Tips for preventing domain theft

I've been thinking about steps to take to prevent domain theft and thought it might be worthwhile to start a thread where we can share ideas on how to best secure our domain assets. I'll start the ball rolling with some ideas of my own ( some of them might be overly paranoid :) ) and hopefully others can add to the discussion.

1. The email address in your whois info should be different from the administrative email address you use for your registrar. Hackers will sometimes try to get into your email account so that they can then unlock your registrar account by going the "forgot password" route and intercepting the reset password email. If a hacker doesn't know what email address you use for your account, that makes their job that much more difficult. Domain privacy can add an additional layer of security here since your whois information won't provide any clues about who you are and what email addresses you tend to use.

2. The email account you use for your registrar should be an address you don't use for any other purpose. This will prevent hackers from being able to research you and deducing your administrative email address based on publicly available information.

3. Use 2 factor authentication for both your registrar account and your email account.

4. Use strong passwords for your email and registrar accounts and don't use the same password for both.

5. Don't use an easy to guess username for your accounts (e.g. firstname/lastname or company name are a bad idea).

6. Keep your computer secure and free of malware. If a hacker gains access to your computer, they can potentially gain access to your accounts. I've personally switched over to Linux since protecting a Windows based machine seems like a never ending battle.

7. Pay extra attention when receiving emails that seem to be coming from your registrar and that have you clicking links. If the link takes you to a page that requests your username and password, it's most likely a hacker site.

Any other suggestions?
 
2FA: ENABLE IT!
(This must be in the thread already, but let's put it out there again.)

And like @Bertrell told us, the SMS versions are not as secure (for many reasons),

so use Google Auth,

and back up your seed QR code or numbers in case you lose your phone,
or use an alternative OTP app that cloud-backs up your codes so you can restore on a new phone
if you lose the phone (OTP apps like Authy, for example, can do this) while Google Authenticator does not.
 
TIP: Never use mobile 2-factor authentication; it's possible for people to do 'SIM swapping' and get your domain. I'd always advise the normal 2FA way (via an app, such as Authy).
 
TIP: Never use mobile 2-factor authentication; it's possible for people to do 'SIM swapping' and get your domain. I'd always advise the normal 2FA way (via an app, such as Authy).

Or combine multiple methods:

- IP allow
- App/Google Authenticator
- 2-factor SMS
- MaxLock
- WHOIS privacy (to prevent identity theft)
 
TIP: Never use mobile 2-factor authentication; it's possible for people to do 'SIM swapping' and get your domain.

I believe this to be a good tip. But, in the event only mobile 2-factor authentication is available (this used to be the case with Namecheap, but they recently added a more secure means), it's probably better than nothing at all.

The only reason I say I believe this to be a good tip...I've used Namecheap's original method for over a year with no issues (NC wasn't the registrar I was referring to in my previous comment).

The only difference is, my phone doesn't contain a SIM card (wifi only, using Google Voice). I wonder if the "simswapping" being mentioned is applicable in my circumstances.
 
I recommend recycling a really old & "dumb" smart phone as an exclusive 2FA device.
Losing your "phone" tends to happen to some more often than others.
If that sounds like you, consider a cheap old smart phone for your exclusive "OTP" 2FA device.

There are many ways to compromise the SMS methods; best avoid registrars that only provide that method.
If you have Namecheap SMS as your 2FA method, you can now change to OTP as they now support this method.

Take note, as Rob points out above, you can further secure your account by using 3FA (or even 4FA+ with IP restrictions etc.), and thanks again @Rob Monster and the whole team at Epik for adding Google Auth to the 2FA options @EPIK so promptly upon request (ages ago now). I have never seen such a responsive REGISTRAR, you guys rock!
 
I recommend recycling a really old & "dumb" smart phone as an exclusive 2FA device.
Losing your "phone" tends to happen to some more often than others.
If that sounds like you, consider a cheap old smart phone for your exclusive "OTP" 2FA device.

There are many ways to compromise the SMS methods; best avoid registrars that only provide that method.
If you have Namecheap SMS as your 2FA method, you can now change to OTP as they now support this method.

Take note, as Rob points out above, you can further secure your account by using 3FA (or even 4FA+ with IP restrictions etc.), and thanks again @Rob Monster and the whole team at Epik for adding Google Auth to the 2FA options @EPIK so promptly upon request (ages ago now). I have never seen such a responsive REGISTRAR, you guys rock!

All good -- Keep those suggestions coming. As you are likely aware, Joseph Peterson and I are both big fans of continuous improvement when it comes to the Epik platform. Feature-wise, if we can give it for free, we will always do that, e.g. privacy, forwarding, domain management, WHOIS lookup data, domain parking, etc. We recently started charging commissions on marketplace for selling/leasing/escrow. We had to do it simply to offset the mounting losses from fraud -- both fraud mitigation and fraud losses.

As for product superiority, from what I know, many registrars have had a revolving door of engineers or they simply gutted their engineering teams long ago when they ran out of ideas. We never stopped investing in the platform and are always on the lookout for ideas to help domain investors make their portfolios work harder for them. We fully know that it is tough out there. As such, our job is to help domain investors monetize their portfolio. Our profits come when domain investors sell to retail customers.
 
During my time at Epik (as Director of Operations and as a domainer customer), I've only seen 1 case of domain theft. Fortunately, we were able to reverse the transfer quickly. A few points:
  • Rob (CEO) and I both got involved immediately to reverse the transfer. This helped convince our counterparts at the other registrar to return the domain promptly. Ask yourself: If you run into trouble at your current registrar, will you get support like that – from the very top?

  • 2FA is crucial. In this 1 episode, 2FA wasn't enabled. We suspect that the customer's personal inbox was compromised, or else a password was obtained through phishing or social engineering. That can happen to anyone. So it's important to have a second line of defense.

  • Registrars are only as secure as their customers' habits. From time to time, it's important to take stock of our personal practices. That's why this NamePros thread is a great idea. Share the experience!

  • Domain theft is relatively rare. As domain investors, we know that most of our names – even quality names – take months or years to sell. Domain thieves often want to cash out quickly before their theft can be detected and overturned. So they focus on a very limited kind of domain inventory – names with obviously high value or with instant liquidity. For example, short numerical or acronym .COMs (which are quickly sellable, thanks to the Chinese market) or premium dictionary .COMs. If you have any names that meet this description, you're definitely a target.

  • Even though criminal domain theft targets mostly just a small subset of domains, there are OTHER RISKS. You'd be surprised how often registrars receive messages from someone who falsely claims to be the owner of a domain ... or someone designated by the owner ... or the real owner who merely allowed an employee or web designer to act as the registrant. Usually they're not lying, and they're not domain thieves. They're simply confused about the facts or had bad habits with regard to domain access and ownership. Upon review, we realize that this person was a PAST owner, or a real employee / web designer (who has not been approved by us for access), or someone who is confused about which domain they really own (it's the singular not the plural, or it has a hyphen, or it's a different TLD), or else they really believe that the domain belongs to them because they backordered it somewhere.

    You need a registrar whose staff is trained to handle these claims properly. But it's always possible the registrar employees will be duped or will make a mistake. They might push or transfer your domain without any hacker or domain thief involved, merely responding to someone's story about access rights. The general public is confused about domain names in general; and some of your domains generate inquiries, which can confuse a novice registrar employee. As domain owners, you need a backup. Note: 2FA will not be any defense in these cases because it's a registrar staff member taking action without anybody logging in.

  • Prevent accidental domain loss – that's the goal. Domain theft is actually the LEAST likely way this can happen. What's the most likely? Expiration without renewal. By far the most important thing you can do as domainers is log into your registrar(s) once or twice per month to audit all the domains and expiration dates. At Epik, there is a link to export a CSV. So this can be really quick. Just use a simple Excel function to compare the actual list to the expected list, and you'll see any discrepancies within 60 seconds.

    If you are using 2 dozen scattered registrars for the sake of small price differences, then this task of managing your domains becomes much more difficult. It's worthwhile to consolidate at 1 or 2 registrars. While you're still in the process of consolidating, I would suggest importing a list of all your domains at Epik. It's as easy as copy and paste. We have a tool for managing external domains too. It's not perfectly accurate with expiration dates (after domains are renewed elsewhere), but it helps to see all your domains in 1 place and prioritize transfers.

  • Overturning a domain transfer can be hard work, sometimes involving UDRPs, lawsuits, drawn-out discussions, or even public scandal. Remember, any 2 registrars are competitors. And they each have a different customer demanding to keep 1 domain. Under those circumstances, there can be obstacles, foot-dragging, confusion, and lack of cooperation. This situation is even worse if the transfer crosses national borders, resulting in different legal jurisdictions and language barriers. And the dispute is compounded if the domain is sold to a 3rd person (at a 3rd registrar) before the theft is detected. Don't let it get that far! An ounce of prevention is worth a pound of cure.

  • Be vigilant! Audit your domains once or twice per month, in case anything went missing or in case any expiration date isn't what you expected. From the registrar's perspective, an unauthorized transfer looks just like an authorized transfer. I mean, if someone logs into your account and initiates the transfer just as you would do, how are we to know it wasn't you who did it? Most of the time, registrars depend on the customer to notice a problem. If you are checking your portfolio monthly, then you will always detect a problem within hours or days – not months or years. And that makes a huge difference.
A few other tips:
  • Be careful with public or shared computers.
  • If you leave your computer open with friends, relatives, and significant others, don't assume they aren't inside your inbox and other accounts digging around.
  • Be alert for phishing scams, which impersonate registrars, ICANN, banks, email providers, et al. They can spoof the email address and mimic the web design. And they will steal your password without even needing to hack your inbox.
  • Make a habit of direct navigation. Type the domain of your destination site directly into the browser. Or at least search online. Pages that rank well are probably more trustworthy than links in emails.
  • Look carefully at URLs in links, and don't assume that the text you see – even if it looks like a URL – is really the URL in the hyperlink. Inspect the URL before clicking.
  • If you do click a link, confirm the URL in your browser bar before logging into a sensitive account.
  • Change your passwords regularly.
  • Don't use the same password for multiple sites.
  • Use 2FA. Perhaps consider using 2 forms of 2FA – both SMS and app-based. (Epik offers both.)
  • Pay attention to email notifications from registrars. You may detect an unauthorized transfer based on an email you receive.
  • Before clicking a link to approve a transfer, pause to ensure it's really a transfer you approved.
  • When there's a valid auth code and an unlocked domain, transfers will usually be approved automatically after a few days if you don't DENY the transfer.
  • So check your email inbox frequently. Ideally at least once per week.
  • Ensure all your domains are locked. (Some TLDs don't allow locks.)
  • Use whois privacy. It's not just about protecting your identity, avoiding spam, and telemarketing calls. It's also about not broadcasting what email inbox you use, since hackers might be looking for that information. Whois privacy is important, and you've got a lot of domains. So you should pick a registrar where it's free. (Epik for instance.)
  • Even if you don't anticipate needing good security features, you should pick a registrar that has them. If you suddenly find yourself hacked, then you might suddenly need to enable them. And that's not a good time to be worrying about transferring all your domains to a new registrar with better security. You will want to act right away. And if you were hacked, then auth codes might be intercepted via email. So ideally your registrar can implement a hard lock on outbound transfers (like Epik's MaxLock) as well as 2FA.
  • Ask your registrar about their process when you lose your phone and need 2FA disabled. If that process is weak, then hackers can get around your 2FA merely by impersonating you and asking it to be turned off.
  • If your registrar allows you to create security questions to confirm your identity (Epik does), then pick answers that you will remember AND that nobody else can guess merely by knowing you or stalking your social media posts. In other words, don't choose the name of your pet dog. Answers are only secure if they're both memorable and secret. You might even need to rely on these if you're traveling or your phone battery is dead – to get your registrar to take action quickly when you can't log in. So it matters.
  • If you do have advanced security features like 2FA or IP whitelisting or MaxLock enabled, then don't make a habit of disabling and re-enabling them constantly. That will only habituate the registrar staff to seeing changes to your security settings. If you're constantly bypassing your own security for the sake of convenience, then registrar staff may not be as vigilant when someone else (claiming to be you) asks for security to be bypassed.
Good news: You don't need to be unduly paranoid. If you check your domains a couple of times per month, then you know where they are. Most problems occur because customers don't log in.
 
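The post above suggests exporting the registrar's CSV and comparing it against your expected list to catch missing names and surprise expiration dates. As an added example that is not the registrar's tool or the poster's spreadsheet, this script does that comparison and also flags unlocked and soon-to-expire names; the CSV columns and the sample export are constructed assumptions, so adapt them to your registrar's real export format:

```python
import csv
import io
from datetime import date, timedelta

# Added example, not the registrar's tool. Column names and the export below are
# assumptions (constructed sample data); adapt to what your registrar actually exports.
EXPORT_CSV = """domain,expiration_date,lock_status
Example.com,2025-03-01,locked
example.net,2024-12-15,unlocked
example.org,2026-07-30,locked
"""

# The list of names you believe you own, maintained separately from the registrar.
EXPECTED_DOMAINS = {"example.com", "example.net", "example.org", "example.info"}

def parse_export(csv_text: str) -> dict:
    """Map normalised domain -> (expiration date, lock status) from the export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["domain"].strip().lower()
        rows[name] = (date.fromisoformat(row["expiration_date"].strip()),
                      row["lock_status"].strip().lower())
    return rows

def audit(expected: set, export: dict, today: date, warn_days: int = 45) -> dict:
    """Compare the expected names with the export and flag what needs attention."""
    found = set(export)
    return {
        # Gone from the account: a transfer out or a lapsed name; investigate right away.
        "missing": sorted(expected - found),
        # Present but not on your list: a name you forgot, or activity you did not do.
        "unexpected": sorted(found - expected),
        # Already past the expiration date recorded in the export.
        "expired": sorted(d for d, (exp, _) in export.items() if exp < today),
        # Renewal due within the warning window.
        "expiring_soon": sorted(d for d, (exp, _) in export.items()
                                if today <= exp <= today + timedelta(days=warn_days)),
        # Registrar lock off: nothing stops an outbound transfer once an auth code is known.
        "unlocked": sorted(d for d, (_, lock) in export.items() if lock != "locked"),
    }

if __name__ == "__main__":
    report = audit(EXPECTED_DOMAINS, parse_export(EXPORT_CSV), date(2024, 12, 1))
    for category, names in report.items():
        print(f"{category:14s} {', '.join(names) or '-'}")
```
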
Or combine multiple methods:

- IP allow
- App/Google Authenticator
- 2-factor SMS
- MaxLock
- WHOIS privacy (to prevent identity theft)
Of course, the more protection the better. Sadly it isn't hard for people to find your number in leaked DBs and such. Still best to do whatever you can to prevent such.

I believe this to be a good tip. But, in the event only mobile 2-factor authentication is available (this used to be the case with Namecheap, but they recently added a more secure means), it's probably better than nothing at all.

The only reason I say I believe this to be a good tip...I've used Namecheap's original method for over a year with no issues (NC wasn't the registrar I was referring to in my previous comment).

The only difference is, my phone doesn't contain a SIM card (wifi only, using Google Voice). I wonder if the "simswapping" being mentioned is applicable in my circumstances.
Thanks for your response, yeah I use namecheap myself but I don’t like the thought that it’s using my number. I hear time and time again (note, mainly in the social media area) of people being easily simswapped and are able to do a reset to the phone number by text.

Pretty scary, and as someone who also owns a premium domain - I don’t want that risk of losing it.
 
The email address in your whois info should be different from the administrative email address you use for your registrar.

How do I edit the email address on whois?
 
How do I edit the email address

That's usually done via a control panel where your domain is registered. From what I remember, you're asked to provide that contact info when you first create an account, and there are generally 4 separate contact sections:
  • Registrant
  • Administrative
  • Technical
  • Billing
There are cases where you might have different contacts for each section (e.g., a company with many divisions). Or, you can use the same info for all. Even if you opt for privacy, you still have to supply contact info, as certain extensions don't allow for privacy (e.g., a .us domain).

Which registrar(s) do you use for your domains? If that's known, then the chances are good that someone might be able to offer more specific instructions, if necessary.
 
Which registrar(s) do you use for your domains? If that's known, then the chances are good that someone might be able to offer more specific instructions, if necessary.
Thanks @Bertrell for taking the time to reply, I use GoDaddy for now.
 