RE: [registrars] RE: Registrar Approval of Variable Accreditation Fee for 2003-2004
- To: "'Donny Simonton'" <donny@xxxxxxxxxxxxxxx>, "'Rick Wesson'" <wessorh@xxxxxx>, "'Elana Broitman'" <ebroitman@xxxxxxxxxxxx>
- Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation Fee for 2003-2004
- From: Paul Stahura <stahura@xxxxxxxx>
- Date: Wed, 3 Sep 2003 11:41:51 -0700
- Cc: "'Registrars List'" <registrars@xxxxxxxx>
- Sender: owner-registrars@xxxxxxxxxxxxxx
This is the main crux of the problem: it does not work in practice, but,
hey, it looks good.
Because even if an address was a precise and a valid address,
it is not necessarily the address of the person making the registration.
This address is a valid address:
Smith, David
25242 Riverside Drive Ext
Seaford, DE 19973
Phone: 302-629-9829
(there are millions of them, just go to infospace.com, I picked this one at
random)
But did David Smith make the registration?
Or did a bad-guy just type in David's information?
The bad-guy could just as easily use a valid address anywhere on the planet.
Only good-guys would enter true information.
Then, too bad for them, but that true information would be even more valuable
to the bad-guy whois-harvesters.
The only way to know if David Smith is the guy who controls the domain is to
send David Smith a postal letter at that
address and have David confirm receipt of the letter and confirm intention
to register the name.
Even the .uk registry, a monopoly, has stopped sending paper around the
planet.
Then you'd have to do the same with the phone number (call it and have the
person who answers make the same confirmations),
but even that high-cost operation will be gamed by the bad guys because the
phone number can be
the number of a disposable cell phone, public phone near the valid but
untrue street address etc.
Sending a message to an email address, though low-cost, proves nothing about
the registrant's identity besides the fact
that the person who controls the domain also controls a nearly anonymous
free email address.
The costs are too high and the real benefit too low.
The only benefit is that we would be seen as "doing something" at the time
of registration.
We (I mean the Internet and the public) get more bang for the buck by doing
the above
(sending paper, calling phone numbers, sending email, etc) when there is a
known problem.
Paul
-----Original Message-----
From: Donny Simonton [mailto:donny@xxxxxxxxxxxxxxx]
Sent: Wednesday, September 03, 2003 8:15 AM
To: 'Rick Wesson'; 'Elana Broitman'
Cc: 'Registrars List'
Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation
Fee for 2003-2004
The biggest problem we have found is getting the address information from
all of the different countries to be able to have a 100% correct address
verification system. In the US and Canada and I'm sure other countries you
can buy address information for a few thousand a year. Then you have to buy
the phone numbers from somebody else, Neustar if I remember correctly. That
would work fine for US and Canada.
But most of our fraud is not in the US or Canada, it's in other countries
that you are not able to get the address information from their postal
service. And how would you verify this address anyway? This is a real
address of one of our customers.
"120 meters past McDonald's on Rue Flat Road".
Yes and it's valid, because a hotel that is also on the same street is 240
meters past McDonald's.
So address and phone number verification is a great idea, we spent almost 2
months working on it, then you get outside the US and Canada and you run
into all kinds of issues with trying to verify the address and phone number.
Good in theory, not good in practice.
Donny
> -----Original Message-----
> From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-
> registrars@xxxxxxxxxxxxxx] On Behalf Of Rick Wesson
> Sent: Wednesday, September 03, 2003 9:53 AM
> To: Elana Broitman
> Cc: Registrars List
> Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation
> Fee for 2003-2004
>
>
>
> Elana,
>
> do you have a link to information about the hearing?
>
> my $.02...
>
> doing registrant validation on signup cuts down fraud so if one reviews
> the amount of chargebacks one gets versus the cost of whois accuracy
> requirements performing such validation actually saves us more in
> chargebacks than costs us in performing the validation.
>
> We allow just about anything through the signup process and just don't
> process the fraudulent or highly suspicious applications.
>
> We are working on more elaborate techniques to handle bounces and staging
> other automated means of communication such as: if email bounces and we
> have a fax, send a fax, if the fax bounces send a postcard, if all
> attempts bounce note the information is bad and lock the account with a
> note that will require additional information if the registrant comes to
> renew the domain.
>
> We could get even more elaborate by identifying telephone numbers that are
> mobile numbers and sending an SMS message but we don't have the volume of
> registrations to make that interesting yet.
>
> best,
>
> -rick
>
>
> On Wed, 3 Sep 2003, Elana Broitman wrote:
>
> > On the same note, I am again going out to everyone with a request for
> > some data (even merely anecdotal) on how you comply with whois
> > accuracy requirements in the RAA and cost of doing so. This is very
> > important to provide before tomorrow's Congressional hearing in order to
> > help protect us from "unfunded mandates" based on incomplete
> > information supplied by interest groups pushing for more Whois
> > verification and availability.
> >
> > Thanks
> >
> > Elana Broitman
>
>