
Domain portfolios getting stolen ???

doridori

i saw a thread on another domain forum and it said their domains got stolen.....

how is this happening ? can you protect against it ?

if someone breaks into my name registrar account and transfers domains to their account, can't the registrar stop and reverse it ?
 
Well, many registrars are not very helpful actually because the transfer may appear (to them) to have been authorized by you, and it could be a private dispute between a buyer and a seller - so they won't intervene.
Also, the domain thieves usually try to flip the stolen domain names very quickly, so that even if the names are recovered later the buyer is left holding the bag. If you see someone selling a LLL.com for 3K because he needs funds in a hurry, be careful.
 
There was a huge infection at GFY yesterday through an ad banner exploit. It's possible that this could turn into stolen domains being put onto the market. Use caution when buying for a while.
 
> Well, many registrars are not very helpful actually because the transfer may appear (to them) to have been authorized by you, and it could be a private dispute between a buyer and a seller - so they won't intervene.
> Also, the domain thieves usually try to flip the stolen domain names very quickly, so that even if the names are recovered later the buyer is left holding the bag. If you see someone selling a LLL.com for 3K because he needs funds in a hurry, be careful.

okay so what happens if i buy a stolen domain.... ?
 
Avoid this even being able to happen. Once you get to a decent amount of names (150+) or you have a portfolio reseller value of $10,000 or more, you should be using Moniker's E-Lock/Maxlock on your whole portfolio, or even better, with a registrar that offers all this as free/standard.

Case in point: Fabulous offers portfolio holders free E-Lock and their choice of either Challenge Question or USB Passkey to unlock domains, push domains, etc etc. The USB passkey basically generates a unique one time use key each time you need to make a change by pressing a button on a USB key they send you.

E-Lock basically means you have to meet the conditions you set to make the changes; ie. you can say you must call Fabulous during their office hours and quote "The cat has left the basket" and then sing Mary Had a Little Lamb before any domains can be unlocked. (I'm being silly, but you choose how secure you want it. The reason security is an issue with people: You. People are the weakest link.)
 
Another thing guys that needs to be added to this is always make strong passwords for your accounts mix them with letters and numbers and change them once a month if possible.
 
> Another thing guys that needs to be added to this is always make strong passwords for your accounts mix them with letters and numbers and change them once a month if possible.

Yeah, what he said!!! AND make them REALLY, REALLY LONNNNNNNNNG!!!

I recommend a bare minimum of at least 16-20+ characters. Ideally more, MUCH more...
 
> Yeah, what he said!!! AND make them REALLY, REALLY LONNNNNNNNNG!!!
>
> I recommend a bare minimum of at least 16-20+ characters. Ideally more, MUCH more...

You must be assuming that registrars are stupid enough to not detect brute force attacks.

16 characters of upper, lower and numbers means there are exactly 47,672,401,706,823,533,450,263,330,816 combinations. And you want "MUCH" more?

Even if the hacker had a bot net of 10 million computers that did 100 trillion attempts each (totally not possible even if the registrar didn't block it), that would still be only 1,000,000,000,000,000,000,000 attempts.
Code:
47,672,401,706,823,533,450,263,330,816
         1,000,000,000,000,000,000,000
A 1 in 47 Million chance even with that impossible computing power.
 
> You must be assuming that registrars are stupid enough to not detect brute force attacks.
>
> 16 characters of upper, lower and numbers means there are exactly 47,672,401,706,823,533,450,263,330,816 combinations. And you want "MUCH" more?
>
> Even if the hacker had a bot net of 10 million computers that did 100 trillion attempts each (totally not possible even if the registrar didn't block it), that would still be only 1,000,000,000,000,000,000,000 attempts.
> Code:
> 47,672,401,706,823,533,450,263,330,816
>          1,000,000,000,000,000,000,000
> A 1 in 47 Million chance even with that impossible computing power.

What can I say, I'm just a "belt and suspenders" kinda guy...
 
Many domains are stolen using keyloggers and/or security exploits of various email providers (ie. gmail, yahoo, hotmail, etc) to change the admin email / transfer out. Long passwords won't help in such instances.

Furthermore, a long password is only as secure as its weakest link, which often is the security question / answer, which many services utilize to help people reset their accounts when they forget their password. Often the security answer(s) people choose is a simple one, such as a pet's name, that's easily found using social networking sites and/or guessing.

Password length of at least 7 characters is sufficient, if using mixed case plus numbers, along with preferably, at least one special symbol (%,$,#, etc).

Fabulous is among the most "secure". MarkMonitor is a league by itself - it's the only one, far as I'm aware, that currently offers registry lock, which prevents even the registrar itself from making changes.

Ron
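
Added example, not part of the thread or any poster's code: a portfolio audit that reads the status list from RDAP domain records and reports which names show a registry-level lock, a plain transfer lock, or no lock at all. It assumes locks appear as the standard RDAP status strings; account-level features such as E-Lock or a USB passkey are registrar-internal and will not show up here, and the sample records are constructed.

```python
import json

# RDAP status strings (RFC 8056 names for the EPP status codes).
CLIENT_XFER = "client transfer prohibited"   # set by the registrar
SERVER_LOCKS = {                              # set by the registry
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}

def lock_level(rdap_domain):
    """Classify one RDAP domain object by the locks its status list shows."""
    status = {s.strip().lower() for s in rdap_domain.get("status", [])}
    if SERVER_LOCKS <= status:
        return "registry-locked"
    if CLIENT_XFER in status or "server transfer prohibited" in status:
        return "transfer-locked"
    return "unlocked"

def audit(rdap_domains):
    """Return ({domain: level}, sorted list of domains with no transfer lock)."""
    levels = {d["ldhName"].lower(): lock_level(d) for d in rdap_domains}
    exposed = sorted(n for n, lvl in levels.items() if lvl == "unlocked")
    return levels, exposed

# Constructed sample data: RDAP responses trimmed to the two fields used.
SAMPLE = json.loads("""
[
  {"ldhName": "ALPHA.EXAMPLE",
   "status": ["client transfer prohibited", "server transfer prohibited",
              "server update prohibited", "server delete prohibited"]},
  {"ldhName": "beta.example", "status": ["client transfer prohibited"]},
  {"ldhName": "gamma.example", "status": ["active"]},
  {"ldhName": "delta.example"}
]
""")

if __name__ == "__main__":
    levels, exposed = audit(SAMPLE)
    for name, level in sorted(levels.items()):
        print(f"{name:15} {level}")
    print("no transfer lock:", ", ".join(exposed))
```

Run against your own portfolio on a schedule, a name that drops from "transfer-locked" to "unlocked" without you asking for it is an early sign of account compromise.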
 
I have recently been a victim, 25 of my LLLL.coms were transferred to someone in Egypt without my consent. I had to change my GoDaddy account and complete a bunch of forms to get it back.
 