A serious form of cyber-crime is one in which criminals take control of a registered domain, resulting in online services becoming unavailable or in users being redirected to services controlled by the attacker.
It is more and more common to hear reports of “domain hijacking”, also known as domain theft. This crime can seriously affect the online presence of a company or individual. These attacks, in which the attacker takes over control of a domain or changes its registration data, result in downtime for online services or in users being redirected to services controlled by the attacker.
The most common targets are domains belonging to global names such as Google, Facebook and Amazon, but attackers will target any domain that might bring them profit in some way. Changing domain data and redirecting the users of a bank or financial institution could potentially allow the attacker to steal user credentials and access their accounts. Attackers may also want to disable or redirect the domains of business competitors with successful online operations, or those of political organisations or governments. But attackers do not only target high-profile domains; they may seize any opportunity to show off their “hacking” skills or to get their political or religious message across.
The consequences of such attacks can be serious:
- Loss of reputation
- Loss of user trust
- Financial losses (reduced sales or compensation made to users)
- Loss of confidential and vital business data
There are, however, security solutions that can prevent abuse by cyber-criminals by locking down critical operations for protected domain names. RNIDS is currently the only top-level Internet domain registry offering three levels of domain name protection to users:
- Secure Mode
- Client-Side Lock or Registrar Lock
- Registry Lock
The most common way domains are hijacked is by the attacker changing the domain parameters and redirecting users to an Internet location that they control. This can be done in many ways but one of the most common is by taking over the domain user’s account held with the accredited registrar (as a result of using an easily-guessed password, or poor security in the system).
For this reason RNIDS has implemented the option to put a domain in Secure Mode, which requires confirmation from the administrative contact for the domain before any change can be made to critical domain data, such as changing the DNS servers, removing WHOIS privacy protection or changing the administrative contact’s data.
When a protected change is initiated for a domain that is in Secure Mode, the administrative contact for this domain will receive an email outlining the requested changes, as well as a link with a time-limited code to approve the changes. The requested change will only be made in the RNIDS system after the administrative contact has confirmed it by clicking the verification link within the expiry period and thereby sending the verification code to the domain name registration system.
Although Secure Mode does not guarantee 100% protection, since the administrative contact’s email account could be compromised, it does make a successful attack significantly more difficult, and indeed almost impossible if good practice has been followed in protecting the email account. This type of domain protection also allows protected data to be changed very quickly without the need for any action on the part of the accredited registrar or RNIDS.
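The following is an added illustration, not RNIDS’s own code, of the Secure Mode flow just described: a protected change is queued, an unguessable one-time code is issued for the administrative contact, and the change is applied only if that code comes back unexpired and unused. The 24-hour expiry and the class and method names are assumptions for the example.

```python
import hmac
import secrets
import time

# Assumed expiry for the emailed code; the real period is set by RNIDS.
TOKEN_TTL_SECONDS = 24 * 3600


class SecureModeQueue:
    """Holds protected changes until the administrative contact confirms them.
    Constructed model of the Secure Mode behaviour, not the registry's code."""

    def __init__(self):
        self.pending = {}   # token -> (domain, requested change, expires_at)
        self.domains = {}   # domain -> current critical data

    def request_change(self, domain, change, now=None):
        """Registrar initiates a protected change; nothing is applied yet.
        Returns the one-time code that would be emailed to the admin contact."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)        # unguessable, single use
        self.pending[token] = (domain, dict(change), now + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, token, now=None):
        """Admin contact follows the emailed link. Apply the change only if the
        code is known, unexpired and unused; otherwise leave data untouched."""
        now = time.time() if now is None else now
        # Compare against every pending code in constant time so that the
        # response time does not reveal how much of a guessed code matched.
        match = None
        for candidate in self.pending:
            if hmac.compare_digest(candidate, token):
                match = candidate
        if match is None:
            return "rejected: unknown code"
        domain, change, expires_at = self.pending.pop(match)  # consumed either way
        if now > expires_at:
            return "rejected: code expired"
        self.domains.setdefault(domain, {}).update(change)
        return "applied"
```

An expired or unknown code never touches the stored domain data, and a code that has been used once is discarded, so a replayed link cannot re-apply or extend a change.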
Client-Side Lock, also known as Registrar Lock, blocks all changes to a domain locked in this way, other than registration renewals.
This type of protection ensures a high level of security, but the way it is implemented varies between accredited registrars. If the accredited registrar permits unlocking of a domain protected in this way via its portal, with no additional security measures (enforcing strong passwords, two-factor authentication and SSL encryption), the user’s account could be compromised and the door opened for the domain to be unlocked by the attacker.
As in the case of Secure Mode, this type of domain locking also provides a sufficient level of protection for most domain names, and abuse is almost impossible provided the accredited registrar has taken all the necessary measures, such as ensuring secure access to their portal and preventing automatic domain unlocking without additional validation.
Following the best practice of top-level domain registries, RNIDS has also implemented the highest level of security – registry-level domain locking. This form of protection introduces an additional level of verification before a domain protected in this way can be unlocked and changes made to it. In practice this means that every request for changes to a domain for which Registry Lock has been activated is subject to manual verification, which all but eliminates the possibility of abuse and domain theft.
Requests for the service to be activated or deactivated are submitted through the accredited registrar and must comprise the following elements:
- The name of the domain for which the service is being activated;
- The organisation name or name and surname of the user (registrant) of the domain name;
- The contact details for three people who are authorised to give approval in the event that a request is submitted for temporary or permanent deactivation of the service. Details must comprise the name and surname of the person, their email address and their telephone number.
Deactivation of the service involves a manual check by RNIDS, and can only be done on written request by the domain name registrant, submitted via the accredited registrar. This application must comprise:
- The name of the domain for which the service is being deactivated;
- The type of deactivation being requested (temporary or permanent);
- The organisation name or name and surname and handwritten or electronic signature of the authorised person or registrant.
The deactivation procedure consists of two levels of verification:
- After an application is submitted for the domain to be unlocked, the contacts named when the service was activated are sent an email with a request to confirm the application. At least two out of the three delegated contacts must give their approval before the domain is unlocked.
- After receiving the required approval from the previous step, RNIDS contacts the individuals who gave approval by telephone for further confirmation. Only once those contacts have given confirmation by phone will the service be deactivated.
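As an added example (not RNIDS’s system), the two-level deactivation procedure above can be modelled as a small state machine: email approvals count only from the three contacts delegated at activation, at least two of them must approve, and the lock is released only after each approver has also confirmed by telephone. Contact names, addresses and phone numbers below are constructed, and the class and method names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    phone: str


@dataclass
class RegistryLock:
    """Registry Lock state for one domain, with the three contacts delegated
    at activation. Constructed model of the deactivation procedure."""
    domain: str
    delegates: tuple                      # the three delegated contacts
    email_approvals: set = field(default_factory=set)
    phone_confirmed: set = field(default_factory=set)
    locked: bool = True

    QUORUM = 2                            # at least two of three must approve

    def approve_by_email(self, email: str) -> bool:
        """Level 1: a delegated contact confirms the emailed request.
        Approvals from anyone not delegated at activation are ignored, and a
        repeat approval from the same contact does not count twice."""
        contact = next((c for c in self.delegates if c.email == email), None)
        if contact is None:
            return False
        self.email_approvals.add(contact)
        return True

    def email_quorum_reached(self) -> bool:
        return len(self.email_approvals) >= self.QUORUM

    def confirm_by_phone(self, phone: str) -> bool:
        """Level 2: the registry calls back only those who approved by email,
        and only after the email quorum has been reached."""
        if not self.email_quorum_reached():
            return False
        contact = next((c for c in self.email_approvals if c.phone == phone), None)
        if contact is None:
            return False
        self.phone_confirmed.add(contact)
        return True

    def try_deactivate(self) -> bool:
        """Unlock only once every email approver has also confirmed by phone."""
        if self.email_quorum_reached() and self.phone_confirmed == self.email_approvals:
            self.locked = False
        return not self.locked
```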