A lot of people went phishing for domain names in 2014.
This is the third in a five-part series covering the top stories in the domain name industry in 2014. You can also listen to the companion podcast covering these five themes of 2014.
It’s a lot easier to steal a million-dollar domain name from most domain name registrars than it is to steal a million bucks from the bank.
So it shouldn’t come as a surprise that domain theft continued to be a problem in 2014.
Some domain name registrars are improving their security, but new rules make it even easier to get phished. Phished login credentials are one of the main ways domain names are stolen.
Consider the new Registrar Accreditation Agreement requirement this year that mandates some level of whois verification. It’s required on all newly registered domain names and when you make certain changes to whois information.
Registrars want to make this as simple as possible because they don’t want to have to suspend your domain name. So they send an email to your whois contact asking you to click a link to confirm.
This trains registrants to click links in emails that claim to come from their registrar, which makes phishing much easier.
Over a million domain names have been suspended thanks to this new requirement, which has had no measured impact on the safety and security of the web.
Phishing is a problem, and it manages to ensnare people who should be technically savvy. 2014 culminated with the ultimate example: Domain name overseer ICANN was compromised after some of its employees fell victim to phishing.
What can be done about domain theft and phishing in 2015?
On the theft side, all registrars should implement some form of two-factor authentication. If your registrar doesn’t offer this, it’s time to move.
On the phishing side, it’s mostly an issue of education. The damage of the RAA requiring verification is already done. That genie can’t be put back in the bottle when it comes to phishing, even if the requirement is dropped. Registrars need to follow best practices around emails (including using the customer name in legitimate emails) and educate their customers about what to look for to verify an email is legitimate.
Kassey says
GoDaddy should implement two-factor authentication worldwide immediately.
Andrew Allemann says
I agree. They’ll probably want to switch from text-based to app-based authentication for non-US. Uniregistry uses Google Authenticator.