5 March 2014
On 15 January 2014, the Hong Kong Internet Registration Corporation Limited (HKIRC) announced a new security service, ".hk LOCK", for domain name owners of ".hk" or ".香港". The service offers domain name registrants protection from "domain hijacking".
"Domain hijacking" is to be distinguished from "domain name hijacking" — the latter is also known as "cybersquatting" and refers to the practice of registering domain names which are identical or confusingly similar to another person's trade mark. Domain name hijacking can be combated by dispute resolution mechanisms such as the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Uniform Rapid Suspension System (URS).
By contrast, "domain hijacking" generally refers to unauthorised access to, or change of, the registration particulars of a domain name, or even the unauthorised transfer of the registration. Domain hijacking is often carried out by hackers who re-direct visitors of the affected website to fraudulent websites, i.e., website defacement. Website defacement may result in (i) damage to reputation, as the attack could be widely publicised and visitors may consequently lose confidence in the official website(s); (ii) damage to revenue, especially in the case of B2B or B2C websites; and (iii) leak of confidential information, since email traffic could be diverted and stolen.
Domain hijackers may acquire personal information of the actual domain registrant from public or illegitimate sources, then go on to impersonate the registrant and convince the domain name registrar to modify the underlying Domain Name System (DNS) records. Some domain hijackers simply hack into the DNS records to do this. It has been reported recently that a number of companies have fallen victim to domain hijacking activities, including The New York Times and Twitter. All these cases involved attacks by a hacker group named Syrian Electronic Army against the domain name registrar, Melbourne IT. The hackers used a phishing email to gain access to a reseller account and proceeded to change the DNS records of multiple domains, including those of The New York Times and Twitter, causing outages to the corresponding websites.
To tackle the problem of domain hijacking, some private domain name registries, such as Verisign, have been offering "registry lock services". This service allows registrants to set the conditions under which their registration information can be changed. For instance, at the highest settings, the registry lock service requires direct, human-to-human interaction and confirmation between the domain name registry and the registrar in order to process a modification or a transfer of the domain name.
HKIRC has now introduced a similar service, ".hk LOCK", which blocks all online access for changes to DNS records of ".hk" domains. With the introduction of this service, DNS records may only be unlocked for modification or transfer at the request of certain authorised persons appointed by the domain name registrants. Each domain name registrant may only nominate a maximum of three authorised persons who have the authority to change DNS records. An authorised person's identity is then verified by HKIRC's staff each time a request for change of DNS record is made. To avoid abuse, HKIRC will only unlock the DNS records for a short interval of 15 minutes after the identity of the authorised person has been verified. HKIRC charges a fee of HK$2,000 per year for its ".hk LOCK" service. The service is available directly through HKIRC and its accredited registrars.
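The unlock procedure described above can be modelled as a small policy check. The following is an added example, not HKIRC's code: the class, method and person names are hypothetical, the event list is constructed, and it assumes a change arriving exactly at the end of the 15-minute window is refused.

```python
from datetime import datetime, timedelta

MAX_AUTHORISED = 3                      # limit stated in the article
UNLOCK_WINDOW = timedelta(minutes=15)   # interval stated in the article
# Hypothetical model of one locked domain (not HKIRC's implementation).
class RegistryLock:
    def __init__(self, authorised):
        self.authorised = set(authorised)
        if len(self.authorised) > MAX_AUTHORISED:
            raise ValueError("at most three authorised persons may be nominated")
        self.unlocked_until = None  # None means the DNS records are locked

    def request_unlock(self, person, identity_verified, now):
        """Staff-handled unlock request; returns (granted, reason)."""
        if person not in self.authorised:
            return False, "requester is not an authorised person"
        if not identity_verified:
            return False, "identity not verified by registry staff"
        self.unlocked_until = now + UNLOCK_WINDOW
        return True, "unlocked"

    def apply_change(self, now):
        """Attempted DNS record change; returns (accepted, reason)."""
        if self.unlocked_until is None:
            return False, "locked"
        if now >= self.unlocked_until:
            self.unlocked_until = None  # window over: fall back to locked
            return False, "unlock window expired"
        return True, "change accepted"

# Constructed sample events: (minute offset, kind, person, identity verified)
SAMPLE = [
    (0, "change", None, False),       # online change while locked
    (1, "unlock", "mallory", True),   # not one of the nominated persons
    (2, "unlock", "alice", False),    # nominated, but verification failed
    (3, "unlock", "alice", True),     # verified: window opens until minute 18
    (10, "change", None, False),      # inside the window
    (18, "change", None, False),      # window has just closed
    (19, "change", None, False),      # locked again
]

def replay(lock, events, t0=datetime(2014, 3, 5, 9, 0)):
    """Run events against the lock; return each (ok, reason) result in order."""
    results = []
    for minute, kind, person, verified in events:
        now = t0 + timedelta(minutes=minute)
        results.append(lock.request_unlock(person, verified, now)
                       if kind == "unlock" else lock.apply_change(now))
    return results
```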
The introduction of ".hk LOCK" offers ".hk" domain name owners an extra layer of protection against domain hijackers. In addition, it is not uncommon for employees of the domain name owner to make unintentional errors in DNS records, which may cause just the same level of damage. The lock service will also provide protection against such inadvertent errors.
Given the increasing threats to cyber-security, this service is to be welcomed by domain name users in certain industries, such as:
- banks and financial institutions, governmental departments, utilities and public services;
- brand owners with an active online presence;
- online shops, online service providers;
- businesses that communicate confidential or sensitive information with their clients;
- owners of websites with high traffic volumes.
It is expected that domain name owners which operate in these industries will subscribe to ".hk LOCK" services.