Monthly Archives: August 2016

Domains getting stolen is not new. Like every valuable object in the world, premium domains are susceptible to being taken. What differs is the mechanism by which these are stolen compared to physical objects. Usually, it’s one of these methods:

• Phishing attacks: These manifest when users are tricked into clicking on links that mimic the real URL and site and the user is led to believe that they are on a legitimate site. Once the user enters the credentials on these illegal/fake sites, the password is stolen.
• Simple/Obvious passwords: Having simple or obvious passwords is the biggest reason why passwords are a weak form of security. There are various reasons for users having weak passwords, but its a reality that we live in today.
• Social Engineering: In this form of attack, the attacker tries to impersonate a user (when interacting with a registrar) or impersonate a registrar (when interacting with a user) and somehow gain access to to the domain(s). Social engineering predates the internet and can be as old as any trick.

There may be other forms of attacks in the wild as well, but the ones as mentioned above are the most common ones. In the past few years, as stolen domains are becoming a big issue and registrants wanting some more security, the registrars started offering two-factor authentication. With two-factor authentication, in addition to a password, some other form of authentication is used. Most commonly, the second form of authentication is something that the user possesses exclusively with him/her. These days, the second form of authentication involves a code that expires in a short span of time and is SMSed(texted) to the registrant after with authenticating with a correct password. So, the user enters the SMSed code to gain access to their account. This is another layer of security in case the password is compromised.

In my opinion, this a big step up by registrars to provide extra service to its customers. But, keep in mind that two-factor authentication is NOT a silver bullet against names being stolen, it just makes stealing harder. For example, it is possible that an attacker can social engineer the telecom company to transfer the SIM card to them (attacker). See these two links about how SIM cards can be compromised: Link1 and Link2. When this happens, the attacker can receive SMSs from the registrar for authentication and along with the compromised password, gain access to a user’s domains. DynaDot, a registrar, have recently come out with a different approach to preventing domains from getting stolen. Instead of using SMSs for authentication, DynaDot uses Google Authenticator  to authenticate user along with username and passwords. Google Authenticator is an APP that generates a time-based (60 seconds)one-time password and can be used to log in. However, even after the user logs in, the account is still secure, as the transferring domains out or getting EPP code requires unlocking the account again. The unlocking of the account requires:

1. Month and date of birth
2. The token code from Google Authenticator
3. A token code from SMS

As you can observe from the above, getting all the three above could be challenging. Another reminder that these are extra layers of security which decrease the chances of domains being stolen, but not 100% secure. Also, note with DynaDot, after an account is unlocked after correctly entering the above three pieces of information, the account gets locked automatically after 60 minutes.

In the future, I expect that that biometrics being ubiquitous and would be used to secure domains.

Disclaimer: This is NOT a paid post.