Today’s security article is about a fundamental and often overlooked component of your online identity: domain registration. Of the three “pieces” of a domain name registration, DNS service, and web services (website and email) registration is the most straightforward: you purchase a domain, point it at your webserver, and begin building your web presence. Since so little can go wrong with it, people sometimes forget it even exists separately from DNS.
However, registration is the most important part of your domain name: the registration controls the domain’s delegation, which controls the DNS services, which controls the web services. If someone were to gain control of your domain’s registration, they would have full power over the domain from top to bottom, leaving you at the mercies of a potentially arduous recovery process with no firm guarantee of regaining ownership.
Large or small, domain hijacking can happen to anyone if they’re not careful. Consider the following two high-profile domain hijackings in the past year or so:
- In mid-December 2007, the registrar account of popular imageboard 4chan.org was broken into, and the domain was delegated to new nameservers. The hijackers redirected 4chan to their own website, where the culprits mocked 4chan’s owner and visitors for three full days (when the registrar was finally convinced to revert control).
- In May 2008, at the same registrar, two hackers gained control over Comcast.net. While it took Comcast only a few hours to regain control, the hackers could have stolen the usernames and passwords of every Comcast customer attempting to log in during that timeframe; fortunately, they chose to simply chastise the ISP juggernaut for ignoring their earlier warnings about their security vulnerability.
To help protect your domain from hijacking, we recommend several actions to take or things to keep in mind.
- Ask your registrar about their security policies. According to WIRED, social engineering was partly to blame for the Comcast.net incident, implying a problem in the registrar’s ownership identity procedures. It is important to know your registrar’s account recovery policies to ensure that a third party can’t smooth-talk their way into your account, and also to be prepared in the unfortunate event that something does happen. For example, DynDNS.com only sends password reset confirmations to the email address on file for the account, and never provides login credentials over the phone to any user under any circumstances.
- Make sure your WHOIS information is valid. Transfer authorization emails are sent to the Administrative contact on file for the domain in WHOIS. If the address on file is outdated or invalid (such as using email@example.com to avoid spammers), a third party could create the address and use it to gain access to your domain.
- Lock your domain. Nearly every registrar offers domain locking features to protect domain owners from unauthorized transfer. Locking a domain simply blocks all transfer requests until you, the owner, specifically unlock it. (This security measure also protects against registration scams, mentioned below.)
- Security is a chain; keep track of every link. If you register a domain with DynDNS.com, there are at least three sets of credentials you need to remember and protect: your DynDNS.com account itself, the account’s email address, and the Admin contact’s email address. Remember, security is only as strong as the weakest link; a “throwaway” Yahoo! account you made years ago but never check is a potential vulnerability. Keep track of every account in the chain, and ensure each account is up-to-date with strong passwords that get changed frequently.
- Keep yourself in the loop. No matter how much you trust your IT professional, it’s very important to personally track all access credentials. This way, should some unforeseen event occur the professional is on vacation and the domain expires, the professional is eaten by a grizzly bear while camping, the professional turns to super-villainy and ransoms your domain while twiddling his mustache in a diabolical manner you won’t end up locked out and out of luck.
- Use a trustworthy provider. Bulk registrars offer their services cheap for a reason. Should something happen to your domain or even the provider itself, such as when RegisterFly collapsed under fraud allegations and loss of ICANN accreditation in 2007, it may take weeks or even months to regain access. Even in the face of blatant domain hijacking, Comcast.net remained redirected for about five hours, while it took 4chan the better part of a weekend for the registrar to return control to the rightful owner.When choosing a registrar or any service provider, for that matter it’s important to do a little web sleuthing about the provider to determine if they’re a solid, upstanding registrar or a fly-by-night scam. As with all things, trust your judgement: if a deal seems too good to be true, it probably is. It’s also important to remember that domain registrations can be transferred between registrars; if you don’t trust your current registrar, you can and should move to a new one.
- Be aware of registration scams. As noted in our Domain Scams, Redux article, don’t fall prey to postal bills of transfer masquerading as bills for renewal. It’s rare for any registrar to use physical mail to bill customers, particularly when email is so much faster and cheaper; unless you use a provider that specifically bills via postal mail, it’s best to just throw out that kind of mail.
As usual, the best protection is simple awareness of potential problems, coupled with plenty of common security practices that should be used for all important online services. As the foundation of your online presence, keeping your domain registration safe and secure is of the utmost importance.