
My website was stolen by a hacker and I got it back - RonileSille13
http://www.ramshackleglam.com/2014/04/01/my-website-was-stolen-by-a-hacker-and-i-got-it-back/
======
euphemize
> 1. Have a really, really good password, and change it often. Your password
> should not contain “real” words (and definitely not more than one real word
> in immediate proximity, like “whitecat” or “angrybird”), and should contain
> capital letters, numbers and symbols. The best passwords of all look like
> total nonsense.

[http://xkcd.com/936/](http://xkcd.com/936/)

But really, I'm a bit puzzled by her 5 "recommendations". Turn off your
devices while you're not using them? I feel like the most important one is
missing - don't use HostMonster or Godaddy, their representatives are not paid
enough to care about the implications of you losing your domain name.

~~~
lelandbatey
To follow up, I will say that my favorite way to create a password is to use
sayings from two or more of your favorite books or other sources.

So, if you like Harry Potter and Ender's Game, what are the phrases that come
to mind?

    Harry Potter - expelliarmus
    Ender's Game - win all the future fights

Now you have a great password: "winallthefuturefightsexpelliarmus". Nice and
long (33 chars), with some made up stuff. Maybe tack some numbers on the end.

~~~
pilom
Modern password crackers are pulling all of wikipedia and youtube for seed
words. If your words are in either of those, don't expect the password to
stand to a dedicated attacker.

~~~
riquito
There are 1160290625000000000000000 combinations of 5 words with a dictionary
of 65000 words. That's not brute-forceable. If you take existing phrases it's
another story, but random words works well.

~~~
pilom
Being a little loose with my estimates and a bit of Fermi Math, that's only
about 300 years of computing time on a small home built GPU cluster.

Basically tells me that 4 random words are definitely crackable and 5 are
theoretically possible (and definitely doable with 5-10 years of Moore's law)

~~~
dllthomas
lg(65k^4) is very nearly 64. If you worry about 4 random words being brute
forced, you should worry about 64 bit symmetric keys being brute forced. I
don't know where the current recommendations come down on that.
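
Added example, not part of any commenter's post: the figures argued over above (65,000^5 combinations, lg(65k^4) being very nearly 64, and the 300-year estimate), reproduced next to a passphrase generator that draws words uniformly with a CSPRNG. The function names and the 16-word demo list are constructed for illustration, and the guess rate is only the one implied by the 300-year estimate, not a measured figure.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed 16-word demo list. A real list needs thousands of entries
# (the thread assumes a 65,000-word dictionary).
DEMO_WORDS = [
    "anchor", "breeze", "copper", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def keyspace(dictionary_size: int, words: int) -> int:
    """Number of equally likely passphrases when words are drawn at random."""
    return dictionary_size ** words


def entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits; only valid for uniform, independent word choices."""
    return words * math.log2(dictionary_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count that reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def implied_guess_rate(dictionary_size: int, words: int, years: float) -> float:
    """Guesses per second needed to try the whole keyspace in `years`."""
    return keyspace(dictionary_size, words) / (years * SECONDS_PER_YEAR)


def years_to_exhaust(dictionary_size: int, words: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a given guess rate."""
    return keyspace(dictionary_size, words) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, words: int, separator: str = " "):
    """Return (passphrase, entropy_bits) using the OS CSPRNG for every pick."""
    unique = sorted(set(wordlist))  # duplicates would overstate the entropy
    if len(unique) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    if any(separator in word for word in unique):
        raise ValueError("separator must not occur inside a word")
    picks = [secrets.choice(unique) for _ in range(words)]
    return separator.join(picks), entropy_bits(len(unique), words)


if __name__ == "__main__":
    print("5 words from 65,000:", keyspace(65000, 5), "combinations")
    print("4 words from 65,000: %.2f bits" % entropy_bits(65000, 4))
    rate = implied_guess_rate(65000, 5, 300)
    print("rate implied by the 300-year estimate: %.2e guesses/s" % rate)
    days = years_to_exhaust(65000, 4, rate) * 365.25
    print("4 words at that rate: %.1f days" % days)
    print("words needed for 80 bits:", words_needed(65000, 80))
    phrase, bits = generate_passphrase(DEMO_WORDS, 5)
    print("demo passphrase (%.0f bits, demo list only): %s" % (bits, phrase))
```

The entropy figure holds only when every word is picked at random from the list; a phrase taken from a book or song is one entry in a much smaller set of known phrases.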

------
mcherm
I am curious: does anyone here on HN have a registrar to recommend who they
know (preferably from experience) would actually be more helpful in this
circumstance?

Because from the sound of it, the unwillingness of the registrars (both of
them) to take action here without being compelled to by a lawsuit is the root
of the problem. The FBI's willingness to be helpful is nice, but doesn't solve
the root problem, and as a law enforcement agency they can only really help in
cases where they manage to "catch the criminal". And paying off the criminal
just isn't an acceptable solution (although stopping the payment immediately
is cool and all).

I would be willing to select a registrar on the basis of their policies, not
their prices. Policies like this sort of dispute resolution and policies about
how they handle DMCA notices or government subpoenas (and non-subpoenas), if
only I knew which registrars had the best reputations for these things.

~~~
shiftpgdn
Look at it from GoDaddy's point of view: This woman is claiming she has
rights to a domain in one of their customer's accounts. As far as they know it
was legitimately transferred in by one of their paying customers. Her real
issue rests with HostMonster and the ICANN dispute resolution system.

~~~
unreal37
GoDaddy could seize the domain until the dispute is settled. If everyone
recognized she was the previous owner, that should be enough to cause an
investigation into the transfer.

Not saying a claim from anyone should cause a seizure, but the legitimate
previous owner should be able to dispute it for a time period. Domains are
stolen all the damn time.

~~~
shiftpgdn
I worked in webhosting for nearly a decade so I'm quite familiar with the
volume of fraud and stolen domains. But to play the devil's advocate, how would
you feel if somebody claimed a domain you own was stolen just to freeze your
account and waste your time? You'd be furious at GoDaddy for freezing your
account over a fictitious claim.

~~~
philbarr
They only need to freeze the account if the domain was moved very recently.

~~~
dsrguru
This. I want to upvote this comment a hundred times. If there's a dispute
_with probable cause_, temporarily freezing the domain while launching an
immediate investigation seems by far the best balance of thwarting domain
theft and minimizing fraudulent claims.

~~~
shiftpgdn
By ICANN policy domains can only be moved once every 60 days. Did you want the
domain name taken offline?

~~~
dsrguru
I'm not very familiar with their policies. Does that apply even in the case of
theft? Didn't the article's author recover her domain within a few days?

~~~
shiftpgdn
No matter what, you are only allowed to move domains once every 60 days.
It is to prevent somebody from stealing a domain and moving it through 10
different registrars to wash the history of ownership.

------
zackmorris
I wonder if she or her husband ever accessed any of their accounts using their
cell phones. I've seen tons of stories lately about Samsung Galaxy phones
being compromised so at this point I just assume that if top of the line
phones are pwned, then all cell phones are.

I'm kind of shocked that there have been no class action lawsuits on phone
manufacturers. Especially from banks.. just imagine the liability of millions
of customers getting keylogged no matter what the bank uses to secure its site
(even two factor authentication). It's almost unfathomable.

Someone really should make a one time pad login that doesn't work a second
time even if you look over the user's shoulder. For example their password
could be their favorite song and the site would ask them to enter the 2nd, 3rd
and 4th letters of the 5th, 6th and 7th word respectively or something. Or how
about a custom grid of letters printed on the back of the phone they’d look up
positions on so it would have to at least be in someone's physical possession.
Or how about a dongle in the headphone jack that's hardcoded and can't be
hacked, that the user would type rolling codes through. There has to be a
better way of doing this!

------
noonespecial
I feel for her but I do need to point out that some of the suggestions she
makes for making it easier to get her stolen domain back would also make it
easier for bad actors to cause mischief in the first place. But GoDaddy sucks.
True dat.

~~~
poopsintub
GoDaddy has two-step authentication. If you make any type of money off of a
website or other account, you should use two-factor authentication. Facebook,
email, and godaddy would be a decent start. A similar incident occurred when
the man lost his $50k? twitter account because he didn't use two-factor
anywhere.

~~~
the_ancient
Godaddy also has proven their Phone Support personnel are easy victims to
social hacking, which negates any electronic security. If I can call up
godaddy and have them change account details or the mobile number on the 2
factor settings then your 2 factor security is pointless.

GoDaddy may have great electronic protections, but I do not trust their phone
support personnel at all.

------
thejosh
So apart from the 4 pretty much "how not to happen", try using a host that
supports 2FA.

~~~
astrodust
Got a list? It seems like every day GoDaddy is leaking domains.

I've been using Hover a lot, but I'm not sure what their exposure is like.

~~~
zrail
Namecheap does 2FA.

~~~
potench
Curious why this is being down voted? Is it because namecheap does not offer
2FA? Seems to simply be answering the question above.

~~~
r1ch
For me, their 2FA is essentially unusable. It uses a UK SMS gateway (no Authy
/ Google Authenticator support) and out of the 20 or so times I've tried to
set it up, only once has the code actually come through to my phone. I've had
an open support ticket for 6 months, 3 months since the last reply.

~~~
zrail
I just set it up (US cell phone) and it took less than 5 minutes end to end.
Have you tried lately?

------
devanti
I'm curious as to how the FBI helped, because it doesn't really say in the
article

~~~
Fuxy
They were considerate I guess and they asked a lot of questions.

Not sure if they did anything useful but they certainly looked more interested
than GoDaddy.

------
coldcode
I never trust shared hosts provided by a registrar. I have my own blog
software running on AWS and I am the programmer and only user. The fewer
people involved is better security but that's not generally possible for the
average person. At least I can't lose both the domain and the content.

------
Kiro
How was it hacked? I find that info in the article except that they used
HostMonster's email confirmation system somehow?

~~~
shiftpgdn
Sounds like it was just social engineered out of HostMonster. Almost all of
the EIG hosts (HostMonster, BlueHost, iPage, HostGator, etc) use awful
outsourced support that are only rated on amount of tickets closed/solved.
They are very lackadaisical with customer information and verify accounts
based on the last four digits of the card used. I'm guessing the "hacker" in
this case guessed the last four of the card via livechat or a support ticket
and then got in and moved the domain over to GoDaddy.

~~~
chomp
"I remembered the notification from YouTube that someone had accessed my
account from a different location – a notification I had ignored, assuming
that I had logged in on a mobile device or that my husband had accidentally
logged into my account instead of his own."

All of her accounts were compromised - seems more likely to be malware than
social engineering.

Also the hosts you mentioned use in-house support.

~~~
shiftpgdn
Actually many of their support staff are outsourced through GlowTouch which is
an Indian based support firm. It's in the EIGI S1 filing here:
[http://secfilings.nasdaq.com/filingFrameset.asp?FileName=000...](http://secfilings.nasdaq.com/filingFrameset.asp?FileName=0001193125-13-361255%2Etxt&FilePath=%5C2013%5C09%5C09%5C&CoName=ENDURANCE+INTERNATIONAL+GROUP+HOLDINGS%2C+INC%2E&FormType=S-1&RcvdDate=9%2F9%2F2013&pdf=)

~~~
chomp
Yeah, they are in charge of Hostgator India. They have no reach into the US
based brands.

Source: I work at one of the aforementioned brands.

~~~
shiftpgdn
Unless you're in Burlington you probably aren't familiar with the brands you
don't work at. Most of them have support provided through GlowTouch. Even
HostGator USA has GlowTouch Indians doing transfers and helping in ticket
queues.

~~~
Kiro
Source? You just replied to someone who works there and who specifically said
"They have no reach into the US based brands.".

------
ChuckMcM
It is not reassuring to see the level of compromise, the cost of disclosure,
and the abuse of antiquated protocols rising faster than the institutions that
depend on them can respond. In particular there was a lot of resistance early
on to using credit cards on the Internet, now it is nearly compulsory, and yet
many of the fears that banks and others raised in the early days of e-commerce
are coming to pass.

I have to believe there are some seriously rich criminals out there. What do
they expect to do with their ill gotten gains?

------
andrewljohnson
Simple way to secure your passwords:

* 1) Use 1Password to generate and store them

* 2) Use DropBox or similar to share your encrypted vault between your devices

* 3) Secure your shared vault with a strong computer-generated password, and keep it written down somewhere

I wonder why strong password management isn't built into operating systems,
thus educating everybody and making them ubiquitous. What am I missing? Where
is MacPass? WinPass?

The advice on the blog and this comment thread isn't any good, but there's
really no good advice besides use a password manager.

~~~
axman6
OS X/iOS have cross device password syncing using keychain these days.

------
jstalin
I don't see how much she paid to get it back. A civil suit filing with a
demand for a temporary restraining order and preliminary injunction could be
filed in a few hours and since godaddy and hostmonster are US companies, they
would have had to comply. She'd have her domain back in a matter of hours for
maybe a couple grand.

~~~
ShaneOG
She didn't pay anything. She stopped/cancelled the wire transfer

~~~
sireat
This was the most interesting (unique) thing about the whole ordeal.

I did not realize that wire transfers can be cancelled after the receiver has
already had the funds placed in the account (else the thief would not have
released the domain).

~~~
jacquesm
It's an escrow service, _not_ a wire transfer company.

The bit that I don't get is that escrow.com (the one party that didn't
actually do anything wrong here) now has acted in a way which they probably
should not have done, from their point of view the transaction actually _is_
legit (buyer has control of the domain name, so funds should be released).

If Escrow.com can't be trusted to release the funds when the recipient has the
goods then what point is there to use them in the first place?

~~~
epsylon
That's what surprised me as well, but maybe the FBI intervening in the case
was what pushed them to not honor the wire transfer.

~~~
nick_14
I use Escrow.com a lot as a domainer, so I was initially concerned that a hold
could be placed on the wire transfer after receiving the domain. The whole
point of Escrow.com is that you are not able to cancel wire transfers and run
away with my domain. However, it looks like they were operating under special
circumstances due to the FBI investigation. Brandon Abbey is the president of
Escrow.com and said “Escrow.com is holding the funds based on the proper legal
authorities filing the necessary paperwork with the judicial system. We
strictly follow the Escrow Law. That is what licensed escrow companies do.”
Looks like it was just not explained correctly in the initial article.

------
zacinbusiness
I am absolutely shocked at how simple it is for this sort of fraud to take
place. If someone calls GoDaddy, for instance, and says "Hi, I'd like to
transfer a domain name. Here's all of my proof that I am who I say that I am."
I understand that GoDaddy, ever dutifully obliged to their customers, will
transfer the domain with haste. However, should there not be some sort of
probationary period? 45 days or so where both GoDaddy and the new "owner" of
the domain both have full, master control? It seems to me that an account
manager in GoDaddy could handle this task easily enough. Simply coordinate
with the new owner, notify that there's a dispute, and lock everything down
until a resolution has been completed. Am I missing something here or are
these companies simply lazy and unmotivated?

------
quackerhacker
Is there any domain registrar that offers 2 factor authentication to make
changes that are detrimental to a site?

I have Network Solutions, KVC Hosting, and have tried 1and1, but all of
them...from a security standpoint...are lackadaisical when it comes to
security.

Network solutions WANTS their clients to bundle userid's into 1 account...that
makes it easy.

KVC, I emailed them to update my domain contact info, then I transferred one
of my domains out with that new email.

I never did any test with 1and1...but then again the 2 above (with kvc and
netsol) weren't even tests.

Another security breach involving GoDaddy(1)?

(1): Naoki lost his twitter ([https://medium.com/cyber-security/24eb09e026dd](https://medium.com/cyber-security/24eb09e026dd))

~~~
tombrossman
Gandi, mentioned several other times in this thread, also supports 2FA.
[https://wiki.gandi.net/en/contacts/login/2-factor-activation](https://wiki.gandi.net/en/contacts/login/2-factor-activation)

You can also create a second account there and delegate limited rights to it
for making changes. The odds of losing both accounts are remote.

~~~
resistor3672
Gandi also does IP restriction: [http://wiki.gandi.net/en/contacts/login/ip-restriction](http://wiki.gandi.net/en/contacts/login/ip-restriction)

------
lutusp
The most unfortunate part of this story is that the site owner had to use
underhanded tactics of her own to regain control of her site. She didn't get
her site back by going through formal legal channels, she got it back by using
tactics similar to those used by the criminal she was dealing with. Different
intent and legal standing, but same methods.

It would be interesting to know what would have happened if she had instead
waited for the legal methods to play out. Instead, it's a story of one trick
undoing another trick.

~~~
mannykannot
That's a more unfortunate part of the story than the registrars' inaction? Or
the theft itself? I don't think so.

~~~
lutusp
> That's a more unfortunate part of the story than the registrars' inaction?

Okay, fair enough, I'll give that fact a close second in the rankings. But to
me, the fact that she had to descend to the level of the criminals she was
dealing with, had to do things that under slightly different circumstances
would have made her a criminal, is the most discouraging part of the account.

------
lingben
Here are 3 simple changes that can prevent this:

* use 2 factor authentication (if your registrar doesn't, find one that does or better yet, have ICANN rule that all registrars must have it)

* ICANN rule that says if a domain has been recently moved it can be frozen by previous owner until the matter is cleared up

* whois privacy will not only hide who the owner of the site is but also who the registrar is (if you don't know who the registrar is among the hundreds out there, you can't target the right one with social engineering!)

------
genofon
-Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense

I think this is bad advice. You only need long passwords that are not
feasible for a brute force attack and not trivial (personal data). If you have
a password you can't remember you are going to write it somewhere and that can
be a security issue.

------
joshmlewis
> 2. If possible, use a separate computer (an old one or a cheap one
> purchased for this purpose) for things like banking; if your family computer
> is the same one that you use for bank transactions you risk having your kids
> click on a bad link that results in a hacking.

Or don't let your kids use your work computer when you have very important
privileges at stake? I would definitely keep all of this in a very encrypted
environment that isn't accessible by my kids or anyone else.

------
pjbrunet
Welcome to 1999. This reminds me of when sex.com was stolen with fake
stationery. I see the "unauthorized transfer" in the blog post but I wonder if
she forgot to renew the domain? Happens to good people all the time. I'm not a
lawyer, but in that case, unless she's incorporated as "ramshackleglam"
there's no cybersquatting argument. That's why it's helpful to use your real
name--then a thief has no leg to stand on.

------
blueskin_
>cyber hacking

For when just 'cyber' and just misuse of the word hacking aren't enough.

Edit: >assuming that... my husband had accidentally logged into my account
instead of his own

I think this shows her attitude to security could at best be described as lax.

>3. Turn off your computer and personal devices when they’re not in use.

I... this is... wow, what.

------
whileonebegin
Isn't escrow.com supposed to prevent payments from being stopped after the
domain is released? Obviously, in this case it's justified, but for regular
customers, you don't want escrow releasing a domain and then the buyer stops
payment.

~~~
akcreek
The buyer can't stop the payment as the wire is already complete and money in
escrow.com's account. Escrow.com had to stop the payment and in this case they
did so because there was a request from law enforcement.

~~~
DavidAdams
Yes, I'm pretty sure this is where the FBI comes in. So the solution to this
is: you agree to buy back your stolen property using an escrow service, then
the FBI tells the escrow service not to release the money to a thief.
Eventually you get your money back.

------
driverdan
Don't the companies have the lawsuit issue backwards? By not helping aren't
they opening themselves up to being sued whereas if they immediately fixed the
problem the person would have almost no reason to initiate a lawsuit?

------
abshack
I'm partial to the "t33nz 1o1 \o/" cipher.

    
    
        input: correcthorsebatterystaple
        output: ~~krct^hrs333bttstpl$$:)
    
        input: password
        output: lulz!isma:PASSWORD#sorrynotsorry

------
caleb23
This has a lot of good information in it and I put a lot of time into it, but
I do realize it is hard to read since Hacker News doesn't start things on new
lines. If someone can tell me how to do that if it is possible that would be
great. If not here it is on Pastebin -
[http://pastebin.com/MspKq8sz](http://pastebin.com/MspKq8sz).

Here is what I recommend for website security (this is a lot of advice and is
not perfect - if you want me to write this up in a detailed blog post and
cover more things let me know)... I also provided my contact information at
the bottom if you have any questions or need any help setting this up.

Domain Registrar:

1. Melbourne IT - [https://www.melbourneit.com.au/](https://www.melbourneit.com.au/)
2. Namecheap - [https://www.namecheap.com/](https://www.namecheap.com/)
3. Gandi - [https://www.gandi.net/](https://www.gandi.net/)

- Enable WHOIS protection
- Enable domain locking - if you want more details on how to set this up let me know
- Enable email notifications and make sure you keep your account information up to date
- Log in from a computer using a VPN (I use and recommend proXPN - [https://proxpn.com/](https://proxpn.com/)) which encrypts your connection

DNS

1. Any of the domain registrars mentioned above
2. CloudFlare - [https://www.cloudflare.com/](https://www.cloudflare.com/) (offers performance benefits as well) Their DDOS protection, DNS, and performance benefits are why I use and recommend them. They are not very good in terms of their WAF or website security and that is why I use and recommend Sucuri as well.
3. DNS Made Easy - [http://www.dnsmadeeasy.com/](http://www.dnsmadeeasy.com/)

- Follow advice from passwords section
- Delete unnecessary DNS records
- Enable DNSSEC if possible

Email Hosting

1. I recommend that you use Google Apps for Business - [https://www.google.com/enterprise/apps/business/](https://www.google.com/enterprise/apps/business/).

- Follow advice from passwords section
- Take advantage of the security Google offers

Passwords

1. Create strong passwords using a password generator. I use GRC's Password Generator by Steve Gibson. - [https://www.grc.com/passwords.htm](https://www.grc.com/passwords.htm)
2. Store your passwords in a password manager such as LastPass. - [https://lastpass.com/](https://lastpass.com/)
3. With LastPass use a strong master password, limit login attempts to your country and the ones you travel to frequently, use two factor authentication, don't use a password reminder, don't write down your master password - only memorize it and don't ever share it, change your master password at least slightly every 3 months, and disable logins from the TOR network.
4. Use the same password only once (Don't use the same password on multiple sites).
5. Don't store your passwords in the browser or save them, so you are automatically logged in.
6. Make sure your password is at least 15+ characters (I use 50+ characters) and it contains lowercase letters, uppercase letters, numbers, and special characters.
7. If a site requires a secret question, make sure the answer to that question no one else would know or make it a password or phrase that you would remember.
8. Use the browser add-on HTTPS Everywhere and use Mozilla Firefox or Google Chrome as your browser.
9. Try to not share your passwords - I would like to say never share your passwords, but I know that is not possible :). If you have to share your passwords, do so using LastPass, change the password after they are done, make sure they haven't done anything that looks malicious, have a clear plan of what they need to do, and ask them how long it will take them.

Website Security

1. Backup your site - I recommend and use Sucuri Backups - [http://sucuri.net/services/website-backups](http://sucuri.net/services/website-backups) (it is $5 a month per website)
2. Use monitoring, alerting, and a removal service - I recommend and use Sucuri - [http://sucuri.net/signup](http://sucuri.net/signup)

It is $89.99 per year for one website. The service includes 3 main areas which
are monitoring ([http://sucuri.net/services/website-scan-malware-detection](http://sucuri.net/services/website-scan-malware-detection)),
alerting ([http://sucuri.net/services/alerting](http://sucuri.net/services/alerting)),
and removal ([http://sucuri.net/services/malware-removal](http://sucuri.net/services/malware-removal)).
You can use any of those links for further details.

3. Use a WAF - I recommend and use Sucuri CloudProxy - [http://cloudproxy.sucuri.net/signup](http://cloudproxy.sucuri.net/signup) ($9.99 a month for the most basic plan - the two other plans are $19.98 and $69.93 per month)

4. There could be a lot more in this area, but that should do a pretty good
job for you. If you are using a CMS such as WordPress, Joomla, or Drupal you
have quite a bit more you can do in this area.

Hosting

1. It honestly depends on your needs, so I am not going to recommend anyone
specifically. If you want help with this or anything you can find my contact
information at the bottom.

Network Security

1. Use WPA2 for the encryption protocol
2. Make your network name random
3. Make your password to connect to your network very strong
4. Change the default login credentials to login to your network to a secure username and password.
5. Disable Wi-Fi Protected Setup (WPS)
6. Configure OpenDNS at the router level - [http://www.opendns.com/](http://www.opendns.com/)
7. Follow the passwords section for your passwords

Computer Security

1. Use an antivirus program (Antivirus for Mac by Sophos for MAC computers and Microsoft Security Essentials or Avast for Windows)
2. Use an anti-malware program (Malwarebytes Antimalware and Malwarebytes Anti-Exploit for Windows)
3. Use a firewall (Windows Firewall or TinyWall for Windows)
4. Keep your operating system updated
5. Keep your programs updated (Secunia PSI or FileHippo Update Checker for Windows and AppFresh for MAC)
6. Remove Java and Quicktime if you don't need them
7. Replace Adobe Reader with Foxit Reader or Sumatra PDF
8. Make sure you keep Adobe Flash Player up to date
9. Uninstall programs that you don't need or don't use
10. Only download things from trusted sources (the browser extension Web of Trust would help with this)
11. For your browser make sure you are using Google Chrome or Mozilla Firefox. For Google Chrome and Mozilla Firefox, I recommend that you use Adblock Plus, Disconnect, and HTTPS Everywhere. If you want to be very secure and are somewhat technical, I recommend that you also use NoScript for Mozilla Firefox and NotScripts for Google Chrome.

If you have any questions you can email me at [redacted].

~~~
soulshake
This is really good advice. Some additional things that come to mind regarding
domains:

- enable 2-factor authentication/IP-based login restriction,
- disable password reset via email,
- provide valid registrant data, in case you ever have to prove your identity
- for the extra cautious, contact the provider and ask them to add a note to your file to be extra wary of any requests.

~~~
WickyNilliams
Hey, I'm with Gandi and only after this thread did I realise you offered 2FA.
I would have enabled much sooner had I known it was available.

I know you guys don't often send out emails (and I really appreciate that),
but perhaps a mail shot letting people know it's an option would be
worthwhile. For security stuff I'm happy to receive unsolicited emails.

~~~
soulshake
Hmm, that's a good idea. I'll see what we can do. Thanks :)

------
harvestmoon
The author did not mention that you can pay extra money to lock down a domain.

If it is locked down, it can not be transferred without, iirc, a picture of
your driver's license or something like that. There may also be time delays.
For my valuable sites, I pay for this service.

~~~
rwallace
That sounds like a good idea. How do you do it?

~~~
harvestmoon
Quote from GoDaddy:

Go Daddy offers Protected Registration, which prevents a domain name from
being transferred to another registrar. The product includes our privacy
service, as well as a Deadbolt lock.

Our Deadbolt lock means that in order to cancel the service, you must show
documented proof of your identification, which makes the lock more robust than
a standard registrar lock. This may seem “cumbersome,” but that is the point;
if the domain name is valuable to you, you would be well-served to use product
that safeguards against making it easy for a hijacker to gain access.
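
Added example, not part of the thread or of any registrar's tooling: a check a domain owner can run against their own domain's RDAP record for the transfer lock discussed in this sub-thread, and for the 60-day transfer window and registrar change raised earlier in the discussion. The RDAP response, registrar names and function names are constructed for illustration; the status strings are the standard RDAP values for the registrar and registry transfer locks.

```python
import json
from datetime import datetime, timedelta, timezone

# RDAP status values that block a registrar-to-registrar transfer.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}

# Constructed RDAP domain response; the names and dates are made up.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["active"],
  "events": [
    {"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
    {"eventAction": "transfer", "eventDate": "2014-03-25T09:30:00Z"}
  ],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar B"]]]}
  ]
}
""")


def parse_time(value):
    """Parse an RFC 3339 timestamp as used in RDAP eventDate fields."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registrar_name(rdap):
    """Return the display name (jCard 'fn') of the registrar entity, if any."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def audit_domain(rdap, expected_registrar, now, window_days=60):
    """Return findings worth alerting the domain owner about.

    window_days defaults to the 60-day transfer window mentioned in the thread.
    """
    findings = []
    statuses = {status.lower() for status in rdap.get("status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("no-transfer-lock")
    cutoff = now - timedelta(days=window_days)
    for event in rdap.get("events", []):
        if event.get("eventAction") == "transfer" and parse_time(event["eventDate"]) >= cutoff:
            findings.append("recent-transfer")
            break
    if registrar_name(rdap) != expected_registrar:
        findings.append("registrar-changed")
    return findings


if __name__ == "__main__":
    now = datetime(2014, 4, 1, tzinfo=timezone.utc)  # constructed "today"
    for finding in audit_domain(SAMPLE_RDAP, "Example Registrar A", now):
        print(SAMPLE_RDAP["ldhName"], finding)
```

Run on a schedule against the owner's own domains, a "recent-transfer" or "registrar-changed" finding surfaces an unexpected move while it is still inside the window discussed above.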

------
leccine
I can't understand why people still use GoDaddy. They lose domains to hackers
every week, you can just call them and they are more than happy to change
contact information or email address for you. Freakin' amazing.

~~~
Casseres
I once called a registrar (that I've never heard of before or since) to inform
them that a domain they registered was missing WHOIS data, they asked me what
I wanted to put in for the WHOIS data. I facepalmed. While I wanted the
domain, I wasn't going to steal it.

------
lhgaghl
This is why corporations with 12 million users need to establish personal
relationships with every client. If that was the case, they'd have just known
she was the real owner.

------
kevinchen
I'm unsure why this is relevant to a site like HN. People are compromised all
the time. It's not news. It's not even helpful for avoiding the same mistake:
the author does not tell the details of the attack and gives some pretty bad
advice for avoiding "cyber hackers" (such as turning off your computer to
prevent your email getting hacked).

~~~
quackerhacker
I agree with you with the "bad advice," opinion. There's no glamour or valor
with how she got her domain back. In reality...it appears from her article
that she really just paid to get it back.

So I guess her suggestion is to have $30k stashed to make up for lack of
security. From what I read...she's still out money, even though she did get
her domain back.

~~~
graedus
She retained the money.

 _And then I called the wire transfer company and placed a stop on the
payment._

It's unclear to me how this works. At first, it seems as though she and
Anthony pursued this action independently, which would seem quite risky: risk
of the apparently-fraudulent stop payment not being processed in time, or at
all, resulting in the loss of 30k; risk of legal action from the seller,
however seemingly ridiculous and unlikely, is scary. Later it sounds like
maybe this was done with the FBI's blessing (point 5 under "Here's what to
do").

~~~
akcreek
I (Anthony from the story) negotiated the price with the seller to $3,500. I
had Jordan wire that to escrow.com while we waited for the domain, db and
files to be transferred. We made this decision because nobody was helping
(hosts/law enforcement) and with this action the worst case scenario became
paying $3,500 for the site (assuming the seller didn't back out). After this
the FBI took the case and they were involved in stopping the funds from
transferring.

I'm positive she would have gotten it back eventually even if it did sell to
someone else and they took control, but it could have been a more lengthy
process and her entire living is derived from the website and the business
associated with it. Having it out of her control for any amount of time could
have been very damaging.

I had a Flippa account with history and no visible connection to her so the
seller did not know that I was working with the actual site owner and she was
working with the FBI.

The investigation is still ongoing and I've had some interesting conversations
with the seller (thief is more accurate) since the money was frozen.

~~~
gamebak
I sent you an email to your inbox mentioned in your user profile. Someone
tried to sell me that website as well and I did some research about him (got
his skype, his email, and even his address).

~~~
akcreek
Thanks for reaching out - just sent you an email back.

