Tips for preventing domain theft

Located in Warnings and Alerts started by discobull, Dec 28, 2014.


  1. NamesCost

    NamesCost Established Member

    Likes Received:
    (this must be in the thread already but lets put it out there again)

    and like @Bertrell told us the sms versions are not as secure (for many reasons)

    so use google auth

    and backup your seed qr code or numbers incase you lose your phone
    or use an alternative OTP app that cloud backups your codes so you can restore on a new phone
    if you lose the phone (OTP apps like authy for example can do this) while google authentication does not
    Last edited: Nov 30, 2018
    The views expressed on this page by users and staff are their own, not those of NamePros.
  2. Chazza

    Chazza Established Member

    Likes Received:
    TIP: Never use mobile 2-factor authentication, possible for people to do 'simswapping' and get your domain. I'd always advise the normal 2fa way (via an app, such as authy).
  3. Rob Monster

    Rob Monster CEO, Epik Staff PRO Gold Account VIP

    Likes Received:
    Or combine multiple methods:

    - IP allow
    - App/Google Authenticator
    - 2-factor SMS
    - MaxLock
    - WHOIS privacy (to prevent identity theft)
  4. Bertrell

    Bertrell Cannabolical Gold Account

    Likes Received:
    I believe this to be a good tip. But, in the event only mobile 2-factor authentication is available (this used to be the case with Namecheap, but they recently added a more secure means), it's probably better than nothing at all.

    The only reason I say I believe this to be a good tip...I've used Namecheap's original method for over a year with no issues (NC wasn't the registrar I was referring to in my previous comment).

    The only difference is, my phone doesn't contain a SIM card (wifi only, using Google Voice). I wonder if the "simswapping" being mentioned is applicable in my circumstances.
    Last edited: Nov 30, 2018
  5. NamesCost

    NamesCost Established Member

    Likes Received:
    I recommend recycling a really old & "dumb" smart phone as an exclusive 2fa device
    losing your "phone" tends to happen to some more often than others
    If that sounds like you consider a cheap old smart phone for your exclusive "OTP" 2fa device.

    There are many ways to compromise the sms methods best avoid registrars that only provide that method.
    If you have Namecheap SMS as your 2FA method you can now change to OTP as they now support this method

    Take note as Rob points out above you can further secure your account by using 3FA (or even 4FA+ with IP restrictions etc) and thanks again @Rob Monster and the whole team at epik for adding google auth to the 2fa options @EPIK so prompty upon request (ages ago now) I have never seen such a responsive REGISTRAR you guys rock!
  6. Rob Monster

    Rob Monster CEO, Epik Staff PRO Gold Account VIP

    Likes Received:
    All good -- Keep those suggestions coming. As you are likely aware, Joseph Peterson and I are both big fans of continuous improvement when it comes to the Epik platform. Feature-wise, if we can give it for free, we will always do that, e.g. privacy, forwarding, domain management, WHOIS lookup data, domain parking, etc. We recently started charging commissions on marketplace for selling/leasing/escrow. We had to do it simply to offset the mounting losses from fraud -- both fraud mitigation and fraud losses.

    As for product superiority, from what I know, many registrars have had a revolving door of engineers or they simply gutted their engineering teams long ago when they ran out of ideas. We never stopped investing in the platform and are always on the lookout for ideas to help domain investors make their portfolios work harder for them. We fully know that it is tough out there. As such, our job is to help domain investors monetize their portfolio. Our profits come when domain investors sell to retail customers.
  7. Slanted

    Slanted Member ICA Member VIP

    Likes Received:
    During my time at Epik (as Director of Operations and as a domainer customer), I've only seen 1 case of domain theft. Fortunately, we were able to reverse the transfer quickly. A few points:
    • Rob (CEO) and I both got involved immediately to reverse the transfer. This helped convince our counterparts at the other registrar to return the domain promptly. Ask yourself: If you run into trouble at your current registrar, will you get support like that – from the very top?

    • 2FA is crucial. In this 1 episode, 2FA wasn't enabled. We suspect that the customer's personal inbox was compromised, or else a password was obtained through phishing or social engineering. That can happen to anyone. So it's important to have a second line of defense.

    • Registrars are only as secure as their customers' habits. From time to time, it's important to take stock of our personal practices. That's why this NamePros thread is a great idea. Share the experience!

    • Domain theft is relatively rare. As domain investors, we know that most of our names – even quality names – take months or years to sell. Domain thieves often want to cash out quickly before their theft can be detected and overturned. So they focus on a very limited kind of domain inventory – names with obviously high value or with instant liquidity. For example, short numerical or acronym .COMs (which are quickly sellable, thanks to the Chinese market) or premium dictionary .COMs. If you have any names that meet this description, you're definitely a target.

    • Even though criminal domain theft targets mostly just a small subset of domains, there are OTHER RISKS. You'd be surprised how often registrars receive messages from someone who falsely claims to be the owner of a domain ... or someone designated by the owner ... or the real owner who merely allowed an employee or web designer to act as the registrant. Usually they're not lying, and they're not domain thieves. They're simply confused about the facts or had bad habits with regard to domain access and ownership. Upon review, we realize that this person was a PAST owner, or a real employee / web designer (who has not been approved by us for access), or someone who is confused about which domain they really own (it's the singular not the plural, or it has a hyphen, or it's a different TLD), or else they really believe that the domain belongs to them because they backordered it somewhere.

      You need a registrar whose staff is trained to handle these claims properly. But it's always possible the registrar employees will be duped or will make a mistake. They might push or transfer your domain without any hacker or domain thief involved, merely responding to someone's story about access rights. The general public is confused about domain names in general; and some of your domains generate inquiries, which can confuse a novice registrar employee. As domain owners, you need a backup. Note: 2FA will not be any defense in these cases because it's a registrar staff member taking action without anybody logging in.

    • Prevent accidental domain loss – that's the goal. Domain theft is actually the LEAST likely way this can happen. What's the most likely? Expiration without renewal. By far the most important thing you can do as domainers is log into your registrar(s) once or twice per month to audit all the domains and expiration dates. At Epik, there is a link to export a CSV. So this is can be really quick. Just use a simple Excel function to compare the actual list to the expected list, and you'll see any discrepancies within 60 seconds.

      If you are using 2 dozen scattered registrars for the sake of small price differences, then this task of managing your domains becomes much more difficult. It's worthwhile to consolidate at 1 or 2 registrars. While you're still in the process of consolidating, I would suggest importing a list of all your domains at Epik. It's as easy as copy and paste. We have a tool for managing external domains too. It's not perfectly accurate with expiration dates (after domains are renewed elsewhere), but it helps to see all your domains in 1 place and prioritize transfers.

    • Overturning a domain transfer can be hard work, sometimes involving UDRPs, lawsuits, drawn-out discussions, or even public scandal. Remember, any 2 registrars are competitors. And they each have a different customer demanding to keep 1 domain. Under those circumstances, there can be obstacles, foot-dragging, confusion, and lack of cooperation. This situation is even worse if the transfer crosses national borders, resulting in different legal jurisdictions and language barriers. And the dispute is compounded if the domain is sold to a 3rd person (at a 3rd registrar) before the theft is detected. Don't let it get that far! An ounce of prevention is worth a pound of cure.

    • Be vigilant! Audit your domains once or twice per month, in case anything went missing or in case any expiration date isn't what you expected. From the registrar's perspective, an unauthorized transfer looks just like an authorized transfer. I mean, if someone logs into your account and initiates the transfer just as you would do, how are we to know it wasn't you who did it? Most of the time, registrars depend on the customer to notice a problem. If you are checking your portfolio monthly, then you will always detect a problem within hours or days – not months or years. And that makes a huge difference.
    A few other tips:
    • Be careful with public or shared computers.
    • If you leave your computer open with friends, relatives, and significant others, don't assume they aren't inside your inbox and other accounts digging around.
    • Be alert for phishing scams, which impersonate registrars, ICANN, banks, email providers, et al. They can spoof the email address and mimic the web design. And they will steal your password without even needing to hack your inbox.
    • Make a habit of direct navigation. Type the domain of your destination site directly into the browser. Or at least search online. Pages that rank well are probably more trustworthy than links in emails.
    • Look carefully at URLs in links, and don't assume that the text you see – even if it looks like a URL – is really the URL in the hyperlink. Inspect the URL before clicking.
    • If you do click a link, confirm the URL in your browser bar before logging into a sensitive account.
    • Change your passwords regularly.
    • Don't use the same password for multiple sites.
    • Use 2FA. Perhaps consider using 2 forms of 2FA – both SMS and app-based. (Epik offers both.)
    • Pay attention to email notifications from registrars. You may detect an unauthorized transfer based on an email you receive.
    • Before clicking a link to approve a transfer, pause to ensure it's really a transfer you approved.
    • When there's a valid auth code and an unlocked domain, transfers will usually be approved automatically after a few days if you don't DENY the transfer.
    • So check your email inbox frequently. Ideally at least once per week.
    • Ensure all your domains are locked. (Some TLDs don't allow locks.)
    • Use whois privacy. It's not just about protecting your identity, avoiding spam, and telemarketing calls. It's also about not broadcasting what email inbox you use, since hackers might be looking for that information. Whois privacy is important, and you've got a lot of domains. So you should pick a registrar where it's free. (Epik for instance.)
    • Even if you don't anticipate needing good security features, you should pick a registrar that has them. If you suddenly find yourself hacked, then you might suddenly need to enable them. And that's not a good time to be worrying about transferring all your domains to a new registrar with better security. You will want to act right away. And if you were hacked, then auth codes might be intercepted via email. So ideally your registrar can implement a hard lock on outbound transfers (like Epik's MaxLock) as well as 2FA.
    • Ask your registrar about their process when you lose your phone and need 2FA disabled. If that process is weak, then hackers can get around your 2FA merely by impersonating you and asking it to be turned off.
    • If your registrar allows you to create security questions to confirm your identity (Epik does), then pick answers that you will remember AND that nobody else can guess merely by knowing you are stalking your social media posts. In other words, don't choose the name of your pet dog. Answers are only secure if they're both memorable and secret. You might even need to rely on these if you're traveling or your phone battery is dead – to get your registrar to take action quickly when you can't log in. So it matters.
    • If you do have advanced security features like 2FA or IP whitelisting or MaxLock enabled, then don't make a habit of disabling and re-enabling them constantly. That will only habituate the registrar staff to seeing changes to your security settings. If you're constantly bypassing your own security for the sake of convenience, then registrar staff may not be as vigilant when someone else (claiming to be you) asks for security to be bypassed.
    Good news: You don't need to be unduly paranoid. If you check your domains a couple of times per month, then you know where they are. Most problems occur because customers don't log in.
  8. Chazza

    Chazza Established Member

    Likes Received:
    Of course, the more protection the better. Sadly it isn’t hard for people to find your number in leaked DBS and such. Still best to do whatever you can to prevent such.

    Thanks for your response, yeah I use namecheap myself but I don’t like the thought that it’s using my number. I hear time and time again (note, mainly in the social media area) of people being easily simswapped and are able to do a reset to the phone number by text.

    Pretty scary, and as someone who also owns a premium domain - I don’t want that risk of losing it.

Want to reply or ask your own question?

It only takes a minute to sign up – and it's free!
  1. NamePros uses cookies and similar technologies. By using this site, you are agreeing to our privacy policy, terms, and use of cookies.
    Dismiss Notice