Web Hosting Talk







View Full Version : Prevent domain stealing


Gerrit
11-24-2003, 03:06 PM
I have and read that some people have been the victims of domain stealing... I have taken a few looks around and notice that many registrars aren't very well protected indeed... Just a username and password can be enough to enter the protected zones of the DNS.
I think more efficient ways of protection can be possible. For example the telebanking system used here in Belgium: when you sign up, you get a floppy disk. You can only log in when you enter the floppy disk + username + password. The floppy gives a very secure protection because it's no longer enough to know someone's account information to log in to his account.

Another possible way of prevention could be a double password.

Something secure as well could be that only from 1 computer there can be logged in, that way one must get access to the domain owner's computer to be able to log into his account. It's easy to realise through the IP address.

Finally, another way of prevention could be that for change of ownership, written documents are sent to the postal address of the owner, who must sign the papers and post them back to the registrar. This way it is secured that the owner cannot lose his legal ownership, because he has the letter first and if he never wanted to change ownership he just ignores the letter.

I think these things aren't so hard to realise and would prevent much trouble. Not that so many people have troubles with it, but you read and hear about it now and then...
Isn't it that in some countries like the Netherlands the system is already used where written permission is needed for change of ownership ?

kohashi
11-24-2003, 06:11 PM
It is a trade off - Convenience vs Security.

How likely is it that YOU will get hijacked?

Take your pick. Some places it is a real pain to move from account to account, others, it can be done in two clicks.

Choose a very strong password and make sure you are using SSL at all times. That is about as best you can get in many cases.

Also a good antivirus and firewall protecting your home computer from trojans and keyloggers is a good idea.

Gerrit
11-25-2003, 10:57 AM
Originally posted by kohashi
It is a trade off - Convenience vs Security.

How likely is it that YOU will get hijacked?

Take your pick. Some places it is a real pain to move from account to account, others, it can be done in two clicks.

Choose a very strong password and make sure you are using SSL at all times. That is about as best you can get in many cases.

Also a good antivirus and firewall protecting your home computer from trojans and keyloggers is a good idea.


Just to make sure I got this right :

SSL = ??

trojan = ??

keylogger = ??

Sorry, probably very silly questions, but I'm "quite new" in this domain world :)


I doubt if the registrars themselves can't do more to prevent hijacking. Okay, the chances of getting hijacked are rather small, but now and then you hear complaints about it, the one that is victim will probably not be satisfied with hearing "the chances are rather small, so you're an exception"

The double-password, or certainly the written letter needed for change of ownership are easy to realise, and would save the few people that are victim of hijacking some troubles :)

Gerrit
11-25-2003, 10:58 AM
and doesn't .NL already use the system where a written contract is needed for a change of ownership ?
any registrar on this forum that does .NL ??

sprintserve
11-25-2003, 11:16 AM
Originally posted by Gerrit

SSL = ??

trojan = ??

keylogger = ??


SSL = Secure Sockets Layer, a protocol used for secured connections over the internet. When you access a secured page (that lock shows up) on the internet, chances are you are using SSL.

Trojan = A program that hides in your system and executes functions written by the author, usually malicious.

Keylogger = A program that can log key strokes. So even if passwords are **** out, it can actually know what your passwords are. May be delivered as a trojan.

sprintserve
11-25-2003, 11:30 AM
On the topic, I think current methods are good enough. Faulting passwords/logins is not right either since you can have better password policies that can prevent it from being compromised (eg. only entering it over secured connections, having good protection systems at your work machine, changing passes regularly, and such)

Given the global nature of the internet, I am not sure delivery of signed documents to and fro is both a cost-effective and efficient means. Emails are supposed to be good unique proof too since you are supposed to be the only one that can retrieve it (assuming that you maintain security over it)

All in all, I like the way things are now.

bNamed
11-25-2003, 11:56 AM
Originally posted by Gerrit
and doesn't .NL already use the system where a written contract is needed for a change of ownership ?
any registrar on this forum that does .NL ??

Yes, you need paperwork for that. But I wouldn't say "already use the system (...)". I think "still uses the system (...)" is more in place when talking about .nl domain names.

Of all the different types of domain names available, .nl-names are the ones with the most unrequested transfers. At least, that's what I'm seeing.

sergio
11-25-2003, 12:14 PM
Originally posted by Gerrit
I have and read that some people have been the victims of domain stealing... I have taken a few looks around and notice that many registrars aren't very well protected indeed... Just a username and password can be enough to enter the protected zones of the DNS.
I think more efficient ways of protection can be possible. For example the telebanking system used here in Belgium: when you sign up, you get a floppy disk. You can only log in when you enter the floppy disk + username + password. The floppy gives a very secure protection because it's no longer enough to know someone's account information to log in to his account.
[skip]

I think a floppy disk will not give enough protection against a trojan, but it's still better than just a password.

By the way, lately USB drives are used to store keys. It's more convenient than a slow floppy drive and more reliable.

kohashi
11-25-2003, 06:59 PM
Sprintserve explained it all quite well :)

Gerrit
11-25-2003, 07:39 PM
Originally posted by sprintserve
On the topic, I think current methods are good enough. Faulting passwords/logins is not right either since you can have better password policies that can prevent it from being compromised (eg. only entering it over secured connections, having good protection systems at your work machine, changing passes regularly, and such)



the question is of course: "what is a secured connection" ? I update my Norton anti-virus once or twice a week and run Ad-Aware weekly as well. So I think my computer is quite safe...
I do not have a firewall though. I should consider installing one...


the Dutch system looks good to me, one can get hijacked but for the change of ownership paperwork is necessary, so it's much tougher to "steal" an .NL domain
It would probably be very difficult to do the same for .COM and other generic ones, but it would probably also be an appreciated extra service offered to the domain owners.

Not only .NL needs paperwork though. I checked around a bit, and noticed that the ccTLDs only available through written application also cannot be changed to another owner without written permission.

Gerrit
11-28-2003, 04:08 PM
question for bNamed and any other registrar here that does .BE : doesn't .BE use the same system (with paperwork) as .NL ?

bNamed
11-28-2003, 10:41 PM
Originally posted by Gerrit
question for bNamed and any other registrar here that does .BE : doesn't .BE use the same system (with paperwork) as .NL ?

You can either confirm via e-mail or with paperwork.
Confirming with paperwork really only is available because sometimes the e-mail address doesn't work anymore.
It is however different from the .nl-system. You might have read my post about .nl-names being (in my experience) the ones with the most false transfers? That's because the gaining registrar has to check the paperwork. For .be-names, DNS BE checks the paperwork.

About transfers with paperwork: the most famous domain robbery must be that of sex.com. That was done with paperwork... Have a search on google for "sex.com network solutions" and read all about it.

Gerrit
11-30-2003, 04:41 PM
every registrar could of course leave the option to the registrant if he prefers to only allow transfers when he signs paperwork, that way the customer is sure no one can rob his domain...

another possibility is that when someone wants to move the domain to another owner, a message sent to the mailbox of the owner must be confirmed, that way the mailbox must be hacked as well to complete the robbery.