Information Highwaymen and Your Domain
by Lois S.
You go to work every day at the store you own, and one
morning, your key to the door doesn't work. You look in the
window, and the display items have changed. A stranger is
behind the counter. But when you call the police, they can't
do anything because the company papers now indicate that the
store belongs to the stranger.
The above scenario isn't likely to happen with a
bricks-and-mortar store. Because of insecurities in the domain
registration system, however, information highwaymen could
take over your online business.
As with identity theft, domain thieves steal your identity
-- the identity used to register and configure your domain
name. After that, your website, your email, your online
business, and possibly your reputation are theirs.
Domain names at risk of theft
While theft is a risk with all domain names, the domains most
at risk are the more valuable ones. Domains with dot com
extensions have a higher resale value than domains with other
extensions, and domains with high traffic or valuable keywords
are also more likely to be targets.
The motive behind domain hijacking is usually monetary, but
it may be personal. If anyone wants to attack you, stealing
your domain name is one way to do it.
How domain theft happens
When domain hijackers steal your domain, they gain access
to the domain's Whois records. They can modify the
domain's nameservers so that the domain points to a different
server. They can also transfer the domain to a different
registrar.
Either way, site visitors will find themselves at the
website of the domain hijacker instead of at your site. All
domain email will go to or through the other server instead of
to you. All you'll have left is a website without public
access because your domain isn't pointing to it any more.
How can this happen?
Domain hijacking methods
• Domain hijackers send forged faxes to the domain registrar,
impersonating the registrants.
• Domain hijackers hack into the accounts of free email
addresses listed in Whois records and use those addresses to
obtain domain account information.
• Domain hijackers send out fraudulent email renewal notices,
and registrants unknowingly transfer their domains to the
thieves.
Registrar non-action
• The gaining registrar (the registrar that the domain is
transferred to) doesn't obtain approval from the domain name
registrant or administrative contact as required by the ICANN
Inter-Registrar Transfer Policy.
• The losing registrar (the registrar that the domain is
transferred from) doesn't notify the registrant of the
transfer during the five-day pending transfer period. During
this period, the registrant can cancel or deny approval of the
domain transfer -- if the registrar notifies the registrant
of it.
Registrant carelessness
• The registrant forgets to update Whois details or to renew
the account.
• Someone with access to the registrant's records steals the
information.
Domain name disputes
If you discover that your domain has been hijacked, contact
your registrar immediately. If your registrar is unable to
resolve the situation, the ICANN (Internet Corporation for
Assigned Names and Numbers) Transfer Dispute Resolution Policy
(TDRP) applies.
By going the arbitration route above, you don't have to
argue your case in person. On the other hand, all you can get
back in the process is your domain (and not necessarily that).
For a lot more money, you can take your case to court, where
you can seek compensation for damages in addition to the
return of your domain. This process takes more time, however.
You may be able to proceed both ways - get your domain back
via ICANN domain dispute resolution procedures and then go to
court to collect damages. You can also appeal a domain
arbitrator's decision in court.
How to protect your domain name
Protecting a domain name is similar to protecting a
bricks-and-mortar store from burglary. With a combination of
precautions in place, thieves will find it difficult or
impossible to gain access.
Your domain account information
• List your name for the administrative contact, and use your
full name.
• Create a complex password with letters (both upper case and
lower case) and numbers. Don't use any real words or personal
information in it. Make it long. Make it unique - don't use
the same password for anything else. Change it periodically.
• Keep your domain login name, account number, and password in
a place where only trusted people can access it.
• Use a valid contact email address that doesn't use the
domain it's for. Be sure that this email account also has a
complex password. If you're going to be offline for more than
a few days, have someone else check the email for this
account.
• Don't use a free email address such as a Hotmail or Yahoo
address. Domain hijackers target domains with free email
addresses in the Whois records. After they've cracked your
email account password, the support you need to get your
email account back will probably be slow, giving the hijackers
plenty of time to take over your domain.
• Update your Whois record whenever the information in it
changes.
Your domain account features
• Choose a domain registrar that sends registrants transfer
pending notifications when a domain transfer is taking place.
• Consider protecting your Whois details with a registrar that
offers a private domain name record. With this feature, your
registrar's data appears in your Whois record instead of
your data. The downside of using this feature is that your
business may have less credibility because you're hiding who
you are.
• Register your domain for a long time period, and set up
calendar reminders to renew it before it expires.
• Set up your domain to be renewed automatically if your
registrar offers this feature.
• Use the Registrar-lock mechanism if it's available through
your registrar. When a domain is locked, it cannot be modified
or transferred unless the registrant unlocks it or follows the
domain transfer process.
Other domain security measures
• Set up a free Whois monitoring alert email service and add
your domain to your monitoring list. You will receive email
notifications whenever the expiration date, registrar, or
status of a monitored domain changes. (Whois does not have
data on all domain extensions.)
• Make sure that someone checks your website every few days,
preferably daily.
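The Whois monitoring described above can also be done with a small script of your own. The following is an added example, not part of the original article: it compares two saved Whois snapshots and reports changes to the registrar, expiration date, nameservers, and status, including loss of the registrar lock. The "Key: value" field names and both sample records are constructed for illustration; real Whois output varies by registry.

```python
# Fields worth an alert, named as in common "Key: value" Whois output
# (assumed layout; adjust the names for your registry).
WATCHED = ("registrar", "registry expiry date", "name server", "domain status")
LOCK = "clienttransferprohibited"  # EPP status code set by a registrar lock

# Constructed sample snapshots (reserved example domains, made-up registrars).
BASELINE = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Registry Expiry Date: 2030-01-15T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET"""

CURRENT = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar B
Registry Expiry Date: 2030-01-15T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.ORG
Name Server: NS2.EXAMPLE.ORG"""

def parse_whois(text):
    """Return {field: sorted list of lowercase values} for the watched fields."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip().lower()
        if sep and key in WATCHED and value:
            if key == "domain status":
                value = value.split()[0]  # drop the trailing reference URL
            record.setdefault(key, set()).add(value)
    return {k: sorted(v) for k, v in record.items()}

def diff_snapshots(old_text, new_text):
    """Compare two Whois snapshots and return a list of alert strings."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    alerts = []
    for field in WATCHED:
        before, after = old.get(field, []), new.get(field, [])
        if before != after:
            alerts.append(f"{field} changed: {before} -> {after}")
    # Losing the lock is what makes an unauthorized transfer possible.
    if LOCK in old.get("domain status", []) and LOCK not in new.get("domain status", []):
        alerts.append("registrar lock removed")
    return alerts

if __name__ == "__main__":
    for alert in diff_snapshots(BASELINE, CURRENT):
        print("ALERT:", alert)
```

In practice, save the output of a Whois lookup on a schedule and pass the previous and latest copies to diff_snapshots.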
About the Author
Lois S. is a Technical Executive Writer for
http://www.websitesource.com and http://www.lowpricedomains.com
with experience in the website hosting industry.