The growth of the digital landscape has seen many organisations either transition their offline business model to online, or simply exist only as an Internet brand. The last twenty years has seen the emergence of global brands that have challenged the traditional model of success by leveraging the power of the World Wide Web, reaching the furthest corners of the globe and never putting up the “closed for the day” sign in the doorway.
The importance of domain names to this growth cannot be underestimated. Organisations such as Ocado and Etsy exist because of the digital world, with one domain name supporting billion-dollar revenue lines. Whilst we have come a long way since the days of Lastminute.com, arguably the first successful pure online organisation, we still have some way to go before we see mass adoption of ecommerce, both from the buyer and the seller point of view.
One challenge that still needs to be conquered is the persistent threat from bad actors online. Those individuals and groups who look to exploit weaknesses in the digital economy for their own financial gains. These threats can take many forms, but one common problem has been with us for many years – domain hijacking. The practice of a fraudster trying to redirect a domain name to a malicious website is fortunately not as much of a headline as it used to be but that doesn’t mean the problem has gone away. There are rumoured to be over 30,000 website exploits per day. Not all will involve large organisation or household brands, nor will all be related to the redirection of primary domain names, but the threat is still real.
It isn’t always fraudsters, looking for financial gain, who attempt to hijack domain names and redirect legitimate traffic. The trend of political activists exploiting domain hijacks as a means to raise their causes is still real and when it occurs, makes the headlines and can cause significant reputational issues for the organisations involved.
Fortunately, a growing number of Top-Level Domain registry operators offer a solution that addresses the problem of domain hijacking called Registry, or Super Lock. This registry-side solution ensures that a domain name’s DNS records cannot be changed unless by an authorised and verified individual. Domain names that utilise registry lock cannot be modified, deliberately or accidently, unless a two-factor authentication process has been completed through the accredited registrar.
Registry locks are a fundamental part of an organisation’s domain security policy. They protect the most critical domain names that may support significant revenue streams, vital internal systems or heavily-invested marketing campaigns. They can be viewed as an insurance policy against cyber threats that could damage revenues and reputations.
Many registrars also offer locks on domain names at their systems level which will provide some protection against malicious actions such as modifications to the domain contact handles, transfer away or deletion of the domain name. However, it is only through the implementation of a registry lock that DNS modifications, or redelegations, can be prevented.
Registry Lock is offered on key TLDs including .Com, .Net, .UK, .AU and .FR. A number of new gTLD registries are now looking at implementing the security feature as well, and there is a growing call for it to be made mandatory for all ICANN-accredited registry operators to implement.
Whilst the process of setting up registry locks varies from TLD registry to registry, the core principles are relatively standard. The registrar of the domain name will set up the registrant contact details within their systems, whilst the registry will have a similar set of details for the registrar. Any request to unlock or relock a domain name has to come through the authorised contact at the registrar, who in turn will need to have verified the request through two-factor authentication with the registrant. Because the request has been authenticated at the registry and registrar level, the possibility of making changes by mistake are almost completely eliminated. It also means that if a bad actor manages to access the registrar system to place an order, it will fail because they cannot be verified by the registry.
The threat posed by those intent on domain hijacking is unlikely to go away any time soon. It is therefore vital that organisations ensure that their critical domain names, where possible, are protected by domain locks. In our next blog we will examine how an organisation can determine which domain names should be locked, and what other alternatives they have as part of a focus on a client-shaped approach.
To learn more about registry locks, please contact us.