Will New ICANN Rules Fight Domain Transfer Fraud?

By Larry Seltzer  |  Posted 2004-11-28

Will New ICANN Rules Fight Domain Transfer Fraud?

Some observers are concerned that new rules governing the transfer of Internet domains between domain registrars that went into effect on Nov. 12 will facilitate theft of those domains and "slamming" by registrars.

The new rules, originally announced by ICANN (the Internet Corporation for Assigned Names and Numbers) on July 12, were "approved unanimously by both ICANNs Generic Names Supporting Organization [GNSO] and its Board of Directors."

About a year ago I wrote about problems with domain registration transfers that made it all too easy to steal someone elses domain. I got a shocking amount of mail from victims of domain theft at the time and developed a low opinion of registrars. It was clear they all wanted to just bury the matter, and they dont get the benefit of the doubt from me anymore. (Register.coms Web site is scrupulously lacking in any information for press to use for contacts. There was a time when they had a contact and just moved slow on it, but they lack even this now.)

So I was ready to assume the worst when I read about the new rules. They streamline certain procedures so as to facilitate transfers in cases where the registrar previously holding the domain—the "registrar of record"—drags its feet. It seems the real problem, as ICANN puts it, was not registrars being too easy with transfers, but those not proceeding with a timely transfer when a legitimate request came in. And more specifically, Network Solutions has a lousy reputation in this regard. (Am I now accusing them of conflicting offenses, being too lax with transfer security and not willing enough to proceed with the transfer? Let them call me up and explain it to me.)

It seems that the sorts of problems I was observing have less to do with the transfers between registrars than with other security policies of the registrar, specifically changing the administrative contact information. The new ICANN policies shouldnt make the problems any worse because they still require that the registrar of record contact the owner. If the owner information is incorrect, its really a separate issue. And if there is a real dispute over a domain transfer, there is a set and orderly policy for dispute resolution.

Next Page: Incorrect owner information.

Page 2

But owner information often is incorrect—because the owner wanted it that way. The WHOIS database is one of the great farms from which spammers harvest e-mail addresses, so many domain owners intentionally put in false contact information. Even the other contact information is often false out of privacy concerns. This information is usually separate from the registrars billing database; while false information in the contact records usually violates registrar policy, as long as they get paid they usually look the other way. And its not illegal to put false contact information in a WHOIS record, although there has been some talk in Congress of making it so.

The real answer seems to be domain locking, which it now appears all registrars support. Locking puts a "Status: REGISTRAR-LOCK" in your WHOIS record and prevents a default transfer of the type just instated by ICANN. GoDaddy, for example, has put a notice up warning all customers that they better lock their domains if they want to be sure of protecting them.

I havent seen a single definition, but it appears that "REGISTRAR-LOCK" doesnt just prevent unauthorized transfers, but any other change in the domain record too. The only way to make a change is to log in to the master account and use the registrars interface. If this is universally the case, its the solution to the problem. Its just up to you to secure your master account information.

Taking ICANN at its word—that there was a problem with expediting legitimate transfer requests—I can see the reasonableness of the new policies. It does make competition more practical by denying registrars the ability to stall. What we need now are policies and technologies that make contact records more secure and eliminate all this ridiculous false information.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

But beyond locking, I like the approach as that used by Domains By Proxy. Instead of your contact information referring to you, it refers to Domains By Proxy. You can tell them to forward contact requests on to you, or not. They only work with a small number of registrars? Why shouldnt all registrars offer this? In fact, why shouldnt it be part of the standard?

Come to think of it, isnt the whole idea that domain contact information needs to be public kind of quaint and antiquated? If you want to make your domain contact information public, put up a Web server and write a page for it. This looks like a job for ICANN.

In the end, if there are many attempts to steal domains and users have to utilize the (4,449 word) Dispute Resolution Policy to resolve them, its still a failure even if it works every time. The system needs to protect domain owners from having to engage in the process too. I havent yet seen where ICANN has helped this.

Check out eWEEK.coms for the latest security news, reviews and analysis.

Rocket Fuel