Can you explain the relationship between domain locks for 60 days and attacks using stolen payment details?
A lot of the EU ccTLD registries and other ccTLDs do not have such a 60-day lock and I never saw any issues in relation to stolen payment details. And to be clear, we process a lot of incoming and outgoing ccTLD transfers.
In addition, to drastically reduce domain theft, you have to have a big issue of domain theft first. The current amount of unauthorized transfers complaints is very low as provided by compliance. I suspect domain theft (which is a different bucket) is even lower, though we do not have real statistics. With the exception of IRTP-D, from what I recall dispute providers had a total of 2 cases since 2016.
I do not mind the 60 day lock in the sense that it bothers me. However, as a registrar, I would not mind the option to be able to remove the lock in certain scenarios.
On 09/11/2021 17:44, Steinar Grøtterød via CPWG wrote:
> Dear all,
>
> At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed.
> The present policy – and the majority of Registry Operators, have a
> 60-days transfer lock after the initial registration of a domain name
> AND a 60-days lock after a successful inter-registrar transfer.
>
> Based on the discussion in the TPR WG, I would like to hear the CPWG
> opinion by asking the following:
Following up on today's meeting:
> 1. Are we in favor of keeping the 60-days lock after the initial
> registration of a domain name?
Yes.
This is still important to deal with issues of reversed credit card
charges and non-payment. While payment systems have improved, this 60
day lock is still a defence against an orchestrated attack using stolen
payment details.
> 2. Are we in favor of keeping the 60-days lock after a successful
> transfer of a domain name?
Yes.
This is one way of drastically reducing the chances of success for
domain name theft. Domain name thieves generally use multiple registrars
to make it difficult for the registrant to recover their stolen domain name.
> 3. Could the above be optional?
No.
And ICANN Compliance should proactively enforce it.
> 4. Should the Registrant have the option to opt-out?
No.
Do the people who came up with the proposal of making it opt-out for
registrants actually understand the issue of domain name theft/hijacking
and how the thieves transfer a stolen domain name from registrar to
registrar to make it difficult for registrants to recover their domain
name?
On a related issue that came up in the call, Domain Tasting is very
different from registrars simply offering time limited promotions.
Domain Tasting involved registrars simply being set up for the purposes
of tasting and deleting millions of domain names in the five day Add
Grace Period. This exploitation of the AGP spread to retail registrars.
Over approximately five years, over 1 billion (1,000,000,000) .COM
domain names were tasted. The ICANN registry reports were flawed and
incomplete at the time and remained so until 2014. Those of us who were
tracking the issue at a domain name level measured it in worn out
hard drives.
It was only when legal action was taken against a few key registrars and
Google announced that it would not monetise registrations within their
five day AGP period that Domain Tasting took a near fatal hit. ICANN was
stuck in a procrastination loop while Domain Tasting was happening but it
was convinced to eventually do the right thing by adding a "restocking"
fee for new registrations deleted within the AGP. When that was
implemented, large-scale Domain Tasting stopped. Domain Tasting has
nothing to do with the 60 day locks.
Regards...jmcc
--
**********************************************************
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
IE * Skype: hosterstats.com
**********************************************************