Membership is FREE, giving all registered users unlimited access to every Acorn Domains feature, resource, and tool! Optional membership upgrades unlock exclusive benefits like profile signatures with links, banner placements, appearances in the weekly newsletter, and much more - customized to your membership level!
Sedo Global Domain Report

Domain Security

Status
Not open for further replies.
M

mojoco

Joined
Mar 11, 2006
Posts
1,496
Reaction score
108
After a recent conversation with a non domainer who was asking about how domains are transferred, I have become a little paranoid about the security of our domain assets.

I completed a transaction recently. I met the buyer at his home. He transferred the funds to my account. I confirmed receipt of the funds on my iPhone. I then initiated the transfer from my iPhone. All done in just a few minutes.

We all do this on a regular basis but we are very vulnerable.

A simple email hack and whoosh, our domains are gone!!

Criminal gangs could easily target our industry. Either stealing our domains in bulk. Or perhaps targeting one or two at a time, so the theft could go unnoticed for some time.

With the value of many domains being five and six figures we are sitting ducks.

To add fuel to my current state of paranoia, this afternoon I received an email for a password reset request from Nominet .

What can be done to add additional layer, or layers, of security?
 
I know what you mean, a password reset would be all it takes (quite scary) :-?

Very weak security around domains but how would the hackers know the e-mail address linked to your Nominet account ?

Don't show your e-mail address anywhere.

Would be good if we had a seperate e-mail for receiving transfers.

Also TLDs need to be unlocked through your registrar so this could be implicated on UK domains.
 
Last edited:
"how would the hackers know the e-mail address linked to your Nominet account"

Having bought and sold names amongst each other, many of us here already the email addresses each other use for transfers.
Someone with criminal intent would only need to do a few low level trades to work it out.
 
Make a new one and don't disclose it, that would only work though until you accept a transfer.

I think you should have to initiate the transfer in your registrar account aswell because then the hackers would have to know the password to that but again if they have hacked your e-amil account then ???

Here's a idea > when a transfer is initiated, there is a 3 hour delay and immediately you get an SMS telling you about the transfer request.

Obviuosly you would need to attach a number to your Nominet account and even if the number is changed by someone else, it still sends the text message to the original number.

The 3 hours would give you time to act :cool:
 
The SMS idea could possibly work.

With Fabulous.com you have to answer to 5 personal questions, mothers maiden name etc, before you can make even nameserver changes.

Perhaps Nominet could introduce something similar.
 
When you have to answer security questions for anything online, do you always use real answers, such as, Q: What car do you drive? A: Jaguar

Or, do you do you put something else like, Q: What car do you drive? A: Banana

I tend to use the second option, makes it harder for anyone to guess your details etc.
 
They should set up a system like ebay now uses.

When you transfer a domain name, if your ip is not recognised as an ip address you usualy use then you simply get a call to your mobile with a code, which you type in on screen to continue...
 
Systreg said:
When you have to answer security questions for anything online, do you always use real answers, such as, Q: What car do you drive? A: Jaguar

Or, do you do you put something else like, Q: What car do you drive? A: Banana

I tend to use the second option, makes it harder for anyone to guess your details etc.
Click to expand...

Good idea as long as you can remember that you drive a banana and not a pineapple ;)
 
.uk are about the safest tbh
think about it
if someone does pinch a name and pushes without you noticing, they still have to do a nominet transfer, which involves paying. no paypal, so there is a paper trail and a payment trail
for .coms you can get a 'lockdown' at some registars, even godaddy etc but it means lockimng them bigtime so is a pain if buyimg and selling all time
so, to recap, i think .co.uk are pretty damn safe, for non uk, have one account with best names in and lock those puppies down so you got to go through security and phonecalls to transfer
keep the 'shit' in another account :D

although i do share your fears about security
another tip is to redirect all emails to another email address so you get heads up if other email hacked
also one thing i forgot, at least nominet email is not revealed in whois, it bloody is for other non ,.uk domains!
 
pred said:
.uk are about the safest tbh
think about it
if someone does pinch a name and pushes without you noticing, they still have to do a nominet transfer, which involves paying. no paypal, so there is a paper trail and a payment trail
for .coms you can get a 'lockdown' at some registars, even godaddy etc but it means lockimng them bigtime so is a pain if buyimg and selling all time
so, to recap, i think .co.uk are pretty damn safe, for non uk, have one account with best names in and lock those puppies down so you got to go through security and phonecalls to transfer
keep the 'shit' in another account :D

although i do share your fears about security
another tip is to redirect all emails to another email address so you get heads up if other email hacked
also one thing i forgot, at least nominet email is not revealed in whois, it bloody is for other non ,.uk domains!
Click to expand...

i'm sure criminals could easily get the payment sorted with a stolen credit card
 
true
but that helps when trying to get name back as can be proven was a fraudulent payment etc or looked into

only problem comes when name has gone through a few people
when someone at other end maybe 3 people down line has genuinely bought it for a big sum

moniker and godaddy offer option to lockdown with full security all domains
not a traditional place for .uk domains, but lets face it, uk registrars are pants

i would imagine tagholders are a lot safer? more control?
 
Systreg >

I say things like, your mothers surname and use something like reddinosaur, problem is some sites remember which particular security question you asked and I just randomly picked any and forget :(

A site I'm on ask for your log in number and then says 'for security please enter your DOB' wow that's hard for a scammer to find out (not)
 
I think the security at Nominet is very weak and only a matter of time until someone loses a large number of domains.

Of real concern to me is the ability to cancel domains without any notification being sent to the account holder. I have written to Nominet about this and suggested that they implement a system whereby an email gets sent when domains are cancelled. That was some time ago and nothing has happened. It's handy being able to cancel a domain when it is no longer required but there should be some delay i.e. 48 hours and an email should be sent to the account holder immediately to let them know. It wouldn't be that difficult to implement and should have been done a long time ago. It wouldn't be hard for an account to be hacked and for a large number of prime domains to be cancelled without the account holder being aware. In the meantime the domains would get registered by all and sundry and it would be an enormous task for nominet to rectify. Imagine the problems if nominet questioned the account holders security procedures and refused to re-register them to the rightful owner.
 
mojoco said:
"how would the hackers know the e-mail address linked to your Nominet account"

Having bought and sold names amongst each other, many of us here already the email addresses each other use for transfers.
Someone with criminal intent would only need to do a few low level trades to work it out.
Click to expand...

This has crossed my mind many months ago, and I do something which I believe covers me quite well.

I have an email address set up, which I request the domain transfers to be sent to, but this is nothing to do with, or resembles my nominet log in or account, as I merely click the link in the nominet email, and then log in to my "real" nominet account. This way NO ONE knows which email address / account I use to transfer my names into - only my wife :)

Would be nice if there were much stronger measures in places though, I 100% agree !
 
As Nigel said you can easily cancel domains, I have cancelled a domain and 40 mins later seen it available.

Domainseller200 > you trust your wife with personal info, you're mad, my long term gf knows nothing about my passwords and that.

Nah, most people do trust their partner, It's just we fall out a lot and she does silly things, so my domains could easily dissapear just like my clothes did, only she can't burn my domains :smile:
 
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or owns and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.
 
foz said:
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or owns and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.
Click to expand...

How can you request a tag change if you don't own it, it won't be in your control panel :-?
 
foz said:
Is the following scenario a weakness in the system?

Another Nominet member requests a TAG change on a domain they do not have control over or owns and pays £10.

Once under their control, they change the administrative contact email address and initiate a Registrant transfer.
Click to expand...

Yes, and there have been a couple of names where I think that has happened.

Cant publically say which but I am sure others have spotted them!
 
Status
Not open for further replies.

Similar threads

it.com
it.com How it.com Domains Prevents Abuse and Fraud
Replies
0
Views
104
it.com
it.com
Helmuts
Security Updates Important Announcement: Data Security Incident - User Full Names
Replies
10
Views
2K
Adam H
Adam H
it.com
it.com Industry News Digest: January 2025
Replies
0
Views
160
it.com
it.com
Acorn Newsbot
Nominet Nominet helps Merchants’ Academy overcome socioeconomic barriers using VR technology
Replies
1
Views
739
Helmuts
Helmuts
it.com
it.com ICANN81 Annual General Meeting
Replies
0
Views
227
it.com
it.com
Domain Summit Europe 2025

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members online

Total: 327 (members: 5, guests: 322)
IT.com

Premium Members

Sedo Global Domain Report
Aucdom Auctions
Catch Club
dot Hiphop

Latest Comments

Upcoming events

New Threads

Domain Forum Friends

DNForum
ConsultDomain.de
Domaineforum.fr
Domainforum.ro
DN.ca
DomainFragen.de
Inforum.in

Our Mods' Businesses

DomainUI Mod
*the exceptional businesses of our esteemed moderators
General chit-chat
Help Users
  • No one is chatting at the moment.
      There are no messages in the current room.
      Top Bottom