The last couple of days have seen some major concerns raised over email account security and what it means for the security of your domain portfolio. If, like many domainers, you own domain names worth thousands of dollars, you ought to be concerned about your assets’ security.
In this post I will try to reflect on some methods hackers use to get hold of email accounts and subsequently get access to registrar accounts and valuable domain names. Even though some of you may think that I am not helping anyone by revealing these methods, I believe that by discussing these issues we domainers stand a better chance of fighting hijackers and crooks on a more level playing field.
Email account hijacking is not limited to domainers; it happens to people regularly. Sarah Palin’s recent troubles simply highlighted an everyday occurrence mostly caused by email account owner carelessness – sorry Mrs Palin, but it’s true.
So, how do email accounts get hacked? What methods do hackers use? And what methods do they not use?
Fake Provider Back-end
What in fact happens is that SOMESUPPOSEDACCOUNT@yahoo.com collects the information you send them (including your account username and password) and uses those to gain access to YOUR email account.
I guess this method works mainly with people curious about hacking their friends’ / family members’ / lovers’ mail accounts without having a clue about how things really work on the web.
Enticing as it may seem when we watch it in movies, brute force is not a realistic method to get access to email accounts. It would take thousands of years for a supercomputer to brute force its way into a mail account with a computer program trying different permutations of characters to guess the password – so this method is discounted.
Trojans and Key Loggers
Trojans and key loggers are definitely a security concern and can lead to hackers gaining access to your email account.
Trojans are installed in addition to some other software you download and execute from the web. Upon installation Trojans act as a back door to send sensitive information back to the creator of the Trojan (hence the reference to the Greek legend of Troy).
People usually fall victim to key loggers when using public access web service providers like internet cafes and library computers. Key loggers are programs or hardware that log any keyboard activity in a log file to be read later.
Any decent programmer can easily create a program or website feature to act and look like any other program we know today. You may have seen fake MSN popup boxes appearing on various sites in recent times impersonating the real thing and allowing you to “login” to your MSN account. The recent WordPress.org impersonation also brought this issue to our attention in spectacular fashion, as did the recent eNom phishing emails.
Social engineering is another very common way hackers gain access to people’s mail and registrar accounts. Wikipedia defines social engineering as “the art of manipulating people into performing actions or divulging confidential information.”
How does social engineering work? It’s pretty simple actually. Hackers call the account owner and impersonate a service provider staff member. While discussing their account (mail, registrar, hosting or whatever) they manipulate the account owner into disclosing their account username and password.
Account Owner Carelessness
The story behind the above-mentioned Palin account hijacking describes in detail how her account was hacked directly as a result of her carelessness and naivety. Mrs Palin used publicly known information for her security questions, which allowed the assailant to easily research the information necessary to unlock her account.
So, what can you do to secure your mail account and all your valuable information and assets? Here are some points you should consider when deciding whether your web security procedures and practices are up to scratch.
1. Mail providers DO NOT provide back-end features that allow you to get access to people’s email accounts! (I won’t even go into why attempting to gain access to someone’s accounts is wrong – I’ll leave that to your conscience.)
2. Protect yourself from Trojans and spyware by using antivirus and antispyware software and a firewall, and by refraining from installing programs from non-trusted sources.
3. You should be careful about where you log into your accounts from and consider whether the computers you use are safe and key logger free.
4. When accessing your mail / blog / hosting / registrar / other account, make sure you type the URL yourself rather than follow any links you may receive through your email or follow through a website. Be careful not to misspell your provider’s URL to further help avoid falling victim to phishing scams.
5. Service providers will never call you to ask for your password. They have direct access to all your information in their database and if need be they can access it directly themselves. Someone asking for your password over the phone is a strong indicator they are attempting to manipulate their way to your account details.
6. Choose your account security questions carefully. Do not use information commonly known to your friends and acquaintances or commonly available on the web, as it may be used to gain access to your account as described above.
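A small link check in the spirit of point 4, added here as an illustration and not taken from the original post: it compares the host in a link against an allow-list of providers you actually use and flags misspellings and borrowed provider names. The domains are constructed placeholders, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed placeholders: replace with the providers you really hold accounts with.
TRUSTED = {"registrar.example", "webmail.example"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a link."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "unknown"
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. Real code
    # should consult the Public Suffix List (e.g. for names under co.uk).
    registrable = ".".join(labels[-2:])
    if registrable in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        brand = good.split(".")[0]
        # A near-miss spelling of a trusted domain (the typo case)...
        if edit_distance(registrable, good) <= 2:
            return "lookalike"
        # ...or the provider's name reused inside some other domain.
        if any(brand in label for label in labels):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    samples = [  # constructed links, as they might appear in an email
        "https://www.registrar.example/login",
        "https://registar.example/login",
        "http://registrar.example.secure-login.test/",
        "https://news.test/story",
    ]
    for link in samples:
        print(f"{classify(link):9}  {link}")
```

A "lookalike" result means the link deserves suspicion, not that it is proven malicious; short provider names will produce false positives.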
And finally, even if you fall victim to hackers who gain access to your email accounts, you can make sure that you do not lose your domain names by using features like the Moniker MaxLock or something similar from other registrars if it becomes available.