You worked hard to thwart the actions of cybersquatters around the world. Through substantial efforts up to and including litigation, you secured the transfer of domain names identified by your company as mission-critical. Like a hunter returning with the spoils of the hunt, you proudly turned the domain names over to your marketing and information technology teams, who then spent millions to build the company’s Internet strategy around the names. Confident that your work was done, you turned your attention to other matters.

Months later, you receive a phone call from your information technology department. They report that the company’s principal domain name is no longer pointing to the company’s Web site. Instead, it’s pointing to pornography. Or to your chief competitor’s site. Or to a bogus press release reporting “accounting irregularities.” Or to nothing at all.

A frantic investigation reveals that an anonymous hacker has stolen the domain name in the middle of the night. You contact your registrar to find out what has happened and to get the name back. Although sensitive to your predicament, the registrar informs you that it could take a full day to make the corrections necessary to return the domain name. All you can do is wait — and hope your customers wait with you.

Sound far-fetched? It’s not. This story is repeating itself around the world with increasing regularity, yet few attorneys or the companies they represent are even aware that their domain names can be stolen. Not only can domain names be stolen, it is alarmingly easy for even a novice hacker.

Why? Because standard domain name registrations with most registrars have virtually no security. Changes to domain name registrations are usually made online. The method by which most registrars verify that changes are authorized is by comparing the e-mail address of the person requesting the changes to the registered e-mail address of either the administrative or technical contact for the domain name. On occasion, a registrar will require a missive on company letterhead to confirm that the registrant wishes the changes to be made.

To get around these “safeguards,” hackers forge an e-mail header that makes it appear as if their e-mail communications to the registrar are actually coming from the administrative or technical contact for the domain name. This is child’s play to any reasonably competent hacker: The names of those contacts are generally available through WHOIS searches online. Forging an e-mail header is one of the easiest of hacker skills, and instructions on how to do so are readily available over the Internet. If necessary, hackers can even create forged letterhead that is strikingly realistic.

THE LONGEST DAY

Armed with these tools, hackers can take possession of a domain name in a number of ways. The most straightforward method is to tell the registrar to change the registered server information. Every domain name record includes the addresses of the primary and secondary computer servers for the Web site. When an Internet user types in a domain name, the Internet connects the user to the content located at the servers listed in the registration record. By changing the server addresses, a hacker effectively takes control of the domain name.

Registrars can sometimes correct the situation within four to six hours. However, changes to domain name records are generally made in batch updates, and these batch updates are generally run only every 24 hours. Unscheduled updates are expensive and time-consuming. Some registrars, therefore, may resist making any changes to a hacked registration record until the next scheduled batch update.

In Internet time, 24 hours without a critical domain name is a lifetime. Even four to six hours without a domain name can wreak havoc. A dot-com seeking to go public may see its initial public offering sour if it loses control of its principal domain name for even a few hours on the eve of the IPO. Other businesses working feverishly to build consumer confidence in their Web sites may see such confidence substantially eroded.

So what do you do about it? The good news is that there are several easy steps you can take to reduce the risk of unauthorized changes being made to your domain name records.

First, emphasize the importance of the administrative and technical contacts’ role. Before some registrars process changes, they notify the administrative contact that a change will be made that night. An alert administrative contact — that is, one who does not delay in reading all e-mail messages from the registrar — may be able to catch an unauthorized change before it’s too late.

Second, if your company does not maintain its own servers, put in writing with your Internet service provider that it is not authorized to ask for or make any changes to your domain name records. The reason for taking this step is that many of the larger ISPs process changes to their customers’ domain name records as a value-added service. Employees of the ISPs are in daily contact with all the major domain name registrars. Thus, the registrars may make changes that an ISP requests without inquiring further or sending any confirmation of the changes to the domain name owner. Recognizing this practice, some hackers, posing as employees of a company, have done their mischief through the ISPs.

Finally, cheaper is not always better when it comes to domain name registration. Choose a registrar that recognizes the significance of domain name hacking and that offers enhanced security mechanisms to prevent unauthorized changes. An example of such enhanced security is the little-publicized Guardian service that Network Solutions Inc. offers its customers. Through this service, NSI makes available three different levels of security protection.

Under the basic level, called “mail-from,” NSI will require e-mail confirmation from both the administrative and technical contacts before it will process a change to a registration record. Under the next level, called “encrypted password,” any person seeking to make a change to a registration record must use an encrypted password of the owner’s choosing. The third and best level involves the use of public key/private key security technology, also known as PGP or Pretty Good Privacy. While NSI provides all its Guardian services for free, the use of this third level of security requires that a company install PGP software. The software is available over the Internet for free or from NSI for a fee.

In sum, the bad news is that it’s all too easy for a hacker to steal your company’s domain name–for at least 24 potentially crucial hours. The good news is that a few simple steps can substantially reduce the risk of your domain name being stolen. Install the lock, turn the key, and don’t be a target for Internet thieves.
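
The article's first recommendation, catching an unauthorized change to the registration record quickly, can be automated by comparing the record against a known-good copy. The sketch below is an added example, not part of the original article; the `Key: value` field names and both sample records are constructed assumptions, since real WHOIS output varies by registrar.

```python
import re

# Fields whose change the article identifies as the hijack path:
# name servers (where the domain points) and the contact e-mail
# addresses the registrar uses to authorize changes.
# These labels are an assumption; adjust them to your registrar's output.
WATCHED = ("name server", "admin email", "tech email")

def parse_record(text):
    """Parse 'Key: value' lines of a WHOIS-style record into {key: set(values)}."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(\S.*?)\s*$", line)
        if not m:
            continue
        # Normalize case and a trailing root dot so cosmetic changes do not alert.
        key, value = m.group(1).lower(), m.group(2).lower().rstrip(".")
        if key in WATCHED:
            record.setdefault(key, set()).add(value)
    return record

def diff_records(baseline, current):
    """Return sorted (field, change, value) tuples for every watched-field difference."""
    findings = []
    for field in WATCHED:
        old, new = baseline.get(field, set()), current.get(field, set())
        findings += [(field, "removed", v) for v in old - new]
        findings += [(field, "added", v) for v in new - old]
    return sorted(findings)

# Constructed sample records (example.com / example.net are reserved names).
BASELINE = """
Domain Name: EXAMPLE.COM
Admin Email: hostmaster@example.com
Tech Email: noc@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""
OBSERVED = """
Domain Name: EXAMPLE.COM
Admin Email: hostmaster@example.com
Tech Email: noc@example.com
Name Server: ns1.example.net.
Name Server: NS2.EXAMPLE.COM
"""

if __name__ == "__main__":
    for field, change, value in diff_records(parse_record(BASELINE), parse_record(OBSERVED)):
        print(f"ALERT {field} {change}: {value}")
```

Run on a schedule shorter than the registrar's update cycle, a check like this flags a swapped name server or contact address without relying on someone reading the registrar's notification e-mail in time.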

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.