Domain Names are valuable digital properties, and from time-to-time, they are stolen or compromised. If you’re actively using your domain name for a business or personal website and email, imagine noticing your website is down and that you can no longer send or receive emails. After digging further, you may discover this isn’t a technical issue with your webhost, instead, you no longer have control over the DNS of your website! This would be catastrophic to most business owners. However, you can prevent domain name theft if you follow the simple tips included in this article.
What Is Domain Name Theft
Domain name theft consists of transferring a domain name illegally to another registrar without the domain name owner being aware. Domain Theft is sometimes referred to as Domain Hijacking. Tactics that hackers use to complete a Domain Theft include Social Engineering, Email Vulnerability, Phishing Websites, or malware like KeyLoggers. The item users have the most control over is Email Vulnerability – so I’m focusing on Email Security for this article.
How Does Domain Name Theft Happen?
A domain name is typically stolen when an unauthorized person gains access to the email account that is used to login to the domain name registrar. If the email address you use to log into your domain name registrar is the same as the email address listed as your contact information, then this information may be available publicly via a WHOIS lookup. Even if you don’t use the same email address, if you use the same email address to login to your GoDaddy account as you use to post on any other internet forum, then it’s probable that the email address associated with the user account will become a target for hacking. Once a hacker gains access to your email address, they then may be able to access your domain name registrar simply by using the forgot password feature on the registrar’s website. You could make it easier for the hacker if the password for your email account is the same as your domain name registrar password, but that’s really just one step – a simple password reset email will give them all the access they need regardless. Once they have access to your domain via the registrar, they can unlock your domains and transfer them to an account they have legal ownership of. Once they have ownership of the domain, they can list and sell the domain to another buyer.
Steps to take to Prevent Your Domains From Being Stolen
Enable Multi-Factor Authentication
Mult-Factor Authentication (MFA) requires basic authentication (typically a
password) plus some other form of authentication. You can typically find this in “your account” or “account settings”. Whether it’s a code sent via text to your phone, or a authenticator app like Google Authenticator or Duo, this additional step will stop most hacking attempts dead in their tracks. A potential hacker would need access to your mobile device to retrieve the second-factor authentication code, which they most likely would not have.
I highly recommend using two forms of authentication on any account you have registered online, whether it’s Gmail or GoDaddy or something in-between. This gives you many layers of protection – for example, if a hacker were to somehow gain access to your email, if they attempted to reset the password of your domain registrar account (or any other account), they would be prompted for that second factor authentication. If you have MFA enabled, this feature typically can’t be reset by the user by just having access to the email on the account. For this reason, immediately enable MFA on these accounts, at a minimum:
- Name Registrar account/s
- Web hosting Accounts
- Email accounts
- Social media accounts
- Software management tools
Use Different Email Addresses
When you register a domain name, you must provide contact information for the domain. You typically must provide registrant, technical, billing and admin contact information. For most users, these contacts are all the same person. This information can be available online via a WHOIS lookup if you don’t have privacy enabled on the domain.
When you add the domain, be sure to make the contact email address different than the email for your login. The most secure option would be to make a new email account specifically and only for use for the contact of your domain. Be sure to enable MFA for that email account. By doing so, this gives you a third layer of protection – Admin contact will receive notifications regarding transfers. So, if a hacker gained access to your email, was able to break-through the MFA on your domain registrar account, you would be notified via the alternate email address (Admin Contact) that there is an attempt to transfer your domain. Here are the roles of each of your domain name contact information, according to DirectNic:
The Organization Contact is the registrant, or legal owner of the domain name. This can be an individual or an organization.
The Admin Contact will receive notifications regarding the domain name expiration and will need to approve any transfers for the domain name. This is also the contact listed with the Whois database unless Direct Privacy is enacted.
The Technical Contact is responsible for maintaining and updating the DNS name servers associated with the domain name.
The Billing Contact is responsible for accounting issues associated with the domain name, including payment for the domain name’s license and renewals.
Use Unique and Good Passwords for everything
The minimum requirements are never enough in life and in passwords. Just because the minimum states it must be
at least 7 characters long and contain a Upper and Lower Case number and a Special Character such as !@#$%^& – does not mean you should follow these minimum guidelines. According to Wired, your password should be at least 12-15 characters long, but many experts agree the number one factor in a secure password is length. I recommend a minimum length of 20 characters, and include complexity and upper and lower case letters.
To help you keep track of these robust passwords, I recommend using a password manager like LastPass. This will allow you to easily generate, securely store, and track passwords to multiple sites. The work flow of using a password generator may take some getting-used-to by the uninitiated, but it will save you lots of time and money in the future.
Domain Name Security Conclusion
My hope is that you were inspired to immediately take action to secure your domain names to prevent domain name theft. This simple process, outlined above includes the following:
- Using Muli-Factor Authentication on all user accounts you register on the internet. If the website does not offer MFA, do not use the website.
- Use a separate email address for your user login, account contacts, and any other email address you use publicly on the internet.
- Use unique and good passwords for all your user accounts everywhere.