time but when push comes to shove and you want to prove ownership of the domain, try proving in court that your name is domain admin. This can be done if you put in a company name as well but, if you use a company name on the Whois use a real company name not something made up. Again when you need to prove ownership because you can’t access your account, or someone took your domain, it is much harder to get your domains back, (if at all) if you cannot prove you are/were the registrant by valid Whois records. Bottom line, always put Whois information that is tied to you and that you can prove if needed.

    Now that you know the importance of having an account and domain Whois under your control, let’s consider the account itself. Many registrars offer 2 factor authentication for logging into the account. If your registrar does not, contact them and ask for it; if it does, I highly suggest enabling it immediately. This is extremely important as a security measure in today’s landscape. I also suggest you use an email address on your registrar account that is different than your public Whois email. It makes it that much harder to have someone trick you if you are using two different emails. If you know that your registrar should only be emailing you at the email that is not on the Whois, then you can be more suspicious of emails sent to the Whois address claiming to be about your account itself. Thieves typically mine the Whois database to try and send phishing emails. Knowing you wouldn’t get an email from your registrar at the Whois email address is a nice additional layer of security. There is also the ability to add privacy to your domain’s Whois. This has pros and cons that I will not weigh here, but it is an option.

    I also strongly recommend using an email address from a provider that allows 2 factor authentication as your main email on your registrar account(s). This makes it even harder for someone to access your email to perform account resets that will allow them access to your registrar account(s). This is also a good tip for any email associated with things like your banking info.

    Let’s say you get a suspicious email. How do you know it is not legitimate? There are some good rules to follow. First go to the website sending you the email directly vs. clicking any links contained in the email to be safe. If you are unsure of what to do once you login or have any questions about the email that was sent to you, then forward it as an attachment to the company that the email claims to be from and ask them if they sent it. Also feel free to call their support. Do whatever it takes to be safe by taking some extra steps.

    Something else you can do is look at the full email header. This is normally hidden in most mail applications, but there is usually a way to view it ("Show original" option in Gmail). It will tell you the real sender and their IP address. Doing a quick search online will show you plenty of articles on how to identify a phishing email. When you discover an email you were sent was a phishing attempt, please help the company out by forwarding it to their abuse department so they can work on taking it down to prevent it from impacting others who are not as savvy as you.

    OK so you know all this stuff and you got tricked anyway. I know it happens, we cannot always be on our guard and sometimes things will slip by. This is why the extra steps including 2 factor authentication are so important, but if someone manages to get to your domains and move them out, what should you do?

    The first step is to contact your registrar, the one who you had your domains registered with. They will usually have steps in place to assist you with this. The next thing to do is to contact the authorities. A theft has occurred, so contact someone who has authority to deal with Internet crimes. In the United States, it is the FBI.

    I would also think about what domains were stolen and how they were stolen, meaning if any of the domains stolen are ones you use for important emails, or if your email was compromised on your account, then you will need to think about what else is tied to those emails. If you have bank accounts tied to them, or other important accounts, the thief who now can access your emails is just a password reset away from draining those accounts.

    Lastly, be vocal. Let others know about the domains and share it on forums or blogs or wherever you can. The more people who know about the domains being stolen, the better your chances are at finding some kind of resolution. The less options the thief has to sell the domain(s), the better. It is also important to protect others. For instance, if I do not know a domain I am buying is your stolen domain, I may pay a thief a lot of money for a domain, which may ultimately be returned to you as the rightful owner, and now I am out real money and the thief still has a profit. Sharing the information in as many places as possible helps protect others as well as yourself.

    If all else fails and you cannot retrieve your domain through normal channels, there are many competent attorneys in the field who can provide you with good counsel. I would encourage you to contact one you can trust who is familiar with domain law. This is usually expensive and time consuming, so put as much time in updating your security upfront as you can.
     
    The views expressed on this page by users and staff are their own, not those of NamePros.
  2. Next Article
    Five Famous Faces Who Don't Own Their .COM - Part 3
    Previous Article
    "We Bought Our Domain for a Box of Chocolates." The Story of BreakTheBubble.Com
  3. Loading...
  4. Joe Styler

    About The Author — Joe Styler

    I have been involved in the domain business in one shape or form since 2005. I bought my first domain in 2005, which I still own, never dreaming that 6 months later I would be working in the domain business. I was interested in domain investing almost at once and have worked in various capacities in that area at GoDaddy over the past ten years. I have been lucky enough to help with the sales, support, and development aspects o ...

    This is Joe Styler's 2nd blog post on NamePros. View all blog posts

    Actions:
    Follow
  5. Comments (63)

  6. FlipperC

    FlipperC Established Member

    Posts:
    52
    Likes Received:
    78
    Great tips, Joe.

    I'd also recommend people look into GoDaddy's DTVS (domain transfer verification service). Do you have any more details on who can take part in that program?
     
  7. bltechno

    bltechno Established Member

    Posts:
    74
    Likes Received:
    35
    @Joe, Thanks for your time describing the details, I could have just thank you with the link, but you deserve atleast a thanking note :), if not more.

    This is really important piece of information.
     
  8. Genius327

    Genius327 Shahil.com VIP

    Posts:
    881
    Likes Received:
    676
    GoDaddy has never sent me any code while trying to enable the 2 factor verification. And when I call them to let them know my problem, they simple say that code will arrive 'sooner or later.' Well, it hasn't arrived in 2 months and I am forced not to use this feature. They further added that there might be some problem with your reception but I have no problem receiving codes from other websites.

    This is the biggest issue with most people here in India which is still unresolved. Kindly look into it.

    Thank you.
     
  9. J9

    J9 A Noob Forever... VIP

    Posts:
    1,527
    Likes Received:
    564
    @Joe Styler Please have a look into this issue!
     
  10. 5dots

    5dots Established Member

    Posts:
    163
    Likes Received:
    176
    Great article.

    Another point to consider: Take care of who you register your domain with.
    I once reg a Domain and all confirmed, the next day my account was deleted, the domain released, and money refunded. Without once contacting me.

    All because IP and payment address didn't match. So called "Fraud prevention". So be careful whenever being away from home.
    Could have gone bad if a big domain.
     
  11. thekiller

    thekiller Top Member VIP

    Posts:
    2,006
    Likes Received:
    2,312
    2 factor authentication is really good move by GoDaddy, I typically receives SMS within few seconds.

    I found different emails in whois and in login to be good suggestion.
     
  12. ramkumaritrvs

    ramkumaritrvs RapidNames.com PRO VIP

    Posts:
    2,402
    Likes Received:
    4,070
    @Genius327, I'm using 2 factor without any problem. Contact your service provider and check about DND.

    Sometimes sms delivered late by 5 mins to 10 mins. It depends upon network delay.
     
  13. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Yes anyone who is in our Premier Services can use DTVS, it is an unadvertised service that locks the names down with extra security, but since it is manual you need to be in the premier services group.
    If you want to know more about who can qualify to be in premier services and what it is, we are doing a live google hangout in two days, Thursday October 29th at 10 am Pacific time. The video will be archived if you cant make it live. http://no_url_shorteners/pservices
     
  14. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Please reach out to me when you are requesting it as it is happening and I will see what I can do to figure it out.
     
  15. DNGear

    DNGear Domainnaut VIP

    Posts:
    3,600
    Likes Received:
    3,685

    Hi, There is some problem with the mobile provider. If you use TataDocomo or Vodafone , we are getting that problem. Why dont you change your number to Airtel. I am not facing any problem with Airtel.

    Give it a try.

    Thanks
     
  16. NPer

    NPer Very Allergic to CURRY PRO VIP

    Posts:
    4,649
    Likes Received:
    6,137
  17. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Thank you.
     
  18. kmnsh

    kmnsh Top Member VIP

    Posts:
    1,388
    Likes Received:
    1,121
    Great article full of knowledge to continue domaining safely, thank you Joe!
     
  19. 80-20

    80-20 Established Member

    Posts:
    433
    Likes Received:
    464
    Helpful and timely info.
    Particularly, the tip about two different email addresses.
    Thanks, Joe!

    Looking forward to your next hangout about Premium Services.
    BTW, what's the difference between Premium Services and PRO account?
     
  20. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Thanks.

    Pro is geared towards people who build sites for multiple people such as a web developer. Premier services is geared towards our top customers some of which are pros and many are domain investors.
     
  21. Fabulous.com

    Fabulous.com Member Fabulous.com VIP

    Posts:
    32
    Likes Received:
    25
    Great article, Joe. Very informative.

    As a registrar, we encourage our customers to utilise as many of our security options as possible.

    Fabulous currently offer:
    - Challenge Response questions, with question authentication able to be applied to different areas within your account.
    - The Executive Lock, which is able to be applied to all or your most valuable domains, which only Fabulous staff can remove under your customisable conditions.
    - The Fabulous Security Key, a physical USB key which is an additional authentication mechanism that is used in conjunction with your account password.

    Email security is just as important, too. Always check with your email provider for extra security options.
     
  22. discobull

    discobull Top Member VIP

    Posts:
    1,135
    Likes Received:
    2,018
    I've mentioned this before, but have received no response. Using a different email for the registrar account is the right way to go, however GoDaddy's system is set up to undermine that security measure. Anytime a domain is pushed into my account ( eg after purchasing an expired domain at auction ), the whois is automatically set to reveal to the world my secret registrar account email address rather than correctly displaying the default whois email address defined in the settings. It's really frustrating! This doesn't happen when a domain is transferred in from another registrar so I'm not sure why this needs to be handled this way for pushes. Is there any chance that this could be corrected?
     
  23. Shimmy

    Shimmy Established Member

    Posts:
    305
    Likes Received:
    337
    I private messaged Joe about the email security hole when buying expired domains earlier this month. He said he would have his developers look into it.
     
  24. discobull

    discobull Top Member VIP

    Posts:
    1,135
    Likes Received:
    2,018
    Thanks. FYI, it doesn't just happen when purchasing expired domains, it happens anytime a domain is pushed from one account to another.
     
  25. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
    Yes I am looking into this currently with the developers. Thanks for bringing it up.
     
  26. Recons.Com

    Recons.Com Top Member VIP

    Posts:
    5,630
    Likes Received:
    10,836
    I tried Godaddy 2 step today. I have t-mobile service in US and did not get any sms in about 5 hrs now. I have no problem getting it from anyone else.
     
  27. thebutler

    thebutler Established Member ★★★★★★★★★★

    Posts:
    1,547
    Likes Received:
    155
    Hi @Joe Styler do you have a link to where we can find info on the two stage set-up on the Godaddy website. The Halloween candy is clouding my ability to find it.....
     
  28. Joe Styler

    Joe Styler Aftermarket Product Manager GoDaddy Staff Afternic Staff PRO VIP

    Posts:
    1,862
    Likes Received:
    3,575
  29. alien51

    alien51 Take Me To Your Leader VIP ★★★★★★★★★★

    Posts:
    2,472
    Likes Received:
    1,378
    I have an issue about this view on using "Domain Admin" as Registrant being a bad idea when proving ownership in Court.

    If a domain is stolen, then it should be returned to the last registrar account where it came from. Because a domain is not a tangible property that you must return it to a physical person whose identity must be clearly verified. You cannot steal a domain from a person. You can only steal a domain from a "registrar account".

    And the owner of the registrar account where the domain was stolen, can be proven by verifying credit card information where the validated real name of the owner is indicated. This does not even include the verification that can be done on the email address used by the real owner (which must be hacked separately in such case). If you have control over this email address, then you can validate your ownership. You can even have an IP address trace records for additional proofs.

    And lastly, regarding the "Company Name" entry on the whois information, this is actually "Registrant Organization". So you are not required to create a "company" per se, by legal definition. Because a "company" requires shareholders among other securities requirements. So you cannot legally call something as a "company", unless you are registered with the government. You can use an organization name of your own liking instead.

    A legal company is good, since you can have paper documentation proving your relationship to a company registered with a government securities commission. But that's just a "lucky" coincidence that you have a way to prove that a "Domain Admin" registrant is being controlled by a "company" whose identity is verifiable via a government issued certification.

    The point is, whois data merely said that you can enter an "Organization" name, not specifically a "Company" name. If you have a Toastmaster's Club that owns a domain name, then that Toastmaster's Club can qualify as a Registrant Organization. Unluckily however, such a club is not a company, and therefore you are "unlucky" not to have a government certification to prove ownership of such "organization". But again, you are allowed to use an organization name of your own creation.
     
Topics / Tags:
NameWorth
  1. NamePros uses cookies and similar technologies. By using this site, you are agreeing to our privacy policy, terms, and use of cookies.
    Dismiss Notice
Loading...