advice Keeping Domain Names Safe After Equifax Breach

[EJS]

GoDaddy Chief Information Security Officer Todd Redfoot wrote an article to share actionable advice on how to protect domain names after the Equifax data breach. The tips that Todd shares are invaluable given the amount of personally identifying information that may have been taken during the Equifax breach.

The article can be found here:

https://domaininvesting.com/protect-domain-investments-equifax-breach/

 

[xynames]

You and the author of that article seem to imply that there is some connection between the Equifax data breach and securing our domains. There is not. Nor is any info that might have been obtained from that breach relevant to accessing our domain accounts. I could know everything about you, your name, address and SSN, and that would not get me into your domain registry account. How many Equifax credit profiles have you seen in your life? There’s not even a record of a person’s email addresses or anything close on that report. No passwords nothing like that. And starting about fifteen years ago complete credit card and other account numbers stopped appearing on credit profiles - such numbers were all displayed in a jumbled, coded order. The point being that stolen credit profiles are useful for opening new identity fraud credit accounts but not for accessing a victim’s domain registrars.

That article includes general advice about keeping online accounts secure. That’s good. But his statement about trying to match stolen personal identifying information with domain registry records is a stretch, and even if that could be done, he doesn’t explain how such info could get anyone into your domain account.

It’s good to be vigilant but no need to worry needlessly either.

 

[Kate]

The connection is tenuous, but any information that can facilitate identity theft can in theory be applied to domain registrations.
For example some sites may allow you to reset your password (or possibly change the E-mail address on record ?) if you are able to answer predefined 'secret' questions.
Those rely on the knowledge of semi-private personal information like DOB or your mother's maiden name. Maybe that's the kind of personal information that can be found in the Equifax dump. Wouldn't be surprised if it's put on sale on the dark web.

 

[EJS]

You and the author of that article seem to imply that there is some connection between the Equifax data breach and securing our domains. There is not. Nor is any info that might have been obtained from that breach relevant to accessing our domain accounts. I could know everything about you, your name, address and SSN, and that would not get me into your domain registry account. How many Equifax credit profiles have you seen in your life? There’s not even a record of a person’s email addresses or anything close on that report. No passwords nothing like that. And starting about fifteen years ago complete credit card and other account numbers stopped appearing on credit profiles - such numbers were all displayed in a jumbled, coded order. The point being that stolen credit profiles are useful for opening new identity fraud credit accounts but not for accessing a victim’s domain registrars.

That article includes general advice about keeping online accounts secure. That’s good. But his statement about trying to match stolen personal identifying information with domain registry records is a stretch, and even if that could be done, he doesn’t explain how such info could get anyone into your domain account.

It’s good to be vigilant but no need to worry needlessly either.

I believe one of the ways people can verify their identity to their domain registrar is by sending a copy of their driver's license. According to this CNBC article, "Exposed data includes names, Social Security numbers, birth dates, addresses, and in some cases, driver's license numbers" My presumption is someone could make a pretty good copy of a driver's license if they went to the trouble, and someone might go through the trouble if a domain registrar account had a few super high value domain names.

In any event, I think any account security reminder is good. I bet there are quite a few domain investors who don't even use 2 factor authentication even though it is easy to set up and free at most registrars.