Getting your domain name stolen is one of the most devastating things that can happen to you on the internet. In an economy where businesses depend on their online presence, losing control over a domain name is a frightening thought.
In an instant, everything – from your website to your company email addresses and probably all the accounts connected to them – can get hijacked and used by very malicious people. There are laws protecting your ownership, but court procedures can get long and expensive, and by the time you get your domain name back, your business’ reputation can get irreparably damaged.
How can a domain name get stolen?
1. You can get hacked
Your domain name is registered with a registrar company, and your account on their website controls your ownership. Hackers steal domain names by obtaining access to this account, or access the e-mail address that “reset password” forms on their websites send emails to.
Once they obtain access to your account, they initiate the transfer of the domain to another registrar, gaining complete ownership over it. In most cases, your domain name is actually your email’s domain name, and a short period of control over your email is enough for that ownership to be transferred.
2. Your registrar can be compromised
There are people working at registrars, and they can get hacked and scammed just like you can. Always pick an accredited registrar, and try to go over their procedures. Ideally, you should pick a registrar that would help you with registry and registrar domain locking – a procedure that makes it more complicated to register.
Some experts advise against using the same company for domain names and hosting services, as getting control over your hosting account will not let them get to your domain names.
3. You can be a victim of a sophisticated DNS attack
This magic consists of a chain of machines asking each other the question “what IP should this address point to?”, and largely depend on a technology called DNS – the phonebook of the internet.
DNS, in its primary form, was not made to be secure. The evolution of the internet has made it harder for people to exploit the technology in order to redirect your users to a different, malicious server, but a couple of more or less sophisticated attacks such as “cache-poisoning of the recursive resolver” (say that three times fast 🙂 ) make it possible for hackers to create confusion and redirect a portion of your users to their servers.
The good guys have created DNSSEC, an extension to DNS, so this can be avoided by cryptographical signing of the DNS data, but there still are many domain names that do not support it, and configuring it is not a straightforward process with all registrars, so more often than not it is left off. While this does not let hackers steal your domain name per se, it does allow them to hijack your audience, and can cause just as large of a reputation hit.
Read More: What is DNSSEC and Why Should You Care About It
4. Someone can try reverse domain hijacking
If hackers were not too much of a worry, there are also lawyers to think about. Reverse domain hijacking is, in simple, a practice of another entity deliberately registering something with the name of your domain (often getting a trademark), and then accusing you of “stealing their domain name”.
While claims in bad faith are denied in court, these trials can get expensive, and are often used to strong-arm people into settlements in which they lose their domain names out of court.
How can I protect myself from losing the domain name?
Pick a strong password and use 2-factor authentication
You know these annoying SMS codes and authenticator apps that make it harder to log into your accounts? Use them wherever possible – especially for your email! If a hacker gets your email password, they are the only thing preventing them from doing damage. And pick a strong password, please.
Pick a reputable registrar and lock your domain name
Choose a reputable registrar, and make sure that they will let you lock your domain. Locking the domain name will prevent any request for changing its ownership until additional action is made. While most registrars have their own procedures on “registrar locking” (client prohibited status) the domain name, it is always smart that you also enable a “registry lock” (server prohibited status). Make sure to choose a domain name (like .ME 🙂 ) that supports it. Registry lock involves you and your registrar, but also the registry, which will prevent any change until it is notified about them by both you and your registrar via secure communication channels. This makes it much harder for someone to transfer the domain name out, and buys you precious time to prevent the theft.
Have DNSSEC enabled
Choose a domain name that supports DNSSEC (.ME does ❤), and have it up and running, especially if you are running an online business. Use a reputable DNS provider, and if you are using an external one such as Cloudflare, make sure you follow their guides on the additional steps for proper DNS configuration. While ICANN requires it’s registrars to support DNSSEC and all DS algorithm types needed for it’s proper implementation, make sure yours is compliant.
Use common sense in making it obvious that your domain name points to a legitimate website and that you are acting in good faith, but also in deciding if you should protect it with a trademark. Before settling on a domain name, check if it violates existing trademarks, including intent-to-use ones. If you ever get contacted by a lawyer threatening to reverse hijack your domain name, consult a legal expert before answering and making any decisions.
With everything taken care of, you are safer to start doing the things that really matter – creating amazing new things on your .ME domain name. Once your success is ready to be shown to the world, make sure to contact us with your success story for your place on our blog, bragging rights and some sweet SEO juice. We love nothing more than writing about .ME family members. Good luck!