Just like in every other industry, the domain industry has its own scam artists, vandals, and thieves to keep domainers on their toes. There are a number of safeguards you can and should use right now to keep something from happening to your domain name in the future. Some of these involve your Registrar and how you use them, while others involve your own management of passwords and user information.
Starting with your Registrar, it’s important to choose a company that guards their information and that of their customers. Not only will your Registrar have records of your credit card numbers and personal contact info, but they’ll be the gatekeeper between your domain and a world of hackers and malicious crooks.
What does your Registrar require in order to change your account or domain name information?
Some Registrars require a simple password upon logging into the site. Others take more precaution. For instance, Moniker.com has an expiring password policy. The Registrant’s password expires every month and it’s up to the customer to keep it updated. Some Registrars require the Registrant to give them their credit card number (the one they use in their recurring billing) before making any changes.
Such strict policies are important because impersonating the Registrant over the phone is one of the ways a hijacker attempts to steal domain names.
While most people feel that an expiring password is overkill, the measures a Registrar takes to validate information changes are extremely important. Some of the classic email-spoof cases involved domain names that were worth millions of dollars, and the original Registrant is often left defenseless when his/her valuable domain name is stolen.
Obviously, every company puts a great deal of effort into keeping their information safe, using whatever modern means are available to keep hackers out of the system. There are several companies out there whose sole objective is to check websites, making sure they are ‘hack proof’, and give a ‘seal of approval’ to those who pass their tests. HackerProof and HackerSafe are two such companies. You may want to look for their approved seals when you’re searching for the right Registrar and host.
However, don’t let these types of seals fool you. Many sites have designed their own special ‘Safe Site’ seals. The small graphic looks like something that would make the site trustworthy, but is really just a meaningless image. Still others attach it to their own ‘approval’ sites. When people click on the image, they are taken to a window that says something similar to ‘iGoldrush – Approved site by the igoldrush approval team’. If you see a message that a site was approved by itself, leave the site immediately.
We recommend that you play it safe. If you’re looking for a seal, do your research and make sure that when you click on the seal, it takes you to a reputable company.
Here’s an important tip – the word ‘password’ is not a secure password. It’s an invitation to hijackers and identity thieves. Choose your passwords wisely, making sure they are not obvious, contain letters and numbers, and are at least 8 characters long. Additionally, you should change your password on a regular basis for added security.
Don’t leave your passwords anywhere on your computer, especially in your email. If you ever have to have your password emailed to you, save it somewhere secure, then delete the email (delete it from your trash folder as well). It’s even better if you change your password once you log in and then save the new one. A great way to keep your passwords organized and secure is by using free secure password software, such as KeePass.
Sometimes access to even a single password can open up all kinds of doorways for identity thieves. Getting into your email, for example, could give them the chance to use the email-spoof hijacking method mentioned previously. Once they’ve done that, they’ll be able to see all of your account information for whichever domain names you hold. And they’ll be able to steal them.
If you use forums and other membership sites, don’t use the same password for these that you use on more important sites, such as your domain name control panel. Forums are a big target for hackers and they steal millions of user names and passwords from them every year.
If you ever get an email or phone call concerning your domain name that you don’t trust, call or email your Registrar directly to double check, using the contact info on their website.
Make sure that your domain name has REGISTRAR-LOCK enabled. Registrar-lock is a status code that can be turned on or off within your account for each domain. Turning it ON prevents unauthorized, unwanted, or accidental changes to your domain name. Only turn this off if you are transferring your domain name to a new registrar, and then immediately turn it back on once the transfer is complete.
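To confirm the lock is actually on, you can check the status lines in each domain's WHOIS record. The Python script below is an added example, not part of the original article; the sample records are constructed, and it assumes the lock appears either as the REGISTRAR-LOCK status named above or as the EPP status clientTransferProhibited.

```python
import re

# Status values treated as a transfer lock. REGISTRAR-LOCK is the name used in
# this article; clientTransferProhibited is the EPP name assumed for WHOIS
# output from registries that report EPP status codes.
LOCK_STATUSES = {"registrar-lock", "clienttransferprohibited"}

NAME_LINE = re.compile(r"^\s*domain\s+name\s*:\s*(\S+)", re.IGNORECASE)
STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status\s*:\s*(\S+)", re.IGNORECASE)


def parse_whois(text):
    """Return (domain, set of lower-cased status codes) for one WHOIS record."""
    domain, statuses = None, set()
    for line in text.splitlines():
        name = NAME_LINE.match(line)
        if name:
            domain = name.group(1).lower()
            continue
        status = STATUS_LINE.match(line)
        if status:
            # Only the first token is the code; EPP lines append a URL after it.
            statuses.add(status.group(1).lower())
    return domain, statuses


def unlocked_domains(records):
    """Return the sorted domains whose record shows no transfer lock."""
    findings = []
    for text in records:
        domain, statuses = parse_whois(text)
        if domain and not (statuses & LOCK_STATUSES):
            findings.append(domain)
    return sorted(findings)


# Constructed sample records (not real WHOIS data).
SAMPLE_RECORDS = [
    "Domain Name: EXAMPLE.COM\n"
    "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
    "Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\n",
    "Domain Name: example.net\nStatus: REGISTRAR-LOCK\n",
    "Domain Name: example.org\nDomain Status: ok https://icann.org/epp#ok\n",
]

if __name__ == "__main__":
    for name in unlocked_domains(SAMPLE_RECORDS):
        print(f"{name}: no transfer lock found, enable it in your registrar account")
```

Run it against the WHOIS text for every domain you hold, and again after any transfer, to catch a lock that was never switched back on.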
It’s extremely important that you keep your email account secure to prevent theft. If someone is able to hack into your email, they can easily transfer your domain. So, how do you go about securing your email? First, we advise against using a free email account, such as Yahoo! or Gmail. These free services tend to have more security holes and hacking incidents. Rather than using one of these free services, set up email on your domain. Most registrars offer email services either for free or for a small fee.
Another way to protect your domains is through whois privacy, a service that many registrars offer whereby your personal information is kept private in the whois database. Enabling whois privacy on your domains prevents hackers from gaining sensitive information, such as your administrative email address or phone number, that would aid them in hijacking your domain name.