Akatombo Web Log
Friday, November 12, 2004
Prevent the Theft of your Domain
ICANN, the regulatory body controlling domain names (yourwebaddress.com), has made a (we think) rather stupid change to its Policy on Transfer of Registrations between Registrars. This may sound complicated, but we think it makes it easier for people to steal your domain name. We’ll lay out the details in simple terms below:
The Reasons
The change was made to combat a legitimate problem: some unscrupulous domain name registrars (the companies that provide domain name registration services) have made it very difficult for customers to transfer their domains away to another company that may provide better prices or service. We have had to deal with this problem on behalf of customers in the past, and when I used to work at a domain name registrar this was a big problem for customers trying to transfer in to our service. The problem is serious and needed a solution, but we are not confident that the solution ICANN chose was the right one.
The Change
We’ll try to be as brief as possible regarding the changes to policy but it gets a little bit complicated, so please bear with us. The important changes are as follows:
“Requiring registrars to verify the identity of the registrant or administrative contact requesting the transfer by one of a number of approved methods to deter fraud;”
This is a requirement of the “Gaining Registrar” meaning the company that is getting your business. The approved methods of authorization are as follows:
- Physical means:
  - Notarized statement
  - Valid Drivers license
  - Passport
  - Article of Incorporation
  - Military ID
  - State/Government issued ID
  - Birth Certificate
- Electronic means:
  - Electronic signature in conformance with national legislation, in the location of the Gaining Registrar (if such legislation exists).
  - Consent from an individual or entity that has an email address matching the Transfer Contact email address.
“Preserving the ability of registrants to “lock” their domains so they may not be transferred from the registrar, but requiring registrars to provide a readily accessible way for registrants to have their current registrar remove this lock at their request;”
This means that registrars have to give registrants (you) the option of locking their domain names so that they cannot be transferred until the lock is released. This is one of the things that we recommend you take advantage of to ensure that your domain is not fraudulently transferred to another party. We’ll cover this more in the next section.
“Enabling registrants to transfer their domain names without having to “double-confirm” the transfer once the transfer has been reliably authenticated per the new policy; and”
This reverses the old practice of many losing registrars (the registrar being transferred away from) of making registrants confirm with them that they indeed wanted to make the transfer before the transfer to the gaining registrar (the registrar being transferred to) could take place. This means that if someone manages to fool the gaining registrar into thinking that you are making the request for the transfer of your domain name (and it is in their interest to believe it) then the transfer can go through without you confirming the transfer.
Note: Many thanks to my friend who attended the ICANN meeting for explaining to me that the confirmation with the losing registrar was never a requirement, although many were doing it. This policy made it illegal to do so. While it is true that some registrars were using this to hold up the transfer process it could also be a genuine fail-safe to protect customers.
“Providing a robust dispute resolution process for resolving disputes between registrars, including registries implementing a “transfer undo” functionality to provide for efficiently reversing any transfer initiated in violation of the policy.”
This is an attempt at making it easy to reverse the damage done by a fraudulent or mistaken transfer, but in our opinion is insufficient for one, and too little too late for another.
The Problems
- First of all, the means of authorization don’t all seem equally worthy. Most registrars will almost certainly go for the electronic forms of authorization. It would be stupid for them not to. They would just be putting a bunch of extra effort and a time barrier in the way of registrants that want to transfer to them. Focusing on the two electronic means of authorization, it seems to us that it would be a lot easier to spoof e-mail authorization to one registrar than to both, and the first option of using an electronic signature authorized by the local government is silly for three reasons:
  - Not very many legislatively approved methods of doing this exist.
  - The Internet is international: if I am in Japan and use a registrar in the U.S. then the electronic signature may not even be available to me.
  - Different countries have different laws:
    Imagine this scenario: I go and establish my domain name registrar in a poor country with a government open to bribery. I give certain government leaders a small stipend in exchange for the consideration of passing a law authorizing the use of an easily spoofed electronic signature system that we have developed. I am now open to reap the benefits of transfer and registration fees from any that would like to attain a domain that is already taken, and don’t mind being a bit dishonest about it. This is a very oversimplified example: registrars must be accredited by ICANN, and there is also the issue of domain resellers to consider. Still, this seems to us to leave some pretty big holes in the policy.
- They have now outlawed the previously required double-confirmation system, making it easier for domain transfer chicanery to take place.
- As far as we have observed, ICANN’s UDRP is far from adequate, can be rather slow, and is often wrong. Even if you were to get your domain name back through the UDRP, that will be little consolation since your website and e-mail service for that domain have been interrupted during the proceedings.
The Solution
We recommend that you take the following steps to ensure that your domain name does not fall victim to a fraudulent transfer:
- Visit the website of your domain name registrar and log in (make sure that you don’t forget how to log in to your domain name account, that could cause you big problems in the future).
- Check your contact information, and make sure that it is all up to date—especially your e-mail address.
- Look for an option to lock your domain names. As of today (November 12th, 2004) all domain name registrars are required to provide one. Lock all your domains to prevent them from being transferred until you release the lock.
If you follow these steps, your domain name should be pretty safe, but of course always remember to keep your domain name registrar account login information safe and secure. If someone can gain access to your account they can pretty much do whatever they want.
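The contact and lock checks from the steps above can also be confirmed from the outside. The following Python sketch is an added example, not part of the original post: it reads WHOIS-style text and reports whether a transfer lock status is present and whether the listed contact e-mail is the one you expect. It assumes WHOIS output that lists EPP status codes such as clientTransferProhibited; the sample records, the domain names and the parse_whois() and audit() helpers are constructed for illustration.

```python
# EPP status codes that block an inter-registrar transfer.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

# Constructed WHOIS-style records for illustration; not real registry output.
SAMPLE_WHOIS = {
    "locked.example": """\
Domain Name: LOCKED.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Email: admin@locked.example
""",
    "unlocked.example": """\
Domain Name: UNLOCKED.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Email: old-address@defunct-isp.example
""",
}

def parse_whois(text):
    """Collect status codes and contact e-mail addresses from WHOIS text."""
    statuses, emails = set(), set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or free-text line without a "Key: value" pair
        key, value = key.strip().lower(), value.strip()
        if key in ("domain status", "status") and value:
            statuses.add(value.split()[0].lower())  # drop the trailing URL
        elif key.endswith("email") and value:
            emails.add(value.lower())
    return statuses, emails

def audit(text, expected_email):
    """Return a list of findings; an empty list means both checks passed."""
    statuses, emails = parse_whois(text)
    findings = []
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock set")
    if expected_email.lower() not in emails:
        findings.append("contact e-mail differs from expected")
    return findings

if __name__ == "__main__":
    for domain, text in SAMPLE_WHOIS.items():
        print(domain, audit(text, "admin@" + domain) or "OK")
```

To audit your own domains, replace the constructed records with the text your WHOIS client returns. Many registries now redact contact e-mail addresses, in which case the e-mail check has to be done inside the registrar account instead.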
Was this helpful to you? Do you have any questions, or have we missed something? Please leave a comment below to let us know!

