Domain Name Security
Even the strongest, hardest-to-guess password is worthless once a keylogger, virus, worm or other piece of malware is running on the machine you type it on. Scan your computer regularly; there is no good reason not to run antivirus and spyware detection daily. One common misconception is that OS X is immune to security threats. There are keyloggers written specifically for OS X, and the operating system you use does nothing to protect you from social engineering or from phishing and pharming scams. You have been forewarned!
Public Wi-Fi networks, libraries and cybercafés should be avoided whenever you plan on doing anything more than casual web browsing. I strongly recommend against checking email or logging into any important account (Digg, Facebook, and above all your domain name registrar) from them. If it is absolutely necessary, change that password as soon as possible afterwards, and do so from a computer you trust rather than the public one, since a public machine may be logging every keystroke. When you use a public computer, log out of your email and registrar accounts, delete the browser cache, history and saved passwords, and close the browser before you walk away.
If available, use an email address from your Internet Service Provider for your important domains and websites. If you use an ISP-based email address and plan to switch ISPs, or to move to a new webmail address, update the email contact information on every one of your domains first; a contact address you have abandoned and someone else can later obtain is an open door to your accounts. Free web-based email services, including Gmail, Hotmail and Yahoo Mail, have all had serious security flaws in the past. Should you decide to use one, choose a strong password: eight characters is the floor and longer is better, mixing uppercase and lowercase letters, digits and preferably symbols.
Set your email client to display messages as plain text only, and never open an attachment before scanning it for malware, regardless of the source. Without getting too technical: attachments, much like HTML email, can carry keyloggers or other malware that would easily compromise your email account, and from there your domains. Apply the same rule to files offered over instant messaging programs such as AIM, Windows Live Messenger and Yahoo! Messenger. Always remember that an email or attachment from a trusted friend is not necessarily malware-free. Your friend is probably not doing it on purpose; their computer may have been compromised by someone who is now using it to spread malware and is spoofing the sender address so the messages appear to come from your friend. I strongly recommend against sending confidential information by email at all, but if you must, encrypt the messages and digitally sign them (for example with PGP or S/MIME) so the recipient can verify they really came from you.
If you need a spam filter, block individual problem addresses rather than relying on an aggressive catch-all filter; otherwise enquiries from end users may end up in your junk folder. Whitelist (add to your safe list) the email addresses of your domain name registrars so you never miss a renewal notice or other important message.
Here is why the email address tied to your registrar accounts matters so much. DomainTools offers a Registrant Search service that lets anyone purchase a list of the domains associated with a given name, postal address or email address. An attacker who has compromised your email account simply buys the list of domains associated with that address, visits each registrar and clicks "Request Password", which unfortunately sends the login details straight to the mailbox the attacker already controls.
Using a different email address for each registrar limits the damage an attacker can do, under most circumstances, if he compromises the password on one of your domain accounts. Never reuse the password of a web-based email account at a domain name registrar. Use a distinct strong password, mixing uppercase, lowercase and digits, at each registrar, each domain name forum and every other website you are registered with. Record them in a paper agenda kept somewhere safe (or in a password manager) so you are not tempted to compromise your own domain name security by reusing one password everywhere for the sake of convenience.
Make it a habit to change important passwords at least monthly. As an additional layer of security, where the registrar offers the option, choose a username different from your email address; this gives a would-be attacker one more element to work out before he can even attempt a login. To make an account harder still to hijack, list a different email address in the whois than the one tied to your registrar's password recovery function (the address you signed up with), and open several accounts with different usernames and passwords at the same registrar, so that one compromised password exposes only part of your portfolio. If you use your own domains as nameservers, make sure they are not about to expire. Should a domain you use as a nameserver lapse, an opportunistic attacker can register it, and whoever controls a nameserver's domain controls DNS for every domain delegated to it: he can point your websites and mail wherever he likes without ever touching your registrar accounts.
With email forwarding, you can forward all mail sent to the address listed in a domain's whois to the address you used when creating the account with your registrar. Do not tell anyone about these addresses. The person who hijacks an account is often someone who knows the victim, so be careful what information you share with others. Don't keep personally identifying information in your email accounts: credit card numbers, passwords, answers to security questions and contact details for domainers or reps should never be found in your mailbox or on your computer. Make it a habit to back up your email and store the backups offline on removable media (DVD-RW, CF/SD cards, USB drives and so on).
If your secret question is "What's my dog's name?", the dog's actual name is a very poor answer: many people know it, and a stranger who doesn't can simply work through a list of the most common dog names and brute-force his way into your account. A better approach is to treat the secret question as a second password. How many attackers will guess that your dog's name is "6Fw8a42N9fsG38"? None, no matter how long they try. Keep all your domains locked, and ask your registrars what additional security measures (extra verification steps, passwords or security questions) can be applied to your most valuable domains. Registrar lock tells the registry to reject transfer requests outright; without it, a transfer request that you fail to explicitly deny within your registrar's confirmation window can go through and the domain leaves your account. If your registrar doesn't offer additional security measures, transfer your valuable domains to one that does (e.g. Moniker Max Lock, Fabulous.com Executive Lock, GoDaddy Protected Registration).
Keep on top of the news (especially the bad news) about your registrar. If things are heading south, you'll want to get out as soon as possible. Always have a contingency plan and money set aside in case something does go wrong. Put every domain you intend to keep on auto-renew, but renew early as well if you can afford to. Renewing your best domains for an additional year is always a good idea: it protects you from losing them if someone fraudulently gains control of them, if your auto-renew payment fails (an expired or stolen credit card, an empty PayPal account), if an act of God leaves your registrar unable to process payments, and so on.
When looking up a domain's whois, check whether it has been updated recently; a very recent update can indicate a fraudulent transfer of ownership. Enter the information listed in the whois (name, email address) into Google and look for anything suspicious. Ask discreetly about the domain among domainers who are "in the know". Remember that nothing is certain on the Internet, and that it is always better to take too many precautions than too few. Google the domain name with and without its extension. Add keywords such as namepros, dnforum or digital point to pull up results from a particular domain name forum, and words such as stolen, fraud, hijacked, hijacker, thief, missing, chargeback or paypal. Pretend one of your own domains has just been stolen: what would you do? Put yourself in that owner's shoes and try to outsmart the thief by uncovering the truth. Example search engine queries include:
a) domain.com stolen namepros
b) domain.com missing dnforum
c) domain.com paypal chargeback
Don't put the search terms in quotation marks: that produces only exact matches, and in the case of a stolen domain you would likely miss any report of its theft.
If a domain's price seems too good to be true, proceed with caution. The biggest indicator of a domain name scam is often the asking price: the scammer wants to offload the domain as quickly as possible, before the rightful owner reclaims it. Keep a watchful eye on newer forum members selling expensive domains; view their profile and read some of their recent posts. The simplest way to avoid most domain scams is to deal only with domainers who have a good reputation. On domain name forums this is easily checked by looking at their iTrader rating and the comments other domainers have left about previous transactions. Are those comments from new domainers (possibly duplicate accounts run by the scammer) or from experienced veterans? Phone the number listed in the whois and verify that the person who answers actually has the domain in their possession. If more than one person is listed in the whois, contact the others too: the seller could be a disgruntled employee or part owner who isn't authorised to sell.

That brings me to another point worth making: make sure you completely trust anyone listed in the whois as administrative, billing or technical contact. Imagine a few worst cases. The billing contact, who is responsible for paying renewal fees, forgets to renew your domain; the technical contact accidentally or maliciously changes the nameservers on all your domains and your parking and website revenue crashes to zero; the administrative contact feels under-compensated for his time and decides to sell a few of your valuable domains. For these reasons and many more, list yourself as every contact whenever possible.
Make it a habit to log into your domain name accounts at least every two or three days and confirm nothing is missing. Domain name monitoring software (e.g. http://www.domaintools.com/monitor/ ) is a useful extra safeguard, but it is not a replacement for logging in regularly. If you discover domains missing, or changes you didn't authorise, phone your registrar immediately and give them whatever information they ask for about the missing domain, such as when you last saw it in your account and any proof that you are the legitimate owner. Your registrar will probably ask you to sign some forms, including a liability waiver; truth be told, in most cases I'm aware of, the blame falls entirely on the domain owner for not taking the precautions discussed in this article, and if you want your registrar's help you'll need to sign what they ask you to sign. Many hijackers leave your whois information intact, especially if they have compromised the email address listed in it, which makes it harder for a registrar to tell whether your domains have been compromised at all. Check the domain name forums to make sure your stolen domain isn't being offered for sale; if it is, alert the moderators to the thread immediately.
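Monitoring, whether you buy a product for it or not, comes down to comparing a fresh export of your account against a trusted earlier one and shouting about every difference. The Python below is an added example, not code from this post or from any monitoring product: the two snapshots are constructed sample exports with invented names and addresses, and the field layout (registrant_email, nameservers, locked) is an assumption you would map onto whatever your registrar's CSV or API actually provides.

```python
import json

# Constructed sample exports of one registrar account, taken a day apart.
# Domains, addresses and nameservers are invented; the field layout is assumed.
PREVIOUS_EXPORT = json.loads("""
{
  "example-portfolio.com": {"registrant_email": "whois-contact@example-portfolio.com",
                            "nameservers": ["ns1.example-portfolio.com", "ns2.example-portfolio.com"],
                            "locked": true},
  "valuable-name.net":     {"registrant_email": "whois-contact@example-portfolio.com",
                            "nameservers": ["ns1.example-portfolio.com", "ns2.example-portfolio.com"],
                            "locked": true},
  "side-project.org":      {"registrant_email": "whois-contact@example-portfolio.com",
                            "nameservers": ["ns1.example-portfolio.com", "ns2.example-portfolio.com"],
                            "locked": true}
}
""")

CURRENT_EXPORT = json.loads("""
{
  "example-portfolio.com": {"registrant_email": "whois-contact@example-portfolio.com",
                            "nameservers": ["ns2.example-portfolio.com", "NS1.example-portfolio.com"],
                            "locked": true},
  "valuable-name.net":     {"registrant_email": "recovery@thief-mailbox.example",
                            "nameservers": ["ns1.parking-lot.example", "ns2.parking-lot.example"],
                            "locked": false},
  "brand-new.com":         {"registrant_email": "whois-contact@example-portfolio.com",
                            "nameservers": ["ns1.example-portfolio.com", "ns2.example-portfolio.com"],
                            "locked": true}
}
""")

# Fields whose change almost always deserves a phone call to the registrar.
WATCHED_FIELDS = ("registrant_email", "nameservers", "locked")


def normalize(value):
    """Make comparisons case-insensitive and, for nameserver lists, order-insensitive."""
    if isinstance(value, list):
        return tuple(sorted(v.lower() for v in value))
    if isinstance(value, str):
        return value.lower()
    return value


def diff_exports(previous, current):
    """Return (domain, alert) pairs for every difference that matters."""
    alerts = []
    for domain in sorted(previous):
        if domain not in current:
            alerts.append((domain, "MISSING from account: check for an unauthorized transfer"))
            continue
        for field in WATCHED_FIELDS:
            old, new = previous[domain].get(field), current[domain].get(field)
            if normalize(old) != normalize(new):
                alerts.append((domain, f"{field} changed: {old!r} -> {new!r}"))
    for domain in sorted(set(current) - set(previous)):
        alerts.append((domain, "NEW in account: expected only if you just registered it"))
    return alerts


def check_sample():
    """Compare the two constructed exports."""
    return diff_exports(PREVIOUS_EXPORT, CURRENT_EXPORT)


if __name__ == "__main__":
    for domain, alert in check_sample():
        print(f"{domain:24} {alert}")
```

A reordered or differently capitalised nameserver list produces no alert, while a changed contact address, unlocked status or vanished domain each produce one. Save each day's export under its date, run the comparison against the previous day, and you have the same early warning a monitoring service gives you, driven by your own account data rather than by public whois alone.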
If you can show your registrar that you have filed an ownership dispute, they may be willing to "freeze" your domains, preventing any transfer or further modification of whois information pending the outcome of their investigation. Once your domains have been transferred to another registrar, recovering them becomes much more difficult. See my article on Sandboxing for more tips on how to keep your domains safe.
May 26th, 2009 at 5:18 am
Hi,
Very nice informative post. There are many articles on domain name investment, minisite creation or making money using domain names. I guess this article is the first post which touches on security aspects. I am an Infosec guy and domaining is my hobby. You have touched on most of the areas including WiFi, email security and others.
Really hats off to you.
One point I guess is missing is about social engineering. Considering so many conferences and other live meetings, one should not share too much information. All sharing of information should be on a need-to-know basis.
Thanks again for such informative post.
Kedaar
May 26th, 2009 at 8:15 am
Good article,
“If available, use an email address from your Internet Service Provider for your important domains and websites.”
Mixed opinion on that; those types of companies, particularly the smaller ones with loose policies, are often wide open for social engineering attempts. The key thing in my view is to assume your email account will get compromised; if that happens, are your domains still safe? The security features the registrar has are key here (i.e. what is needed to retrieve a password).
“Make sure your email settings are set to “text only””
That is a good tip.
May 26th, 2009 at 10:14 am
Excellent Article
May 26th, 2009 at 1:50 pm
Great points Kedaar and Snoop.
Social engineering is definitely on the rise — seems I can’t go more than a few days without hearing about one social network or another having problems of that sort. Kedaar, I definitely agree with your tip of sharing information on a need to know basis — no reason to trust anyone with information they don’t need to complete their job.
Snoop, that’s a good point about small ISPs — never thought about that. That’s a great point you make there of assuming one’s email will get compromised and then asking yourself if your domains are still safe — makes a lot of sense when we see how many people’s emails get hacked due to social engineering, security flaws, or outright stupidity.
May 29th, 2009 at 6:47 am
Good stuff!
My addition - Use only official whois servers (verisign/internic) to check a domain name, or use software with official ICANN/IANA whois server support like SoftFuse Whois - http://www.softfuse.com/whois/
I would not recommend checking domains with third-party whois tools. Some online whois tools harvest requests and may register your domains, so there is a chance of losing a good and not yet taken domain name.
June 27th, 2009 at 8:22 pm
Wow! Thank you! I always wanted to write something like that on my site. Can I take part of your post for my blog?
June 27th, 2009 at 11:28 pm
Hi Jessica,
You’re most welcome. Please feel free to post whatever you’d like from this post on your blog.