An interesting point made was to avoid using custom domains for the login emails, since a DNS takeover would compromise your accounts tied to that email.
I think that's missing the point a bit. Using Gmail as your primary address will make you vulnerable to Google arbitrarily (or even justifiably) shutting down your access. We've all heard stories about that.
What you should do is make sure that you trust your registrar. PayPal sure has some questionable practices, but the real culprit in this story is clearly GoDaddy.
> An interesting point made was to avoid using custom domains for the login emails
That's horrible advice. That sort of attitude taken to the extreme means we shouldn't be using DNS for anything ourselves and put everything in Google's (or Amazon's) big bag.
Should I redirect my customers to facebook.com/company as well in fear of someone taking over my DNS?
The lesson from this whole charade is not to trust something as crucial as your DNS to untrustworthy companies like GoDaddy. We've heard the horror stories before, and we keep on hearing them again.
Relying on Google, a company with no direct end-user support and no emergency hotline, to secure the most important thing you have, DNS, is even bigger madness. I've been locked out of a Gmail account before. It took me weeks to get it back, because Google has no support.
So yeah. Get a proper DNS provider, and don't dig yourself deeper into the hellhole you're currently setting up.
The counterargument is that Google's notoriously poor customer care team could ignore your plea when they deny you access to your own gmail address for god-only-knows-what reason. But it's still probably safer to go the gmail two-factor authentication route.
Yes. This seems like his final conclusion. Gave me something to think about.
Wild story coming out today, because I was just setting up a couple of domains/emails today on Google Apps. There's actually a section in the process in which they suggest setting the MX TTL to 1 week.
This is quite frustrating. I don't use Gmail or Google Apps mail, so that I can't be compromised by a malicious insider (however unlikely) or a flaw in their authentication systems. Instead my security is exactly as weak as my registrar's authentication.
I wonder how you would prevent or detect this hack attempt early. Are there services that monitor for DNS changes? Could you up the TTLs on the MX records so that if you did notice a breach, you would have adequate time to resolve it?
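One way to do the monitoring the comment above asks about, as an added example that is not part of the thread and not any commenter's code: save a baseline of the domain's MX and NS answers, re-query on a schedule, and alert on anything that appears, disappears, or comes back with a suspiciously short TTL. The `lookup` helper assumes `dig` is installed and uses 8.8.8.8 as the resolver; the baseline and "after takeover" answers embedded below are constructed so the check runs offline.

```python
"""Detect unexpected changes to a domain's MX and NS records.

Added example, not from the thread.  A saved baseline (dig-style answer
lines) is compared against a fresh lookup; the report lists records that
appeared, records that vanished, and live records whose TTL is below a
floor.  Sample answers are constructed; `lookup` shells out to dig
(assumed installed) when run against a real domain.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable

WATCHED_TYPES = ("MX", "NS")


@dataclass(frozen=True, order=True)
class Record:
    rtype: str   # "MX" or "NS"
    value: str   # normalised rdata, e.g. "10 mail.example.com"
    ttl: int


def parse_answer(text: str) -> list[Record]:
    """Parse `dig +noall +answer` style lines: NAME TTL IN TYPE RDATA."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        rtype = parts[3].upper()
        if rtype not in WATCHED_TYPES:
            continue
        # lower-case and drop trailing dots so cosmetic differences don't alert
        value = " ".join(p.lower().rstrip(".") for p in parts[4:])
        out.append(Record(rtype, value, int(parts[1])))
    return out


def lookup(domain: str, server: str = "8.8.8.8") -> list[Record]:
    """Query a resolver with dig (assumed installed) and parse the answer."""
    text = ""
    for rtype in WATCHED_TYPES:
        cmd = ["dig", f"@{server}", "+noall", "+answer", domain, rtype]
        text += subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_answer(text)


def compare(baseline: Iterable[Record], current: Iterable[Record],
            min_ttl: int = 86400) -> dict:
    """Report what appeared, what vanished, and which live records carry a TTL
    below min_ttl (a short TTL lets a hijacked record propagate quickly)."""
    base = {(r.rtype, r.value) for r in baseline}
    cur = {(r.rtype, r.value) for r in current}
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "low_ttl": sorted((r.rtype, r.value, r.ttl) for r in current if r.ttl < min_ttl),
    }


# Constructed baseline: the zone as it looked when the snapshot was saved.
BASELINE_ANSWER = """\
example.com.\t604800\tIN\tMX\t10 mail.example.com.
example.com.\t604800\tIN\tNS\tns1.example.com.
example.com.\t604800\tIN\tNS\tns2.example.com.
"""

# Constructed "after takeover" answer: MX and one NS now point at a
# hypothetical attacker host, and the TTL has been dropped to 5 minutes.
HIJACKED_ANSWER = """\
example.com.\t300\tIN\tMX\t10 mx.attacker-controlled.example.
example.com.\t300\tIN\tNS\tns1.attacker-controlled.example.
example.com.\t604800\tIN\tNS\tns2.example.com.
"""


def demo() -> dict:
    """Run the comparison on the constructed answers."""
    return compare(parse_answer(BASELINE_ANSWER), parse_answer(HIJACKED_ANSWER))


if __name__ == "__main__":
    # For a real domain: compare(saved_baseline, lookup("example.com"))
    for key, rows in demo().items():
        print(key, rows)
```

On the TTL question: a long TTL on the legitimate MX only helps resolvers that already have the old record cached; anyone doing a fresh lookup after the zone is changed gets the attacker's record immediately, so a long TTL buys time for some senders but is not a substitute for catching the change quickly.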