Note To All Registrars: A Simple SMS Text With Pin Would Solve Most Domain Theft Issues

Jan 24 2012

Domain theft is an issue but it doesn’t have to be.  Most registrars don’t even make an attempt to secure your domains other than a username and password to your account.  Godaddy has a security measure that they think is foolproof that involves an account representative calling you at your personal phone number and giving both a four digit pin and a verbal OK to transfer.  No doubt it works but what about weekends, late nights, transfers that need to be done quickly?

When you rely on an agent to handle your transfer your domains you are relying on their time schedule.  They can’t work all the time. Most of the time they’re only going to put in 40 hours a week.  Last week my guy was sick. Sure someone sat in for him but they don’t know my voice.  Not saying he does, but I think we have a good enough relationship that he would know if someone else used my phone and tried to handle the call.  Weekends are extremely frustrating. Anyone willing to pay good money for a domain is willing to wait but I do like to get the money in my hands and the domain in the buyers as quick as possible.  The Internet moves fast.  Telling them they have to wait a few days will occasionally put a little bit of doubt in their head about your honesty. All this is unneeded.  Registrars could easily prevent domain theft with very little cost and save any labor they are already putting into their domain protection.  Here’s how

Setting up a “transfer section” of the registrar would do the trick.  To enter the transfer section you would need to trigger a SMS text (OTP, one time password).  You would combine this OTP with a four digit permanent password that the user picks and enters it in addition to the SMS password that is sent to the user’s phone.  If you keep the four digit password in the transfer section that can only be opened through SMS you have taken away the ability for everyone but the most gifted hacker to steal a domain from you.  Even if they stole your password to get into the account, they couldn’t get into the transfer section.  If they have your phone, they need your four digit personal password.  The chance of them getting all three are very remote.  The last step would be making the customer wait a few days if they lose their pin.  If someone requests a pin change alerts will be sent out and you would have time to check into it and it would make the would be domain theif wait it out and thieves don’t like waiting around.

And all this can be automated and done for pennies per transfer.  The coding, programming, and sms all have costs but certainly would be less than accounts reps (sorry account reps don’t mean to take your jobs away) and who wouldn’t want to have a registrar where your client’s domains are guaranteed safe?  Paypal and my bank have this added security, it’s about time the registrars do as well.

Share This

About the author

Outsmarting the Dumb, Outworking the Smart

View all articles by ShaneCultra


  1. RaTHeaD

    what you just said is one of the most insanely idiotic things i have ever heard.
    at no point in your post did you even approach anything that resembled a rational thought. i think everyone who reads it will be just a bit dumber for having done so. just my opinion… other opinions may differ.

    1. Post author

      Mr. Todaro,
      Ha. Don’t beat around the bush, say what you really mean. Although many will say it’s impossible yet I have no doubt that you are a bit dumber.

  2. Morgan

    I really like the idea Shane! Let’s talk more at DOMAINfest! We’ve been getting a steady stream of theft report on and a system like this would have prevented all of them.

    What you are proposing here could make domains a lot more secure – without requiring a lot of work for the registars! Let’s make it happen!

    (pardon any typos – written on an iPhone on a plane)

  3. Francois

    Good tip.

    We are already doing this at for months with others measures to fight identity usurpation (which is a huge growing plague). No other escrow service do it (for the moment).

  4. Jean-Francois

    This is a very good idea. I support it.

    But a remark based on my experiences with Dynadot’s SMS settings, a similar idea, although not specifically for transfers. Since it was introduced, I attempted several times to activate it. But it did never work. Never did the initial message reach my (Swiss) cellphone – although it is a number registered with Swisscom, the main national telecom service. Dynadot support made several attempts to solve the problem, we tested several ways, but still it did not work. It is extremely strange, since SMS from other (Swiss-based) companies for various purposes (credit card, etc.) reach me instantly.

    Based on that experience, I suggest that such a service should be first thoroughly tested with US and a number of international telecommunication services, in order to avoid such frustrating problems.

  5. George

    I think your idea is plain common sense. Go for it!
    Other than that, there’s just one idiot around here…
    No need to mention his name but, he’s the Dumbest around here.

  6. DomainAnimal

    don’t worry Shane. ’twill all be over soon. one day that ‘monitor’ staring back at you will scan your retinas in real time and relay this information back to a centralized database where it will be connected with IP records from your domain registrar, allowing your domain transfers to be biometrically tracked for your safety and protection. All your domains are belong to us.

Comments are closed.