Securing your domain registry against unauthorized transfers
DNS and Domain Security · 27 Nov 2025 · 7 min read

Rodney
Head of Tech Realism · Black Sheep Support

Your domain name is the digital heartbeat of your business. It is the address your customers type into their browsers to find your website, the foundation of your professional email communication, and a critical component of your brand identity. Yet, for many UK SMEs, the domain remains a "set it and forget it" asset, often managed through a registrar account created years ago with little oversight. This complacency creates a significant vulnerability: domain hijacking. When a malicious actor gains unauthorized access to your domain registrar account, they can initiate a transfer of your domain to their own infrastructure. In a matter of hours, they can redirect your traffic, intercept your business emails, and even use your domain to launch sophisticated phishing campaigns against your clients. Securing your domain registration is not just a technical task; it is a fundamental pillar of your cyber security posture and a requirement under the data protection principles of the UK GDPR.

Understanding the Anatomy of a Domain Hijack

A domain hijack is rarely a brute-force attack on the global Domain Name System (DNS). Instead, it is almost always a breach of the administrative access to your registrar account. Once an attacker gains control, they can change the domain's nameservers or request the "Auth-Code" (also known as an EPP code or transfer code) needed to transfer the domain to a registrar of their choosing.

The Lifecycle of an Unauthorized Transfer

  1. Credential Harvesting: Attackers obtain your login details via phishing, credential stuffing (using passwords leaked from other breaches), or by compromising a former employee’s account.
  2. Disabling Protections: Once inside, they strip away security features like 2FA or domain locks.
  3. Initiating the Transfer: They request the transfer code, which is often sent to an outdated email address still associated with the account.
  4. The "Hostile Takeover": Once the domain is transferred, the attacker controls the DNS records. They can point your domain to a fake website, intercept your incoming emails to reset your banking passwords, or hold your domain for ransom.

Implementing Multi-Factor Authentication (MFA) as a Non-Negotiable

If there is one single action you take after reading this guide, let it be the enforcement of Multi-Factor Authentication (MFA) on your domain registrar account. Many UK SMEs mistakenly believe that a strong password is sufficient. However, given the prevalence of sophisticated phishing attacks, passwords alone are no longer a robust defense.

Why SMS MFA is Not Enough

While any MFA is better than none, SMS-based authentication is vulnerable to "SIM swapping," where attackers convince your mobile provider to port your number to their device. For high-value assets like your primary business domain, we strongly recommend using:

  • Authenticator Apps: Tools like Microsoft Authenticator, Google Authenticator, or Authy.
  • Hardware Security Keys: Devices like YubiKeys provide the highest level of security by requiring a physical touch to authorize access, making remote hijacking virtually impossible.

The Power of Domain Registry Locks

Most reputable registrars offer a "Transfer Lock" (the clientTransferProhibited status), and many also offer a stronger "Registry Lock," applied by the registry itself (serverTransferProhibited). When a registry lock is enabled, no transfer request is processed, even if an attacker has your account credentials and the Auth-Code. The distinction matters: a plain transfer lock can be switched off by anyone who can log in to your registrar account, so once credentials are stolen it is the registry-level lock that still holds.

How it Works in Practice

  • The "Kill Switch": When a registry lock is active, the domain is essentially frozen at the registry level. Any request to change the registrar requires a manual, multi-step verification process—often involving phone calls or identity verification—that cannot be automated by a bot.
  • When to Use It: While it may add a slight delay to legitimate administrative tasks (such as moving your domain to a new provider), it is an essential safeguard for your core brand domains. Think of it as a deadbolt for your digital storefront.

Managing Administrative Access and "Least Privilege"

One of the most common oversights we see at Black Sheep Support is the use of shared accounts or overly permissive access levels. If your marketing intern, your freelance web developer, and your CEO all share the same login credentials for your domain registrar, you are exponentially increasing your risk surface.

Establishing Proper Governance

  1. Centralise Ownership: Ensure the domain is registered under a company-owned email address (e.g., it-admin@yourcompany.co.uk) rather than a personal address belonging to a single individual.
  2. Audit Access: Regularly review who has access to your registrar dashboard. If a staff member or third-party agency no longer requires access, revoke it immediately.
  3. Use Role-Based Access Control (RBAC): If your registrar supports it, create separate accounts for different team members. Give them only the permissions they need to do their job—for example, a developer needs DNS management access, but they do not necessarily need the ability to transfer the domain or change billing details.

Monitoring and Proactive Alerts

You cannot secure what you do not monitor. Many registrars provide notification services that can alert you to suspicious activity in real-time. By configuring these alerts, you can gain precious time to react before a transfer is finalized.

Essential Alerts to Configure

  • Transfer Request Notifications: Ensure that any request to move the domain triggers an immediate email and, if possible, an SMS alert to your primary IT contact.
  • Login Alerts: Set the account to notify you every time someone logs in from a new device or an unrecognized IP address.
  • WHOIS Privacy Checks: Ensure that your domain's WHOIS data is set to "Private" or "Proxy." This prevents malicious actors from scraping your personal contact information (such as your home address or private phone number) from public databases, which is often used to craft targeted social engineering attacks.
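The lock status and the drift signals described in the two sections above (transfer locks, nameserver or registrar changes) are all visible in a domain's public RDAP record, so you can verify them yourself rather than trusting a dashboard tick-box. The script below is an added example written for this dispatch; it is not Black Sheep Support's code or any registrar's tooling. It assumes the RFC 8056 RDAP status names ("client transfer prohibited" and "server transfer prohibited", the RDAP spellings of clientTransferProhibited and serverTransferProhibited) and, for the optional live lookup, the https://rdap.org/domain/<name> redirector; the two JSON records are constructed samples with placeholder registrar handles, not real data.

```python
"""Check a domain's RDAP record for transfer locks and for drift from a baseline.

Added example for this dispatch, not the author's or any registrar's code.
Assumptions (not from the page): RFC 8056 RDAP status names and the
https://rdap.org/domain/<name> endpoint used by fetch_rdap().
"""
import json
import urllib.request
from typing import Optional

# RDAP status values (RFC 8056 mapping of the EPP status codes).
REGISTRAR_LOCK = "client transfer prohibited"  # EPP clientTransferProhibited
REGISTRY_LOCK = "server transfer prohibited"   # EPP serverTransferProhibited


def fetch_rdap(domain: str, timeout: float = 10.0) -> dict:
    """Live lookup through the rdap.org redirector (assumed endpoint shape)."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{domain}",
        headers={"Accept": "application/rdap+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def lock_report(rdap: dict) -> dict:
    """Report which transfer locks are present and the resulting protection level."""
    statuses = {s.lower() for s in rdap.get("status", [])}
    registrar_lock = REGISTRAR_LOCK in statuses
    registry_lock = REGISTRY_LOCK in statuses
    if registry_lock:
        level = "registry-locked"      # holds even if the account is compromised
    elif registrar_lock:
        level = "registrar-locked"     # anyone who can log in can remove it
    else:
        level = "unlocked"             # an Auth-Code alone is enough to move it
    return {"registrar_lock": registrar_lock, "registry_lock": registry_lock, "level": level}


def nameservers(rdap: dict) -> set:
    """Normalised set of delegated nameserver hostnames."""
    return {
        ns["ldhName"].rstrip(".").lower()
        for ns in rdap.get("nameservers", [])
        if ns.get("ldhName")
    }


def registrar_handle(rdap: dict) -> Optional[str]:
    """Handle of the entity holding the 'registrar' role, if present."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            return ent.get("handle")
    return None


def drift_alerts(baseline: dict, current: dict) -> list:
    """Compare a stored baseline record with a fresh one; return alert strings.

    A removed lock, a nameserver change or a registrar change are exactly the
    signals the 'Monitoring and Proactive Alerts' section says to watch for.
    """
    alerts = []
    base_locks, cur_locks = lock_report(baseline), lock_report(current)
    for key in ("registrar_lock", "registry_lock"):
        if base_locks[key] and not cur_locks[key]:
            alerts.append(f"{key} removed")
    base_ns, cur_ns = nameservers(baseline), nameservers(current)
    if base_ns != cur_ns:
        alerts.append(f"nameservers changed: {sorted(base_ns)} -> {sorted(cur_ns)}")
    base_reg, cur_reg = registrar_handle(baseline), registrar_handle(current)
    if base_reg != cur_reg:
        alerts.append(f"registrar changed: {base_reg} -> {cur_reg}")
    return alerts


# Constructed sample records (placeholder handles, not real registrars).
BASELINE = {
    "objectClassName": "domain",
    "ldhName": "example.co.uk",
    "status": ["client transfer prohibited", "server transfer prohibited", "active"],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
    "entities": [{"roles": ["registrar"], "handle": "REG-PLACEHOLDER-1"}],
}
CURRENT_RECORD = {
    "objectClassName": "domain",
    "ldhName": "example.co.uk",
    "status": ["client transfer prohibited", "active"],
    "nameservers": [{"ldhName": "ns1.unexpected.example."}],
    "entities": [{"roles": ["registrar"], "handle": "REG-PLACEHOLDER-2"}],
}

if __name__ == "__main__":
    print("baseline:", lock_report(BASELINE)["level"])
    for alert in drift_alerts(BASELINE, CURRENT_RECORD):
        print("ALERT:", alert)
```

Run it on a schedule, storing the first RDAP response as the baseline; any alert it prints is the moment to phone the registrar, not to wait for an email. The "level" field is the practical check behind the registry-lock section: "registrar-locked" alone means a stolen login is still enough to move the domain.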

Aligning with UK Cyber Security Standards

For UK SMEs, security is not just about protection; it is about compliance and credibility. Adhering to frameworks like Cyber Essentials—the UK government-backed scheme—requires you to demonstrate that you have basic technical controls in place.

Why This Matters for Your Business

  • GDPR Compliance: Under UK GDPR, you have a legal obligation to protect the personal data you process. If your domain is hijacked and your email communication is compromised, you may be handling sensitive customer data in an insecure manner, leading to significant ICO fines.
  • Supply Chain Security: Many larger UK enterprises now require their vendors to hold Cyber Essentials certification. By hardening your domain security, you are proving to your partners and clients that you take the security of your shared digital ecosystem seriously.
  • Reputation Management: A domain hijack often results in the domain being blacklisted by spam filters and search engines. Recovering your domain's reputation after it has been used to send malicious emails can take months of effort and significant lost revenue.

Key Takeaways

  • MFA is mandatory: Move beyond passwords and implement app-based or hardware-based multi-factor authentication immediately.
  • Lock your domain: Use registry-level locks to prevent unauthorized transfers, even if your account is compromised.
  • Limit access: Apply the principle of least privilege; remove access for former employees and third-party contractors as soon as their contract ends.
  • Monitor the perimeter: Configure real-time alerts for login attempts and transfer requests to ensure you are the first to know of suspicious activity.
  • Think compliance: Secure domains are a core requirement for Cyber Essentials and help you meet your UK GDPR obligations regarding data security.
  • Centralise management: Ensure your domains are registered to a company-controlled email address, not a personal one, to prevent "locked-out" scenarios when staff leave.

Securing your domain registry is a manageable, high-impact task that provides outsized protection for your business. By taking these proactive steps today, you ensure that your digital identity remains firmly under your control, allowing you to focus on growth rather than remediation.

