Hover’s Security Best Practices
We’ve been getting a lot of questions about our security policies here at Hover. In light of a recent and high-profile security breakdown at a large registrar, your inquiries are more than justifiable!
We wanted to take the time to answer some of the questions we’ve received, and provide an overview of how we keep your account and domains safe.
Should I be worried as a Hover customer?
Worried? No. Vigilant? Always.
The thought of having a domain hijacked, or finding out someone messed with your DNS is scary. We’re domain owners too, and we all use Hover ourselves. We’re devoted to doing everything in our power to keep your account completely safe and secure. We know how important your domains are to you, and we value your privacy and security just as much as you do.
We’ve got some best practices and advice further down…keep reading!
What are your security policies?
We take every step possible to protect your account and domains across all of our customer service processes. Our advisors have access to event logs of account activities on your domains that they can review when someone calls in.
Unlike other companies, we never verify customers by asking for credit card information, since that info can often be obtained by other means. Instead we have our own secure methods to confirm the email address associated with your account. We would never, under any circumstances, provide anyone with the last four digits of the credit card on a Hover account over the phone or via email.
In the event that a customer’s email address has been compromised, our advisors have the ability to place an immediate lock on the Hover account to prevent further changes while we investigate. Our advisors have access to tools like account access and activity logs that assist them in determining whether anything is amiss in a customer’s account.
At Hover, there is no such thing as filing a “case report” through our website. Verification of identity, if it’s required for whatever reason, is handled personally by one of our in-house customer advisors directly with the customer, over the phone.
And since we’re a relatively small team, all of our frontline staff work closely together in our head office right here in Toronto. We have an active intra-team chat system and in the event a customer needs information from another advisor or “department,” those conversations can happen quickly since they’re literally steps away.
How will you continue to protect me?
We are confident in our password security. And we’re also confident that our support team is very well-trained to ensure account access is only provided to the legitimate account holder. Security is something that we take seriously. As threats and methods evolve, so do, and so will, our security methods and practices.
As a result of this particular incident, we’ve re-prioritized the addition of some new security features to bring you extra peace of mind.
We’ve been working on adding two-step authentication to Hover over the last little while and we’ve moved that project to the very top of the to-do list.
Within a week or two, you’ll be able to add two-step authentication to your Hover account if you want that additional level of security. We’re also planning to add login events to the existing Activity Feed, and we’re strongly considering implementing email notifications for certain account activities.
These are things we’ve been working on over the last couple of months. As mentioned, we’ve moved them to the top of our to-do list because we realize that this is now top-of-mind for many of you and we really want to provide that additional peace of mind where possible.
There will be no additional charge for this enhanced level of security.
What steps can I take to protect myself?
To help maintain the security of your account, we recommend the following:
1. Use a strong password. It’s more difficult for hackers to guess or brute-force passwords with 12 or more characters that include numbers, punctuation and upper and lower case letters. Some good articles have been written that can give you some other tips for creating quality passwords. In addition to having a strong password, don’t go using that good password across multiple different accounts online. The more places that password works, the worse it would be if anyone ever obtained it. And get in the habit of changing your passwords regularly.
2. Keep your account and domain contact information accurate and up-to-date. For those of you who have Hover email on your domain, it’s a good idea to use a different email address as the admin contact on that domain. That way, if your domain were to go offline for any reason, your ability to get notifications about it from Hover wouldn’t be affected.
3. Enable WHOIS Privacy on your domains (where it’s available). This keeps all your personal information, including your email address, from being made public. We include WHOIS Privacy for no extra charge on all domains that support it at Hover so make sure you use it. Changing your privacy settings is as simple as logging in, visiting https://www.hover.com/domains, and checking the box for WHOIS Privacy for all of your domains.
4. Lock your domains. In the event that someone has access to the email address associated with your domain, and they try to initiate a transfer, having the transfer lock on would cause the transfer to another registrar to fail immediately. It’s an additional layer of protection, and like WHOIS Privacy, it’s one checkbox to enable it. Make sure domains in your account are locked.
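One way to audit the transfer lock from step 4 across a list of domains, as an added example that is not Hover's code: it reads each domain's public RDAP record and flags any that carry no transfer-prohibited status. RDAP is not mentioned in this post and is an assumption here, and the sample records are constructed.

```python
import json

# RDAP status values that block a registrar transfer (RFC 8056 maps the EPP
# codes clientTransferProhibited / serverTransferProhibited to these strings).
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}

# Constructed sample RDAP domain responses, trimmed to the fields used here.
SAMPLE_RESPONSES = [
    '{"objectClassName": "domain", "ldhName": "locked.example",'
    ' "status": ["client transfer prohibited", "client update prohibited"]}',
    '{"objectClassName": "domain", "ldhName": "UNLOCKED.EXAMPLE",'
    ' "status": ["active"]}',
    '{"objectClassName": "domain", "ldhName": "nostatus.example"}',
]


def transfer_lock_state(rdap_json):
    """Return (domain, locked, lock_statuses) for one RDAP domain object."""
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    name = obj.get("ldhName", "").lower()
    # "status" is optional in RDAP; a missing array means no lock is asserted.
    statuses = {s.strip().lower() for s in obj.get("status", [])}
    locks = sorted(statuses & TRANSFER_LOCKS)
    return name, bool(locks), locks


def unlocked_domains(responses):
    """List the domains whose RDAP record shows no transfer lock."""
    return [name for name, locked, _ in map(transfer_lock_state, responses)
            if not locked]


if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        name, locked, locks = transfer_lock_state(raw)
        print(f"{name:20} {'LOCKED' if locked else 'NOT LOCKED'} {locks}")
    print("needs attention:", unlocked_domains(SAMPLE_RESPONSES))
```

In practice the JSON would come from the RDAP service for each domain's TLD; any domain the audit lists should have its lock checkbox enabled in the account.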