Domain Security Alert

Domain Security, Domain Theft 1 Comment »

I found a link to David Airey’s blog on a forum and I think it’s important to read this. Had his registrar enabled a security key fob system, this theft could have been prevented. It’s scary to know that email accounts can be hacked, but it’s even scarier to know that if it happens, all of your domain names could be vulnerable.

Consumers can purchase insurance policies in the event valuables are stolen, but due to the nature of domain names, I don’t think coverage for theft events exists. Sure, a domain investor can fight to get his names back using the court system, but that is costly and takes a great deal of time. Valuable SEO rankings can be lost in the time a website is down, costing a business thousands of dollars in losses.

I think it’s about time a registrar makes domain name security impenetrable from outside theft. As far as I am concerned, the best way to do it is using a security key fob. When will a registrar take action and make domain theft a thing of the past?

Domain Investment, Security & Common Sense

Domain Security, Advice, Domain Theft No Comments »

I frequently visit the various domain forums, and I am often surprised by the lack of common sense exhibited by some people who are too trusting. Accepting a Paypal payment directly from a buyer on a transaction over a few hundred dollars can pose a significant risk. Apparently it isn’t too difficult to request a chargeback, and once the domain name is transferred, if a chargeback is requested, it may be difficult to reclaim the name. This would remove the money from the seller’s account, while the buyer can retain possession of the domain name.

Another thing that seems to occur too often is payment for domain names using a stolen or compromised Paypal account.  When the actual account owner learns of the charges and requests a chargeback, the domain seller is once again left without the domain name and an empty bank account.

The simplest way to avoid this is to use common sense. If you are completing a deal with someone who you’ve never met or heard of, it is always best to use an escrow service such as Escrow.com or Moniker. If that person refuses to use an escrow service, it is probably better to avoid the transaction. If you have a sneaking suspicion that something is amiss, it’s always best to trust your gut.

Poll: Domain Registrar Security Key Fob

Poll, Domain Security 1 Comment »

By special request, I am posting a poll to see if my readers would be willing to pay a premium to register/maintain their domain names at a registrar that distributes security key fobs to its registrants. Of course, the answer may depend on the actual cost, but I am looking for more of a general consensus. This comes on the heels of this morning’s post about Security Key Fobs.

Due to the poll causing my blog to become distorted to some viewers, I took it down. The numbers were pretty significant, with 78% of those that voted saying they would pay more for the fob.

Registrar Security: A Call to Action

Domain Security, Advice, Domain Theft 6 Comments »

With domain hijackings seemingly at an all-time high, I think now is the time for a public domain registrar to take action. I believe security key fobs are a nearly impenetrable line of defense that should be put into action by a responsible registrar. This would curtail domain hijackings, potentially saving registrants thousands of dollars in legal fees and hundreds of hours fighting to have their domain names returned.

Domain hijackings can occur when a hacker gains access to a person’s domain registrar account. This can be done by hacking into someone’s email account using a variety of methods or by hacking into the actual domain account. Either a weak password or a multitude of other factors can potentially lead to this outcome. Once a hacker is in possession of the registrar account, there are many ways he can control the domain names without raising the attention of the domain owner. If the domain names are transferred to another registrar, it may be too late for the rightful owner to take action, and the process of getting the domain names returned can be costly and time consuming.

Domain names are intangible assets, and the loss of one can be fatal to a business. It can mean missed sales, lost emails sent to addresses linked to the domain name, confused customers, and it can be emotionally draining on the registrant. While we are able to secure our tangible assets such as jewelry or property deeds, it is more difficult to secure our domain assets. For example, if I lose the key to my safety deposit box, the bank doesn’t simply permit the finder to access the box. As it currently stands in the domain business, if a hacker gains access to my domain account through unscrupulous actions, he may be able to take control of my domain names. I don’t think it’s fair to be held accountable for something that may be out of my control.

With that said, I think a security key fob with a changing passcode (similar to what Paypal offers) could help secure a domain registrar account. I would pay a premium for this service, and I am sure others would as well. Having good security is a unique selling point that distinguishes some registrars from others. Having the best security system in place before competitors would certainly give one registrar a major competitive advantage. Most registrants wouldn’t want multiple security key fobs, so consolidating all domain names at the most secure registrar would be the most likely outcome.

I urge all registrars to take action, no matter how secure you believe your system is.

Bank Launches .mobi Website

Domain Security, Advice 2 Comments »

In one of the first examples of a large company utilizing (and actually marketing) the .mobi extension, Bank of America launched bofa.mobi. The Bank is heavily promoting this with a retail merchandising campaign, including bofa.mobi window decals in their large branches in Manhattan.

I think this is a positive development for the .mobi extension, as the Bank could have simply used their standard domain name and detected the type of browser the visitor was using. They could have also gone to market with the domain name and only used it for protective purposes, so consumers or other companies couldn’t use the name. A heavy endorsement of this website is a positive sign for the staying power of .mobi.

I have one security concern with this, and I hope the Bank is mindful of it. What if someone set up a malicious website on a similar domain name that only had two lines asking for an account number and password? Since we are talking about mobile devices with small screens, unknowing consumers could accidentally submit their banking information, unaware that this wasn’t the Bank’s website. It’s one thing if someone did this with typos of the full Bank of America name and/or used the Bank’s logos, as that would be a federal offense. My concern is if they weren’t this sophisticated.

Bank of America needs to do a very good job of training their customers about what to look for on the bofa.mobi site so they know if they accidentally navigate to another website in error. They should also buy as many .mobi typos similar to their bofa.mobi domain name as possible, so nobody has the opportunity to set up a malicious website.

I don’t have much of a stake in the .mobi extension with only two .mobi names in my portfolio, but I believe this is a good endorsement from a major corporation.

WSJ: Web-Address Theft Is Everyday Event

Domain Security, Domain Theft No Comments »

Web-Address Theft Is Everyday Event

Today’s Wall Street Journal has an article about a topic that most people in the domain investment business have been worried about for quite some time: domain theft. The WSJ article discusses the ease with which thieves can take possession of someone else’s domain name, and the detrimental effect it can have on a business that is reliant on the domain name as an ecommerce outlet or on the email addresses associated with the domain name.

When a domain name is stolen, the thief usually tries to sell the name quickly, profiting even before the legitimate domain owner knows the name is out of his possession. Payment is usually requested through a company like Western Union, as it can be more difficult to track the thief. Once the domain name is sold, the new owner may try to sell it for a profit, believing he received a good deal, or he may begin to develop a website around the domain name. It isn’t until the domain name servers are changed that the legitimate owner would notice something was fishy, as his website wouldn’t resolve and email would suddenly stop working. The situation turns into a bad problem because two people feel that they are the legitimate owner, and determining the actual ownership becomes problematic.

Registrars don’t typically help unless there is a court order, as they would probably rather turn a blind eye than become involved in a potentially litigious situation. This makes it difficult for the legitimate owner, and it becomes more complicated when the registrar and/or new owner is located in a different country. Retrieving a stolen domain name can be a complicated task, and it may be best to enlist the assistance of an attorney like John Berryhill (quoted in the article) or Brett Lewis.

Some tips I would offer to ensure your domain name doesn’t get stolen include:
1.) Make sure your registrar password is made up of letters, numbers, and characters to make it difficult to hack.

2.) Keep the email address on the Whois record current

3.) Frequently log in to your email account on the Whois record, and/or forward all emails to a regularly read email account in case you receive a notice from the registrar.

4.) Do not click on links in emails as they may be phishing attempts to gain access to your various accounts.

5.) Do not log into your registrar accounts or email accounts from computers that aren’t secure, as keylogging software could track everything you type.

6.) Make sure your domain registration is up to date. It’s always better to pay far in advance.

7.) If you have an auto-payment plan in place to pay your registration annually, make sure your credit card information is up to date so it doesn’t get rejected, causing the re-registration to fail.

As I stated in a previous blog post, here are some tips to help prevent you from buying a stolen domain name:

1.) Do a Whois history check
-Did anything recently change?
-Does something seem strange in the Whois history like a different email address just added?
-Length of domain name ownership is a good way to tell if someone has all rights to the name

2.) Call the listed owner
-If the email address just changed, the owner will tell you the name isn’t for sale
-Conversation is frequently avoided by scammers

3.) Call/email the former owner
-They will tell you if they sold it (or if it was stolen)

4.) Search the forums/Google for any information that may raise red flags
-Stolen domain name posts
-Spam references on Google

5.) Do a WIPO/UDRP search
-May not be an anti-theft tool, but just make sure the history is clean

6.) Always pay with Escrow
-Escrow.com, Sedo, Moniker or Afternic offer this service

7.) Never pay with money order or cashier’s check
-Difficult to track
-Many scams involve counterfeit checks/money orders

8.) Only buy from the listed registrant
-Don’t attempt to buy from the technical contact if it’s different from the registrant
-Technical contact doesn’t necessarily own the name, but may just manage the domain name

9.) TRUST YOUR GUT!
-If an offer is too good to be true, it probably is
-If the terms the seller is requesting seem strange, question them
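
The Whois history check (tip 1) and the registrant check (tip 8) can be applied mechanically once you have dated Whois snapshots for a name. The sketch below is an added example, not part of the original post and not any Whois provider's API: the snapshot layout, the `snap` and `red_flags` names, and the 60-day threshold are assumptions, and the records are constructed.

```python
from datetime import date

RECENT_DAYS = 60  # assumption: how recent a change must be to count as a red flag

def snap(seen, registrant, tech, registrar, name_servers):
    """One Whois snapshot as it looked on the date `seen` (hypothetical layout)."""
    return {"seen": seen, "registrant_email": registrant.lower(),
            "tech_email": tech.lower(), "registrar": registrar,
            "name_servers": tuple(sorted(name_servers))}

def red_flags(history, seller_email, today):
    """history: snapshots oldest first. Returns a list of warning strings."""
    flags, current, seller = [], history[-1], seller_email.lower()
    # Tip 8: only buy from the listed registrant, not the technical contact.
    if seller == current["tech_email"] != current["registrant_email"]:
        flags.append("seller is the technical contact, not the registrant")
    elif seller != current["registrant_email"]:
        flags.append("seller is not the listed registrant")
    # Tip 1: did anything change recently?
    for old, new in zip(history, history[1:]):
        if (today - new["seen"]).days <= RECENT_DAYS:
            for field in ("registrant_email", "registrar", "name_servers"):
                if old[field] != new[field]:
                    flags.append(f"{field} changed by {new['seen']}")
    # Tip 1: how long has the current registrant held the name?
    held_since = current["seen"]
    for s in reversed(history):
        if s["registrant_email"] != current["registrant_email"]:
            break
        held_since = s["seen"]
    if (today - held_since).days <= RECENT_DAYS:
        flags.append(f"current registrant first seen {held_since}")
    return flags

# Constructed snapshots; example.* are reserved documentation domains.
NS = ("ns1.example.net", "ns2.example.net")
HISTORY = [
    snap(date(2005, 3, 1), "owner@example.com", "host@example.net", "Registrar A", NS),
    snap(date(2007, 1, 10), "owner@example.com", "host@example.net", "Registrar A", NS),
    snap(date(2007, 11, 20), "buyer@example.org", "host@example.net", "Registrar B", NS),
]

if __name__ == "__main__":
    for flag in red_flags(HISTORY, "buyer@example.org", date(2007, 12, 1)):
        print("RED FLAG:", flag)
```

An empty result does not prove the name is clean; it only means these two checks found nothing, and the remaining tips (calling the owner, escrow) still apply.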

Paypal Security Key

Domain Security, Domain Theft 1 Comment »

A few months ago, Paypal introduced the Paypal Security Key to help prevent account theft. The security key is a device that generates a 6-number code every 30 seconds. Once you have the key, you will type this changing code into your account along with your Paypal password. I think this is essential for anyone who uses Paypal. I know this is obvious, but just remember not to tape your account name to the keychain!

It would be great if a company like RSA came out with a security keychain that allowed you to sign up all of your various accounts (banks, registrars, email accounts, etc.) requiring passwords. I believe consumers would be in favor of this, but it would take a huge effort to get companies on board. If you find the Paypal keychain useful, why not contact some of the companies you do business with and ask them to look into a security keychain for their company?
