DNSPolicy
Domain, DNS, and Related News and Discussion

Lax security of customers accounts at NSI causing rampant domain theft
posted by WilliamX on Wednesday February 09, @06:59AM
from the negligence-leads-to-crime dept.
Is your internet identity subject to theft by malicious individuals as a result of lax security precautions at Network Solutions? Your domain could be taken away from you, without any warning, and hijacked to anywhere the hijacker decides to point it. This could be your competitor, a derogatory site, some site with atrocious content they want to make people believe you are affiliated with... anywhere they choose. How many places on the Internet use your email address as the means of identifying you if you forget a password? Online banks do this as a matter of course. If hijackers control your domain name, they can also intercept your email. How badly can one malicious criminal hurt you through one simple act?

It could happen to you tomorrow. All it takes is for one malicious criminal to set their sights on you, and if you haven't prepared yourself, they can hijack your domain name. They can do it merely by sending one single email, without knowing any of your private or personal information. This is the situation the vast majority of domain name holders are in, the ones who have registered domain names with Network Solutions. This article is about Domain Hijacking, and how Network Solutions has let this type of situation proliferate, rather than taking steps to make sure your online identity is safe and secure. Domain Hijacking is happening almost every day now, and you don't have to go very far to find someone who has been victimized. Would you like to know how it happens, and how you can prevent it from happening to you? Then please click the link and read the full article. If this has happened to you, feel free to post your experience in a comment.

The vast majority of domain names were registered through an email template system that Network Solutions has used for years. When you registered your name either you or your ISP listed your name and information as the administrative contact and probably the billing contact for your domain name. They may have listed you as the technical contact also, if they did not list themselves there.

In processing your very first domain registration, Network Solutions created a "Contact Handle" for you. This is usually some letters followed by a number or numbers. The letters are usually your initials. My handle, for example, is WXW8, and yours probably looks very similar.

When they created this handle for you, your contact handle was given a "default" security protection method, called Mail-From security. This means that requests to modify, delete, etc, domain names associated with your contact handle must be from the email address listed for your handle.

Network Solutions performs no check other than comparing the "From" address on the email templates that are mailed in to process these modifications. So anyone could send in a template with your contact email address in the From field and make any modification to your domain name that they desire. Network Solutions does email you back an acknowledgement of the modification request, and another email to notify you that the change was processed.

However these criminals hope that you aren't fastidious about checking your email, because the longer it takes you to become aware they have gotten away with this, the longer they can hold your domain hostage. Fridays are a typical day for this to happen, since many businesses don't check their email until the next business day. Long weekends are even more likely to be used by these criminals.

Once you have been victimized, and can provide some sort of proof to Network Solutions, they DO usually act as quickly as possible to rectify the situation. Many times, however, the real damage has already been done. Email for your business may be being redirected, or potential new customers may see a web page that makes them think twice before dealing with your company, or your site may have been pointed to a pornographic or other equally offensive website.

Many people say that NSI cannot be held to blame for this situation. They say that blame rests with the people who do not read the documentation on securing their contact handles on the Network Solutions website. To a certain extent I would agree with this.

However, when this type of thing became as widespread as it has over the last year, Network Solutions should have taken steps that would prevent ALL domain holders from having to worry about this type of hijacking.

Also, Network Solutions does not properly disclose this potential problem, nor do they point you to the web pages on securing your contact handle with a strong message indicating you should do this right away.

Network Solutions currently provides a web based management system for your domain name, where you have to log in with a username and password to make changes to your domain, and this is a much more secure method. The vast majority of domain registrations, however, are still being processed via these same email templates from Network Solutions Premier Partners or Business Account holders. Accounts created through these email templates get the same level of security that is described above.

Indeed, in order to get access to the web based system, you have to register your domain name directly on the Network Solutions website, and pay $119 for their "enhanced service."

This is where I say Network Solutions is to blame. Web based username/password secure authentication has been available, trusted, and easily implemented by companies on the Internet for web based services for a long, long time now. Network Solutions has been aware of the problems with Mail-From security for a long time as well. Their continued use of this weak Mail-From security, instead of developing and using a secure web based system that would be provided to ALL existing and new registrations, is nothing short of negligent. That they require you to pay $119 for the privilege of using a secure web based system is one of the most ludicrous things I have seen Network Solutions do over the years.

Security in your domain name is a right, not a privilege, and as a customer and domain name holder, you have a right to expect that Network Solutions would take every step to make sure that your domain names are secure from this type of criminal hijacking.

Network Solutions should have created a web based registration system for all domain holders, existing and new, and set random passwords for existing domain name holders that they could have emailed to them on request so that they could access their account and manage their domains. This system should not cost more than the default registration price. Charging $49 for access to this type of system, which is what they do now, is nothing short of information superhighway robbery.

Not a week goes by that I do not hear a report on various forums I am on from a business who has been subjected to this type of domain hijacking. The first 2 days of this week alone, I heard of 3 cases. And Network Solutions does not seem prepared to make the necessary changes to fix this problem.

So now you may be asking yourself what you can do to keep yourself from being victimized by Network Solutions' lax security. There are basically two working solutions. There is a third option, PGP signed modifications, however this method is notoriously unreliable and can cause delays of weeks if not months at times, so I will not recommend it or cover it here.

The first method is the Crypt-PW security Network Solutions offers. You can start the process by going to this page on the Netsol site and entering your contact "handle". If you don't know what it is, go to this page and enter your domain name. Next to your name in the Admin/Billing contact area will be a set of parentheses. Your handle is the letters and number(s) inside those parentheses. In the example above of my own handle with Network Solutions, the handle is WXW8. Once you have it, enter it in the first field, then enter your email address in the second field and click modify underneath. Then click submit.

This will take you to a page for your existing security method. If you have not done this before, your current method is Mail-From, and it should already be checked. Make sure it is checked and then click submit at the bottom.

This will take you to a page where you can change your address, phone number, etc. If everything is correct here, just click submit at the bottom.

Next it will ask you to set a new security method. The one recommended is Crypt-PW. To change to this you need to select Crypt-PW, so check the box, and then enter in your new password in both of the boxes provided.

Make certain you select a good password, one you will not forget and is not likely to be guessed by someone else. If you forget your password, there is a way to change it, but it is involved, and can take several weeks sometimes. If you are in this situation and need assistance, email The Domain Helper and one of the Domain Helper Volunteers will try and guide you through the process.

Once you select your password, Network Solutions will encrypt the password, and take you to a page displaying the template and information you are submitting. At the bottom you will see the section on "Authentication." Make sure it says Crypt-PW and that there is an encrypted password there. Then click submit, and Network Solutions will email that form to you.

When you receive it, forward it to hostmaster@networksolutions.com. Make sure you are sending it from the correct email address in your domain registration. Network Solutions will receive it, and depending on how backed up their processing system is, you should receive a notice that they received it. When it is actually processed you will receive a notice that says the modification was completed. At that point, your domain names that use your domain handle are secured.

If you have a third party, such as an ISP, listed as a Technical or other contact for your domains, you should make sure that they have their contact handles secured as well. You can forward them the web address for this article and ask them if their contact handle is secured to protect them and their customers from having their domains hijacked. Many ISPs do not realize that it only takes ONE forged message from any one of the contacts to modify/hijack a domain name as long as that contact is not secured. Some have the mistaken belief that any changes made using their contact handle will cause a message to be sent to them and to you to "Ack" or approve the modification before it is processed. This is not true. If their handle is not secured, and they are listed as the technical contact for your domain, your domain name is at risk. There were some big name ISPs who fell victim to this type of hijacking over the Christmas and New Year's holidays.

From this point on you will have to use the Crypt-PW on all your domain templates to make modifications. Network Solutions will encrypt the password you enter on your modification templates and compare it to the encrypted password you gave them above. If they match, your modification will be processed. If not, they will generate a phony message that says all the contacts were notified and have to approve the modification. No such notification is sent out; the modification is deep-sixed and not processed further.
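The difference between the Mail-From check described earlier and the Crypt-PW comparison described here can be seen in a small model of a template processor. This is an added example, not Network Solutions' code: the handles, addresses, template field names and the use of PBKDF2 as the password encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from email import message_from_string
from email.utils import parseaddr

def crypt_pw(password, salt):
    # PBKDF2 is a stand-in (assumption) for the registrar's password encryption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = os.urandom(16)
# Constructed contact records: handles, addresses and password are made up.
CONTACTS = {
    "AB1": {"email": "owner@example.com", "auth": "MAIL-FROM"},
    "CD2": {"email": "admin@example.net", "auth": "CRYPT-PW",
            "salt": SALT, "hash": crypt_pw("correct horse", SALT)},
}

def parse_fields(body):
    """Read 'Name: value' lines from the template body (hypothetical format)."""
    pairs = (line.split(":", 1) for line in body.splitlines() if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def authorize(raw_template):
    """Return (accepted, reason) for an e-mailed modification template."""
    msg = message_from_string(raw_template)
    fields = parse_fields(msg.get_payload())
    contact = CONTACTS.get(fields.get("handle", ""))
    if contact is None:
        return False, "unknown handle"
    if contact["auth"] == "MAIL-FROM":
        # The only evidence is a header that the sender writes themselves.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        return sender == contact["email"], "From header compared"
    # Crypt-PW: the decision rests on a secret, not on the From header.
    supplied = crypt_pw(fields.get("password", ""), contact["salt"])
    return hmac.compare_digest(supplied, contact["hash"]), "password hash compared"

def template(from_addr, handle, password=None):
    """Build a constructed sample template; nothing is sent anywhere."""
    body = f"Handle: {handle}\nNameserver: ns1.example.org\n"
    if password is not None:
        body += f"Password: {password}\n"
    return f"From: {from_addr}\nSubject: MODIFY DOMAIN\n\n{body}"

if __name__ == "__main__":
    for args in [("owner@example.com", "AB1"),
                 ("admin@example.net", "CD2"),
                 ("admin@example.net", "CD2", "correct horse")]:
        print(args, authorize(template(*args)))
```

For the Mail-From handle the processor has no way to tell who actually wrote the message, while for the Crypt-PW handle a matching From address alone is rejected.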

There is another method of protecting your domains, and it is actually the one I recommend strongly as long as Network Solutions does not create a more secure default system, and insists on charging more for a secured web based system.

Move your domains to a new competing Registrar.

Under the agreements with the Dept of Commerce that let Network Solutions continue their domain registration operation, they had to open the registry to competitive registration services on a wholesale basis, and separate the backend registry part of the business from the front end registration system. Under the agreements, new Registrars have to be accredited with The International Corporation for Assigned Names and Numbers. Network Solutions also had to separate their commercial business from the government-owned Internic name, and maintain the Internic.net website as an independent reference site with links to all the registrars in a non-prejudicial way. So you can go to this page and see a list of the currently active accredited registrars.

You also no longer need to wait till your domain comes up for renewal to transfer it to a more secure registrar. After January 15th, 2000, you could transfer domains at any time, and not lose the remaining time on your domain names. You do have to pay for at least one year with the new registrar, which is just added to your remaining time. This is a small price to pay for security. Most, if not all, of the new Registrars are using web based systems, however not all of them are using secure SSL to secure the entire process using high level encryption so that your secure login information is never passed over the internet in plain text.

I would like to list some that I have dealt with and recommend. Let me state up front that I have absolutely no business relationship with any of these registrars, and am not affiliated with them in any way, and they in no way sponsor this website or any of my projects.

Dotster, Inc is one of the newest members of the Registrar community, and in that time has already impressed me with their professionalism and their customer service. With domain rates as low as $15/yr (special rate until Feb 15th, 2000) and a normal rate of $25/yr, they also offer discounts for bulk registration, ISPs, and for long term registrations. Dotster has recently signed deals for large bulk domain registrations that provide them with a solid and secure financial status that satisfies me as to their stability. They answer customer service requests quickly, and personally, and process registrations and modifications rapidly. They use an entirely web based system, and their system even automatically logs you out after a period of inactivity to prevent you from forgetting to logout and someone coming up on your computer and accessing your account. Also if you are inactive for too long, and then try and access a part of your account, you are prompted to login again. They use secure SSL encryption for their entire registration and account management section.

Register.com also has a web based system, and has been involved in Domain Registration and management services for many years now, and is one of the largest registration services in the world. Their rates are roughly the same as Network Solutions right now, but you have the added sense of security of dealing with a company that has been around for such a long time, and will be here for a long time to come.

Domain Bank, Inc. is another large domain name registration service, who have excelled in providing excellent customer service as well. Their customer service is second to none in the industry, and their management have distinguished themselves in providing a quality service as they transitioned to becoming a Registrar.

There are many other quality domain registrars out there; this list is not meant to be exhaustive, but to provide a reference of some that people here have used and had good experiences with. Some things to look at when selecting a registrar are whether their account management and registration system uses SSL to encrypt all communications between you and their service, thus making sure that your information is totally secure from eavesdropping, whether they DO provide 24 hour access via a web based registration system to your account for making modifications and new registrations, and whether they have a good response to customer service requests. Send them a question, such as asking them if they use SSL for their account management system, and see how quickly they respond, and if you get a personalized response. Don't be shy; if you have a question, ask them. If they don't answer you, feel free to move on to another company. You are the customer, you have a right to expect quality and fast responses, and that they are responsive to your needs and concerns.

If you have domains hosted with Network Solutions, give serious consideration to moving them to a new registrar, and let Network Solutions know why you are moving them. Push Network Solutions to be a responsible Domain Registration Service, and to provide secure account/domain management to all domain holders.

If you have questions about this article, experiences with having your domain hijacked, or other related comments about this subject, please submit them as comments below. If you would prefer to share them privately, the author of this article can be reached at william@dso.net.

Reports of this happening (Score:1, Interesting)
by Anonymous Coward on Wednesday February 09, @10:36AM EST (#1)
While I totally agree with you, why have I never heard any reports of domain theft occurring? (except in cases like etoy.com)