SECURITY

Protect Your Domain Name from Cybertheft

You've finally registered that domain name for your business. Now nobody can take it away, right? Wrong. A wave of domain name hijacking is sweeping the Web, and your name could be next.

Recently, domain name thieves have been taking over hundreds of Web addresses registered with Network Solutions, the biggest and oldest name registrar. How are they doing this? They're doing it by masquerading as the administrative contacts of the target companies and using that authority to change the ownership of the names.

If your domain name is stolen, the least you will have to do is spend time, energy, and money to prove that the name is yours and to recover ownership. If the domain name thieves have more ambitious plans, they might also change the server associated with the domain name. This will confuse your customers and cause you major traffic problems by redirecting visitors away from your site.

If the crooks redirect your e-mail server address too, they could impersonate you by sending mail using your address, and you will lose e-mail messages sent to you by your customers. In any case, losing your domain name to cyberthieves is a serious hassle and could put your business operations in jeopardy while you try to recover it.

Brian Milburn, president of a Santa Barbara, Calif., software company called WhoAmI.com, was a hijacking victim. He went to work one day and discovered an e-mail message from Network Solutions, confirming that someone in Albania now owned his company's Web address. Only after a full week of actively denying that he'd requested the changes made to his account did he fully reestablish ownership of the name and get his business running normally again.

The recent name theft trend has exposed some major security flaws in the current registration system. Based on the thefts that have occurred, DomainCaddy has declared 80% to 90% of all domain names at risk for hijacking - and this includes domain names belonging to active Web businesses. With security so low, it's no wonder that domain name thieves are helping themselves.

Here's how theft of a domain name happens, and what you can do to keep your name safe.

Hijackers: Like Kids in a Candy Store

How can the hijackers do this? They can do it because changing ownership of a domain name is simple. To illustrate their scheme, let's first look at what it takes to establish ownership of a domain name.

To register a name, you give a domain registrar your credit card number and contact information, such as your name, physical address, e-mail address, and telephone number. Then you invent a password for your domain name account. From then on, you can gain access to your account and change your contact information by logging on to the registrar's site using the password.

But under Network Solutions' commonly used "Mail-From" security setting for domain accounts, name holders can also request changes to their account by sending Network Solutions an e-mail message.

It's this latter option that the cyberthieves are easily exploiting. To steal your name, they simply look up your contact information on BetterWhois.com, a public database that allows anybody to find out who owns a domain name. Then they fake your identity by using your e-mail address with the Mail-From designation.

The crooks send an e-mail message, instructing the registrar to change the contact and server information on the account to whatever new contact and server they specify. With the Mail-From security level, it doesn't matter what the routing information is on this e-mail, as long as the message has your e-mail address in the "From" field. That's how the thieves impersonated Warren Sly, director of DomainCaddy and owner of trades.com, and stole his domain name.

Victims then receive a message from Network Solutions about 30 days after the thieves have faked their e-mail addresses, notifying them of the "successful completion of the administrative changes" they didn't even request.
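The difference between a header-only check and one that demands a secret can be shown from the registrar's side. The following is an added example, not code from the article or from Network Solutions: the message is constructed, and the "Auth-Password" body field, the addresses, and the function names are hypothetical.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header names the real contact, although the
# Received line shows the message came from an unrelated host.
FORGED_REQUEST = """\
Received: from unrelated-host.example.net (unrelated-host.example.net [203.0.113.7])
From: Admin Contact <admin@example.com>
To: hostmaster@registrar.example
Subject: MODIFY DOMAIN example.com

New-Admin-Contact: someone-else@example.org
"""

SALT = b"constructed-salt"  # a real system would use a random per-account salt


def hash_password(password: str) -> bytes:
    """Derive the stored verifier; the registrar never keeps the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def mail_from_check(raw: str, contact_email: str) -> bool:
    """Header-only check: trusts whatever the sender typed into From."""
    _, addr = parseaddr(message_from_string(raw)["From"] or "")
    return addr.lower() == contact_email.lower()


def password_check(raw: str, contact_email: str, stored_hash: bytes) -> bool:
    """Requires the From match plus a secret only the account holder knows."""
    if not mail_from_check(raw, contact_email):
        return False
    body = message_from_string(raw).get_payload()
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "auth-password":  # hypothetical field name
            return hmac.compare_digest(hash_password(value.strip()), stored_hash)
    return False  # no password supplied: reject the change


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print("header-only check accepts:", mail_from_check(FORGED_REQUEST, "admin@example.com"))
    print("password check accepts:", password_check(FORGED_REQUEST, "admin@example.com", stored))
```

The header-only check accepts the constructed request because nothing in it ties the message to the account holder; the second check rejects it for lack of the shared secret.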

Domain Names Vulnerable by Default

Network Solutions offers a three-level security option called Guardian for your domain name account. If you register a name with Network Solutions, you can choose to use Guardian, which involves selecting one of three security levels for your account: the Mail-From option, the encrypted password option, or the Pretty Good Privacy program option.

That sounds good, but the catch is that if you don't choose to use Guardian, your domain name is basically defenseless by default. That is, if you don't have Guardian's protection, and a domain name thief sends a request to make changes to your account, according to Network Solutions' FAQ, "the request will be processed and neither you [nor your site's technical contact] will be notified at any time during the transaction."

But enrolling in the supposed protection plan under the Mail-From security option doesn't guarantee any defense against the hijackers either. It certainly didn't work for Warren Sly, whose domain name trade.com was stolen by Serbian thieves.

In the past, Sly said, Network Solutions would send him a Modification Acknowledgment Request, which enabled him to stop such thievery. But he did not receive one that last time. Instead, he got an e-mail message after the changes had already been completed. By that time, the changes were already reflected in the BetterWhois.com database, and he had "lost control of the name."

Guardian's security measures also didn't work for Joe Hamelin, the Seattle-based owner of Nethead, who lost his domain name to thieves in a similar way. But Hamelin said that the technical contact person for his domain name account did receive the Modification Acknowledgment Request (such notification is promised in Network Solutions' policy). And Hamelin even replied to the notice, saying that the request for the change was illegitimate. But the order not to make the changes had no effect, and Hamelin lost control over his domain name too.

Four Steps to Protect Your Domain Name

You can do some things to minimize your risk of being a hijacking victim. So before thieves help themselves to your domain name, take these measures to defend it:

Make sure you choose the highest security level possible for your domain name account, no matter which domain name registrar you use. If you have already registered a domain name, contact your registrar by telephone and ask to upgrade your account's security settings. Make sure that changes made to your account will be made only if authorized directly by you first. That is, the registrar should either send you an e-mail message or contact you by telephone to confirm that you want the changes. If you haven't registered your domain name yet, contact the registrar you want to use to ask how changes to accounts are made. Then request the highest possible security setting when you register.

Consider using a registrar that offers one of the new "hijack-proof" security services, such as register.com, which charges $99 for its Domain Lockdown service. But if you do decide to register with Network Solutions, request the encrypted password option. This allows you to choose a password, which the registrar then scrambles for you. Alternatively, you could choose the PGP account option. Both of these are more secure than the Mail-From option.

Make sure you do not use an After-Update or Not-Care option for managing your domain name account. According to Network Solutions' notification policy, under those settings you either will not be notified of changes to your account until after they've already been made, or you won't get any notification at all. To avoid that, set your account to Before-Update, so that any changes to your domain name account will be made only if they are authorized by you first.

Be careful when you move your domain name account. A simple domain name transfer to another hosting service may leave your domain name vulnerable to theft too. At Network Solutions, when you initiate such a transfer, a new account number, or "NIC handle," is created for your account, and your security settings are changed automatically to Mail-From. Warren Sly recommends that you insist on doing any name transfer over the telephone, and request to keep the same account number.

Copyright © 1995-1999 Pinnacle WebWorkz Inc. All rights reserved. Do not duplicate or redistribute in any form.