
Help! My Domain Name Has Been Hijacked!

They are out there. In Internet Cafes and dark rooms from New York to Hong Kong to Iran, the domain name hijackers are plotting to steal your domain names. Fortunately, there are some steps that you can take to protect yourself against losing your domain names.

What is Domain Name Hijacking? Domain name hijacking is the term commonly used to describe the wrongful taking of a domain name from its rightful owner by deception or fraud. Some common forms of domain hijacking include:

  • impersonation of a registrant in communications with a registrar (sometimes called “social engineering”)
  • registering a lapsed registrant email address to reset a password and authorize a transfer of registrar or registrant
  • registering a lapsed domain name, used for an administrative contact or registrant email address, and then spoofing the email address
  • hacking or spyware
  • forgery of transfer authorizations or other account verification information
  • theft by a disgruntled company employee or business partner
  • adding new verification information to an account, and later confirming the falsely added verification information to gain access to the account
  • hijacking an email server to spoof email to make it look like it came from a registrant

Why They Do It - Some hijackers do it for the money. Domain names are often valuable, either for their value to an existing business, for resale, or for the click-through traffic that they might bring. Some do it for the challenge or the notoriety. It is not uncommon for a hijacker to breach an account and assume control of the domain names in the account, yet not sell them. Some might do it purely to be malicious. What matters most is that these people are out there, they are persistent, and they have no qualms at all about taking your valuable assets away from you.

Once stolen, it can be difficult to recover a domain name. Registrars are often skeptical of claims of domain hijacking, and the hijackers often “launder” the domain names to look as if they have sold them to third parties, even if they have not. By the time you discover that your domain name has been stolen, it may be at its third or fourth different registrar in the name of a completely different party, who claims to have purchased the domain for value. At that point, you may need help unraveling the mess - but what if your domain name is not worth enough to justify hiring an attorney? What if the registrar still won’t listen? You may have to try to track down the thief, and sue him or her to recover your name, or you may have to sue the third party who purchased the domain name from the thief. These are both costly propositions, and while you pursue legal action, your online business is quietly being dismantled and monetized by the thief or the new “owner” of the domain.

Prevention - When confronted with the issue of domain hijacking, the best practice is to prevent a hijacking from ever occurring. The hijackers are aware of certain vulnerabilities in the domain name registration system, and they exploit these weaknesses. You can reduce the likelihood that any of your domain names will ever be hijacked by following some simple rules:

  • Always maintain accurate contact information with your registrar or services provider - In the event of a theft, if the Whois information for a domain is inaccurate, it will be difficult for a registrar or service provider to determine who the rightful registrant of the domain name should be. Don’t make things more difficult for yourself by providing phony contact information.
  • Register Your Domains with a Reputable Registrar - There are literally hundreds of registrars to choose from and thousands upon thousands of resellers. Complaints about lack of service and responsiveness at shady service providers abound. If your domain name is hijacked from one of these providers, you may have a difficult time getting anyone to listen. Domain name resellers are not under contract with ICANN and are not directly obligated to follow the same transfer confirmation processes that ICANN requires of registrars. Many do, but there is a greater risk that a reseller will not follow best practices, making it more likely that your domain name can be hijacked. Also look for a registrar that sends a transfer confirmation email prior to transferring a domain name.
  • Never Allow your Listed Email Address to Expire - Your email address is the key to unlocking your domain names. Your listed registrant or administrative contact email address can be used at many registrars to reset the controlling user name and password for your account. In addition, under ICANN’s Transfer Policy, a gaining registrar usually obtains the required transfer confirmation through electronic mail, sent to the registrant or administrative contact email address on file for the domain name. If you allow your email address to expire, a hijacker will steal your domain name, provided it’s worth stealing.
  • Keep User Names and Passwords Secure - Do not share these with anyone, unless they have an absolute need to know.
  • Use a Whois Privacy Service - If your contact information, including your email address, is private, it will be harder to spoof.
  • Lock Your Domains - This is self-explanatory. Many registrars offer a “locking” service, and will not allow a transfer of a locked domain.
  • Monitor Your Portfolio - Routinely monitor your portfolio for any unauthorized changes. The sooner that a hijacking is discovered, the better chance that you have of recovering your domains. This can also be done through an automated script.
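As an added example (not the article's own code), the automated monitoring mentioned in the last point, in Python: it reduces a raw WHOIS record to the fields a hijacker has to change (registrar, nameservers, transfer lock, contact email, expiry), diffs them against a saved baseline, and raises an alert on any drift. The WHOIS records are constructed, and the parser assumes the common `Key: value` WHOIS layout.

```python
"""Portfolio drift monitor (added example, not from the article): compare a
fresh WHOIS snapshot of a domain with a saved baseline and flag the changes
that precede a hijack. Records below are constructed, not real WHOIS data."""
import re
from datetime import date
WATCHED = ("registrar", "name_servers", "status", "expiry", "registrant_email")
LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
# Baseline captured while the domain was known-good (constructed).
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "status": ["clientTransferProhibited", "clientUpdateProhibited"],
    "expiry": "2009-12-01",
    "registrant_email": "hostmaster@example.com",
}
# Fresh WHOIS text for the same domain with a hijack in progress (constructed).
CURRENT_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar Ltd
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.ATTACKER-DNS.EXAMPLE
Status: ok
Registrant Email: someone@mail.example
Expiration Date: 2009-12-01
"""

def parse_whois(text):
    """Reduce 'Key: value' WHOIS text to the fields worth watching."""
    rec = {"name_servers": [], "status": []}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "registrar":
            rec["registrar"] = val
        elif key == "name server":
            rec["name_servers"].append(val.lower())
        elif key == "status":
            rec["status"].append(val)
        elif key == "expiration date":
            rec["expiry"] = val[:10]
        elif key == "registrant email":
            rec["registrant_email"] = val.lower()
    return rec

def diff_record(baseline, current):
    """One alert per watched field that moved, plus an explicit lock alert."""
    alerts = []
    for field in WATCHED:
        old, new = baseline.get(field), current.get(field)
        if isinstance(old, list):
            old, new = sorted(old), sorted(new or [])
        if old != new:
            alerts.append(f"{field}: {old!r} -> {new!r}")
    # A transfer lock that disappears is the single most important signal.
    if LOCKS & set(baseline["status"]) and not LOCKS & set(current["status"]):
        alerts.append("TRANSFER LOCK REMOVED")
    return alerts

def check_domain(baseline, whois_text, today_iso):
    """Alerts for one domain: field drift plus an early warning before expiry."""
    current = parse_whois(whois_text)
    alerts = diff_record(baseline, current)
    if (date.fromisoformat(current["expiry"]) - date.fromisoformat(today_iso)).days < 30:
        alerts.append("EXPIRES WITHIN 30 DAYS")
    return alerts
```

Run `check_domain` from a scheduled job against each domain's stored baseline and route a non-empty result to whoever can phone the registrar.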

If you follow these steps, you will greatly reduce the likelihood that your domain names will be stolen and, if they are stolen, improve your chances of recovering them quickly. It also helps to have a contingency plan in hand, to know the phone numbers you will have to call in an emergency, and to keep up-to-date records showing that you are the master of your domains.

By Brett Lewis, Internet Attorney


Comments

George Kirikos  –  Jan 12, 2007 10:04 PM

Good summary of the standard “best practices” for securing one’s domain names, Brett.

I’d disagree with the need for WHOIS Privacy services, though. I believe that can work against you. People who use the “WHOIS History” feature of services like www.domaintools.com to check the good provenance of a domain name will have a much harder time tracing the ownership path of a domain name when there is a proxy WHOIS involved. Indeed, how do you prove you were the true registrant of a domain name 6 months ago, when the WHOIS history 6 months ago shows only a proxy WHOIS? With a proxy WHOIS, anyone can claim they were the real registrant during that time.

Indeed, when I’m purchasing a valuable domain name, it raises a red flag when I see the use of a WHOIS Privacy service, as it could mean that the domain name was hijacked already, and the thief is covering their tracks by hiding behind the proxy WHOIS. In those cases, other evidence is needed to ensure a safe transaction.

Instead, I consider it better practice to keep your true WHOIS visible, and make sure that the WHOIS gets cached in the WHOIS history by manually performing a WHOIS at places like DomainTools.com (which also have automated monitoring tools to email you if the WHOIS has changed, as do GoDaddy and others).

Having a good relationship with your registrar is also important so that they can initiate a transfer dispute under the mechanism provided by ICANN’s transfer dispute resolution procedure. Consolidating all your domains with that registrar might be wise, instead of having domains with dozens of different registrars.

Furthermore, .com and .net recently switched to EPP, which has “auth_info” codes for each domain name (other TLDs have been using EPP for years). Registrants should ensure they have unique codes for each domain name that are hard to guess (e.g. 10+ characters in length, with a mix of uppercase, lowercase, numeric digits, and even symbols).

For your most valuable domains, you should also renew them well in advance of expiry (many of my company’s most valuable domains are renewed up to the 10 year maximum). Some of the slimier registrars can’t wait to get their dirty little hands on your valuable domain names once they expire, and will auction them off or keep them for themselves. A stronger Redemption Grace Period policy is needed (ICANN has a habit of writing loopholes into its policies).

Lastly, one might want to become one’s own reseller, to have greater control and make it harder for hijackers. For example, at Tucows (my preferred registrar), the reseller is able to totally disable the lock/unlock capability by registrants. Thus, being my own reseller with that option set appropriately, it would not be sufficient for a hacker to hijack the end user account/password for a domain name. To unlock the domain, they’d have to hijack the reseller account too. Hacking 2 independent systems is a lot harder than hacking just 1 (making sure to use different email addresses, etc. will make the systems more independent).

Looking to the future, PayPal and eBay recently announced that they intend to give security keys to customers (these 2-factor authentication systems have been widely used in the financial industry, using RSA SecurID keys for years). If VeriSign or other registries were to implement such a security feature on a value-added opt-in basis, they’d have my support (no registrar that I know of offers these at the registrar level, yet).
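As an added example (not part of George's comment), a Python check for the auth_info practice he describes: generate a unique cryptographically random code per domain, and audit an exported list of codes for values that are short, miss a character class, or are reused across domains. The portfolio below is constructed.

```python
"""Per-domain EPP auth_info codes (added example, not part of the comment):
generate a unique random code per domain and audit a portfolio export against
the policy described above: 10+ characters with upper, lower, digits, symbols."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def weaknesses(code, min_len=10):
    """Policy failures for one code; an empty list means it is acceptable."""
    reasons = []
    if len(code) < min_len:
        reasons.append("too short")
    if not any(c.islower() for c in code):
        reasons.append("no lowercase")
    if not any(c.isupper() for c in code):
        reasons.append("no uppercase")
    if not any(c.isdigit() for c in code):
        reasons.append("no digit")
    if not any(not c.isalnum() for c in code):
        reasons.append("no symbol")
    return reasons

def generate_auth_code(length=16):
    """Cryptographically random code, regenerated until every class is present."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(code):
            return code

def audit_portfolio(codes):
    """codes maps domain -> auth code. Returns domain -> reasons for every
    code that is weak or shared with another domain in the portfolio."""
    holders = {}
    for domain, code in codes.items():
        holders.setdefault(code, []).append(domain)
    report = {}
    for domain, code in codes.items():
        reasons = weaknesses(code)
        others = sorted(d for d in holders[code] if d != domain)
        if others:
            reasons.append("reused on " + ", ".join(others))
        if reasons:
            report[domain] = reasons
    return report

# Constructed portfolio export: one guessable code, one reused pair, one good.
PORTFOLIO = {
    "example.com": "example.com",
    "example.net": "Pa55w0rd!xyz",
    "example.org": "Pa55w0rd!xyz",
    "example.info": "Tq8#vL2m$Rw9",
}
```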

John Berryhill  –  Jan 23, 2007 10:18 PM

Add to Brett’s list:

Avoid accessing your domain registration account from internet cafes while travelling.

Hackers love to leave keyloggers on public computers. It’s even better when the hackers run the local network.

Brett Lewis  –  Jan 24, 2007 3:14 PM

George,

You make some very interesting and insightful comments.

As to whois masking, I am not sure that I fully agree with your comments, although I can see your point. First, if an individual or company registers a domain name to use it and keep using it, rather than to sell it, there is far less benefit to having archived whois records. It is better for these people that their email addresses remain unknown, rather than risk having their domains stolen.

As to entities in the business of buying and selling domain names, your concerns are not invalid, but by leaving the email address exposed, you invite hijackers to try to steal your domains. As an alternative, sellers should proactively print and keep records from their domain name accounts, showing them listed as the actual registrants of the domain names. Also, the registrars, themselves, keep records of who the proper holder of a domain name is, and could be a source of verification. Further, any changes in Whois would be reflected by Name Intelligence, so any recent changes from a named individual to masked whois would need extra scrutiny.

B.E.L.

George Kirikos  –  Jan 24, 2007 4:48 PM

Another reason not to keep your domain name masked via a registrar proxy service is that you don’t lose valuable time in the event of a UDRP or other legal process. If the registrar is slow or negligent in forwarding relevant emails, faxes, mailed documents, etc., conceivably a registrant could find themselves in default and lose a domain name without even knowing about it. Given that the proxy contracts are typically very one-sided and written in favour of the registrar’s interests, one can find oneself with no good recourse in the event the registrar screws up.

Perhaps your introductory paragraph should be amended to include the “bright rooms in corporate law offices”, where overly aggressive lawyers see little downside in engaging in reverse domain name hijacking.

Brett Lewis  –  Jan 24, 2007 5:27 PM

Reverse domain hijacking is a different problem. I have not heard of a situation yet where someone lost a domain name via a UDRP from using a proxy service, though if it has happened, I would be interested to know.

First, most attorneys want to name the actual registrant and request that the proxy whois be unmasked. Registrars do not want to be involved in UDRP proceedings, or incur the cost, and will unmask the whois records upon request.

Second, a UDRP against a whois proxy service should fail every time because the proxy service did not “register” the domain name—the actual registrant did. Proving bad faith in such a situation, as against a proxy agent, should be impossible.

Third, using a reputable registrar will assure that 99.9% of the time proper process is followed and mail and email do not slip through the cracks, due to use of a whois proxy. Using some of the outliers in the industry, domain holders are taking chances anyway.

B.E.L.

Stephen Douglas  –  Feb 3, 2007 11:34 AM

I agree with Brett Lewis: The best defense is to register or transfer your domains to a reputable registrar.

Only one registrar I know requires a “double” auth code to proceed with a transfer, and they are ferocious about protecting their customers’ domains. That’s Moniker.com.

One area of concern not mentioned here (no disrespect to the other posters) is the problem of rogue registrars who sign up with expiring domain auction sites such as Snapnames and Pool, TDNAM (how about that company for not knowing what domain name to buy that makes quick sense? LOL) and Enom.

Check out this scenario, which I have personally experienced, and from my discussion on other domain forums, seems to be a common problem:

1. You win a bid for a domain name on Pool.com that cost you $2,000.

2. You find out the domain is owned by domainmonkeys.com (not a fake name, truly… I’m not kidding… it’s a registrar).

3. You try to remember to transfer the domain out after 60 days, and if you do, you find there is no easily obtained EPP code. In fact, you can’t find a domain management page that even allows you to UNLOCK your domain.

4. Let’s say you forget to transfer your domain out from domainmonkeys.com and 11 months go by. You might expect that 30 days out, the registrar will send you a renewal notice or two. No renewal notice is sent.

5. Let’s say 14 days from your domain expiring, no “renewal notice” is sent to you from Domainmonkeys.com.

6. Let’s say that one week before your premium domain is set to expire, no renewal notice is sent to you from Domainmonkeys.com.

7. Let’s say that on the day your domain name is set to expire, Domainmonkeys.com does not send you a renewal notice for your domain that you paid $2,000 for a year earlier.

8. Let’s say that 30 days later, you start getting renewal notices from Domainmonkeys.com. However, the renewal notices require you to fill out an attached document that asks for your credit card info, including your CVV code, and a lot of other information you might feel uncomfortable providing. The email from Domainmonkeys.com states you MUST RENEW your domain for THREE YEARS at $14.95 and pay a “reinstatement fee” of $40. You realize that your domain has expired and is heading into the RGP—days from being resold in auction.

9. Let’s say you think “what a scam, I’ve been forced to pay over $80 for a domain that I could have renewed if I received renewal notices even 14 days before its expiration”. Some people might say “you should have transferred it out”—and you say “see #3 above”.

10. Let’s say you fill out the form, scan it to a jpg file, and try to send it to Domainmonkeys.com’s support email address, using the exact links provided for you to do so.

11. Let’s say that the link they provided bounces your email back as “undeliverable”.

12. Let’s say that you try two other email addresses for Domainmonkeys.com, and those emails bounce back as “undeliverable”.

13. Let’s say you leave a message on their voicemail, and another email appears from a NEW email address from Domainmonkeys.com, and you again reply with your document and your credit card info. (sending documents that can be stored or printed with your credit card info PLUS your CVV number is dangerous). You’re nervous at this point.

14. Just to follow up, you finally FAX your credit card info to the fax number provided in order to secure the renewal of your valuable domain. The fax comes back as “UNDELIVERABLE”.

However, lucky for you, the last email address provided worked, they got your credit card info and charged the renewal fees to your card. You were able to save your domain and it only cost you $84.85 and hours of time and infinite frustration.

There are about fifty registrars/resellers out there right now that we all can say fit the profile of the above scam process. This occurs because there is a lack of a uniform system of required proper and fair processing of domain names by registrars. I’ve already received almost a hundred responses from domainers complaining about this very same thing—but many weren’t as lucky. Some registrars don’t send out anything at all to remind you to renew your domain because they know they can resubmit it on the auction block and make more money in the resale of the domain. This is actually more common than you think.

So if you buy your domains from an expiring domain company at an auction, be sure to set some sort of ALARM program up to beep you after 60 days to start transfer efforts if you don’t recognize the registrar. You may still have to jump through flaming hoops to get your domain transferred out, but at least you’re 10 months away from actually having the registrar recapture the domain and resell it through the auction sites. This type of activity just makes the domain industry look like we still don’t have our sh*t together. And you know what? We don’t.

Just a heads up.

Anyone can contact me for discussion about this at http://www.dnforum.com—my handle is “successclick”

I’m ready to kick ass for domainers. Anyone ready to join up?

Stephen Douglas
Successful Domain Management™
DomainRelevance.com
“Own Your Competition™”
Executive Producer
Domain Roundtable Conference
NameIntelligence.com

sibyl  –  Feb 27, 2008 2:19 AM

My domain was just stolen and I do not know what I am doing. I have had the domain http://www.muahs.com for 4 years with no problems till last week when I logged in my FTP and it was not working. Turns out someone got in my email and just transferred it to GoDaddy. I have contacted ic3.gov and have heard nothing back. I have looked into WIPO and as soon as I saw $1,500 I was very scared. I can’t afford some top lawyer for my 19.99 site. But I would like it back; any help is appreciated. -Sibyl

sibyl  –  Mar 22, 2008 6:10 AM

This is unreal, my domain is still hijacked. I have been going after my registrar instead of GoDaddy.
Melbourne.it has not contacted me back yet; they are supposed to help me file a domain dispute transfer and send a FOA to GoDaddy proving the site was mine.

No one has helped me and I don’t think there’s any hope ;o(

Domain hijacking by registrars

Lisa Miller  –  Jun 10, 2009 6:04 PM

I don’t know if this is considered domain hijacking - maybe pre-emptive hijacking, but a customer recently asked me to register 5 domain names and wanted to know if they were available. They were not common sounding domains, so I was reasonably certain they would be available, but I checked anyway and they were, all using the same registrar, GoDaddy. When I went back to register them the very next day, to my dismay they were all registered! A whois check showed me they were all registered by the same party. This also happened to my client **** but we checked again after 2 weeks and the party had dropped the domain name and we were able to register.

It is very unsettling if a domain registrar is doing this, but I also wonder if it is perhaps some kind of spyware on one’s computer and they can see where you surf and what you attempt to register. Surely, this practice must be illegal. Has anyone heard of a registrar or spyware program doing this?

what a joke

sibyl  –  Jun 18, 2009 7:01 AM

You are right, if you test a domain it does get reserved. It would be hard to prove most likely. GoDaddy is a shady company. In fact GoDaddy was holding my stolen website for ransom. I just gave up. Let’s face it, anything on the internet “illegal” seems to be not important. It’s all about being greedy and how much money a domain costs.
