I consistently say that hijacking is an inherent risk with the domain names we register and manage. We ought to take steps to protect them as much as we can.
Lately, though, I’ve read some articles on a couple of domain hijacking cases involving Google’s free e-mail service GMail. I use it myself, so I was concerned to find out more how or why that happens.
Apparently a popular site called MakeUseOf.com got hijacked on November 2. You can read more about it here.
I once mentioned it happened to a graphic designer last year. From what the author wrote, it turns out it happened to others as well.
Already someone gave a detailed example how it can occur. From what I gathered about it, though, the potential hijacker still needs to access your system somehow to make that happen.
Subsequently Google’s Chris Evans blogged about it. I don’t really consider myself a security expert like some people are, but I kinda agree with Chris that it’ll take visiting either an unknown or virus-infected site to somehow compromise your GMail.
Then again, lots of Internet users aren’t really tech-savvy anyway. Thus, we’ll need to try to educate and help one another out to ensure this doesn’t happen to us.
As Chris and a few others suggested if you’re especially using GMail, make sure to access only the trusted source. Currently it’s https://mail.google.com.
If you’re rather new, you’ll notice the http part has an “s” after it. More often than not, that indicates the website is in a secure environment to (at least try) protect your sensitive data online.
Currently GMail doesn’t necessarily default to that https thing, so you’ll have to manually type that in whenever you access your GMail online. Once you’re logged in, there’s a setting to enable that.
After you log in, look at the upper right-hand portion of your GMail account and look for “Settings” like the one encircled in red below:
Click Settings and you’ll see a General screen. Scroll down and look for this portion:
Click the circle beside “Always use https” and then Save. From then on, it’ll default to https://mail.google.com whenever you want to check it out online.
While at it, make sure that https thing shows whichever email service (especially a free one) you use for your domain registration. One free (hopefully) secure email I know is Hushmail, though I haven’t really gotten around to trying it out.
(Just an FYI: Hushmail was also compromised a few years back, which was eventually resolved. I haven’t seen any recent online report to cast any doubt on their service yet, but feel free to share whatever you might know that can be verified online.)
Additionally, check with your registrar if they can let you use a different one for WHOIS display and another for your actual account that isn’t necessarily shown. For instance, domain registrar Moniker lets me create a WHOIS contact which I can input whatever email address I want (as long as it’s valid, of course).
Then I create another that lets Moniker notify me just in case. My actual email address isn’t necessarily known to the entire world, yet I can check it if I get any updates from them.
Nowadays various registrars allow users to create account “levels” with varying and limited permissions. Check with the one you’re using.
One other thing I sometimes suggest is using your registrar’s privacy service. While it might cause some people to “doubt” you, it can also prevent a potential hijacker from knowing what your actual email address is to somehow compromise.
In any case, decide for yourself which is the best way you’re comfortable with. One of these days I’ll release a short report giving additional steps, so stay tuned.