How To Avoid Domain Theft - Part 3: Managing Personal Information

We discussed how to understand hackers in part 1 and phishing emails in part 2. Now we discuss managing your personal information.

Managing your personal information is an important but often overlooked aspect of security. Unfortunately, many organizations use personal information to establish identity. As a result, details about us that weren't designed to be secure, like birthdates and Social Security numbers, need to be guarded as confidential. An attacker doesn't necessarily need to know your passwords; if they have enough information about your life, they can still steal from you. Electronic theft isn't a distant threat: I'm aware of my information being compromised six times in the past two years. Half of the incidents were data breaches at organizations with which I communicate primarily in person, rather than on the internet; they had received my information on pieces of paper, not electronically. Even if you avoid technology, you are still at risk.

While it's possible to glean a lot of information about a specific person from public records, doing so is slow and expensive. Hackers would much rather go after large databases containing personal information about many individuals: it's more efficient than researching each person individually. They can then sell the information en masse to identity thieves and rival governments.

You can't completely protect your information: you need to provide it to numerous organizations just to receive basic services and citizenship. However, you can monitor how organizations handle your information and break ties with those that are careless. You can also quarantine certain communication channels if they are ever compromised, thereby limiting what hackers can gain from using your information.

The first step is to develop a secure mentality. Assume that every organization you give any of your information to will be compromised. You don't know when it will happen or who will do it, but, at some point, everything is going to get hacked. The more information an organization asks of you, the more likely it is that they will be targeted. You should also assume that you will not be informed when this compromise occurs. History shows that companies usually only acknowledge a breach when the occurrence has already been publicized by security researchers, affected customers, or the hackers themselves. Even then, by the time you hear about it, you could already be a victim. Most incidents go unacknowledged, often even undetected. What are you okay with hackers knowing about you?

Create a database detailing who has your information; this could be as simple as a physical, pencil-and-paper notebook. Every time you give out personal details, add it to your database along with the applicable privacy policy. Websites tend to have the clearest privacy policies. Sadly, most organizations to which you give your information in person won't have strict policies governing their use of your information. For example, schools and government organizations love to hand out personal details to their friends; they rarely keep any record of where your information goes.

Using the same database, look to see what information you can vary between information handlers. For example, it's easy to use a different password for every website on which you have an account. Good password managers will let you store additional information—not just usernames and passwords—so you can use a secure password manager to store your entire database along with the unique passwords. You can also configure wildcard email addresses such that [email protected] forwards to your inbox. This will allow you to give every website a unique email address. If you start receiving spam, you'll be able to tell from the "To" field which information handler either lost or sold your information. Depending on your assessment of the situation, you can then take action by changing passwords, blocking email to that specific address, or replacing your credit card. It's important to note that these tricks might not work if you use predictable patterns; for example, [email protected] would not be a suitable unique email for NamePros because an attacker could guess your email address for other sites. The same goes for passwords. Unique fields should be randomly generated so it's difficult for someone to frame the wrong organization or derive your details for other websites. The recommended approach to this is to use a password manager, which can seem a little inconvenient at first. However, they save a lot of hassle and have the potential to significantly increase your security when used properly.
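As an added illustration of the per-handler alias and record-keeping idea above (this is example code written for this page, not the article's own tooling), the following Python keeps the "who has my information" database keyed by a randomly generated alias, resolves the "To" address of an unexpected message back to the organization that received that alias, and suggests the follow-up actions the text lists. The catch-all domain example.com, the field names and the triage rules are assumptions.

```python
import json
import secrets
from datetime import date
from email.utils import parseaddr

# Assumption: a catch-all (wildcard) domain whose every local part forwards
# to one inbox, as the article describes. example.com is a placeholder.
MY_DOMAIN = "example.com"


class InfoHandlerRegistry:
    """The 'who has my information' database, keyed by the unique alias
    that was handed to each organization (the 'information handler')."""

    def __init__(self):
        self.records = {}  # alias -> record dict

    def new_alias(self, handler, shared_fields, privacy_policy):
        """Register a handler and return the random alias to give them.

        The local part is random rather than derived from the handler's name,
        so seeing one alias does not let anyone guess the alias used elsewhere,
        and nobody can forge a leak that points at the wrong organization.
        """
        local = secrets.token_hex(6)  # 48 bits of randomness, 12 hex chars
        alias = f"{local}@{MY_DOMAIN}"
        self.records[alias] = {
            "handler": handler,
            "shared_fields": sorted(shared_fields),
            "privacy_policy": privacy_policy,
            "given_on": date.today().isoformat(),
            "compromised": False,
            "notes": [],
        }
        return alias

    def handler_for(self, to_header):
        """Map a message's To header (e.g. 'Name <alias@domain>') to its record."""
        _, addr = parseaddr(to_header)
        return self.records.get(addr.lower())

    def triage(self, to_header, note="unexpected mail to this alias"):
        """Mark the alias as compromised and list the follow-up actions the
        article suggests, chosen from what was shared with that handler."""
        record = self.handler_for(to_header)
        if record is None:
            return ["alias unknown: not one we issued, treat as ordinary spam"]
        record["compromised"] = True
        record["notes"].append(f"{date.today().isoformat()}: {note}")
        actions = [f"block or discard mail to this alias (leaked by {record['handler']})"]
        if "password" in record["shared_fields"]:
            actions.append("change the password used with this handler")
        if "credit card" in record["shared_fields"]:
            actions.append("replace the credit card given to this handler")
        return actions

    def export_json(self):
        """Serialise the database, e.g. to paste into a password manager's notes."""
        return json.dumps(self.records, indent=2, sort_keys=True)


if __name__ == "__main__":
    reg = InfoHandlerRegistry()
    alias = reg.new_alias("Example Registrar", ["name", "password", "credit card"],
                          "https://example.com/privacy (placeholder)")
    print("give this address to the registrar:", alias)
    # Constructed incoming spam: only the registrar was ever given this alias.
    for action in reg.triage(f"Spam Sender <{alias.upper()}>"):
        print("-", action)
```

Because the aliases are random, the registry itself becomes the only way to tell which address belongs to which handler, which is exactly why the text recommends keeping it inside a password manager rather than reconstructing it from memory.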

Credit monitoring is another easy safeguard. If someone is creating new accounts in your name, often the first sign of a problem will be an unexpected credit score decrease. You'll see a slight decrease as soon as someone attempts to open a line of credit, even before they accumulate any debt. Credit monitoring services directly from the four credit bureaus will provide details about why your credit score has changed; keep a close lookout for any unexpected credit checks, as those will be the first decreases that you'll see. Additionally, credit monitoring services usually come with identity theft insurance, which can save a lot of headaches if you're ever targeted.

As a fallback, it's always a good idea to keep up-to-date with the latest security breaches. A quick web search reveals sites such as Privacy Rights Clearinghouse that document publicly disclosed breaches and similar hiccups. Take what you read with a grain of salt, though: many articles written about security breaches are inaccurate. This stems from the technical nature of the topic; reporters rarely understand the concepts they're discussing and incorrectly paraphrase what they're told, changing the meaning of the content in the process.

Your information is valuable. The more carefully you manage your personal information, the less likely you are to be targeted, and the easier it will be to recover if the worst should occur. It only takes a few minutes each day to maintain your records and monitor for problems. As the threat of electronic theft continues to increase, you'll be ahead of the game and prepared for the inevitable.


•••
Thanks for sharing :)
Two factor authentication can help a lot in preventing hackers from logging to email/registrant account.
It is always a good idea to turn it on when possible.
 
•••
Thanks for sharing :)
Two factor authentication can help a lot in preventing hackers from logging to email/registrant account.
It is always a good idea to turn it on when possible.

Just make sure it's not SMS-based. Additionally, don't add a recovery phone number. If SMS can be used to bypass 2FA, then 2FA is mostly useless.

SMS (text messaging) and PSTN (telephone) should never be used for authentication purposes.
 
•••
Just make sure it's not SMS-based. Additionally, don't add a recovery phone number. If SMS can be used to bypass 2FA, then 2FA is mostly useless.

SMS (text messaging) and PSTN (telephone) should never be used for authentication purposes.

What are the issues with using SMS for authentication? That's how GoDaddy and several other registrars do it. Places I bank with, etc. Is it a flawed way to authenticate? What would you recommend in its place for 2FA?
 
•••
Just make sure it's not SMS-based. Additionally, don't add a recovery phone number. If SMS can be used to bypass 2FA, then 2FA is mostly useless.

SMS (text messaging) and PSTN (telephone) should never be used for authentication purposes.

Indeed :)
This is why I avoid this type of two factor authentication method.


What are the issues with using SMS for authentication? That's how GoDaddy and several other registrars do it. Places I bank with, etc. Is it a flawed way to authenticate? What would you recommend in its place for 2FA?

Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Thus third parties can steal and use the token.
App based two factor authentication can be a safer alternative.
For example, Google Authenticator.
 
•••
What are the issues with using SMS for authentication? That's how GoDaddy and several other registrars do it. Places I bank with, etc. Is it a flawed way to authenticate? What would you recommend in its place for 2FA?

Anyone can easily intercept those SMS messages via a variety of methods. Banks do it because their systems are largely antiquated; infosec at most banks is appalling.

A couple good alternatives:
  • OATH, specifically TOTP. Those are those codes generated by an app on your phone. The most common app for this purpose is Google Authenticator, but there are other popular ones such as Authy; it's an open spec, so anyone can create their own app. Some password managers, such as Bitwarden, have integrated TOTP support. You can also get physical TOTP devices; those are more secure than phones, but they're overkill for most people. If you're using 2FA on NamePros, this is probably what you're using. GoDaddy and many other major registrars support it--it's what I use on my GoDaddy account.
  • FIDO U2F or FIDO2. Windows 10 has native support for FIDO2; if you have Windows Hello enabled, you can authenticate to websites with Windows Hello as long as they support FIDO2. FIDO2 has strong industry support, so it's likely to be the future of authentication on the web. Currently, FIDO U2F is more widely supported by websites, but web browsers are pushing FIDO2. If you want something that supports both, and you don't want to use Windows 10/Windows Hello, look into getting a YubiKey. (This isn't going to help you with most registrars, though.)
A couple bad alternatives:
  • KBA, or Knowledge-Based Authentication. This is worse than nothing at all; identity thieves are better at answering these questions than the real people.
  • SMS. It's trivial to hijack someone's phone number. If the attacker is going after a lot of people and doesn't mind dropping a few thousand bucks, they can arbitrarily intercept messages. If the attacker is on a budget--and this is usually what happens in the context of domaining--they can just call up your carrier, request a new SIM, and be good to go.
  • Email. Pretty much every high-profile case of domain theft I see starts with the victim's email account being compromised.
If you have any of these bad alternatives enabled, they completely undermine the security of any better 2FA methods because they can be used to bypass the good methods. If you have them enabled, you need to disable them for the more secure methods to be effective.

All of that was quite technical, so here's a simpler set of steps. It'll be a little different on each site, but I'll give instructions for using it on NamePros:

  1. Install Google Authenticator on your phone. It doesn't send anything sensitive to Google, but if you still don't trust them, try FreeOTP by Red Hat.
  2. On your desktop, while logged in, hover over your account menu. Click the "Two-Step Verification" link.
  3. Enter your password when prompted.
  4. Click the button to enable "Verification Code via App". Don't enable the Email one. If you already have the Email option enabled, disable it, or it'll undermine everything else you're doing. (Fun fact: We require 2FA for our staff, and we don't allow them to enable the Email option.)
  5. There will be two key pieces of information on the next page: a QR code and a secret. Both are confidential--don't share them and don't save them! The idea is that you get them once and are then unable to retrieve them; this differs from a password.
  6. Open Google Authenticator on your phone.
  7. Tap the + button.
  8. Choose to "Scan barcode". (It's not a barcode, but that's beside the point.)
  9. You'll see a view from the camera on your phone with a green box. Point your phone's camera at the QR code so that it's within the green box. When you succeed, the camera will close.
  10. You'll now see a six-digit code; this is the view you'll see every time you open Google Authenticator. In order to log into NamePros, you'll need to enter that code. The code changes automatically every 30 seconds.
  11. Enter the current code into the form. Don't panic if the code changes after you've entered it; there's a grace period. Once it's entered, click Confirm.
  12. You need a backup method in case you lose your phone. You could add the code to two phones simultaneously, but most people don't have two phones. That's why you'll now have the option to add backup codes. Click Manage on that option.
  13. Behold, backup codes! If you lose your phone or you replace it, you can enter one of these backup codes in place of a TOTP code. They don't change. You should save these in a very safe place, preferably somewhere different from your password. You can only use each code once.
Notice none of this involved a phone number or an email address. Many sites will encourage you to add an email address or a phone number as a recovery option--don't do it!
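To make steps 5, 10, 11 and 13 of the walkthrough above concrete, here is an added example (written for this page; not NamePros's implementation and not Google Authenticator's code) of the TOTP algorithm the app runs against the secret from the QR code, the otpauth URI that such a QR code encodes, and a server-side check with the grace period and single-use backup codes the steps describe. The issuer and account names, the backup-code format and the one-step grace window are assumptions; the test secret used in the usage note is the one from the RFC 4226/6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per time step, the 30-second rotation described above
DIGITS = 6   # six-digit codes, as in the walkthrough


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def provisioning_uri(secret, account, issuer):
    """The otpauth:// key URI that the enrolment QR code encodes. It carries
    the base32 secret, which is why the QR code must not be shared or saved."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hash_backup_code(code):
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    """Server-side verification: accepts a TOTP code from the current step or
    one step either side (the grace period), never accepts a time step at or
    before the last accepted one (no replay), and consumes backup codes."""

    def __init__(self, secret, backup_codes, window=1):
        self.secret = secret
        self.window = window
        self.last_counter = -1
        # Backup codes are stored hashed, like passwords, so a leaked
        # database does not hand them out.
        self.backup_hashes = {hash_backup_code(c) for c in backup_codes}

    def verify(self, code, at=None):
        if at is None:
            at = int(time.time())
        code = code.strip().replace(" ", "")
        if not code.isascii():
            return False
        counter = at // STEP
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue  # replay of an already-used (or older) step
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        h = hash_backup_code(code)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)  # each backup code works once
            return True
        return False

    def backup_codes_left(self):
        return len(self.backup_hashes)


def generate_backup_codes(n=10):
    """Constructed format: ten random 8-hex-character codes."""
    return [secrets.token_hex(4) for _ in range(n)]


if __name__ == "__main__":
    secret = secrets.token_bytes(20)  # 160-bit seed, generated once at enrolment
    sf = SecondFactor(secret, generate_backup_codes())
    print(provisioning_uri(secret, "user@example.com", "ExampleSite"))
    now = int(time.time())
    print("current code:", totp(secret, now), "accepted:", sf.verify(totp(secret, now), now))
```

With the RFC test secret `12345678901234567890`, `totp(secret, 59, digits=8)` gives `94287082`, matching RFC 6238. The replay rule is what makes step 10's "the code changes every 30 seconds" matter for security: a code observed over someone's shoulder is useful for at most one login attempt and expires within the grace window.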
 
•••
Anyone can easily intercept those SMS messages via a variety of methods. Banks do it because their systems are largely antiquated; infosec at most banks is appalling...............

Notice none of this involved a phone number or an email address. Many sites will encourage you to add an email address or a phone number as a recovery option--don't do it!

WOW! Thank you for that wealth of information. I will read through that a couple of times (or more) to fully understand that stuff! I really do appreciate the detailed reply! :)
 
•••
Thank you for a very thorough and valuable post in your series, @Paul Buonopane. I hope it gets a wide reading even outside the usual NamePros community as it is a superb guide.

Lots of good ideas. I never thought of using a catch all email to allow one to use lots of different emails - very smart! I may start doing that, although in many ways my email addresses are already so many places.

Also the idea of keeping a log of where all your information is being kept, while a big job, is a smart idea.

The one part I would disagree with, somewhat, at least based on my experience here in Canada including working in an educational organization, is this statement. For quite some years I think both governments and educational institutions have put into place lots of controls.
For example, schools and government organizations love to hand out personal details to their friends
Undoubtedly not perfect, but in general I think they are doing a better job than most businesses, in my opinion (based on Canadian experience). Also, concern about even the most anonymous data, like a username and password for an online testing system in a university course, being stored on a server outside Canada has resulted in the big companies hosting their testing programs inside Canada for Canadians, so that they are immune from US government reach (i.e. Patriot Act).

Thanks again for a superb post, and also the detailed reply above re 2FA. I learned a huge amount from your post.(y)

Bob
 
•••
.....Undoubtedly not perfect, but in general I think they are doing a better job than most businesses, in my opinion (based on Canadian experience).....

Re: schools --- when my kids were in daycare the director used to email blast each parent, grandparent, guardian, etc all in the clear on the TO line (not even the CC though it wouldn't have mattered) and so by the time they were done with daycare that list grew to several hundred because the list was never cleaned up. It was absurd. Did not matter how many times we brought it to their attention ("gee, this is not very secure can you please bcc everyone") this is all they would do. THEN....... they get into Elementary school and it was no different there. :)
 
•••
The one part I would disagree with, somewhat, at least based on my experience here in Canada including working in an educational organization, is this statement. For quite some years I think both governments and educational institutions have put into place lots of controls.

It tends to vary widely depending on which part of the organization you're in. Having worked for several educational institutions myself over the years, I found that there were strong controls in place throughout most of each organization, but there were always one or two branches that were led by people who just didn't understand their obligations. Furthermore, information always ended up leaking between affiliated organizations, and that caused problems.

Some examples:
  1. At one school for which I worked, I received a $15 parking ticket for parking in the wrong space. That resulted in my personal information being given to a company that handled online ticket payment--and their website's security would've been inexcusable even in the early 2000's.
  2. Massachusetts has a library network called Minuteman. I'm a believer in lifelong learning, so I often take random classes at local schools; the first time I took a class at one particular college, they gave all my personal information to Minuteman, who updated my profile with that information. Much of the information I gave to the college was unique to that college--and even within that college, I was putting unique information on each form--so it was easy to track down exactly which form leaked. The data provided on that form was guaranteed to be kept private and within the college. Any librarian--many of them volunteers--can now access everything I put on that form from almost any library in the state.
  3. If you file a forwarding address with USPS (a government service), even if you explicitly opt out of their information sharing nonsense, every nearby real estate agent and car dealership gets your information. They then add it to their own systems that leak it everywhere--even Facebook. Facebook lets you see which advertisers have added your information to their advertising account; a single address change results in thousands of advertisers automatically adding a wealth of information about you to their accounts. Even if you don't have a Facebook account, Facebook now knows an awful lot about you.
 
•••
Re: schools --- when my kids were in daycare the director used to email blast each parent, grandparent, guardian, etc all in the clear on the TO line (not even the CC though it wouldn't have mattered) and so by the time they were done with daycare that list grew to several hundred because the list was never cleaned up. It was absurd. Did not matter how many times we brought it to their attention ("gee, this is not very secure can you please bcc everyone") this is all they would do. THEN....... they get into Elementary school and it was no different there. :)

Story time!

I was interning at primary schools back when people were still using dialup and schools were only just starting to communicate online. Nobody knew what security was back then. One school system in particular decided to make a website on which they would publish copies of the weekly informational packets they distributed to parents.

Well, the website was developed and maintained by someone with no programming experience. (Who knew what programming was back then?) She made each page in Microsoft Word, then exported them to something remotely resembling HTML and uploaded them via FTP. As if that weren't bad enough, somehow she ended up with comments in the exported HTML containing her FTP credentials. Eventually, the site got hacked, and when parents went to download their weekly information packets, they got a virus instead.

We took down the website until we could resolve the issue. But the superintendent demanded that the site come back online, malware and all. As interns, we couldn't modify anything remotely, and we couldn't get into the building after-hours; we could only turn the server off and on--and even that wasn't something we were supposed to be able to do remotely. We were unable to reach anyone with enough access to resolve the issue. (We didn't know the cause of the incident at the time, or we could've just used the leaked FTP credentials to remove the malware ourselves.)

So I started a tech support business in the same town and got paid to clean up the mess.
 
•••
A couple bad alternatives:
  • KBA, or Knowledge-Based Authentication. This is worse than nothing at all; identity thieves are better at answering these questions than the real people.
  • SMS. It's trivial to hijack someone's phone number. If the attacker is going after a lot of people and doesn't mind dropping a few thousand bucks, they can arbitrarily intercept messages. If the attacker is on a budget--and this is usually what happens in the context of domaining--they can just call up your carrier, request a new SIM, and be good to go.
  • Email. Pretty much every high-profile case of domain theft I see starts with the victim's email account being compromised.
Good information here. A quick note. Sometimes the bad alternatives are all that's available for two factor auth. If the choice is between a bad method or no two factor auth, go ahead and use the bad method; it's *slightly* better than no two factor auth. Take my credit union for example, which still uses "security questions" to verify online banking logins from new devices.

There are some tricks to help make these bad methods a little better, but still not as good as the better methods.

For Knowledge based authentication, DON'T use a real answer; in fact don't use a real word or phrase. When I must use this (like for my CU) I generate a long random unique string in my password manager, and save it there. For example, the question might be "What was your high school's mascot?" and my answer might be something like "L!rXh!*tq*^%8gYbsfOF2y8skzLFN*NMctdx^fWE" (NOTE: DON'T use this exact example). That makes it more like a second password.

For SMS, setup a google account with GOOD Two Factor Authentication (you kinda have to work at it to not have SMS backup enabled but it is possible), get a Google Voice number, use that for SMS based verification ONLY on sites that only support that. Don't give out or use that number for anything else.

Email, same thing, a unique email account used solely for that purpose when no other better method is available, and setup good two factor auth on that email account.

That said, these tricks help if these are your only options for two factor auth, but if you can, then absolutely use a better method.

Another note for users of authenticator apps: there are apps that allow you to hide some apps behind a secondary lock screen; it can be a good idea to use that for your authenticator app. Another trick is, if you have a Yubikey (one brand of hardware security keys available), some models have the ability to store your time based authentication codes on the key, which can be accessed through the Yubico Authenticator app on your phone or PC only with the hardware key.

Best overall advice: invest in a hardware security key (they are usually under $50 US) and use that wherever possible, and use an authenticator app where the hardware key isn't supported. And use long random unique passwords for each site stored in a secure reputable password manager (not the one built into your browser!)
 
•••
Sometimes the bad alternatives are all that's available for two factor auth. If the choice is between a bad method or no two factor auth, go ahead and use the bad method; it's *slightly* better than no two factor auth. Take my credit union for example, which still uses "security questions" to verify online banking logins from new devices.

Not always. I've encountered cases whereby a victim's account was stolen, and the service refused to restore access, citing successful authentication with 2FA as proof that the transfer was authorized. (This is rare, but it does happen with high profile accounts, and some services are notorious for this issue.)

For Knowledge based authentication, DON'T use a real answer; in fact don't use a real word or phrase. When I must use this (like for my CU) I generate a long random unique string in my password manager, and save it there. For example, the question might be "What was your high school's mascot?" and my answer might be something like "L!rXh!*tq*^%8gYbsfOF2y8skzLFN*NMctdx^fWE" (NOTE: DON'T use this exact example). That makes it more like a second password.

That's different from KBA--KBA is when the bank already knows information about you that you haven't provided. For example, when they ask, "Which of these addresses have you lived at in the past 10 years?"

For SMS, setup a google account with GOOD Two Factor Authentication (you kinda have to work at it to not have SMS backup enabled but it is possible), get a Google Voice number, use that for SMS based verification ONLY on sites that only support that. Don't give out or use that number for anything else.

This is definitely a lot better, but it can still be intercepted.

Email, same thing, a unique email account used solely for that purpose when no other better method is available, and setup good two factor auth on that email account.

This is generally a good idea. Also, make sure you have strong 2FA on your email, and use a reputable service that's known for their security. Both Gmail and Outlook.com are very difficult to compromise if the account operator correctly configures their security settings. Out-of-the-box, Outlook.com is the harder of the two to compromise, but Gmail is better when fully configured. Anything provided by your hosting provider is almost certainly a bad choice.

Another trick is, if you have a Yubikey (one brand of hardware security keys available), some models have the ability to store your time based authentication codes on the key, which can be accessed through the Yubico Authenticator app on your phone or PC only with the hardware key.

YubiKeys are all-around great security devices, and I strongly recommend this approach to anyone who wants the absolute best security. However, YubiKeys do have limits on the number of OATH seeds they can remember, and you will hit the limit if you have a lot of accounts with 2FA enabled.

And use long random unique passwords for each site stored in a secure reputable password manager (not the one built into your browser!)

This is a very good point that I missed. Generic malware often targets passwords stored in browsers, but rarely targets third-party password managers.
 
•••
Not always. I've encountered cases whereby a victim's account was stolen, and the service refused to restore access, citing successful authentication with 2FA as proof that the transfer was authorized. (This is rare, but it does happen with high profile accounts, and some services are notorious for this issue.)

I have not heard of that. Personally I wouldn't risk not having two factor auth myself.

That's different from KBA--KBA is when the bank already knows information about you that you haven't provided. For example, when they ask, "Which of these addresses have you lived at in the past 10 years?"

Well there seems to be a confusion to terms here because what you are describing is something we (when I worked for a bank) called out of wallet questions.

This is definitely a lot better, but it can still be intercepted.

Not intended to be perfect, none of these workarounds are. But it helps make it a little better than pure SMS.

This is generally a good idea. Also, make sure you have strong 2FA on your email, and use a reputable service that's known for their security. Both Gmail and Outlook.com are very difficult to compromise if the account operator correctly configures their security settings. Out-of-the-box, Outlook.com is the harder of the two to compromise, but Gmail is better when fully configured. Anything provided by your hosting provider is almost certainly a bad choice.

I use two factor on everything I can, even mundane seeming services. At a minimum I would recommend its use on email, financial sites, domain and hosting control panels. But hopefully keep going to encompass more services over time.

YubiKeys are all-around great security devices, and I strongly recommend this approach to anyone who wants the absolute best security. However, YubiKeys do have limits on the number of OATH seeds they can remember, and you will hit the limit if you have a lot of accounts with 2FA enabled.

True, I'm not sure how likely it is for most people to surpass the limit. I have enough accounts to where I do. So I use the Yubikey as my second factor wherever it is supported (unfortunately not enough places still), Yubico Authenticator with the seeds stored on the Yubikey for my most sensitive accounts that don't support Yubikey directly, and a regular authenticator app for all else.

This is a very good point that I missed. Generic malware often targets passwords stored in browsers, but rarely targets third-party password managers.

In general the security of the browser based password managers is a joke. Too easy for someone else to see all your usernames and passwords in plain text!
 