Domain Protection and Locks
Three Types of Protection for National Domains
Taking control of a registered domain is one of the more serious forms of cybercrime. Reports describing the “kidnapping” or theft of domain names are increasingly common, and such incidents can seriously damage the online presence of companies and individuals. When an attacker takes control of a registered domain or modifies its data, the internet services behind it become unavailable or users are redirected to malicious services under the attacker’s control.
The most common targets of attacks are domains belonging to globally known companies (Google, Facebook, Amazon…), but also other domains that may be of interest or benefit to attackers. Changing domain data and redirecting users of banks or financial institutions can allow attackers to steal user credentials and access their accounts. Attackers are also interested in disabling or redirecting domains of competing companies with successful online operations, as well as domains of political organizations or governments. However, attackers do not target only important domains — they often use any opportunity to demonstrate their “hacking” skills or to deliver political or religious messages.
The consequences of such attacks can be severe:
- Loss of reputation
- Loss of user trust
- Financial loss (drop in sales or compensation to users)
- Loss of confidential and important business data
However, there are security solutions that prevent these types of attacks by locking critical operations on protected domain names. RNIDS is currently the only top-level domain registry that offers users three levels of domain name protection, two of which RNIDS does not charge for:
- Secure Mode
- Client Side Lock (Registrar Lock)
- Registry Lock
Ask your accredited registrar to activate protection for the domain names you use in your business.
Secure Mode
The most common way to “kidnap” a domain is by modifying domain parameters and redirecting users to an internet location controlled by the attacker. This can be done in many ways, but one of the most common involves gaining access to the domain user’s account at the accredited registrar where the targeted domain is registered (via an easy-to-guess password or inadequate system security).
For this reason, RNIDS implemented the option to place domain names into “Secure Mode,” which requires confirmation from the domain’s administrative contact for every change of critical domain data (DNS server changes, enabling full WHOIS data display, modifications of administrative contact data, etc.).
When one of the protected changes is initiated for a domain for which Secure Mode is active, an email is sent to the administrative contact containing details of the initiated changes as well as a link with a time-limited verification code. The requested change will be executed in the RNIDS system only after the administrative contact confirms it by clicking the verification link (within the required timeframe), which passes the verification code to the domain registration system.
Although Secure Mode does not guarantee 100% protection — since the administrative contact’s email account could itself be compromised — it significantly complicates attacks and makes them nearly impossible when good email account security practices are followed. Additionally, this type of domain protection allows very fast changes to protected data without involving the accredited registrar or RNIDS.
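The confirmation flow described above, modelled as an added example (this is not RNIDS code; the registry class, the confirmation URL and the 24-hour validity window are assumptions made for the illustration). The point it shows is what makes the mechanism hold up: the change is parked rather than applied, the verification code is random, bound to that one change, stored only as a hash, single-use, and rejected after expiry.

```python
# Added illustration of a Secure Mode style confirmation flow; not RNIDS code.
# A protected change is parked as a pending request, a single-use, time-limited
# verification code bound to that exact change is mailed to the administrative
# contact, and the change is applied only when that code comes back before expiry.
import hashlib
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 24 * 3600  # assumed window; the page says only "time-limited"


@dataclass
class PendingChange:
    domain: str
    field_name: str
    new_value: object
    expires_at: float
    consumed: bool = False


class SecureModeRegistry:
    """Toy registry holding domain records and pending confirmations (assumed design)."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.domains = {}     # domain -> dict of fields incl. "secure_mode"
        self.pending = {}     # sha256(code) -> PendingChange
        self.outbox = []      # (admin_email, message); stand-in for SMTP delivery

    def add_domain(self, domain, admin_email, secure_mode, **fields):
        self.domains[domain] = {"admin_email": admin_email,
                                "secure_mode": secure_mode, **fields}

    @staticmethod
    def _digest(code):
        # Only the hash of the code is stored, so a leaked pending-change table
        # does not hand anyone a usable confirmation link.
        return hashlib.sha256(code.encode()).hexdigest()

    def request_change(self, domain, field_name, new_value):
        rec = self.domains[domain]
        if not rec["secure_mode"]:
            rec[field_name] = new_value      # unprotected domain: apply directly
            return None
        code = secrets.token_urlsafe(32)     # 256 bits of randomness
        self.pending[self._digest(code)] = PendingChange(
            domain, field_name, new_value, self.now() + CODE_TTL_SECONDS)
        link = f"https://registry.example/confirm?code={code}"  # hypothetical URL
        self.outbox.append((rec["admin_email"],
                            f"Confirm change of {field_name} on {domain} "
                            f"to {new_value!r}: {link}"))
        return code  # returned only so the caller can simulate the contact's click

    def confirm(self, code):
        """Apply the pending change if the code is known, unexpired and unused."""
        if not code:
            return False
        pc = self.pending.get(self._digest(code))
        if pc is None or pc.consumed or self.now() > pc.expires_at:
            return False
        pc.consumed = True
        self.domains[pc.domain][pc.field_name] = pc.new_value
        return True


def demo():
    """Walk through confirm, replay, wrong code and expiry; returns the outcomes."""
    clock = [1_000_000.0]
    reg = SecureModeRegistry(now=lambda: clock[0])
    reg.add_domain("example.rs", "admin@example.rs", secure_mode=True,
                   nameservers=["ns1.example.rs", "ns2.example.rs"])
    code = reg.request_change("example.rs", "nameservers", ["ns3.example.rs"])
    held = reg.domains["example.rs"]["nameservers"] == ["ns1.example.rs", "ns2.example.rs"]
    applied = reg.confirm(code)                  # administrative contact clicks the link
    replay = reg.confirm(code)                   # the same link a second time
    bad_code = reg.confirm("not-the-real-code")  # guessed or tampered code
    late = reg.request_change("example.rs", "nameservers", ["ns4.example.rs"])
    clock[0] += CODE_TTL_SECONDS + 1             # contact never clicks; window passes
    expired = reg.confirm(late)
    return {"held_until_confirmed": held, "applied": applied, "replay": replay,
            "bad_code": bad_code, "expired": expired,
            "final": reg.domains["example.rs"]["nameservers"]}


if __name__ == "__main__":
    print(demo())
```

The change request is accepted from whoever holds the registrar account, which is exactly the attacker's position in the scenario above; the domain record itself only moves once the mailbox of the administrative contact produces the code.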
Client Side Lock (Registrar Lock)
This type of domain protection is also known as Registrar Lock. It prohibits all changes to a domain in this status except renewal of the registration.
This protection level provides a high degree of security but also depends on how it is implemented by the accredited registrar. If a registrar allows unlocking such protected domains through their portal without additional security measures (strong passwords, two-factor authentication, SSL encryption), the user’s account can easily be compromised, which would allow the attacker to unlock the domain.
As with Secure Mode, this type of domain locking provides sufficient protection for most domain names, and the possibility of abuse is nearly eliminated if the registrar provides adequate protection through secure portal access or disallows automatic unlocking without additional verification.
Registry Lock
Considering best practices of top-level domain registries worldwide, RNIDS has implemented the highest level of protection — Registry Lock. This type of domain protection introduces an additional level of verification for unlocking such protected domains and for making modifications. This means that every request for modifying a domain under Registry Lock requires manual authenticity verification, practically eliminating the possibility of abuse or domain “theft.”
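Both the Client Side Lock and Registry Lock sections describe locks that, in the standard EPP model (RFC 5731), appear on the domain as status values: registrar-set `clientUpdateProhibited`, `clientTransferProhibited` and `clientDeleteProhibited` correspond to a registrar lock, and registry-set `serverUpdateProhibited`, `serverTransferProhibited` and `serverDeleteProhibited` to a registry lock; RDAP (RFC 8056) exposes the same values in lower-case, space-separated form. The following added example (not RNIDS code or tooling) audits a domain's published statuses and reports which locks are missing, the check a domain owner would run periodically to confirm the protection is still in place. The RDAP documents are constructed samples, and whether a given registry publishes these statuses for its domains is an assumption to verify against that registry.

```python
# Added illustration, not RNIDS code: classify a domain's lock level from the
# EPP/RDAP status values a registry publishes for it. Sample documents below
# are constructed, not real lookups.
import json
import re

CLIENT_LOCKS = {"client update prohibited", "client transfer prohibited",
                "client delete prohibited"}
SERVER_LOCKS = {"server update prohibited", "server transfer prohibited",
                "server delete prohibited"}


def normalize_status(value):
    """Map 'clientUpdateProhibited' (EPP/WHOIS) or 'client update prohibited'
    (RDAP, RFC 8056) to a single lower-case, space-separated form."""
    spaced = re.sub(r"(?<!^)(?=[A-Z])", " ", value.strip())
    return " ".join(spaced.lower().split())


def lock_level(statuses):
    """Return 'registry lock', 'registrar lock', 'partial' or 'unlocked'."""
    present = {normalize_status(s) for s in statuses}
    if SERVER_LOCKS <= present:
        return "registry lock"      # registry-side locks: only the registry can lift them
    if CLIENT_LOCKS <= present:
        return "registrar lock"     # registrar-side locks: lifted through the registrar
    if present & (CLIENT_LOCKS | SERVER_LOCKS):
        return "partial"            # some locks set, e.g. transfer but not update
    return "unlocked"


def missing_locks(statuses, want_registry_lock=False):
    """Locks a monitoring job should alert on: expected but absent."""
    present = {normalize_status(s) for s in statuses}
    expected = SERVER_LOCKS if want_registry_lock else CLIENT_LOCKS
    return sorted(expected - present)


def audit_rdap(rdap_json, want_registry_lock=False):
    """Audit one RDAP domain object, given as a dict or as JSON text."""
    doc = json.loads(rdap_json) if isinstance(rdap_json, str) else rdap_json
    statuses = doc.get("status", [])
    return {"domain": doc.get("ldhName"),
            "level": lock_level(statuses),
            "missing": missing_locks(statuses, want_registry_lock)}


# Constructed sample RDAP responses; the third mixes in the EPP spelling to
# show the normaliser handling both forms.
SAMPLES = [
    '{"objectClassName": "domain", "ldhName": "unlocked.example", '
    '"status": ["active"]}',
    '{"objectClassName": "domain", "ldhName": "registrar-locked.example", '
    '"status": ["client update prohibited", "client transfer prohibited", '
    '"client delete prohibited"]}',
    '{"objectClassName": "domain", "ldhName": "registry-locked.example", '
    '"status": ["serverUpdateProhibited", "serverTransferProhibited", '
    '"serverDeleteProhibited", "clientTransferProhibited"]}',
]


def audit_all(want_registry_lock=False):
    return [audit_rdap(s, want_registry_lock) for s in SAMPLES]


if __name__ == "__main__":
    for result in audit_all():
        print(result)
```

In practice the `status` list would come from the registry's RDAP endpoint or be parsed out of WHOIS output; the comparison logic is the same either way, and an alert on a non-empty `missing` list catches a lock that was silently removed.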
Requests to activate this service are submitted through an accredited registrar and must include the following information:
- The domain name for which the service is being activated
- The name of the user (registrant) of the domain name
- Contact information for three individuals authorized to give approval in cases of temporary or permanent deactivation of the service, including: full name, email address, and phone number
Deactivation of the service requires manual verification by RNIDS and is performed only based on a written request by the domain registrant, submitted through the registrar, containing:
- The domain names for which the service should be deactivated
- The type of deactivation requested (temporary or permanent)
- The name or full name and handwritten or electronic signature of the authorized person or registrant
The deactivation procedure consists of two levels of request verification:
- After the request for unlocking the domain is submitted, emails are sent to all contacts designated during service activation, requesting confirmation. At least two out of three delegated contacts must approve the unlocking.
- After successful email confirmations, RNIDS contacts the approving individuals by phone for additional verification. Only after receiving confirmation via phone is the service deactivated.
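The two-level deactivation procedure above, written out as an added state machine (example code, not RNIDS's system). It assumes the rule the text implies: at least two of the three designated contacts approve by email, and deactivation proceeds only once the approving contacts have also been verified by phone. Contact names, addresses and numbers are constructed.

```python
# Added illustration, not RNIDS code: state machine for the two-level
# Registry Lock deactivation (2-of-3 email approval, then phone verification
# of the approvers). Contact details are constructed.
from dataclasses import dataclass, field


@dataclass
class Contact:
    name: str
    email: str
    phone: str


@dataclass
class DeactivationRequest:
    domain: str
    kind: str                      # "temporary" or "permanent"
    contacts: list                 # the three designated Contact objects
    quorum: int = 2
    email_approvals: set = field(default_factory=set)  # emails that approved
    phone_verified: set = field(default_factory=set)   # emails verified by phone
    deactivated: bool = False

    def __post_init__(self):
        if self.kind not in ("temporary", "permanent"):
            raise ValueError("deactivation must be temporary or permanent")
        if len(self.contacts) != 3:
            raise ValueError("exactly three designated contacts are required")

    def _designated(self, email):
        return any(c.email == email for c in self.contacts)

    def record_email_approval(self, email):
        """Count an approval only from a designated contact; repeats count once."""
        if not self._designated(email):
            return False
        self.email_approvals.add(email)
        return True

    def email_quorum_reached(self):
        return len(self.email_approvals) >= self.quorum

    def record_phone_verification(self, email):
        """A phone check only makes sense for a contact who approved by email."""
        if email not in self.email_approvals:
            return False
        self.phone_verified.add(email)
        return True

    def ready(self):
        # The quorum must be met by contacts that passed BOTH channels.
        return len(self.email_approvals & self.phone_verified) >= self.quorum

    def deactivate(self):
        if not self.ready():
            return False
        self.deactivated = True
        return True


def demo():
    """Run the procedure step by step; every value in the result should be True."""
    contacts = [Contact("Contact A", "a@example.rs", "000-0001"),
                Contact("Contact B", "b@example.rs", "000-0002"),
                Contact("Contact C", "c@example.rs", "000-0003")]
    req = DeactivationRequest("example.rs", "temporary", contacts)
    steps = {}
    steps["outsider_rejected"] = not req.record_email_approval("mallory@evil.example")
    req.record_email_approval("a@example.rs")
    req.record_email_approval("a@example.rs")          # duplicate vote from A
    steps["one_vote_no_quorum"] = not req.email_quorum_reached()
    steps["early_deactivate_blocked"] = not req.deactivate()
    req.record_email_approval("b@example.rs")
    steps["quorum_by_email"] = req.email_quorum_reached()
    steps["blocked_before_phone"] = not req.deactivate()
    steps["phone_without_email_rejected"] = not req.record_phone_verification("c@example.rs")
    req.record_phone_verification("a@example.rs")
    req.record_phone_verification("b@example.rs")
    steps["deactivated"] = req.deactivate()
    return steps


if __name__ == "__main__":
    print(demo())
```

Keeping the two channels as separate sets, rather than a single counter, is what makes the second level meaningful: a compromised mailbox can produce an email approval, but it cannot by itself satisfy the intersection that `ready()` checks.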