Modernizing Authentication — What It Takes to Transform Secure Access
It's ten o'clock in the morning and the number of visitors to your ecommerce site has suddenly dropped to zero. Normally you make online sales worth hundreds of dollars an hour, but now your business has come to a standstill.
It's a scary scenario, but one that can come about if you lose control of your domain name. Anyone who manages to gain access to your account with your domain name registrar can hijack your domain name, diverting your website visitors to their own site and accessing your email. If they manage to steal your domain name by transferring it into their name with a new registrar then you face a long and expensive legal battle to get it back.
And you don't have to be the victim of a crime to lose control of a domain name: if you forget to renew it, it could be snapped up by a new owner perfectly legally. If that happens they can then do what they like with the domain name that used to be yours, and you may never be able to recover it.
Losing your domain names could clearly be a disaster, so here are eight tips to help you protect them:
- Set up a process for renewing your domain names regularly. The easiest way to lose a domain name is simply by failing to renew it in time. Setting up a renewal process can be as simple as scheduling a recurring renewal reminder in your desktop calendaring program to warn you a month before each of your domains is due to expire. Many registrars now allow you to synchronise domains so that they expire on the same date, making it much easier to manage more than one.
You can usually choose to renew domain names for one, two, five or ten years, but be careful about choosing anything longer than one year - renewing is something that is much more likely to slip your mind if you don't have to do it regularly. You may also be able to opt to have your domains renewed automatically, but this is likely to increase the risk that you lose track of your domains and their expiry dates.
- Check the contact details held by your domain name registrar regularly. Your domain name registrar should send out a reminder by email when it's time to renew a domain name, and may also need to contact you if there are payment problems or if someone attempts to transfer your domain names, so it is important to check that the current contact details it has are up to date. It's especially important to ensure the contact details are updated if the person in your organization who is responsible for domain name registrations leaves, and it's also sensible to whitelist your domain name registrar's address in your spam filters to ensure that you receive any emails it sends.
- Keep your account secure. Anyone who can access your account on your domain registrar's website can potentially hijack your domain name or transfer it to a new owner, so it's vital that your account is secure. That means it's important to ensure your account is protected by a long, strong password that can't easily be guessed or brute-forced by a hacker. You should also use any additional authentication methods (such as two-factor authentication using a security token or a one-time passcode sent by SMS to a cellphone) if your registrar offers them. It's also important to ensure the account password is changed if the person responsible for your domain names leaves your organization.
- Implement Registrar Lock. Most registrars offer a service called Registrar Lock (sometimes called Domain Lock or Transfer Lock), which can help prevent your domain from being accidentally or illegally transferred without your permission. When the domain is "locked" it can only be transferred after you log in to your account and unlock it. Registrar Lock therefore won't protect you from anyone who has access to your account, but it can prevent someone from getting the domain transferred by impersonating you on the telephone or by email.
- Opt for Domain Privacy. Domain Privacy, which most registrars offer free or for a small monthly charge, enables you to prevent your name, address and contact details being made freely available in Whois records. Domain name thieves can use this information to impersonate you and attempt to have your domain names transferred to a new owner, or to contact you to try to fool you into revealing your account password.
- Use Extensible Provisioning Protocol (EPP). EPP provides another layer of protection for your domain names, if it is supported by your registrar. It enables you to pick (or you may be assigned) a unique Authorization Information Code (AIC) for each domain, which must be supplied to a new registrar before the domain can be transferred to it. If your AICs are kept secure and confidential this can provide effective protection for your domains, but be warned: some registrars make them available to anyone who can log in to your account, effectively rendering them useless.
- Use permanent email addresses. When you specify your contact email address, avoid using one from a free service that might expire if you don't use it regularly. If that happens someone else could snap it up and use it to impersonate you in correspondence with your domain name registrar, or use your registrar's "forgotten password" feature (if it has one) to have the password emailed to them.
- Be suspicious of emails purporting to be from your registrar. Never respond to emails asking you to log in to your account and administer your domain names by clicking on links contained in the email. That's because the email could be "weaponised" and the links could take you to a replica of your registrar's website where your account details can be captured. To avoid this, always enter the address of your registrar manually in your browser before logging in.
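Two of the tips above, the renewal reminder and Registrar Lock, can be checked automatically rather than remembered. The following added example (not from the article or any registrar's tooling) reads a registration record in RDAP format, the JSON successor to Whois, and reports whether the domain expires within a warning window, whether the transfer lock (the EPP status clientTransferProhibited, shown in RDAP as "client transfer prohibited") is set, and whether a transfer is already pending. The sample record and domain name are constructed; in practice the JSON would come from a registry's RDAP endpoint.

```python
import json
from datetime import datetime, timezone

# Constructed sample RDAP domain object (not real data). It mirrors the
# shape of a real response: a "status" list and an "events" list.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-shop.test",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2016-03-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-03-01T00:00:00Z"},
    ],
})

def parse_rfc3339(value):
    """RDAP event dates are RFC 3339 timestamps in UTC ("...Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def days_until_expiry(record, now):
    """Days from `now` to the expiration event, or None if there is none."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            return (parse_rfc3339(event["eventDate"]) - now).days
    return None

def is_transfer_locked(record):
    """True when the registrar lock (EPP clientTransferProhibited) is set."""
    return "client transfer prohibited" in record.get("status", [])

def assess(raw_json, now_rfc3339, warn_days=30):
    """Return the findings a renewal/lock monitor should raise for one domain."""
    record = json.loads(raw_json)
    now = parse_rfc3339(now_rfc3339)
    days = days_until_expiry(record, now)
    findings = []
    if days is None:
        findings.append("no expiration event in RDAP data")
    elif days <= warn_days:
        findings.append(f"expires in {days} days")
    if not is_transfer_locked(record):
        findings.append("transfer lock not set")
    if "pending transfer" in record.get("status", []):
        findings.append("transfer in progress")
    return {"domain": record.get("ldhName"), "days_left": days, "findings": findings}

if __name__ == "__main__":
    # Run against the constructed record as if today were 10 February 2025.
    print(assess(SAMPLE_RDAP, "2025-02-10T00:00:00Z"))
```

Run from a scheduled job, a non-empty "findings" list is the point at which to alert the person responsible for the domain; an unexpected "transfer in progress" deserves the fastest response.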
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.