ICANN new transfer policies take effect Nov. 12

[Theo]

I just initiated a transfer to Enom - received their regular notification with nothing different.

 

[Mr Webname]

MWN, where was that quote from? Was that fraudulent?
Are transfer code requirements being disregarded?

~ Nexus

The email was a genuine notification from Godaddy concerning a transfer that I have initiated - however if I hadn't initiated it and had not received/read the email the net result would be that the transfer would be carried out!
Of course in this instance, being a .org the auth code had been supplied to my receiving Registrar, but that wouldn't apply to many other extensions.

 

[Domagon]

Transfer security is definitely an issue, but there's one even bigger ... bogus "Whois Problem Reports". I've posted more details about this problem on various sites, including on ICANN's open forum and on the newsgroups.

Merely by filing problem reports claiming a registrant's information is incorrect, one can get possibly get control over the domain ... BYPASSING ALL PROTECTIONS!

Registrar-lock, auth-codes, etc are meaningless ... many registrars state they will suspend/delete domains *merely* based upon receiving a "Whois Problem Report" within as little as 5 days after notifying the registrant; often by email - folks who go away for a week or two on vacation could come back and find their domain name suspended/deleted.

While I realize this thread is about transfer policy changes and related security, it's important for folks to be aware of this other serious security issue, especially given that many registrants are being led to believe they can "lock" it and basically forget it ... if only that was true ... the truth is something else completely

Ron

 

[dotNetKing]

I just initiated a transfer to Enom - received their regular notification with nothing different.

Up to now, when initiating a transfer *to* Enom, Enom's usual e-mail (at least the one I get through the enom reseller I'm with) requires me to click on a link to authorise the transfer. This e-mail is sent to the domain's admin e-mail, and the transfer cannot proceed without this prior authorisation via the new registrar.

Later I get an authorisation request from the*losing* registrar (normally) which I have to authorise.

I still assume that I will need to give the initial authorisation to the gaining registrar (not losing registrar) on the strength of an e-mail sent to the domain's admin address. It is just the second authorisation that isn't required (although even up to now not all registrars required this, including my enom reseller. They seem to have been doing what will now become the norm, and there has been no security risk with that system).

I am beginning to wonder if there really isn't any security threat after all. We will soon find out, but I think it might all have been a false alarm?

I would say I haven't bothered to lockmany of my domains yet, but then I might be a target for thieves, wouldn't I ;-)

 

[Monte]

Hey gang,

A lot of you are emailing and IMing me about this so I thought I would let you know where Moniker.com stands on this.

We are treating all transfer out requests as fraud unless we have heard from you - to protect your domains here. Besides locking all of your domains by default, I and my staff look at each transfer out request and make sure it was authorized. We have yet to loose one name due to this high security policy.

[mod]Advertising only in the appropriate forum please.[/mod]

 

[Dave Zan]

Hey gang,

A lot of you are emailing and IMing me about this so I thought I would let you know where Moniker.com stands on this.

We are treating all transfer out requests as fraud unless we have heard from you - to protect your domains here. Besides locking all of your domains by default, I and my staff look at each transfer out request and make sure it was authorized. We have yet to loose one name due to this high security policy.

[mod]Advertising only in the appropriate forum please.[/mod]

Great to hear back from you, Monte!

Whew! Your treating all transfer requests as fraudulent is sure to piss many
people, but I believe you can handle it.

Good luck, Monte! k:

 

[Theo]

Hey gang,

A lot of you are emailing and IMing me about this so I thought I would let you know where Moniker.com stands on this.

We are treating all transfer out requests as fraud unless we have heard from you - to protect your domains here. Besides locking all of your domains by default, I and my staff look at each transfer out request and make sure it was authorized. We have yet to loose one name due to this high security policy.

[mod]Advertising only in the appropriate forum please.[/mod]

A few were upset with the tight security at Moniker - I'd say it's necessary. You'll be hearing from me Monte :-D

 

[seeker]

What???
I got a request for a mass transfer.
Monte, I have very few domains with you compared to my portfolio, but, at this moment, I know I wish it were all with you.

 

[Monte]

davezan1,

we are not treating all transfer requests as fraudulent....just those without proper notification. That is the key to this whole issue. Just unlocking (or leaving your domains unlocked by accident) does not cut it with property.

[mod]2nd Warning - do not advertise outside of the Advertising Forum.[/mod]

 

[GeorgeK]

I agree with your policy, Monte, and said so during the entire transfers policy development process. The pendulum has swung too far to the other side with the recent changes, and I'm sure after a few bad experiences get press, the pendulum will swing back towards protecting registrants' security, through double-verification.

The prior assumption, that led to this policy, was that there are bad registrars out there HOLDING BACK names from being transferred. In response, security was lowered, to permit the gaining registrar's authentication of the transfer request, alone, to trump all.

Problem is -- it didn't remove the "bad registrars"! If they're still present, it means instead of having names held back, we'll have bad registrars who don't do proper checking of consent (e.g. accepting forged faxes as 'consent'), and the losing registrar can't do much to protect their clients.

One 'solution' that might fit the rules (not sure), might be to create "sticky" locks? i.e. if a domain name gets unlocked, it can only stay unlocked for 24 hours or so, and if no transfer request ensues, it bounces back to a state of being locked automatically?? I'd consider that a useful feature, as the act of unlocking the domain, if it happened immediately before the transfer, and was authenticated via email or some other method, serves the purpose of the validation by the losing registrar that the transfer is legit.

 

[seeker]

its either locked or it isnt.
All else is the 'politics' of each registrar.
now, some agree, some dont.
The bottom line is simply, and I am saying this to myself as well, it is NOT to react from fear.
Reacting from fear is just about the worst strategy there is. It leads... well, it leads to the way the world is today....

 

[GeorgeK]

As I think about this further (public brainstorming), another "feature", in conjunction with a "sticky lock", would be that at the moment that the domain is unlocked, the registrant is prompted to choose, from a list of all ICANN registrars, the registrar(s) they want to allow transfers to go to.

e.g. I have example.com at Moniker, I go to unlock, and I specify that only transfers to OpenSRS are acceptable. A transfer comes in during the 24 hour unlock period from a Korean registrar, and it gets auto-rejected by Moniker. No transfer request from OpenSRS comes in within 24 hours, and it goes back to locked status.

 

[Domagon]

...Besides locking all of your domains by default, I and my staff look at each transfer out request and make sure it was authorized...

What is your company's policy regarding Whois Problem Reports?

1. Do you screen them?

2. For those reports requiring more attention, how much time does the registrant have to respond? ... 5 days, 15 day, or ??

3. What is the penalty for no response by registrant? ... more notices, suspension, deletion, or ??

I ask since it appears your company takes security seriously unlike Dotster and BulkRegister who both seem more than willing to suspend/delete domains for merely receiving a Whois Problem Report - not everyone checks their email daily ... and even then, email isn't all that reliable - surely one would expect a registrar (BulkRegister in particular, for which I administer 700 domains) to be a little more concerned about security.

In summery, what is your company's policy regarding Whois Problem Reports and notifications, etc?

Please reply here for the benefit of others and/or PM me. Thank you.

Ron

 

[Monte]

Ron,

When notified, we follow the following steps:

As a reminder, ICANN-accredited registrars are obligated to take reasonable steps to investigate and correct reported Whois inaccuracies <http://www.icann.org/registrars/ra-agreement-17may01.htm#3.7.8>. As indicated in the following Registrar Advisories, registrars have a vital role in maintaining the accuracy of Whois data:

Registrar Advisory Concerning Whois Data Accuracy
<http://www.icann.org/announcements/advisory-10may02.htm>

Registrar Advisory Concerning the "15-day Period" in Whois Accuracy
Requirements
<http://www.icann.org/announcements/advisory-03apr03.htm>

We have moved certain names to our disputed account when compliance has not been met. Most of the time, our customers meet compliance and we fulfill our obligation to ICANN without jeopardizing our commitment to our clients. That is not to say that there are probably other domains with inaccurate whois data in our data base. When notified, we do address it.

Hope this addresses your question Ron.

 

[Domagon]

You basically dodged the question ... ICANN gives registrars the Right to cancel registrations after 15 days has elapsed with no response, but ICANN does NOT require registrars to do so; registrars have the flexibility of providing more time before taking any action ...

Here's a simple hypothetical question ...

Someone files a Whois Problem Report on a domain, how many days would you give the registrant to respond? 5 days, 15 days, ???

Ron

 

[Monte]

Ron - I did not dodge the question. The answer is that it varies based on whether the complaint comes in before a weekend, if we know the customer, status of account, etc. It is not an automated policy, it varies by registrant.

I appologize I cannot be more specific than that.

 

[Domagon]

Ron - I did not dodge the question. The answer is that it varies based on whether the complaint comes in before a weekend, if we know the customer, status of account, etc. It is not an automated policy, it varies by registrant.

I appologize I cannot be more specific than that.

Not reassuring...

Your nebulous response really illustrates well the severe security risk Whois Data Problem Reports present to all registrants; most registrars, including yours, appear not to care.

Let's see ... here's a scenerio to steal a domain; often legally!

1. Hijacker selects desired domains

1a. (optional) select domains that have at least one piece of information wrong - quite easy really ... the mere lack of a country code alone is justification enough to file a report!

2. Hijacker submits Whois Data Problem Report(s) at http://wdprs.internic.net/

2a. (optional) Flood admin contact email address(es) with lots of junk; fill their box(es).

3. Hijacker waits for domain(s) to be deleted

4. Place order at drop services to register the domain(s)

And here's the kicker ... the hijacker will likely NOT violate any laws in the process - their registration(s) will likely be LEGAL! Wow, what a perfect way to steal domains ... all nice and neat :cheeky:

Ron

p.s. various folks involved in domain policy have long been aware of this security risk, but now I'm going to make sure everyone else knows too ... and name names of registrars who have poor security in regards to this matter.

 

[David G]

........We are treating all transfer out requests as fraud....

I must have been using my crystal ball when I predicted several months ago after ICANN announced the new policies that you would start doing that as of Nov 12.

Are you really allowed to have such a blanket policy? If yes, are others also going to do that i.e. Godaddy, Tucows size firms, if not, why not? Do you think all registrars should block all transfers using that loophole? If they did would that be more of a positive or more negative?

As I think about this further (public brainstorming), another "feature", in conjunction with a "sticky lock", would be that at the moment that the domain is unlocked, the registrant is prompted to choose, from a list of all ICANN registrars, the registrar(s) they want to allow transfers to go to.

e.g. I have example.com at Moniker, I go to unlock, and I specify that only transfers to OpenSRS are acceptable. A transfer comes in during the 24 hour unlock period from a Korean registrar, and it gets auto-rejected by Moniker. No transfer request from OpenSRS comes in within 24 hours, and it goes back to locked status.

Excellent ideas George, the best way to solve this problem I have ever seen.

It would be a true Godsend to have your features implemented by icann rules.

You should send your suggestions to them direct.

 

[Monte]

ron,

sorry, it does not work that way. we do not delete the name. it is moved into a disputed account and the real registrant has already been contacted well before that would even happen.

Trader - the purpose of our policy is to PREVENT theft and unauthorized events...that's it. The policy rules allow for a registrar to protect its clients and we are taking our ability to protect our clients and their domains very seriously....especially now when many will try to take advantage of the policy to steal names. Be greatful that many of your collegues who have their domains at Moniker, will not face an incedent of theft as many others will.

 

[jberryhill]

Your nebulous response really illustrates well the severe security risk Whois Data Problem Reports present to all registrants

Ron,

He didn't say he deletes the domain name. And, yes, the answer can depend on the registrant. One client of mine with a substantial number of domain names seems to attract whois data problem reports, because of nimrods that assume "bad data" when they don't get answers to their harassing emails or letters. If the whois data problem report relates to that client, I can tell you that Monte does nothing, because he knows the data is correct.

Monte has taken a load of flack over his transfer-out policies. First off, Moniker's policy is designed for security, and not as a fee scam like some other registrars. Secondly, there are registrants who choose Moniker PRECISELY for the reason that transfer-outs are regarded with a certain level of suspicion.

What I'd like to see in Monte's spare time (heh), are some statistics in a few weeks on transfer-out requests.

It would be a true Godsend to have your features implemented by icann rules.

You should send your suggestions to them direct.

I have to say, yet again, that the general impressions folks seem to have of ICANN's policy processes are beautiful in their innocence.