ICANN recommends "Emergency Action Channels" to battle domain hijacking
Marina Del Rey (CA) - Personal deception, the practice of manipulating people rather than technology, is the most effective tool used to hijack the rights to others’ domain names, says a report released Tuesday by ICANN, the organization that maintains the Internet’s IP addresses.
Authored by Dave Piscitello, president of the Core Competence consultancy and a member of ICANN’s Security and Stability Advisory Committee (SSAC), the report argues that, since human beings are the ones being deceived, the countermeasures DNS registrars adopt should be social rather than technological, both to prevent future cases of deception and to react more swiftly to hijacking events.
For instance, Piscitello suggests that, in addition to the round-the-clock customer support most registrars already offer, they could also deploy so-called "emergency action channels," enabling customer support to reach the registrar’s management personnel at any time, day or night, should a hijack situation be confirmed. This full-time access is necessary, the report states, because hijackers will always exploit the weakest links in customer service staffing, as evidenced by the number of hijack attempts made during weekends and holidays.
A domain name hijack takes place when the hijacker successfully passes himself off as the party authorized to request a transfer of someone else’s domain name from one registrar to another. Once the transfer is approved, the hijacker gains access to the domain’s registry record, where he can change the IP address or host name of the victim’s DNS server to that of his own server. As a result, a URL submitted by a browser resolves to the hijacker’s server, which can serve a false page or simply a new and unexpected service.
The ICANN report cites in detail a handful of real-world experiences of domain name hijacking, with varying degrees of impact on the victims’ businesses. In one such incident, the original owner of the domain name HZ.com discovered early this year that his registration had been transferred without his consent to a new registrar, whose contact (Whois) information for the address now showed a company with a suggestive, though not lewd, name. The new registrar demanded proof that the victim was the original owner of the address, and at first would not accept copies of earlier Whois data for HZ.com as more valid than the e-mail requests for transfer that the registrar had apparently received from the original registrar. It is believed that this e-mail may have been successfully spoofed, however, and that it did not originate at the original registrar of record after all, but with the hijacker.
Only when the CEO of the parent company of the new, or "gaining," registrar was contacted by a colleague of the victim was the gaining registrar instructed to revert control over the domain name to the victim. Had an emergency action channel been in place, the ICANN report says, this degree of personal contact might not have been necessary; certainly someone with executive authority below the CEO of the parent company could be trusted to make that decision. But to support that decision, the report adds, more complete audit information should be available to registrars. Backup copies of Whois data would have revealed more readily when and where the victim’s registration had been forged.
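As an added illustration of the hijack described above and of the audit point the report makes, this Python script (not code from the ICANN report or from any registrar) compares a series of backed-up Whois snapshots and reports which watched fields changed and between which two backups, so a registrar could see when and where a registration was altered. The domain, registrar names, name servers and timestamps are constructed for the example.

```python
# Constructed Whois-style records for one domain, as a registrar might keep
# them as periodic backups. All values below are made up for this example.
ORIGINAL = """Domain Name: EXAMPLE.COM
Registrar: Losing Registrar Inc.
Name Server: NS1.VICTIM-HOSTING.EXAMPLE
Name Server: NS2.VICTIM-HOSTING.EXAMPLE
Registrant Name: Original Owner"""

AFTER_TRANSFER = """Domain Name: EXAMPLE.COM
Registrar: Gaining Registrar LLC
Name Server: NS1.HIJACKER.EXAMPLE
Name Server: NS2.HIJACKER.EXAMPLE
Registrant Name: Some Other Company"""

# (backup timestamp, Whois text) in chronological order
SNAPSHOTS = [
    ("2005-01-02T00:00:00", ORIGINAL),
    ("2005-01-09T00:00:00", ORIGINAL),        # weekly backup, unchanged
    ("2005-01-16T00:00:00", AFTER_TRANSFER),  # transfer occurred in this week
]

# Fields whose change signals a transfer or a redirection of the domain
WATCHED = ("Registrar", "Name Server", "Registrant Name")


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (name servers) collect into a sorted tuple."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        record.setdefault(key, []).append(value)
    return {key: tuple(sorted(values)) for key, values in record.items()}


def find_changes(snapshots):
    """Diff consecutive snapshots. Returns (prev_ts, cur_ts, field, old, new) for
    each watched field that changed; the two timestamps bracket when it happened."""
    parsed = [(ts, parse_whois(text)) for ts, text in snapshots]
    changes = []
    for (prev_ts, prev), (cur_ts, cur) in zip(parsed, parsed[1:]):
        for field in WATCHED:
            if prev.get(field) != cur.get(field):
                changes.append((prev_ts, cur_ts, field, prev.get(field), cur.get(field)))
    return changes


if __name__ == "__main__":
    for prev_ts, cur_ts, field, old, new in find_changes(SNAPSHOTS):
        print(f"{field} changed between {prev_ts} and {cur_ts}: {old} -> {new}")
```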
Also, certain non-mandatory documents, such as a "pending transfer notification" sent from the losing registrar (the original one) to the gaining registrar, were waived in this victim’s case. Had the losing registrar sent that notification, the gaining registrar might have had time to make an inquiry; and had the gaining registrar kept a proper audit trail, it would have known whom to ask.