RE: [registrars] Grave Robbing and SEDO Fencing
From my understanding of the timeline that John provided in his original post on this subject, the contact change occurred in June 2007. Several days later the name was transferred to Directnic and put up for sale at Sedo. The name was sold on July 3, 2007 and then transferred to Go Daddy July 12, 2007 and was then put up for sale on eBay (auction now closed with zero bids). So it appears this all happened within a 30 to 40 day window of time.

First, I would suggest that registrars consider a policy similar to Go Daddy's when considering transfers for names that have gone through a change that affects ownership or authority. Our systems allow ownership changes, but the registrant/account holder agrees to not transfer the domain for 60 days afterward, and we lock it down internally. We inform them that if they need to transfer the name right away, they should consider performing the transfer first and then complete the ownership/authority changes at the new registrar of choice. If this had been done in raven.com's case, it would still have been with NSI when the rightful owner noticed the problem, and NSI could have fixed the problem much more easily.

Second, I don't understand how the name got transferred from Directnic to Go Daddy so quickly. Transfer policy only allows one transfer every 60 days. Yet it appears two transfers occurred in about 40 days. It is the registrars' responsibility to enforce the 60-day rule. It is in the losing registrars' best interest to enforce that rule (the registries are not required to do so). The losing registrar knows when the domain was registered or transferred to them and should deny transfer requests if either took place within the 60-day period, as required in the transfer policy. This does not appear to have been done.

If either of the policies noted above had been followed, resolving this apparent hijacking would be much easier. Now we have two gaining registrars, both of which appear to have a *good* transfer in that they received approval from the party that appeared in the Whois at the time of the request. However, we are working with NSI to try and resolve this.

Two other suggestions that may be worth considering:

1. We might lobby the registries to implement the 60-day transfer and new registration check themselves. This would be an additional safeguard against inappropriate transfers, and is better than relying completely on the registrars to enforce it (errors happen, bad actors happen, etc.). Perhaps we also lobby ICANN to change the transfer policy to require this.

2. Gaining registrars should attempt to check for this rule themselves. For example, Go Daddy checks the create date of transfers ordered and does not allow the process to proceed if the create date is within 60 days, per the transfer policy. Due to the raven.com problem, we are also looking at implementing a check of the update date. If the name has been updated within the last 60 days, it may indicate that a transfer has occurred. However, we are still considering how best to verify that, since the update date may indicate other changes, not just transfers. But it can at least be considered a warning flag that further checks need to be done before allowing the automated process to continue.

Of course, registrars should continually hone their processes for verifying the identity of users requesting changes. But relying on that as the sole mechanism to prevent hijacking is not wise. The above policies/rules would go a long way to minimizing damage when hijacking occurs, and make it much simpler and quicker to reverse.

Tim

-------- Original Message --------
Subject: Re: [registrars] Grave Robbing and SEDO Fencing
From: Sam BAVAFA <s.bavafa@french-connexion.fr>
Date: Mon, August 06, 2007 5:30 pm
To: "'Registrars Constituency'" <registrars@gnso.icann.org>

Hi guys,

I am also interested in any solution that could avoid such ID usurpation.

For now, we are asking the registrant to provide a copy of his ID. When an owner change is requested, we also ask for a copy again, plus a physical owner change form printed and signed by both parties, and if both ID copies match and the signature is the same, we call the customer on the original phone number provided at registration time and then authorise the owner change.

Sometimes the info has been changed so we cannot verify all of it, which means that we somehow must convince ourselves that he is the real owner (asking for details on many different pieces of info on his account).

But when a domain belongs to a company, and the responsible person has changed to another one! The mere fact that this new person has access to the company's admin account is not enough, in my opinion. Does someone have a better process?

Thank you.
Sam
www.Domaine.fr
www.Domaine.info

From: Bashar Al-Abdulhadi <bashar@kuwaitnet.net>
Date: Sat, 04 Aug 2007 01:27:22 +0300
To: Lau <richard@lau.com>
Cc: 'Registrars Constituency' <registrars@gnso.icann.org>
Subject: Re: [registrars] Grave Robbing and SEDO Fencing

That's what I thought too.

But seeing this happen twice in less than 3 years scares me off (although the other domain was with a different registrar).

What might be possible to secure the domains of dead people for their heirs in future at other registrars?

Lau wrote, On 8/4/2007 12:12 AM:

Well, I'm just sitting here hypothesising.

But really, Domain Hijacking is usually a form of online identity theft, where the thief one way or another convinces the Registrar (or the ISP hosting the Admin Email) that he is the owner.

I'm not one to comment on NSI's security except to say that I highly respect their senior staff and have witnessed major efforts to stamp out fraud. If anything, NSI could teach many other registrars how to protect domains. This is a far cry from the pre-Champ M. days.

Richard

From: Bashar Al-Abdulhadi [mailto:bashar@kuwaitnet.net]
Sent: 03 August, 2007 10:12 PM
To: Lau
Cc: john@johnberryhill.com; 'Registrars Constituency'
Subject: Re: [registrars] Grave Robbing and SEDO Fencing

Hello Richard,

Lau wrote, On 8/3/2007 7:42 PM:

Hi John,

So, in summary.... an identity theft occurs at NSI (hijacker pretends to be Don Teske, likely by sending in a fax with faked ID) and the buyer at Sedo claims he's an innocent purchaser....

Is it that simple at NSI to change domain ownership with fake IDs? It should be harder for an American registrant to be faked at American registrars due to the easier methods to identify ownership?
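The automated gate Tim describes above (a gaining registrar refusing a transfer when the create date is inside the 60-day window, and treating a recent update date as a warning flag rather than a denial) as an added example; this is not code from the thread or from Go Daddy or any other registrar. It also folds in the losing-registrar check from his second point (a transfer inside 60 days is a denial). It assumes a "Key: value" whois-style record; the "Transfer Date" field is an assumption, since that date lives in the losing registrar's records rather than in public whois.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

LOCK_WINDOW = timedelta(days=60)  # the transfer policy's 60-day window
# Reference point for the samples: the date of the second transfer in the thread's timeline.
NOW = datetime(2007, 7, 12, tzinfo=timezone.utc)


class Decision(Enum):
    DENY = "deny"        # policy forbids the transfer outright
    REVIEW = "review"    # automated process stops; a human checks first
    PROCEED = "proceed"  # no 60-day signal; normal processing continues


@dataclass(frozen=True)
class Verdict:
    decision: Decision
    reasons: tuple[str, ...]


# Whois-style field names mapped onto the dates the gate reasons about. "Transfer Date"
# is an assumed field: the losing registrar knows it, but public .com whois does not show it.
_DATE_FIELDS = {"creation date": "created", "updated date": "updated", "transfer date": "transferred"}
_STAMP = re.compile(r"\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2})?Z?")


def parse_whois(text: str) -> dict[str, datetime]:
    """Extract the creation/update/transfer timestamps from a 'Key: value' record.
    Absent or unparsable fields are simply left out; the gate never treats a
    missing date as permission to proceed."""
    found: dict[str, datetime] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = _DATE_FIELDS.get(key.strip().lower()) if sep else None
        match = _STAMP.search(value) if field else None
        if match:
            stamp = datetime.fromisoformat(match.group(0).rstrip("Z"))
            found[field] = stamp.replace(tzinfo=timezone.utc)
    return found


def gate_transfer(record: dict[str, datetime], now: datetime = NOW) -> Verdict:
    """Decide whether the gaining registrar's automated transfer may continue.
    A create date or last transfer inside 60 days is a hard denial under the
    policy; a recent update date only raises a flag, since an update may be a
    contact change rather than a transfer."""
    created = record.get("created")
    if created is None:  # cannot evaluate the rule at all, so do not automate past it
        return Verdict(Decision.REVIEW, ("no creation date available",))
    hard_stops = []
    if now - created < LOCK_WINDOW:
        hard_stops.append("domain created within the last 60 days")
    transferred = record.get("transferred")
    if transferred is not None and now - transferred < LOCK_WINDOW:
        hard_stops.append("domain transferred within the last 60 days")
    if hard_stops:
        return Verdict(Decision.DENY, tuple(hard_stops))
    updated = record.get("updated")
    if updated is not None and now - updated < LOCK_WINDOW:
        return Verdict(Decision.REVIEW, ("record updated within the last 60 days; verify before continuing",))
    return Verdict(Decision.PROCEED, ())


# Constructed sample records (not real whois output); dates echo the thread's June/July 2007 timeline.
RECORD_RECENT_UPDATE = "Domain Name: EXAMPLE.COM\nCreation Date: 1995-02-14T00:00:00Z\nUpdated Date: 2007-06-20T09:15:00Z\n"
RECORD_FRESH_TRANSFER = RECORD_RECENT_UPDATE + "Transfer Date: 2007-06-10T00:00:00Z\n"
RECORD_CLEAN = "Domain Name: EXAMPLE.COM\nCreation Date: 1995-02-14T00:00:00Z\nUpdated Date: 2006-11-03T00:00:00Z\n"
```

Run against the three constructed records, the gate returns review, deny and proceed respectively; a record with no creation date also halts for review rather than passing silently.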
Tim,

The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us; it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains, stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day, with the hopes of making a few hundred bucks here and there.

Ever since Verisign switched to EPP, my rule has been: if you have the auth-info code you can do whatever you want with the domain, because it's yours.

Donny

-----Original Message-----
From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Tim Ruiz
Sent: Tuesday, August 07, 2007 6:34 AM
To: 'Registrars Constituency'
Subject: RE: [registrars] Grave Robbing and SEDO Fencing
Tim,

I would also strongly urge you not to use a single situation with a clear case of social engineering and a high-profile name to justify a policy that causes confusion, frustration and expense to thousands on a regular basis.

The fact that this is in front of us and, I expect, will be rectified appropriately shows that those restrictive policies are not needed.

What would be instructive in this matter would be for Go Daddy to let us all know how many transfers a month are refused on this basis.

Bad facts make bad law.

Regards

On 7-Aug-07, at 7:27 AM, Donny Simonton wrote:
I would also strongly urge you not to use a single situation with a clear case of social engineering and a high-profile name to justify a policy that causes confusion, frustration and expense to thousands on a regular basis.
It was posed as a "suggestion to consider". Mr. Lecoultre's note on maintaining good communications is well taken, as any system will result in errors, and being able to rectify them will always be important. There are also registrants who prefer being able to transfer domains more easily than others, and features such as ease of transfer and security are competitive trade-offs that differentiate registrar services. ICANN policy should merely set a baseline.

The EPP system has cut down considerably on registrar transfers as a primary mode of hijacking, and as Mr. Lau points out, most hijackings appear to be precipitated by an identity theft external to the domain registration system (expired or hacked admin contact email address, control of nameservers for the admin contact, and so forth). Accordingly, a registrar transfer of a hijacked name will now normally be preceded by a whois change at the losing registrar.

It would seem that, at the time of a sale, the marketplace participants would have an incentive to confirm the buyer and seller are real entities, and that the whois data is correct, particularly in circumstances where there appears to have been a sequence of rapid or recent changes leading up to the sale. Registrars cannot confirm whois data on all domains at all times.

Pawn shops generally require positive identification of someone who drops off goods to be sold. Obviously, someone walking through the door with a diamond ring is in "control" of the ring, and there may not be a good way to determine if he/she "owns" the ring. However, that person's identity can be confirmed entirely apart from the mere fact of having possession of the ring upon entering the shop. Confirming seller authority "in band", i.e. by confirming that the purported seller can be contacted through the admin contact email address, is not entirely reliable, as there is no separate "title" system for domain names apart from the whois data itself.

For example, one "out of band" method for maintaining contact with a registrant is described in this document:

United States Patent Application 20060031330
Kind Code: A1
Ruiz; Tim
February 9, 2006

Notification system and method for domain name registrars

Abstract

A system and method of the present invention allow communication via electronic messages between a Customer and a domain name Registrar, avoiding traditional electronic mail (email) communication. Email messages may not be delivered to the Customer for various reasons, including the situations where the Customer employs anti-SPAM protective technologies. The system and method of the present invention establish a Communication Link between a Customer's Computer and Registrar's Server, which avoids anti-SPAM protective technologies and email messaging altogether. The implementation of this invention would result in a higher rate of delivered messages to the Customer.

Inventors: Ruiz; Tim; (Cedar Rapids, IA)