Domaining Companies Breached: Why Changing Passwords Is Not Enough

Early last year I posted my Top 10 Tips For Keeping Your Domains Safe. Tip #9 covered password protection and recommended that you use a program such as Password Safe and use the random password generator. If you followed that advice, then its likely that you only have to change one password. If you didn’t follow that advice, you could be in a world of trouble.

Over the past week I’ve received far too many notices from parking companies telling me to change my password. At first I thought I had been transported back to 1990 or a scene out of the Matrix whereby someone types in a password and gets access to “the mainframe”. Here is why changing your password isn’t enough.

Identity Theft

Your parking accounts provide valuable information such as your name, address, telephone number, credit cards etc.. While there are legitimate reasons for companies asking you for this information (such as to verify your identity when you sign up), if the information is stolen then it can be combined with other information so that:

• Loans can be taken out in your name.
• Credit cards can be obtained in your name.
• Other identity documents can be issued.
• Someone else can become you!

Domain Theft

Just when you thought that getting your identity stolen was bad enough, your portfolio is being transferred. I’ve already written about how you can secure your domain names before, so I won’t go into it here – just read the article.

Money Laundering

Change your passwords on your paypal account and bank account. Paypal have a Security Key that costs you $5. It provides extra security on top of your password. It’s not fool proof, but will help deter the dumb crooks. I suggest you use it. The last thing you need is for your paypal account or bank account to be emptied and/or used to transfer large sums of money on behalf of criminals.

Next Steps

1. Use Password Safe and randomly generate a passwords for all your accounts.

2. Change your EMAIL (pop3/IMAP) passwords. These are often used to reset passwords. eg: people click on “Reset my password” or “I’ve forgotten my password” and an email is sent to you. Of course, the crooks know your ISP (from your domain name in your email address)and can probably login your your email via webmail and get that password reset email before you. Didn’t think of that, now did you?

3. Change your server, blog, paypal and any other passwords.

I hope this has given you a few things to think about. Your domains are valuable assets. It’s time to treat them that way.

Commerce Dept Criticizes ICANN On New TLDs

In a letter sent to ICANN last week, Meredith Baker, the head of the Commerce Department’s National Telecommunications and Information Administration stated that is not clear “whether the potential consumer benefits outweigh the potential costs“.

It also goes on to say that “ICANN needs to ensure that the plan would not jeopardize the stability and security of the Internet addressing system.”

Finally, we have someone in the Commerce Department who can see this obvious fundamental problems with what ICANN is proposing. Lets hope this letter is the precursor to stopping this really stupid idea. Keep up the good work Meredith.

More information: USA Today, San Francisco Chronicle, Arizona Daily Star, The Salt Lake Tribune, Las Vegas Sun.

Domain Renewal Postal Mail

As a professional domainer with an ever growing portfolio I tend to attract spam – usually of the email kind. Most of my domains have whois privacy protection, some of the details like my email address change on a daily basis. As such, when spammers try to send me junk, it just bounces.

One thing I can’t seem to shake off is this unsolicited postal mail asking me to renew my domains with registrars and resellers. Yesterday I received three letters in the post. Two were from the “Domain Renewal Group” and one was from the “WorldWideWeb Register”.

I have uploaded a high resolution image of the Domain Renewal Group letter (936k jpg) as well as the WorldWideWeb Register letter (1.7meg jpg). Of course, I have removed some of the identifying information from them.

The Domain Renewal Group letter was printed on paper that’s a big bigger than standard A4, whereas the WorldWideWeb Register used very thin quality A4 sized paper, kind of like the old credit card receipt paper.

Domain Renewal Group

The terms and conditions are in tiny little print and are extremely difficult to read. In fact, you might need a magnifying class to read it properly. Here are some interesting paragraphs:

“If lawsuit(s) are threatened: If we are sued or threatened with lawsuit in connection with Service(s) provided to you, we may turn to you to indemnify us and hold us harmless from the claims and expenses……”

“You warrant that your use of our services is not going go subject us to any claim(s). You further agree to indemnify, defend and hold harmless us and applicable registry administrator(s)…..and all such parties‘ directors, officers, employees and agents from and against any and all claims, damages, liabilities, costs and expenses…….”

“All fees are non-refundable, in whole or in part, even if your domain name registration is suspended, cancelled or transferred prior to the end of your then current registration term, unless this Agreement specifically provides for a refund.”

When it comes to renewal costs they are VERY expensive – AU$40 to renew a .com for 1 year! They also suggest other names – in my case for .org and .biz at AU$75 each!

WorldWideWeb Register

Their letter tends to focus on the “Updating of your data:” which is the subtitle of the letter.

The letter was sent to my mailing address, but I didn’t own the domain name that it mentioned. The letter had a generic “company name” as the owner. When I checked the domain name, using whois, it was registered to a different owner.

The first line of their letter reads:

“We kindly ask you to update your subscription ensuring that you include your correct data, thus allowing all Internet users to contact you without any problem. In the attached document, you will find basic data about your company, which you should check in order to avoid publication of private websites.”

Apart from the sentence, not actually making sense – I wonder how many people would receive this letter, see that their details are wrong and then provide the correct information. The other interesting thing is that the domain name they mentioned was a .com.au. Traditionally the underlying registry data for .com.au has been hidden away. Perhaps this is a way to obtain that data, domain by domain?

An extract from page two of the letter reads “The applicant must correctly supply their information so that the contracted company may include it in the relevant editions of the World Web Company Register on CD-Rom, as well as in its Internet database…..”

The next page reads “…. I give GT@P – Guia Telefax Anuario Profesional, S.L. the order to publish my company data in the next three annual editions of its Web Company Register, both on the Internet (www.webcompanyregister.com) and on CD-Rom. The total cost per edition of the service contracted …… is 877 euros.”

Wow, so I pay you 877 euro to have my personal details appear in your database! Where do I sign?

New Security Flaws In ICANN Proposal

Last month I talked about ICANNs new proposal to allow domain names with non Latin characters. The media has yet to realize the true implications of this, so I’m going to spell it out in “plain English”.

• www.pàypal.com
• www.ebày.com
• www.bànk.com
• www.päy.com

Notice that mark on your screen? In German its called an umlaut, also known as an accent mark.  What does it mean for the Internet:

1. An increase in phishing sites that look like the real thing.
2. A new opportunity for typosquatters to profit from registering domain names.

So when is an a, not an à’ ? What happens when an international visitor goes to www.pàypal.com in their browser? Will they go to www.paypal.com or www.pàypal.com? That depends on the characterset they use!

For domainers, its time to start thinking about those new domain names to hand register. For corporates, it time to think about tracking down all those domain names with a view to getting them registered when this thing goes live.

The Hidden Dangers In ICANN’s New Proposal

Today, ICANN is going to vote on allowing domain names with non Latin characters. For example, Chinese, Arabic and Cyrillic.

If this proposal goes ahead, its going to be very difficult to distinguish between domains in Latin characters and others such as Cyrillic. What does this mean? It’s going to:

a) increase phishing as organized crime is going to catch on that they can register ebay.com or bank.com using Cyrillic characters. Best of all, those domain names will not be registered because the character sets are different.

b) increase the number of dodgy, misleading domain names that are for sale on auction sites. We all know the good old trick of using an 0 (zero) as opposed to an O (oh). Introducing non Latin characters makes it all that more difficult. Don’t get me wrong, I’m not against it entirely – I just think its going to introduce problems – many of which haven’t been thought about or widely discussed.

Will there be another mini landrush to grab all those trademarks using Cyrillic? Who knows. It also presents a problem when you show Cryillic in italics and non italics:

We will see what ICANN comes up with later today.