During the past several weeks, there have been quite a few articles that broach the topic of domain theft. From email hacking to phishing to security breaches, there are many ways a domain name can be stolen from its rightful owner. The security of my domain names is the top priority for me when choosing a domain registrar.
With domain names being an intangible asset that I cannot physically protect, I rely heavily on the domain registrars I choose to help me protect my domain names. I have a responsibility to ensure my password is strong and added security like two factor authentication is enabled when possible, but there are other aspects to domain name security beyond what I can control. The domain registrar is responsible for ensuring that their database and technology is secure and does not allow for unauthorized access. They need to be sure their systems work properly, and they need to be proactive against threats.
On Labor Day, I wrote an article covering Namecheap’s “urgent security warning.” In its blog post, the company reported that it had “determined that the username and password data gathered from third party sites, likely the data identified by The Register (i.e. not Namecheap) is being used to try and gain access to Namecheap.com accounts.” At the time, I was thankful that I have 2 factor authentication enabled on my registrar accounts where I have my valuable domain names.
Recently, I received emails from Moniker regarding a password reset at my accounts. I looked into my accounts, and I noticed one had an IP address log in that I did not recognize as my own. This account did not have any domain names in it, and the email address on file is one I hardly ever use for anything. After a bit of research, I recalled that I had used this email address to create pdfs on the Adobe website a long time ago, and that website had notoriously been hacked with email addresses and passwords stolen a while ago. Luckily because I had no domain names associated with the account, this is more of a wake up call for me, and I have no idea if the log-in IP and Adobe website hack are related at all.
According to a Washington Post article, a cyber gang has a database containing “4.5 billion stolen Internet credentials,” and I presume that quite a few of these accounts are also associated with domain registrar accounts. With that said, I think a domain registrar needs to be proactive in helping to protect domain registrant accounts. Yes, domain owners need to have strong passwords and protect their associated accounts (ie email address connected with accounts), but I also think there should be countermeasures put into place to prevent hackers from using stolen email addresses and passwords to access accounts. I am hopeful the domain registrars I use are proactively monitoring log-ins to prevent unauthorized access.
As Mike Berkens noted this morning, “Domain security is the most important service a domain registrar provides and the lack thereof should give rise to De-Accredited faster than anything else.” I agree with Mike. Pricing and customer support are also important, but without proper domain security, I wouldn’t use a particular domain registrar in the first place.
As a domain name owner, the security of my domain names is the top priority and I need to trust that my registrars are proactive about keeping them secure. If I lose trust in a particular domain registrar, I will transfer my domain names out in order to protect them. There are only so many ways I can protect my domain names, and the domain registrar plays a critical role in keeping my domain names safe.
I put a lot of trust in my domain registrars, and I expect them to protect my domain name assets and ensure that I am doing my part in protecting them as well.
I almost ignored your advice but only took a few minutes to set up at the two registers I use. Thanks for the warning.
Which advice? 2fa?
yep – 2fa better than doing nothing
I think domain owners should be equally concerned about the Registrars they use that push expiring domains to auction for a cut of the sale.. If your Registrar does not sort your domains by date by default, this is a sign you should move, another sign is when they don’t send you a renewal notice or your domain(s) are expiring… Sadly, Domain hijackers are not the only crooks in our industry.
I would rather them push expired domain names to auction rather than keep them.
That being said, if you want to keep your domain names, you should renew them.
Renew them? naturally they would do that if they knew their domains were expiring, sometimes they don’t know because the Registrar in their clever ways, intentionally makes it hard for the registrant to know their domains are expiring.. It happened to me awhile back before I moved all my domains to another Registrar.
“I would rather them push expired domain names to auction rather than keep them.”
I’d rather let them go through the entire Redemption and Pending Delete process which allows the registrant a lot MORE time to retrieve his/her domains.
At ISPCircle.com we have built several rings of security to minimize similar incidents, including:
* enforcing strong passwords
* IP restriction (with IP logging)
* Two Factor Authentication (2FA)
* SSL-protected Control Panels
* Call-in Pin
I think many domain investors have always considered security when choosing domain registrars. Some surveys have shown that price and customer service were among other factors. But I think security beats price in certain ways. Security allows you to sleep well at night. 2-factor authentication might be the future of domain registrar security.
Elliot can I ask you please whats your revenue percentage comes from domain sales and from sites you own (dogwalker, this site, etc)
You said that a few times in the past but I am interested how this situation looks like today. How things work for you.