All Your Domains Are Belong to Us

How secure are your domain names? Not very. I’m going to start off with an open letter to Afternic and Sedo on the threats facing their fast transfer system. Then I’ll move on to some practical steps that readers can take to secure their domain portfolios.

Afternic and Sedo,

Fast transfer is probably the greatest innovation in the domain aftermarket, but it is poorly implemented. If a hacker gains access to a user’s account at either one of your websites, he or she can steal all of a victim’s domains that are opted in to fast transfer without ever compromising their email or registrar accounts. How?

It is simple, really: just log in and change the pricing to $50 for all domains already opted in to fast transfer. Then buy them at a partner registrar that the domains are not currently registered with. Poof, they’re gone. By the time the mess is all sorted out, assuming it ever gets sorted out, the domains are long since sold to an unsuspecting third party.

Your fast transfer system bypasses all registrar security, including the highest level of security at GoDaddy which is DTVS. Your customers are one phishing email or keylogger away from losing their most prized possessions.

What can you do about it?

First and foremost, when a user changes the price on a domain, you should immediately opt it out of fast transfer and then send a new opt-in email. You should treat an opt-in as willingness to transfer the domain for that specific price. If the price changes, that “contract” is no longer valid. That way the hacker must have email and registrar access to opt them back in. At that point the fast transfer attack vector is pointless anyway, except for bypassing DTVS. He could simply transfer out and save the $50 per domain.

Next, you should have 2FA as an option when logging in. That has been a standard for a very long time, and it is relatively easy to implement. That will make it significantly harder, if not impossible, for a thief to gain access to change the prices. Ideally you should require users to activate 2FA in order to participate in the fast transfer system.

Fixes to the Opt-In Emails

The following definitely applies to Afternic but possibly to Sedo as well. You should update your opt-in emails to include the account username that requested it. Some users receive a lot of these emails throughout the course of a month. If another seller lists some of my domains, I might accidentally opt in without even realizing it, because I have no easy way to know whether I requested it or someone else did.

This confusion allows a thief to steal a domain directly with a $50 price without even compromising the user’s Afternic or Sedo account. But it is also a way to sell a domain and get paid for it without ever having to steal it in the first place. Let that last part sink in for a minute because it is absolutely terrifying. You should require a link between the seller’s account and all the partner registrar accounts. And your ownership verification needs work.

Also regarding your opt-in emails, I don’t know if you are already doing this or not, but make sure requests from different accounts do not get batched together just because they are at the same registrar. Let’s say I own and and both are at GoDaddy. I list the former and another seller (illegitimately) lists the latter. Make sure they aren’t included in the same opt-in email. When listing large batches of names it would be an easy thing to miss, and then I’ve accidentally allowed someone else to sell and get paid for it.
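A minimal sketch of the two fixes proposed above: an opt-in that is bound to a specific price, and opt-in emails that name the requesting account and are never batched across accounts. This is an added example, not Afternic's or Sedo's code; the `Listing` model, the function names and the sample accounts and domains are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Listing:
    domain: str
    registrar: str
    seller: str                            # marketplace account that requested the listing
    price: int
    consented_price: Optional[int] = None  # price the registrant confirmed by opt-in email

    @property
    def fast_transfer(self) -> bool:
        # Consent counts only for the exact price that was confirmed.
        return self.consented_price is not None and self.consented_price == self.price

def change_price(listing: Listing, new_price: int) -> bool:
    """Apply a price change; return True when a fresh opt-in email is required."""
    had_consent = listing.consented_price is not None
    listing.price = new_price
    listing.consented_price = None         # the old "contract" is void
    return had_consent

def confirm_opt_in(listing: Listing, price_in_email: int) -> bool:
    """Registrant confirmed an opt-in email; reject it if the price has since changed."""
    if price_in_email != listing.price:
        return False
    listing.consented_price = price_in_email
    return True

def build_opt_in_emails(pending: list) -> list:
    """One email per (requesting account, registrar); sellers are never mixed."""
    groups = defaultdict(list)
    for item in pending:
        groups[(item.seller, item.registrar)].append(item)
    return [{"requested_by": seller, "registrar": registrar,
             "domains": [f"{i.domain} at ${i.price}" for i in items]}
            for (seller, registrar), items in sorted(groups.items())]

if __name__ == "__main__":
    # Constructed sample data: two accounts list domains held at the same registrar.
    mine = Listing("example.com", "GoDaddy", "alice", 5000)
    other = Listing("example.net", "GoDaddy", "mallory", 50)
    for email in build_opt_in_emails([mine, other]):
        print(email)
    confirm_opt_in(mine, 5000)
    print(change_price(mine, 50), mine.fast_transfer)
```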


Domain Industry Security Tips

Obviously if you read the open letter above, a good first step would be to opt out of fast transfer for the time being on any liquid or high-value domains that you own. Make sure your Afternic and Sedo passwords are extremely long and complicated. Never click any links in any emails from either of these services, or any service for that matter. Be very careful when opting in to fast transfer as you might not have initiated the request.

After that, the best piece of advice I can give is regarding your WHOIS email. You should use an email address that you only use for correspondence. Do not use this email address at any service provider, be it registrars, marketplaces, your bank, etc. Otherwise you are broadcasting your greatest vulnerability. For example, use in the WHOIS and then use for all your accounts. That way the thief doesn’t know which email to hack to get the keys to your castle.

Also guard your account IDs and/or usernames. For example, let’s say you buy a domain from someone on NamePros and it is at GoDaddy, and you have to give them your customer number and email address for the push. Don’t give them the details for your main account holding all of your domain names. Instead, give the seller an intermediary account that doesn’t have any domain names in it. Receive the push there, and then immediately push it into your main account. That way nobody has your real customer number.

General Security Tips

Always enable two-factor authentication (2FA) on services that have it available, especially your email. If your email provider doesn’t offer it, then move. Never use email or SMS as the delivery method; always use an app like Google Authenticator. Text messages are not secure, as a thief could port your phone number out to another carrier and receive your 2FA codes.

On that note, contact your carrier and make sure you have extra security to prevent your number from being ported out, just as an extra measure of security, even though you aren’t using it for 2FA. It will prevent a thief from calling a registrar and impersonating you.

Never use the same password for more than one site. Services like 1Password and LastPass make this very easy to manage, and you can share access with a trusted family member in case something happens to you. Don’t write your passwords down in a notebook.

If you follow all of these tips you should have your bases pretty well covered. Don’t just assume that domain theft will never happen to you. If you have something of value I promise you someone out there is ready to take it from you. Get on it today.

If anyone has any additional tips please leave them in the comments below.

3 thoughts on “All Your Domains Are Belong to Us”

  • By Undaunt - Reply

    God bless you for this article. Hope everyone implements this.

  • By Kevin M - Reply

    Great post Michael. What would make it even better is if some of the aforementioned marketplaces would read this and actually implement some of these security steps. Domain stealing is becoming more and more rampant and can cause major financial and business losses to those affected by such. Thanks for these great suggestions.

  • By Ryan - Reply

    Great read. Have to say I didn’t think about someone else opting one of my domains in with their marketplace account.

    I think the real fix should be not to rely on email for the opt in process but to authenticate to the registrar directly using oauth.

    Also for 2FA, I highly recommend a security key. Not as well supported as other methods but it's growing.
