Consider these eight safeguards to keep thieves away from your domain names.
If you own domain names, particularly good names, you are at risk of having your valuable assets stolen from you.
Thieves will try to compromise your domain registrar account (sometimes by first compromising your email account) and transfer the domains to another registrar. Sometimes they won’t change your nameservers, so you might not realize the domain name is stolen until much later. This makes it harder to recover the domain name.
Here are some tips to protect yourself from domain theft:
1. Use two-factor authentication at your domain name registrar. Any reputable domain name registrar offers two-factor authentication. A thief then needs access to a secondary device (such as your phone) if they want to crack into your account.
2. Use secure email with two-factor authentication. A common way thieves get into your registrar account is by compromising your email. Once they have access to your email they can reset the password at your registrar. I’ve heard some advice that suggests you shouldn’t use free email services for your domain accounts. I disagree; web-based email services can be some of the most secure options. Consider using Gmail with a physical security key as secondary authentication.
3. Use a different email address for your registrar account than the one shown in Whois. While many registrars mask email addresses in Whois, some still show them. Thieves use the email address on a Whois record as a starting point: they try to hack that email account to gain access to the registrar account. One way to stump them is to use a different email address for your registrar account.
4. Use a password manager. Another way thieves get into your registrar account is by phishing. They use your email address from Whois to ask you to log in to a fake site, and they grab your credentials when you do. Two-factor authentication (see #1) can stump them even if they have your username and password. Using a password manager can stop you from falling for the phishing scam because it won’t auto-fill your credentials on the wrong site.
5. Remember that Whois privacy is a double-edged sword. While thieves use public Whois info to try to break into your account, masked Whois records aren’t always better. After all, if your domain is stolen it might not be reflected in the public database, so it will be more difficult for you to discover that your domain is stolen.
6. Use GoDaddy’s domain transfer verification service. This only applies to GoDaddy customers that have Premier Services account managers. The minimum to be considered is 300 domains, but there are other qualifications, too. (Here are the qualifications from 2013.) With this added service, your account representative will call you to verify all domain transfers that aren’t Afternic fast transfer sales. It slows down the process, but it’s a very good layer of additional security.
7. Add a transfer lock to your domains at your registrar.
8. Track your domains. Use a service like DomainTools to track your domains. You’ll get alerts when a domain is unlocked, transferred to another registrar, etc.
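As an added example that is not part of the original post and not the code of any service it names, the following Python script shows what a do-it-yourself version of tips 7 and 8 checks for. It compares a saved baseline of a domain's RDAP record (the JSON successor to Whois) with a fresh copy and reports the events a registrant wants to hear about: a transfer lock that has disappeared, a registrar change, or a nameserver change. It also warns when a domain carries no registrar lock or no registry lock. The two RDAP records, the domain name, the registrar names and the nameservers are all constructed sample data; a real deployment would fetch the record from the registry's RDAP server on a schedule and persist the baseline.

```python
"""Monitor a domain's RDAP record for transfer-lock removal, registrar
changes and nameserver changes.  Added example with constructed data."""
from dataclasses import dataclass

# RDAP status names (RFC 8056) for the EPP statuses that block transfers.
# "client ..." is set by the registrar (the transfer lock in tip 7);
# "server ..." is set at the registry (a registry lock).
REGISTRAR_TRANSFER_LOCK = "client transfer prohibited"
REGISTRY_TRANSFER_LOCK = "server transfer prohibited"

# Constructed RDAP records: the baseline you saved, and a later lookup in
# which the lock is gone and the registrar has changed while the
# nameservers were left alone, so the sites keep working and nothing looks
# wrong from the outside.
BASELINE_RDAP = {
    "ldhName": "example-portfolio.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "nameservers": [{"ldhName": "ns1.example-dns.test"},
                    {"ldhName": "ns2.example-dns.test"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar, Inc."]]]}],
}
CURRENT_RDAP = {
    "ldhName": "example-portfolio.test",
    "status": ["ok"],
    "nameservers": [{"ldhName": "ns2.example-dns.test"},
                    {"ldhName": "ns1.example-dns.test"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Other Registrar LLC"]]]}],
}


@dataclass(frozen=True)
class DomainSnapshot:
    """The parts of an RDAP record worth comparing between lookups."""
    name: str
    statuses: frozenset
    nameservers: tuple
    registrar: str


def _registrar_name(rdap):
    """Pull the registrar's display name ("fn") out of the jCard of the
    entity that has the registrar role."""
    for entity in rdap.get("entities", []):
        if "registrar" not in entity.get("roles", []):
            continue
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                return prop[3]
    return "unknown"


def summarize(rdap):
    """Normalise an RDAP record into a comparable snapshot (lower-cased,
    nameservers sorted so ordering differences are not reported)."""
    return DomainSnapshot(
        name=rdap["ldhName"].lower(),
        statuses=frozenset(s.lower() for s in rdap.get("status", [])),
        nameservers=tuple(sorted(ns["ldhName"].lower()
                                 for ns in rdap.get("nameservers", []))),
        registrar=_registrar_name(rdap),
    )


def lock_warnings(snap):
    """Hygiene check: which transfer locks is this domain missing?"""
    warnings = []
    if REGISTRAR_TRANSFER_LOCK not in snap.statuses:
        warnings.append(f"{snap.name}: no registrar transfer lock (clientTransferProhibited)")
    if REGISTRY_TRANSFER_LOCK not in snap.statuses:
        warnings.append(f"{snap.name}: no registry lock (serverTransferProhibited)")
    return warnings


def diff_snapshots(baseline, current):
    """Alerts for the changes a registrant wants to know about immediately."""
    alerts = []
    if (REGISTRAR_TRANSFER_LOCK in baseline.statuses
            and REGISTRAR_TRANSFER_LOCK not in current.statuses):
        alerts.append(f"{current.name}: transfer lock was removed")
    if baseline.registrar != current.registrar:
        alerts.append(f"{current.name}: registrar changed from "
                      f"{baseline.registrar!r} to {current.registrar!r}")
    if baseline.nameservers != current.nameservers:
        alerts.append(f"{current.name}: nameservers changed to {current.nameservers}")
    return alerts


def run_check(baseline_rdap=BASELINE_RDAP, current_rdap=CURRENT_RDAP):
    """Compare two records and return (alerts, lock warnings for current)."""
    baseline, current = summarize(baseline_rdap), summarize(current_rdap)
    return diff_snapshots(baseline, current), lock_warnings(current)


if __name__ == "__main__":
    alerts, warnings = run_check()
    for line in alerts + warnings:
        print("ALERT" if line in alerts else "WARN ", line)
```

Run against the sample data, the script reports the lock removal and the registrar change but nothing about nameservers, which is exactly the quiet theft the post describes: resolution keeps working, so only a lookup-based check notices. The baseline record already draws a warning for having no registry lock, which is the gap the commenters' tip on registry locks addresses.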
Feel free to comment about additional safeguards you take to protect your domain name portfolio.
Charles Christopher says
9) If you have a large enough portfolio, or one of substantial value, consider becoming a registrar. If you are not offering domains retail, it becomes fairly easy to manage your own registrar. Registries have a reduced function admin panel similar to your Registrar. And as a Registrar, you get to vote on ICANN budgets. 🙂
hedge says
At what number of domains do you reckon the breakeven for that is?
George Kirikos says
10) Add Registry-lock for one’s most valuable domain names. That locks domain names down at the registry level (as opposed to the registrar level), and typically requires out-of-band communications between the registrar and the registry, and between the registrant and the registrar, to change
11) Don’t use SMS as the 2nd factor in 2FA.
Symon Rhuano says
This is not the case with “.br” domains, since the only way to transfer a .br domain from one Registrant to another is by means of a letter signed by a notary accredited by the court of the domain owner, and sending the letter to NIC.br.
Even if someone can hack into an account at GoDaddy, the attacker will not be able to steal the “.br” domains.