With domain hijackings seemingly at an all-time high, I think now is the time for a public domain registrar to take action. I believe security key fobs are a nearly impenetrable line of defense that should be put into action by a responsible registrar. This would curtail domain hijackings, potentially saving registrants thousands of dollars in legal fees and hundreds of hours fighting to have their domain names returned.
Domain hijackings can occur when a hacker gains access to a person’s domain registrar account. This can be done by hacking into someone’s email account using a variety of methods or by hacking into the actual domain account. Either a weak password or a multitude of other factors can potentially lead to this outcome. Once a hacker is in possession of the registrar account, there are many ways he can control the domain names without raising the attention of the domain owner. If the domain names are transferred to another registrar, it may be too late for the rightful owner to take action, and the process of getting the domain names returned can be costly and time consuming.
Domain names are intangible assets, and the loss of one can be fatal to a business. It can mean missed sales, lost emails sent to addresses linked to the domain name, confused customers, and it can be emotionally draining on the registrant. While we are able to secure our tangible assets such as jewelry or property deeds, it is more difficult to secure our domain assets. For example, if I lose the key to my safety deposit box, the bank doesn’t simply permit the finder to access the box. As it currently stands in the domain business, if a hacker gains access to my domain account through unscrupulous actions, he may be able to take control of my domain names. I don’t think it’s fair to be held accountable for something that may be out of my control.
With that said, I think a security key fob with a changing passcode (similar to what PayPal offers) could help secure a domain registrar account. I would pay a premium for this service, and I am sure others would as well. Having good security is a unique selling point that distinguishes some registrars from others. Having the best security system in place before competitors would certainly give one registrar a major competitive advantage. Most registrants wouldn’t want multiple security key fobs, so consolidating all domain names at the most secure registrar would be the most likely outcome.
I urge all registrars to take action, no matter how secure you believe your system is.
Great post, as someone working at a registrar I would be very interested in seeing just how many people would be willing to pay a premium for a registrar offering this type of service. Any chance of you polling your readers?
Business Development Manager
***UPDATED BY ELLIOT***
I will put a poll up in a couple of hours to see what people think. It’s unscientific, but the poll only allows people to vote once from a particular IP address, so it would give you an idea.
I think the best protection would be to return to the old system where paperwork is required to transfer ownership of a domain name. By that I mean: if a domain needs to be transferred away, the owner has to really put his signature on a paper and fax it.
If this system were used, one can even break into someone’s mailbox but won’t be able to steal his domain because to do that he needs to access the documents sent to the domain owner’s actual letterbox (contrary to an email sent to a virtual mailbox).
If there would be any registrars who still require paperwork for all transfers, I would be very interested to hear about it.
Fax papers didn’t stop sex.com from being hijacked way back when. I had brainstormed a way to incorporate the fobs you mentioned along with using faxed paperwork. The way I envision this working is as follows. The secured registrar would require a notarized signed application when a fob is issued. The fob would be required to make any DNS changes whatsoever. In the event of a sale the current owner would initiate a change in ownership with the fob, print the change of ownership documentation, have it notarized and mail it to the registrar for approval. Yes it sounds like a major PITA but it’s safe and almost hijack proof. I hear you can start your own registrar for under 100K – I’ve already picked out some gem domain names for this project. Anyone interested in going into business? Ideally the secured registrar could partner with every existing registrar and offer the service and premium security. Thoughts?
I have one of the PayPal fobs, and for the one time charge of about $5, I think it was WELL worth it. Registrars don’t have to raise prices to support such technology, they simply need the desire of the clients.
@WeBuyThe.com: Some great ideas there.
@LewR: Actually implementing such a system on a continuous basis costs more, since you not only need to pay for the keyfobs, but the service itself – I’ve done a lot of research on this topic. But yes, registrars could possibly decide to eat the cost, depending on how low cut their margins are. Compared to other industries, the margins in the domain name retail industry are quite low already.
I think I’ll post on DomainNameNews.com about this as well.
I completely agree with your blog post. As a registrar, domain security is something we feel very strongly about and have recently implemented a number of initiatives to secure domains within our registry. We also have further features we plan to roll out in the New Year.