How Safe Are Your Domain Names?

Whether you are the king of domains, sitting on countless super valuable domains, or someone just starting out who spent days scraping through dropping lists to buy a handful of domains that others may have overlooked, our portfolios are special to us. They are a part of who we are and the result of the hard work we have put into them. In many cases they represent years of hard work. Our domains are important and valuable in many ways, and they deserve to be protected and safe. We work too hard building up a domain portfolio to have it taken from us in one day. Even if you are not sitting on a one-letter .com domain, the pain is just as real if you lose the domain you use for your main email address or small business, or some of the drops you beat out the competition for.

We all want to think our domains are safe, but I know that in the back of everyone’s mind we wonder: have we done all we can to protect them? I want to share with you some of the best practices I have observed over the years, in the hope that they help you protect your domains in the future. I also really encourage you to share in the comments section anything I may have missed that you think would help others.

First, let’s deal with some of the common mistakes that people don’t realize can hurt them until it is too late. You should only let people you trust completely have access to your domains. I am surprised by how many people let friends, employees, webmasters, etc. register or manage their valuable domains or have access to their account login information. Do you let your webmaster log in to manage your website or DNS? I have seen too many cases where a person doesn’t have complete control over their domains and the other party takes the name or disappears for whatever reason, taking the account access with them. Many times this is not malicious: the other party moves or leaves the industry, their old email stops working, and now you have no way to contact them to get the account data back.

It is also important to note that the registrant contact on the Whois matters a great deal. When putting the registrant contact information on your domain, a name like Domain Admin may seem great at the time, but when push comes to shove and you want to prove ownership of the domain, try proving in court that your name is Domain Admin. This can be done if you put in a company name as well, but if you use a company name on the Whois, use a real company name, not something made up. Again, when you need to prove ownership because you can’t access your account or someone took your domain, it is much harder to get your domains back (if at all) if you cannot prove you are or were the registrant through valid Whois records. Bottom line: always put Whois information that is tied to you and that you can prove if needed.

Now that you know the importance of having an account and domain Whois under your control, let’s consider the account itself. Many registrars offer 2 factor authentication for logging into the account. If your registrar does not, contact them and ask for it; if it does, I highly suggest enabling it immediately. This is extremely important as a security measure in today’s landscape. I also suggest you use an email address on your registrar account that is different than your public Whois email. It makes it that much harder to have someone trick you if you are using two different emails. If you know that your registrar should only be emailing you at the email that is not on the Whois, then you can be more suspicious of emails sent to the Whois address claiming to be about your account itself. Thieves typically mine the Whois database to try and send phishing emails. Knowing you wouldn’t get an email from your registrar at the Whois email address is a nice additional layer of security. There is also the ability to add privacy to your domain’s Whois. This has pros and cons that I will not weigh here, but it is an option.

I also strongly recommend using an email address from a provider that allows 2 factor authentication as your main email on your registrar account(s). This makes it even harder for someone to access your email to perform account resets that will allow them access to your registrar account(s). This is also a good tip for any email associated with things like your banking info.

Let’s say you get a suspicious email. How do you know whether it is legitimate? There are some good rules to follow. First, to be safe, go directly to the website of the company the email claims to be from instead of clicking any links contained in the email. If you are unsure of what to do once you log in, or have any questions about the email that was sent to you, forward it as an attachment to the company that the email claims to be from and ask them if they sent it. Also feel free to call their support. Do whatever it takes to be safe by taking some extra steps.

Something else you can do is look at the full email header. This is normally hidden in most mail applications, but there is usually a way to view it ("Show original" option in Gmail). It will tell you the real sender and their IP address. Doing a quick search online will show you plenty of articles on how to identify a phishing email. When you discover an email you were sent was a phishing attempt, please help the company out by forwarding it to their abuse department so they can work on taking it down to prevent it from impacting others who are not as savvy as you.

OK, so you know all this stuff and you got tricked anyway. I know it happens; we cannot always be on our guard, and sometimes things will slip by. This is why the extra steps, including 2 factor authentication, are so important. But if someone manages to get to your domains and move them out, what should you do?

The first step is to contact your registrar, the one who you had your domains registered with. They will usually have steps in place to assist you with this. The next thing to do is to contact the authorities. A theft has occurred, so contact someone who has authority to deal with Internet crimes. In the United States, it is the FBI.

I would also think about what domains were stolen and how they were stolen, meaning if any of the domains stolen are ones you use for important emails, or if your email was compromised on your account, then you will need to think about what else is tied to those emails. If you have bank accounts tied to them, or other important accounts, the thief who now can access your emails is just a password reset away from draining those accounts.

Lastly, be vocal. Let others know about the domains and share it on forums or blogs or wherever you can. The more people who know about the domains being stolen, the better your chances are of finding some kind of resolution. The fewer options the thief has to sell the domain(s), the better. It is also important to protect others. For instance, if I do not know a domain I am buying is your stolen domain, I may pay a thief a lot of money for a domain which may ultimately be returned to you as the rightful owner, and now I am out real money and the thief still has a profit. Sharing the information in as many places as possible helps protect others as well as yourself.

If all else fails and you cannot retrieve your domain through normal channels, there are many competent attorneys in the field who can provide you with good counsel. I would encourage you to contact one you can trust who is familiar with domain law. This is usually expensive and time-consuming, so put as much time into updating your security upfront as you can.
 
34
•••
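The header check described in the article, combined with its tip about keeping the registrar account email separate from the Whois email, as an added example (not part of the original article and not any registrar's tooling). The addresses, `TRUSTED_MX` and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (hypothetical): replace with your own.
WHOIS_EMAIL = "whois-contact@example.net"  # address published in public Whois
TRUSTED_MX = "mx.example.net"              # your mail provider's receiving server

# Constructed sample message, not a real email.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.net; Tue, 27 Oct 2015 10:00:05 -0700
Received: from unknown (HELO mailer.invalid) ([203.0.113.45])
\tby mx.example.net; Tue, 27 Oct 2015 10:00:03 -0700
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.invalid;
\tdkim=none; dmarc=fail header.from=registrar.example
From: "Registrar Support" <support@registrar.example>
To: whois-contact@example.net
Subject: Your account will be suspended

Log in here to verify your account.
"""

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    # 1. Registrar mail should go to the account address, never the Whois one.
    if parseaddr(msg["To"] or "")[1].lower() == WHOIS_EMAIL:
        flags.append("sent-to-whois-address")
    # 2. Envelope sender domain differs from visible From (a signal, not proof).
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append("return-path-mismatch")
    # 3. SPF/DMARC verdicts, but only those stamped by our own server;
    #    a sender can insert its own Authentication-Results header.
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.strip().lower().startswith(TRUSTED_MX):
            for mech in ("spf", "dmarc"):
                if re.search(rf"\b{mech}=(fail|softfail)", hdr.lower()):
                    flags.append(f"{mech}-fail")
    # 4. Connecting IP as recorded by our own server. Received lines added
    #    before that hop are written by the sender and can be forged.
    origin_ip = None
    for hop in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(TRUSTED_MX), hop):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)  # IPv4 only
            origin_ip = m.group(1) if m else None
            break
    return {"from_domain": from_dom, "origin_ip": origin_ip, "flags": flags}
```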
The views expressed on this page by users and staff are their own, not those of NamePros.
Great tips, Joe.

I'd also recommend people look into GoDaddy's DTVS (domain transfer verification service). Do you have any more details on who can take part in that program?
 
3
•••
@Joe, Thanks for your time describing the details. I could have just thanked you with the link, but you deserve at least a thank-you note :), if not more.

This is a really important piece of information.
 
1
•••
GoDaddy has never sent me any code while trying to enable the 2 factor verification. And when I call them to let them know my problem, they simply say that code will arrive 'sooner or later.' Well, it hasn't arrived in 2 months and I am forced not to use this feature. They further added that there might be some problem with your reception but I have no problem receiving codes from other websites.

This is the biggest issue with most people here in India which is still unresolved. Kindly look into it.

Thank you.
 
2
•••
GoDaddy has never sent me any code while trying to enable the 2 factor verification. And when I call them to let them know my problem, they simply say that code will arrive 'sooner or later.' Well, it hasn't arrived in 2 months and I am forced not to use this feature. They further added that there might be some problem with your reception but I have no problem receiving codes from other websites.

This is the biggest issue with most people here in India which is still unresolved. Kindly look into it.

Thank you.
@Joe Styler Please have a look into this issue!
 
0
•••
Great article.

Another point to consider: Take care of who you register your domain with.
I once reg a Domain and all confirmed, the next day my account was deleted, the domain released, and money refunded. Without once contacting me.

All because IP and payment address didn't match. So called "Fraud prevention". So be careful whenever being away from home.
Could have gone bad if a big domain.
 
2
•••
2 factor authentication is a really good move by GoDaddy; I typically receive the SMS within a few seconds.

I found using different emails in Whois and for login to be a good suggestion.
 
1
•••
@Genius327, I'm using 2 factor without any problem. Contact your service provider and check about DND.

Sometimes the SMS is delivered 5 to 10 minutes late. It depends upon network delay.
 
1
•••
Great tips, Joe.

I'd also recommend people look into GoDaddy's DTVS (domain transfer verification service). Do you have any more details on who can take part in that program?
Yes anyone who is in our Premier Services can use DTVS, it is an unadvertised service that locks the names down with extra security, but since it is manual you need to be in the premier services group.
If you want to know more about who can qualify to be in premier services and what it is, we are doing a live Google Hangout in two days, Thursday October 29th at 10 am Pacific time. The video will be archived if you can't make it live. http://no_url_shorteners/pservices
 
5
•••
GoDaddy has never sent me any code while trying to enable the 2 factor verification. And when I call them to let them know my problem, they simply say that code will arrive 'sooner or later.' Well, it hasn't arrived in 2 months and I am forced not to use this feature. They further added that there might be some problem with your reception but I have no problem receiving codes from other websites.

This is the biggest issue with most people here in India which is still unresolved. Kindly look into it.

Thank you.
Please reach out to me when you are requesting it as it is happening and I will see what I can do to figure it out.
 
1
•••
GoDaddy has never sent me any code while trying to enable the 2 factor verification. And when I call them to let them know my problem, they simply say that code will arrive 'sooner or later.' Well, it hasn't arrived in 2 months and I am forced not to use this feature. They further added that there might be some problem with your reception but I have no problem receiving codes from other websites.

This is the biggest issue with most people here in India which is still unresolved. Kindly look into it.

Thank you.


Hi, there is some problem with the mobile provider. If you use TataDocomo or Vodafone, we are getting that problem. Why don't you change your number to Airtel? I am not facing any problem with Airtel.

Give it a try.

Thanks
 
3
•••
Great article full of knowledge to continue domaining safely, thank you Joe!
 
1
•••
Helpful and timely info.
Particularly, the tip about two different email addresses.
Thanks, Joe!

Looking forward to your next hangout about Premium Services.
BTW, what's the difference between Premium Services and PRO account?
 
1
•••
Thanks.

Pro is geared towards people who build sites for multiple people such as a web developer. Premier services is geared towards our top customers some of which are pros and many are domain investors.
 
0
•••
Great article, Joe. Very informative.

As a registrar, we encourage our customers to utilise as many of our security options as possible.

Fabulous currently offer:
- Challenge Response questions, with question authentication able to be applied to different areas within your account.
- The Executive Lock, which is able to be applied to all or your most valuable domains, which only Fabulous staff can remove under your customisable conditions.
- The Fabulous Security Key, a physical USB key which is an additional authentication mechanism that is used in conjunction with your account password.

Email security is just as important, too. Always check with your email provider for extra security options.
 
1
•••
I also suggest you use an email address on your registrar account that is different than your public Whois email.

I've mentioned this before, but have received no response. Using a different email for the registrar account is the right way to go, however GoDaddy's system is set up to undermine that security measure. Anytime a domain is pushed into my account ( eg after purchasing an expired domain at auction ), the whois is automatically set to reveal to the world my secret registrar account email address rather than correctly displaying the default whois email address defined in the settings. It's really frustrating! This doesn't happen when a domain is transferred in from another registrar so I'm not sure why this needs to be handled this way for pushes. Is there any chance that this could be corrected?
 
1
•••
I've mentioned this before, but have received no response. Using a different email for the registrar account is the right way to go, however GoDaddy's system is set up to undermine that security measure. Anytime a domain is pushed into my account ( eg after purchasing an expired domain at auction ), the whois is automatically set to reveal to the world my secret registrar account email address rather than correctly displaying the default whois email address defined in the settings. It's really frustrating! This doesn't happen when a domain is transferred in from another registrar so I'm not sure why this needs to be handled this way for pushes. Is there any chance that this could be corrected?

I private messaged Joe about the email security hole when buying expired domains earlier this month. He said he would have his developers look into it.
 
1
•••
I private messaged Joe about the email security hole when buying expired domains earlier this month. He said he would have his developers look into it.

Thanks. FYI, it doesn't just happen when purchasing expired domains, it happens anytime a domain is pushed from one account to another.
 
0
•••
I private messaged Joe about the email security hole when buying expired domains earlier this month. He said he would have his developers look into it.
Yes I am looking into this currently with the developers. Thanks for bringing it up.
 
0
•••
I tried GoDaddy 2 step today. I have T-Mobile service in the US and have not gotten any SMS in about 5 hrs now. I have no problem getting it from anyone else.
 
0
•••
Hi @Joe Styler, do you have a link to where we can find info on the two stage set-up on the GoDaddy website? The Halloween candy is clouding my ability to find it.....
 
1
•••
I have an issue about this view on using "Domain Admin" as Registrant being a bad idea when proving ownership in Court.

If a domain is stolen, then it should be returned to the last registrar account where it came from. Because a domain is not a tangible property that you must return it to a physical person whose identity must be clearly verified. You cannot steal a domain from a person. You can only steal a domain from a "registrar account".

And the owner of the registrar account where the domain was stolen, can be proven by verifying credit card information where the validated real name of the owner is indicated. This does not even include the verification that can be done on the email address used by the real owner (which must be hacked separately in such case). If you have control over this email address, then you can validate your ownership. You can even have an IP address trace records for additional proofs.

And lastly, regarding the "Company Name" entry on the whois information, this is actually "Registrant Organization". So you are not required to create a "company" per se, by legal definition. Because a "company" requires shareholders among other securities requirements. So you cannot legally call something as a "company", unless you are registered with the government. You can use an organization name of your own liking instead.

A legal company is good, since you can have paper documentation proving your relationship to a company registered with a government securities commission. But that's just a "lucky" coincidence that you have a way to prove that a "Domain Admin" registrant is being controlled by a "company" whose identity is verifiable via a government issued certification.

The point is, whois data merely said that you can enter an "Organization" name, not specifically a "Company" name. If you have a Toastmaster's Club that owns a domain name, then that Toastmaster's Club can qualify as a Registrant Organization. Unluckily however, such a club is not a company, and therefore you are "unlucky" not to have a government certification to prove ownership of such "organization". But again, you are allowed to use an organization name of your own creation.
 
1
•••