If the rise of phishing has taught us anything, it’s that on the Internet, if a digital asset has value, there’s somebody out there who wants to steal it. Whether it’s a bank account password, a credit card number, a PayPal login, or even a magic sword in an online game, there’s a fraudster somewhere trying to misappropriate it for his or her own nefarious purposes.
Domain names have always been a target for such criminals. Companies and individuals doing business online have few assets more valuable than their domain name. It may cost $10 or less to register one, but the domain name is the glue that connects a company to its customers; revenue and brand equity depend upon its security.
Domain theft is not a new phenomenon, of course. Sex.com, for example, was hijacked all the way back in 1995, when there was only one registrar. Its true registrant had to spend years in court to retrieve it. In more recent years, high-profile domains such as Panix.com, Baidu.com and even ICANN.org have been temporarily stolen by attackers using social engineering to exploit process vulnerabilities at domain name registrars.
It’s surprising, given that domain name hijacking predates the creation of the competitive registrar market itself, that the industry has not done more in the last decade to mitigate the risks. ICANN’s Security and Stability Advisory Committee (SSAC) noted as recently as last year that “pure play, secure registration service providers are rare, in part due to the fact that evaluating security measures does not play as prominent a role in customer decisions when choosing a registrar as it should.”
However, registrant apathy regarding security may already be changing, according to a recent survey of savvy registrants.
There are three areas where registrars, in general, have room for improvement when it comes to security.
1. Better Authentication
The simple username/password authentication approach so common at registrars has repeatedly been found vulnerable to social engineering attacks and should not be considered strong enough security for high-value domain name accounts. This is especially true when automated password reminders are available. If all an attacker needs to do is compromise a password or e-mail address in order to have complete control over a domain portfolio, registrants have the right to ask for stronger authentication.
Nowadays, it’s common practice for large financial institutions to allow, or even require, multi-factor authentication before giving customers access to valuable assets. But it’s not just banks. After the phishing black market put a dollar value on World of Warcraft accounts, the game’s developer had to start offering players one-time password tokens, in the form of key fobs, as a second authentication factor, to decrease fraud.
When you think about it, the fact that magic swords are sometimes offered a greater degree of protection than domain names is pretty crazy.
2. Notifications
When someone logs into a registrar domain account they are given virtually the “keys to the kingdom” for that organization’s entire domain portfolio and DNS settings. If domain account access is compromised, then all it takes for the criminal is to log in to the registrar account, change the registrant and other contacts associated with the domain, and then either change the DNS information to point to a new site or transfer the domains to a completely different registrar where it is difficult for the rightful registrant to reclaim the names.
It is time registrants get routinely notified when such changes are made to their domain name portfolio, whether via e-mail, text or perhaps even telephone for the most critical items. The best scenario is to notify two or more authorized employees to provide for shift changes and/or redundancy. Social engineering is the attack of choice for hijacking domains, and it’s harder to impersonate two people than one.
Because e-mail accounts are easier to compromise than phone numbers, using out-of-band communications channels, such as telephone or SMS text message, could also increase security.
3. Access Control
Usually, authenticated registrants have global privileges: they can change name servers, transfer out domains or cancel renewals, for example. The risk of domain hijacking could be further mitigated by employing more granular access controls once a customer has been “authenticated”. Many registrants may wish to use a higher level of security on their primary domains, limiting critical privileges to certain high-status users. The learning curve here could be eased somewhat by the fact that existing registrar Whois records already usually describe at least three roles—the administrative, technical and billing contacts.
Registrars should enable registrants to designate different contacts for different authority levels. This would give registrants the choice of better protection.
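As an added illustration of sections 2 and 3 (example code, not from the article or any registrar’s system), the following Python sketch grants privileges per Whois role, tightens them on domains the registrant marks as protected, and fans out change notifications to at least two other contacts, out of band where a phone number is on file. The role-to-privilege table, the field names and the example.com contacts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed privilege table keyed by the three Whois roles (not any registrar's real policy).
ROLE_PRIVILEGES = {"administrative": {"change_nameservers", "update_contacts", "cancel_renewal", "transfer_out"},
                   "technical": {"change_nameservers"}, "billing": {"cancel_renewal"}}
# Changes that can take a domain away from its owner; on a protected domain only
# administrative contacts may make them, whatever the role table says.
CRITICAL = {"transfer_out", "cancel_renewal", "update_contacts"}

@dataclass(frozen=True)
class Contact:
    name: str
    role: str
    email: str
    phone: Optional[str] = None  # out-of-band channel, when on file

@dataclass
class DomainPolicy:
    domain: str
    contacts: tuple
    protected: bool = False  # registrant opted this domain into the stricter regime
    min_notify: int = 2      # people to notify besides the one making the change

def authorize(policy: DomainPolicy, actor: Contact, action: str) -> bool:
    """Granular check: role privilege, tightened further on protected domains."""
    if actor not in policy.contacts:
        return False
    if policy.protected and action in CRITICAL and actor.role != "administrative":
        return False
    return action in ROLE_PRIVILEGES.get(actor.role, set())

def notify_targets(policy: DomainPolicy, actor: Contact, action: str) -> list:
    """Every other contact hears about the change; critical ones go out of band."""
    targets = []
    for c in policy.contacts:
        if c == actor:
            continue
        if action in CRITICAL and c.phone:
            targets.append(("sms", c.phone))
        else:
            targets.append(("email", c.email))
    if len(targets) < policy.min_notify:
        raise ValueError(f"{policy.domain}: need {policy.min_notify} other contacts to notify")
    return targets

# Constructed sample: one protected domain with the three Whois contacts.
ADMIN = Contact("Alice", "administrative", "alice@example.com", "+15555550100")
TECH = Contact("Tom", "technical", "tom@example.com")
BILL = Contact("Bea", "billing", "bea@example.com", "+15555550101")
EXAMPLE = DomainPolicy("example.com", (ADMIN, TECH, BILL), protected=True)
```

A registrar would call `authorize` before accepting a change and send the `notify_targets` fan-out afterwards, so a single compromised login can neither transfer a protected domain nor do so silently.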
None of these measures needs to be a drain on registrars’ margins. Indeed, once in place, they will save money that is now spent resolving disputes after the fact, by making criminal activity more difficult. Further, with domain name registrants increasingly looking at registrars’ security provisions before they make their purchasing decisions, the opportunity presented by value-added premium services, designed for security and marketed to customers with high-value domain portfolios, should be obvious. Criminals look for the softest targets; with a little effort in just three areas, registrars can significantly improve the security they provide for registrants.
For more reading on this topic, see SSAC’s advisory to registrars on improving security: SAC040.
(Disclosure: I am one of the charter members of SSAC)
Thanks for gently reminding registrars that they need to raise the bar on security in a proactive manner to protect registrants. While SAC040 came out last year, there was an earlier report 5 years ago that covered many of the same issues, yet here we are 5 years later and some registrars still have weak security.
The VeriSign Registry Lock Service was a step in the right direction, although ideally it would have price caps associated with it, and be offered directly to registrants (i.e. lock removed only if VeriSign authenticates in an out-of-band manner with the registrant), as many registrars have yet to offer it.
Another area that could be improved is better audit trails for critical changes. While many folks rely on the imperfect WHOIS history function at DomainTools.com, a central database of all such critical changes would allow easier detection of fishy transactions. Mandatory Verified WHOIS would also help (as criminals would be unlikely/unwilling to verify themselves).
You grossly underestimate the determination of the financially-motivated criminal, I believe. I’m not convinced that mandatory verified WHOIS would make a noticeable dent in cybercrime, particularly in the longer term.
No, I fully appreciate that financially-motivated criminals are ruthlessly economic, and respond to higher operating costs by adjusting their behaviour. The costs of having a criminal create a verified WHOIS would be much higher than that of a non-criminal.
For example, if the method used was to send a PIN code to a physical address (before a domain would resolve, before they could receive a transferred domain, etc.), the innocent person simply gets their mail, types in the PIN, and goes on with their life. Cost to the registrar/registry might be $1 to $2/yr at scale, and that’s per registrant (not per domain). The average registrant might own 10 domains, so the per-domain cost becomes much less.
For a criminal to defeat the above scheme, they’re going to have to recruit others to forward them the PIN codes. As locations get blacklisted over time (there’s a finite limit of physical locations, as compared to infinite throwaway email addresses or stolen credit cards), the costs to the criminals will rise even further. Some might even go to jail, as there are more clues to their true identity when there’s a physical location in the mix.
So, it’s a classic case of signalling from economics. In education, for example, the “cost” of a “smart person” to suffer through university to get a piece of paper is much less than that for a “dumb person”, even if the academic knowledge obtained during those years is worthless. The signal (whether a person is smart or dumb, because they have a degree) is still valuable, though, because costs are different for smart and dumb people, in terms of education.
We have a real-world existing market that demonstrates that financially-motivated criminals are less likely to verify themselves, namely in the Extended Validation (EV) SSL market. What’s the percentage of criminals obtaining an EV certificate, compared to say a domain-control certificate (more lax) or a self-signed certificate?
Occasionally one does see reports about criminals obtaining code-signing certificates, etc., but it’s the exception rather than the rule, and they get quickly revoked. It’d be hard for a criminal to last long if all their domains are fake-verified to one location that is later invalidated/blacklisted.
Of course, we don’t want domains to cost $500/yr through “Extended Validation.” However, I think a PIN code for $2/yr per registrant (not per domain) would be highly effective. Add an extra $5 more (one time fee), and one could simultaneously distribute physical security keys, just like PayPal does at present, for 2-factor security.
Would the system be perfect? Certainly not, as we’ve seen criminals become registrars where extra “verification” is supposed to take place by ICANN. But, you don’t see those criminals creating hundreds or thousands of registrars… the economics just wouldn’t work. However, you do see criminals registering millions of domains.
It does not follow that the costs would be high enough to actually deter any criminal activity of note. If the intention is to deter criminal activity, you’d need to demonstrate that the rise in costs would make crime unprofitable, or at least insufficiently profitable to warrant the associated risks. Your prescription makes domain name registration less convenient and more expensive for everyone; I think it needs to produce a stronger outcome than “reduces profit margins for criminals”.
All cybercrime worth mentioning uses clueless “mules” or other intermediaries to perform any such work. You overestimate the usefulness of the data. You might catch a few incompetents, but the incompetents aren’t the real problem.
What you have is evidence that there are much easier ways for the criminals to achieve their goals than jumping through that particular hoop. There’s not enough to be gained from subverting EV-SSL at this time. It would be a different story if there were an instant payoff to be made via that route. Right now if you want money, you sell fake AV, or engage in browser-hijack click-fraud, or steal online banking passwords, and so on. EV-SSL is currently safe from attack primarily because the money is elsewhere.
People already play whack-a-mole with black-hat domain names. The criminals would just need to adopt new locations slightly faster than the enforcers can whack the old ones, and the status quo would remain stubbornly unmoved. Cybercrime is quite accustomed to the need for “disposable” everything: disposable domain names, disposable IP addresses, disposable money-mules. Disposable locations are a problem they’ve already solved as a part of the credit card fraud business.
I’ll settle for a system which achieves results proportionate to the costs. You’re suggesting the rest of us should bear extra cost and inconvenience in order to fight crime. I want stronger guarantees that crime will feel the hurt, not shrug it off, otherwise the costs are just self-inflicted pain. After you’ve proved that point, we’ll examine the unintended negative consequences for legitimate registrants.