News

Registrant verification makes fraudulent registration impossible

25 November 2022

In a nutshell, DNS Belgium uses registrant verification to match the data a registrant uses when registering a domain name with his or her identity data. We do this because there are still cybercriminals who use fake data or even data of other people to register a domain name.

An automated process checks whether a registrant's details are correct based on a number of parameters. We do this even before activating a domain name. If the system suspects that this is not the case or that data are missing, we contact the registrant and his or her registrar. We ask them to pass on correct data. Until that happens, we do not activate the domain name.

Proactive and automated

DNS Belgium was of course checking domain name registrations long before registrant verification came along. Up to the year 2000, registration data were checked very strictly: you had to prove your identity and provide sufficient documentary evidence to be able to register a domain name.

In 2000, this was completely abandoned: anything could and everything was allowed, so to speak. But because it is DNS Belgium's job to keep the internet in Belgium safe, we quickly took initiatives to make the .be zone safer. We started actively checking registration data.

"DNS Belgium sets the bar high when it comes to a secure internet."

Initially, we did this manually and usually in response to a concrete complaint. We wanted to check more proactively and also automate checking. In 2020, we therefore started looking at what our colleagues abroad were already (or not yet) doing.

Denmark already had its own system that enabled Danes to prove their identity when registering a domain name. For non-Danish nationals, checks were less strict. Checks of non-Danish registrants are still done manually and not automatically as in our country. In Estonia, an absolute forerunner when it comes to digital identity, both Estonians and non-Estonians can use an electronic proof of identity when registering a domain name. It is the registrars who have to oversee this process.

The bar is high

DNS Belgium sets the bar high when it comes to a secure internet. We aspire to check all new registrations, domestic and foreign, and to do this entirely ourselves.

We conducted an initial analysis in the autumn of 2020. Experience from years of checking registrations gave us a good insight into how fraud is committed, which we put into rules.

Initially we wanted to check all suspicious domain name registrations. But eventually we want to check all new domain name registrations. We are not ready to do so for the time being because the human intervention is still too great, and that drives up costs of course, but also because the technology of digital identification is not yet ready for it. This is especially difficult outside Belgium.

The figures clearly show that the current automated verification is bearing fruit. Whereas before 2020 we checked a few registrations per day, with registrant verification this is now 15 to 20 per cent of all new registrations.

Why is registrant verification important?

With registrant verification, we can stop fraudulent registrations. After all, those who want to register domain names for fraudulent purposes often provide incorrect data when applying and do not respond to our request to provide correct data. Fraudsters at times also use data from other people or companies to register a domain name. This keeps them out of harm's way themselves but can cause reputational damage. By preventing rogue websites from coming online, we intervene before they can cause any damage.

And in doing so, we are fulfilling our mission to make the .be zone as secure as possible and trust in .be domain names even greater than it already is. The fact that we have had to intervene less reactively and delete registered domain names since registrant verification proves that our approach is working. Moreover, we prevent cybercriminals from registering domain names with stolen data.

Historical data have also shown that people registering a website with fraudulent intentions often used anonymous data in the past and registered a domain name under the name Mickey Mouse, for example. With registrant verification, it is impossible for a domain name to become usable even for a very short time. So there is no way they can do any damage whatsoever. Before registrant verification, we often noticed abuse only the next working day.

The far-reaching, automated way in which we currently check registration data is unique. Yet we want to go even further in the future. We still see many opportunities to expand registrant verification.

With this article, we support the United Nations Sustainable Development Goals.