A-R53-11

Domains Missing Transfer Lock

Risk:
Moderate
CWE:
None

Domains without a transfer lock lack a key gating control that prevents the theft or unauthorised sale of domains.


Details

Domains are crucial for establishing ownership and control over online services. They not only serve as a measure of authenticity but also carry authority over every asset delegated to that domain. Systems such as TLS, encryption and authentication rely on the trust created by domain ownership: controlling a domain grants access to the publicly trusted certificates, email and verification flows assigned to it.

The domain system is ultimately managed by ICANN (the Internet Corporation for Assigned Names and Numbers), which oversees the top-level domains, while the ownership and administration of individual domains is handled by registrars.

As domains are critical to online operations, most registrars provide additional verification and protection mechanisms to ensure that only authorised and validated requests are actioned. One common protective measure is the transfer lock. A transfer lock can be enabled on a domain so that transfer requests are ignored or rejected until the lock is manually released; until then, no transfer can take place. This additional step ensures that a transfer only occurs after a deliberate request to remove the lock, which can be tracked and recorded, giving the owner direct visibility and control that the transfer process itself may not provide.

Anyone can request the transfer of a domain that has no transfer lock, because the transfer process is deliberately simple enough for small and non-technical teams to manage. For such a domain, a transfer request plus access to the authentication code sent to the domain owner is often all that is required to move it. While the transfer process varies among registrars, many allow a transfer request to be fulfilled with a single authentication code.

From a technical standpoint, all domains are treated equally, so the onus is on the domain owner to apply protection measures proportionate to the value of the domain.

On most cloud platforms, you manage transfer locks through the cloud provider's API, which is usually integrated with the provider's Identity and Access Management (IAM) system. This lets you block the API call that disables a transfer lock, so that without an IAM privilege escalation a domain cannot be unlocked and therefore cannot be transferred. Additionally, any request to disable a transfer lock is logged and can be actioned and monitored via the cloud APIs.
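The IAM-level block described above, as an added example that is not part of this page or of SkySiege's tooling: it builds a deny policy document (usable as an IAM policy or an AWS Organizations SCP) for the real Route 53 Domains actions DisableDomainTransferLock and TransferDomainToAnotherAwsAccount, optionally exempting a single break-glass role so that a deliberate, auditable unlock remains possible. The statement Sid and the role ARN are constructed placeholders, and the policy_denies check only understands the statement shape this function produces; it is not a general IAM evaluator.

```python
"""Build an IAM/SCP policy that blocks removal of Route 53 domain transfer locks.

Added example, not SkySiege's code. The two action names are real Route 53
Domains API actions; the Sid and the example role ARN are constructed.
"""
import json

# Actions that weaken the transfer-lock control: the first removes the lock,
# the second hands the domain to another AWS account outside the registrar flow.
GUARDED_ACTIONS = [
    "route53domains:DisableDomainTransferLock",
    "route53domains:TransferDomainToAnotherAwsAccount",
]


def build_transfer_lock_guard_policy(break_glass_role_arn=None):
    """Return a policy document (dict) that denies unlocking or moving domains.

    With no break-glass role the Deny applies to every principal. With one,
    the Deny is skipped for that role only, so unlocking a domain requires
    assuming a dedicated, monitored role rather than ordinary admin access.
    """
    statement = {
        "Sid": "DenyDomainTransferUnlock",  # constructed identifier
        "Effect": "Deny",
        "Action": list(GUARDED_ACTIONS),
        "Resource": "*",
    }
    if break_glass_role_arn:
        statement["Condition"] = {
            "StringNotEquals": {"aws:PrincipalArn": break_glass_role_arn}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_denies(policy, action, principal_arn=None):
    """True if a Deny statement in `policy` covers `action` for this principal.

    Understands only the shape produced above: explicit action list,
    Resource "*", optional StringNotEquals on aws:PrincipalArn.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        exempt = (stmt.get("Condition", {})
                      .get("StringNotEquals", {})
                      .get("aws:PrincipalArn"))
        if exempt is not None and principal_arn == exempt:
            continue  # the condition carves this principal out of the Deny
        return True
    return False


if __name__ == "__main__":
    # Constructed example ARN; attach the output as an SCP or an IAM policy.
    doc = build_transfer_lock_guard_policy(
        "arn:aws:iam::111122223333:role/DomainBreakGlass")
    print(json.dumps(doc, indent=2))
```

Attached as an SCP, the Deny cannot be overridden by any IAM policy inside the member accounts, which is the property the page relies on: removing the lock then requires a change to the organisation policy itself, which is a separate, logged administrative action.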

Remediation

Review all the domains you own and ensure that every one of them has a transfer lock enabled. Some registrars do not support transfer locks; however, you will receive an error code indicating when this is the case, which can be noted and the domain monitored.
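The review described above, as an added example that is not SkySiege's scanner: it pages through the real boto3 Route 53 Domains call list_domains (each item carries a TransferLock boolean), and in enforcement mode calls enable_domain_transfer_lock on every unlocked domain, treating the UnsupportedTLD error code as "registry has no lock, monitor manually" rather than as a failure. The three domain names, the FakeClient that stands in for boto3.client("route53domains", region_name="us-east-1"), and its refusal to lock the .co.uk name are all constructed so the audit runs offline.

```python
"""Audit Route 53 registered domains for transfer locks and enable missing ones.

Added example, not SkySiege's code. list_domains, enable_domain_transfer_lock
and the UnsupportedTLD error code are real Route 53 Domains API names; the
sample domains and FakeClient are constructed stand-ins for boto3.
"""
from dataclasses import dataclass


@dataclass
class LockResult:
    domain: str
    status: str      # "locked", "unlocked", "enabled", "unsupported" or "failed"
    detail: str = ""


def list_all_domains(client):
    """Follow NextPageMarker until list_domains returns its last page."""
    domains, marker = [], None
    while True:
        page = client.list_domains(**({"Marker": marker} if marker else {}))
        domains.extend(page.get("Domains", []))
        marker = page.get("NextPageMarker")
        if not marker:
            return domains


def audit_transfer_locks(client, enforce=False):
    """Report each domain's lock state; with enforce=True, lock the unlocked ones."""
    results = []
    for d in list_all_domains(client):
        name = d["DomainName"]
        if d.get("TransferLock"):
            results.append(LockResult(name, "locked"))
            continue
        if not enforce:
            results.append(LockResult(name, "unlocked"))
            continue
        try:
            client.enable_domain_transfer_lock(DomainName=name)
            results.append(LockResult(name, "enabled"))
        except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
            if code == "UnsupportedTLD":
                # The registry offers no transfer lock: record it and monitor the domain.
                results.append(LockResult(name, "unsupported", code))
            else:
                results.append(LockResult(name, "failed", code or str(exc)))
    return results


class FakeClientError(Exception):
    """Minimal look-alike of botocore's ClientError for offline use."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeClient:
    """Constructed stand-in for boto3.client("route53domains", region_name="us-east-1")."""
    def __init__(self):
        # Constructed sample inventory: one locked domain, two unlocked ones.
        self.locked = {"example.com": True, "example.net": False, "example.co.uk": False}

    def list_domains(self, **kwargs):
        return {"Domains": [{"DomainName": n, "TransferLock": v}
                            for n, v in self.locked.items()]}

    def enable_domain_transfer_lock(self, DomainName):
        if DomainName.endswith(".co.uk"):  # simulate a registry without locks
            raise FakeClientError("UnsupportedTLD")
        self.locked[DomainName] = True
        return {"OperationId": "constructed-op-id"}


if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("route53domains", region_name="us-east-1")
    for r in audit_transfer_locks(FakeClient(), enforce=True):
        print(f"{r.domain:16} {r.status:12} {r.detail}")
```

Run it first without enforce to get the list of unlocked domains for review, then with enforce once the list has been confirmed; the "unsupported" entries are the ones to add to ongoing monitoring, since no lock can be applied to them.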

A stolen domain usually costs an organisation at least 6 figures in damages; the articles referenced below provide real-life examples. SkySiege for Organisations not only detects domains without transfer locks but also rolls out policies that prevent these transfer locks from being removed.

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.
