
Domain Security

Status
Not open for further replies.
After a recent conversation with a non-domainer who was asking about how domains are transferred, I have become a little paranoid about the security of our domain assets.

I completed a transaction recently. I met the buyer at his home. He transferred the funds to my account. I confirmed receipt of the funds on my iPhone. I then initiated the transfer from my iPhone. All done in just a few minutes.

We all do this on a regular basis but we are very vulnerable.

A simple email hack and whoosh, our domains are gone!!

Criminal gangs could easily target our industry. Either stealing our domains in bulk. Or perhaps targeting one or two at a time, so the theft could go unnoticed for some time.

With the value of many domains being five and six figures we are sitting ducks.

To add fuel to my current state of paranoia, this afternoon I received an email for a password reset request from Nominet.

What can be done to add an additional layer, or layers, of security?
 
I know what you mean, a password reset would be all it takes (quite scary) :-?

Very weak security around domains but how would the hackers know the e-mail address linked to your Nominet account?

Don't show your e-mail address anywhere.

Would be good if we had a separate e-mail for receiving transfers.

Also TLDs need to be unlocked through your registrar so this could be implicated on UK domains.
 
"how would the hackers know the e-mail address linked to your Nominet account"

Having bought and sold names amongst each other, many of us here already know the email addresses each other use for transfers.
Someone with criminal intent would only need to do a few low level trades to work it out.
 
Make a new one and don't disclose it, that would only work though until you accept a transfer.

I think you should have to initiate the transfer in your registrar account as well because then the hackers would have to know the password to that but again if they have hacked your e-mail account then ???

Here's an idea > when a transfer is initiated, there is a 3 hour delay and immediately you get an SMS telling you about the transfer request.

Obviously you would need to attach a number to your Nominet account and even if the number is changed by someone else, it still sends the text message to the original number.

The 3 hours would give you time to act :cool:
 
The SMS idea could possibly work.

With Fabulous.com you have to answer 5 personal questions, mother's maiden name etc, before you can make even nameserver changes.

Perhaps Nominet could introduce something similar.
 
When you have to answer security questions for anything online, do you always use real answers, such as, Q: What car do you drive? A: Jaguar

Or, do you put something else like, Q: What car do you drive? A: Banana

I tend to use the second option, makes it harder for anyone to guess your details etc.
 
They should set up a system like ebay now uses.

When you transfer a domain name, if your IP is not recognised as an IP address you usually use then you simply get a call to your mobile with a code, which you type in on screen to continue...
 
When you have to answer security questions for anything online, do you always use real answers, such as, Q: What car do you drive? A: Jaguar

Or, do you put something else like, Q: What car do you drive? A: Banana

I tend to use the second option, makes it harder for anyone to guess your details etc.

Good idea as long as you can remember that you drive a banana and not a pineapple ;)
 
.uk are about the safest tbh
think about it
if someone does pinch a name and pushes without you noticing, they still have to do a nominet transfer, which involves paying. no paypal, so there is a paper trail and a payment trail
for .coms you can get a 'lockdown' at some registrars, even godaddy etc but it means locking them bigtime so is a pain if buying and selling all time
so, to recap, i think .co.uk are pretty damn safe, for non uk, have one account with best names in and lock those puppies down so you got to go through security and phonecalls to transfer
keep the 'shit' in another account :D

although i do share your fears about security
another tip is to redirect all emails to another email address so you get heads up if other email hacked
also one thing i forgot, at least nominet email is not revealed in whois, it bloody is for other non-.uk domains!
 
.uk are about the safest tbh
think about it
if someone does pinch a name and pushes without you noticing, they still have to do a nominet transfer, which involves paying. no paypal, so there is a paper trail and a payment trail
for .coms you can get a 'lockdown' at some registrars, even godaddy etc but it means locking them bigtime so is a pain if buying and selling all time
so, to recap, i think .co.uk are pretty damn safe, for non uk, have one account with best names in and lock those puppies down so you got to go through security and phonecalls to transfer
keep the 'shit' in another account :D

although i do share your fears about security
another tip is to redirect all emails to another email address so you get heads up if other email hacked
also one thing i forgot, at least nominet email is not revealed in whois, it bloody is for other non-.uk domains!

i'm sure criminals could easily get the payment sorted with a stolen credit card
 
true
but that helps when trying to get name back as can be proven was a fraudulent payment etc or looked into

only problem comes when name has gone through a few people
when someone at other end maybe 3 people down line has genuinely bought it for a big sum

moniker and godaddy offer option to lockdown with full security all domains
not a traditional place for .uk domains, but let's face it, uk registrars are pants

i would imagine tagholders are a lot safer? more control?
 
Systreg >

I say things like, your mother's surname and use something like reddinosaur, problem is some sites remember which particular security question you asked and I just randomly picked any and forget :(

A site I'm on asks for your log in number and then says 'for security please enter your DOB' wow that's hard for a scammer to find out (not)
 
I think the security at Nominet is very weak and only a matter of time until someone loses a large number of domains.

Of real concern to me is the ability to cancel domains without any notification being sent to the account holder. I have written to Nominet about this and suggested that they implement a system whereby an email gets sent when domains are cancelled. That was some time ago and nothing has happened. It's handy being able to cancel a domain when it is no longer required but there should be some delay i.e. 48 hours and an email should be sent to the account holder immediately to let them know. It wouldn't be that difficult to implement and should have been done a long time ago. It wouldn't be hard for an account to be hacked and for a large number of prime domains to be cancelled without the account holder being aware. In the meantime the domains would get registered by all and sundry and it would be an enormous task for Nominet to rectify. Imagine the problems if Nominet questioned the account holder's security procedures and refused to re-register them to the rightful owner.
 
"how would the hackers know the e-mail address linked to your Nominet account"

Having bought and sold names amongst each other, many of us here already know the email addresses each other use for transfers.
Someone with criminal intent would only need to do a few low level trades to work it out.

This has crossed my mind many months ago, and I do something which I believe covers me quite well.

I have an email address set up, which I request the domain transfers to be sent to, but this is nothing to do with, or resembles my nominet log in or account, as I merely click the link in the nominet email, and then log in to my "real" nominet account. This way NO ONE knows which email address / account I use to transfer my names into - only my wife :)

Would be nice if there were much stronger measures in place though, I 100% agree!
 
As Nigel said you can easily cancel domains, I have cancelled a domain and 40 mins later seen it available.

Domainseller200 > you trust your wife with personal info, you're mad, my long term gf knows nothing about my passwords and that.

Nah, most people do trust their partner, it's just we fall out a lot and she does silly things, so my domains could easily disappear just like my clothes did, only she can't burn my domains :smile:
 
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or own and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.
 
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or own and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.

How can you request a tag change if you don't own it, it won't be in your control panel :-?
 
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or own and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.

Yes, and there have been a couple of names where I think that has happened.

Can't publicly say which but I am sure others have spotted them!
 