Lock it Down: Exploring Domain Security at NamesCon 2016

Screen-Shot-2016-01-10-at-2.35.08-PM.png

NamesCon 2016 at the Tropicana: Day One

Is It Secret? Is It Safe?

So you've registered a domain name... congratulations. Now you need to secure it. In an intimate session at NamesCon 2016, an esteemed group of industry experts helped newcomers to the Domain Names Industry come to grips with this necessary step in the process, while giving seasoned pros a refresher.

Joe Styler, Product Manager at GoDaddy, said, "I do what I can to help customers get back domain names that they've lost [...] but it's better to put safeguards in place so that doesn't happen in the first place." If you have valuable names, such as your business name - even if it doesn't have huge after-market value - make sure it's registered to an account that only you can access. Shared access to that registration can lead to a worst-case scenario if you part ways (or have a fight) with your domain partner. That doesn't mean freezing your colleagues out completely, though: "There are ways of giving them access to the tools they need without giving them [full] access to your name."

Styler also stressed the value of two-factor authentication, but you have to keep your head on swivel; even though "it's hard to keep your guard up all the time." Styler noted a particularly sophisticated phishing email he and his wife received from an entity that was definitely not Apple.

One of Styler's pro-tips: use a different email for domain login than you use for your WHOIS, to make it harder for a would-be domain thief to get even that first bit of identifying information.

Sean Love of Moniker.com said that domain-name theft "is not something we always like to talk about," but it's a fact of life. "If it is stolen, you'll more than likely get that name back." Before it even comes to that, though, "there's a lot to learn, a lot of things we've done, in the interim to fix that." If your laptop or smart device gets compromised and you use tools like Keypass or LastPass, geolocation-based security can protect you. Another way to secure your name is through Google. "A tokenization that expires after sixty seconds, in my opinion, is the best way to do it."

If you get jacked, said Styler, immediately let your registrar know, so "they can go to bat for you and get that name back." That can get tough, though, if the name is re-registered abroad and you have to deal with international law. Go public, added Styler: "the more public you can be, the better off [you are]," since it gets much harder for a thief to sell what's widely known as stolen goods. Love added that you should also contact the gaining registrar, and get the registrars on both ends of the dispute to communicate. Setting up two-factor authentication along every step of the way "makes it that much harder for people to get to your account to begin with," said Styler.

Marco Hoffmann, Head of Domain Services at InterNetX, mentioned one of his company's products called DomainSave: "It's like an online banking process": a PIN is sent to your phone, which you re-enter to access your account. "It always comes back to the WHOIS," added Love: "Privacy is your best bet. If it's not available for somebody to get, then they can't get it." Hoffmann added that it's important to secure your DNS entries. Meanwhile, said Styler, GoDaddy is looking at securing account numbers during transactions. For now, he advised maintaining two accounts: one for buying and one for selling; though he acknowledged that "it's cumbersome."

Love suggested that we take advantage of our phones' security tools: longer PINs, or apps that wipe the phone (or photograph the perp) if too many incorrect PIN entry attempts are made.

Styler stressed that you have to put real info in your WHOIS. In a misguided attempt at adding a layer of security, some people buy fake info, which makes it really hard to verify who you are if your name gets stolen. "It might seem like a good idea at the time," he said, but the opposite is true.

Overall, Styler and Love said that domain name theft is rare considering the sheer number of registrations. Love reckons the theft rate is maybe 1%, but "if you're in that 1%, it's probably your most valuable name, and you're hurting for it." He suggests auditing your domain names each month. That way, if bad luck strikes and your domain gets stolen, you will be able react quickly.

Keep your finger on the pulse of NamesCon 2016: check out our Twitter and Instagram feeds, as well as checking back in on the blog.