Portfolio Management and Security 101

August 14th, 2009 GM

Not a week goes by when there isn’t a story about a domain theft; it’s becoming an all too familiar sight, and just this week a colleague of mine lost many domains, some ASCII, some IDN.

While it was this act that prompted me to write this blog post, I will refrain from going into detail about this specific case, as the criminal investigation is
ongoing – however, having a ring side seat as this story unfolded, I can at least draw some conclusions and weave it into some practical advice – so that you
can at least try to avoid being the next statistic.



Stealing a domain is not the same as stealing money from your bank account.

  • The chances are that your bank account has much more security than your domain account
  • The chances are that you would notice money missing from your bank account before you missed a domain
  • The chances are that the authorities will not view a theft of digital assets such as domain names as seriously as they would theft of cash
  • You might be surprised how unhelpful and unsympathetic your registrar is


If you genuinely own million dollar domains, then this article isn’t for you – you will probably have your own registrar.

This article is for everyone else. I am not a security expert and I’m not giving you blueprints to build your own Fort Knox – it’s about some simple, often free precautions you can take to make your domain assets just that little harder to take. A house in a street with a visible burglar alarm isn’t 100% safe because of that burglar alarm – it’s just that the house next door is easier to ransack because it doesn’t have one.

My 6 Points

#1 – Keep a central list of what you own and at which registrar

There’s only one thing worse than being a victim, and that’s being a blind and clueless victim.

Believe it or not, a lot of people I know still rely on the registrar to tell them what they own.

They log in to their account and they see a list of domains, and they assume it is what it is.

But sometimes, that’s not how it is. Firstly, if someone steals a name, how will you know?
Secondly, the UI that most registrars present you with has little or no relationship to the central registry. We’ve all seen Domainsite keep emailing you renewal reminders long after you transferred out to another registrar.
Heck, I have 2 domains that are with Moniker that I transferred there from Domainsite, and not only do I keep being reminded by Domainsite to renew them, they also still show in the Domainsite UI as being in my account there!

Another registrar I use for ccTLDs updates its UI manually when you purchase a domain; on one occasion this was obvious, as there was a typo in the domain they keyed into the UI that is presented to me, yet the domain was correctly registered.

From my experience, you simply cannot trust a lot of registrars to give you a 100% accurate view, and don’t get me started on DNS management.
Keep a list.

#2 – Get a bank statement

Your bank sends you a statement each month that you probably check to see if there’s anything unusual on it, so why not do the same with your domain account(s)?

Be re-active not pro-active.
Being pro-active takes time. If you have 1000 domains spread across ten different registrar accounts, how often should you log into each of the ten accounts and check everything is still there?
Whatever your answer, it’s going to suck up a lot of your time, so it’s no surprise to hear that people don’t check regularly; and finding out that one of your domains went walk-about 3 months ago isn’t going to help much in its recovery.

A domain thief invariably has one goal and that’s to resell your domain asap, and as soon as that happens, life gets 100x more complicated for you.

I would suggest using a service like DomainTools domain monitor – it’s free, and works just fine for IDNs.
You load in your domains, and as soon as a change is detected to owner, lock status or DNS, you get an email alert.
From my experience, though, the tool only monitors gTLDs (com, net, org etc).
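
The check that points #1 and #2 describe, as an added example (not from the original post, and not how DomainTools or any registrar implements it): a central list is compared against WHOIS text, and any change of registrar, nameservers or transfer lock is flagged. The CSV columns, registrar names and WHOIS replies are constructed sample data; fetching live WHOIS is left out so the script runs offline.

```python
import csv, io

LOCK = "clienttransferprohibited"  # EPP status code set by a registrar lock

# Constructed inventory (point #1): what you believe you own, and where.
INVENTORY_CSV = """domain,registrar,nameservers,locked
example.com,Example Registrar A,ns1.example.net;ns2.example.net,yes
example.org,Example Registrar B,ns1.example.net;ns2.example.net,yes
"""

# Constructed WHOIS-style replies standing in for live lookups.
WHOIS_SAMPLES = {
    "example.com": """Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
""",
    "example.org": """Domain Name: EXAMPLE.ORG
Registrar: Some Other Registrar
Domain Status: ok
Name Server: NS1.PARKING.EXAMPLE
""",
}

def parse_whois(text):
    """Collect the watched 'Key: value' fields, lower-cased, as sets."""
    rec = {"registrar": set(), "name server": set(), "domain status": set()}
    for line in text.splitlines():
        key, _, value = (part.strip().lower() for part in line.partition(":"))
        if key in rec and value:
            rec[key].add(value)
    return rec

def audit(inventory_csv, whois_by_domain):
    """Return {domain: [alerts]} for each domain that drifted from the list."""
    alerts = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        seen = parse_whois(whois_by_domain.get(row["domain"], ""))
        expected_ns = set(row["nameservers"].lower().split(";"))
        locked = any(s.split()[0] == LOCK for s in seen["domain status"])
        checks = {
            "registrar changed": seen["registrar"] != {row["registrar"].lower()},
            "nameservers changed": seen["name server"] != expected_ns,
            "transfer lock missing": row["locked"] == "yes" and not locked,
        }
        found = [msg for msg, failed in checks.items() if failed]
        if found:
            alerts[row["domain"]] = found
    return alerts
```

Run on a schedule against fresh WHOIS text, a non-empty result from `audit` is the "statement" worth emailing to yourself; a domain with no WHOIS reply at all trips every check.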

#3 – Your email account is not safe

The email account associated with your domains is like a key to a safety deposit box.

You might use a free email provider like Gmail or Yahoo!, you might have your own dedicated server hosting your own email.
You might have a strong password that is made up of numbers and letters that you keep in a safe buried in your basement, personally guarded by Jack Bauer.
It matters not.

Spend five minutes Googling and you will see there are more horror stories about hacked email accounts than you could ever read.
You should assume that anyone at any time could access your email.
With that in mind, your email account cannot be the first and last line of defence.

There are a few registrars now that are providing an extra layer of security, everything from USB keys to online security questions and phone call and ID pre-requisites. As I said, I’m no security expert, so I won’t even try to pass judgement on these solutions – all I will say is some security is better than no security, and relying solely on your email account is naive.

Personally I think it’s a bloody cheek the registrars charge for this. You wouldn’t expect a monthly charge from your bank for them to lock the vault each night – but today it is what it is.

Remember, it’s the whois record that dictates the legal owner of a domain, and it only takes 1 second to change that whois and push that domain to another account.

#4 – Use a decent registrar

The only criterion I ever see discussed is how cheap they are.
This could be a huge topic, and not one I want to get into here, other than to say – you don’t pick a baby-sitter purely on them being the cheapest.

#5 – Keyloggers, traffic sniffers and all-round general cyber nasties

You know the drill – get a paid-for Anti-Virus, Anti-Spyware, Anti-Malware & Firewall.

#6 – Arm yourself with some WMD

I’m not talking about the stuff world hiding champion Saddam hid so well – but Watch My Domains.

I love this App. Again IDN friendly, load it up with all your domains, hit the button and it pulls back the whois record for each.

Makes life dead easy for keeping track of nameservers, owners, statuses and renewals. It even colors lines for names due renewal soon.
And if drop-catching or mining for new regs is your poison, then load it up with tens of thousands of terms and leave it running overnight.

There may be other better or cheaper products out there, but this one I fell in love with. Works with gTLDs and most ccTLDs, and their support team are top-notch.
If anyone is interested drop me a line and I’ll post more on this, as there are a couple of gotchas I’ve learnt.

$ummary:

#1 Keep a list – FREE
#2 Get notified – FREE
#3 Extra Level of Registrar security ~$150/year
#4 Use a registrar that prides itself on its security, they may be a few cents more expensive per renewal, so if you are price sensitive – just have your best names there
#5 Desktop security ~$100/year
#6 Portfolio software ~$50

If you cannot justify spending ~$300 to protect your portfolio from theft and your errors (dropping by mistake), then your portfolio simply cannot be worth what you thought it was.

Can you add to my list of 6? Please leave a comment.

  1. mulligan
    August 20th, 2009 at 22:44 | #1

    Regarding email .. I use a mail service that comes with my hosting, Ok, so what’s good about that? Nothing much but … I never use the online interface, I use an email client to download (Thunderbird being my choice)
    The thing I particularly like about this is that I can change the URL to my mailbox, so instead of having it as https://webmail.mydomain.com/ I change the webmail portion of the URL so it reads something like https://MultipleLettersAndNumbers.mydomain.com/ .. Another thing, once my mail has been downloaded it is no longer on the server. Yeah, not perfect if you have a keylogger sitting in the background or someone sniffing your traffic blah blah, but a bit safer than a fair number of options out there.