Imo, the more security the better.

(Charles, don't even start.  :-)  )

Keeping a printed paper record of one's domains is a good idea.

Swerve



> From: George Kirikos <[EMAIL PROTECTED]>
> Date: Tue, 22 Oct 2002 17:29:43 -0700 (PDT)
> To: [EMAIL PROTECTED]
> Subject: Best Practices for Domain Name Security at OpenSRS
> 
> Hello,
> 
> Today I think someone tried to hijack one of my email accounts,
> possibly to steal a domain name. As far as I can tell, they failed. (I
> even got a virus email on a related email address at almost the same
> time, and I don't think that is a coincidence). Anyhow, all my domains are
> now locked (most of the valuable ones were already locked).
> 
> I'm wondering what other "best practices" people are following in terms
> of protecting their domains, and perhaps Tucows/OpenSRS might get some
> valuable input as to possible new features that can be implemented over
> time, to give peace of mind.
> 
> Besides domain locking, are there any other things we can do to protect
> our names? I also make sure to have no electronic record of passwords,
> for example. Also, notification of transfer requests goes to an email
> address which is NOT in the same domain or on the same server as the
> admin account.
> 
> Any other ideas?
> 
> I was thinking that perhaps the Admin address could be cloaked by
> Tucows/OpenSRS in the WHOIS, so that a potentially malevolent
> individual wouldn't know which email address needs to be hijacked. For
> instance, we could have an email address of:
> 
> [EMAIL PROTECTED]
> 
> ('verified' being a subdomain under OpenSRS, or could be a different
> domain) which would then forward the email to one's REAL admin account.
> Anyone subscribing to this "verified" service (at a slightly higher
> fee, presumably), would also be "verified" for the WHOIS accuracy issue
> raised by ICANN at:
> 
> http://www.icann.org/announcements/announcement-03sep02.htm
> 
> and thus have their names be on a 'white-list' for automatic protection
> from WHOIS accuracy challenges.
> 
> I'd mentioned other ideas in the past about hardware tokens (such as
> RSA's "SecurID"), or Digital Certificates, like banks often issue for
> remote access. Phone verification might be another option.
> 
> Perhaps I'm just too paranoid, but just one bad incident can cause ugly
> publicity (e.g. if a top domain like GM.com, EDS.com or BMO.com was
> hijacked, all of which are at OpenSRS), and economic damage.
> 
> What other 'best practices' are folks following, or would like to see,
> to protect their own domains, and domains of their customers/prospects?
> 
> Sincerely,
> 
> George Kirikos
> http://www.kirikos.com/
> 
