ICANN/GNSO GNSO Email List Archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [registrars] RE: Registrar Approval of Variable Accreditation Fee for 2003-2004

  • To: "'Rick Wesson'" <wessorh@xxxxxx>
  • Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation Fee for 2003-2004
  • From: Paul Stahura <stahura@xxxxxxxx>
  • Date: Wed, 3 Sep 2003 16:23:42 -0700
  • Cc: "'Donny Simonton'" <donny@xxxxxxxxxxxxxxx>, "'Elana Broitman'" <ebroitman@xxxxxxxxxxxx>, "'Registrars List'" <registrars@xxxxxxxx>
  • Sender: owner-registrars@xxxxxxxxxxxxxx

Rick I see what you are saying but the problem is that the cost of
implementation is great,
and the cost of defeating it is very very small.  Its not that it is
possible to defeat it
(which you and I agree that it is), its that it costs no money to defeat it.
Its easy.

"Doing nothing" (which I should add none of us, to my knowledge, are
doing... we are all doing something, AFAIK)
is defeated by bad-guys for very nearly the same cost ($0) as "doing
everything possible" is defeated.

Plus, if we "do something" on the front-end (at registration) we have to "do
something" for every name, even when 
the vast majority of those names did not need for us to "do something"
(by far most registrants are good-guys), thereby increasing the costs
dramatically.

BTW if the costs increase too much, all registrars will offer
domains-by-proxy for free because it will be cheaper.
What happens when all the whois output is true, accurate.... and the same?

Which is why when we "do something" we should only "do something" when we 
know there is an issue (notice from ICANN for example).
Which is what I think most of us (all?) are doing, and where I'd devote
additionally resources 
as an industry because it would be effectively spent.

We all want more accurate, true, easily accessible, information in the
whois.
IMO, expensive front-end "checking" will not lead to accurate, true, easily
accessible
whois information on names where it counts (bad-guy names).

Best2,
Paul

-----Original Message-----
From: Rick Wesson [mailto:wessorh@xxxxxx] 
Sent: Wednesday, September 03, 2003 1:51 PM
To: Paul Stahura
Cc: 'Donny Simonton'; 'Elana Broitman'; 'Registrars List'
Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation
Fee for 2003-2004



Paul,

The example you and Donny put forth are both extremes. Postal validation
alone is not 100% accurate and not for any postal system including the
US Post Office. understand that all postal systems recognize this fact.

Any one of the examples below based solely on postal address and phone
numbers are going to have big holes for gaming. You have to go beyond just
evaluating the name and address in testing accuracy of a registration.

The big point that must be communicated to the congress critters is that
no matter the method or methodology of a heuristic to test accuracy of
registrant data, none are 100% accurate. They know this, credit card
companies know it and so does any large business that manages customer
lists or looks for terrorists at airports -- but it is good to remind
everyone involved that no system will provide 100% accuracy.

Paul's point (i think) is that even if we filter inaccurate data it is
still posable to commit fraud (ie successfully lie) From my conversations
with the concerned parties is that they understand there will always be
ways to lie but desire a higher standard that what our industry currently
implements which is -- effectively no checking at all.



best,

-rick




On Wed, 3 Sep 2003, Paul Stahura wrote:

> This is the main crux of the problem: it does not work in practice, but,
> hey, it looks good.
>
> Because even if an address was a precise and a valid address,
> it is not necessarily the address of the person making the registration.
>
> This address is a valid address:
> Smith, David
> 25242 Riverside Drive Ext
> Seaford, DE 19973
> Phone: 302-629-9829
> (there are millions of them, just go to infospace.com, I picked this one
at
> random)
>
> But did David Smith make the registration?
> Or did a bad-guy just type in David's information?
> The bad-guy could just as easily use a valid address anywhere on the
planet.
> Only good-guys would enter true information.
> Then, to bad for them, but that true information would be even more
valuable
> to the bad-guy whois-harvesters.
>
> The only way to know if David Smith is the guy who controls the domain is
to
> send David Smith a postal letter at that
> address and have David confirm receipt of the letter and confirm intention
> to register the name.
> Even the .uk registry, a monopoly, has stopped sending paper around the
> planet.
> Then you'd have to do the same with the phone number (call it and have the
> person who answers make the same confirmations),
> but even that high-cost operation will be gamed by the bad guys because
the
> phone number can be
> the number of a disposable cell phone, public phone near the valid but
> untrue street address etc.
> Sending a message to an email address, though low-cost, proves nothing
about
> the registrant's identity besides the fact
> that the person who controls the domain also controls a nearly anonymous
> free email address.
>
> The costs are too high and the real benefit too low.
> The only benefit is that we would be seen as "doing something" at the time
> of registration.
>
> We (I mean the Internet and the public) get more bang for the buck by
doing
> the above
> (sending paper, calling phone numbers, sending email, etc) when there is a
> known problem.
>
> Paul
>
>
>
> -----Original Message-----
> From: Donny Simonton [mailto:donny@xxxxxxxxxxxxxxx]
> Sent: Wednesday, September 03, 2003 8:15 AM
> To: 'Rick Wesson'; 'Elana Broitman'
> Cc: 'Registrars List'
> Subject: RE: [registrars] RE: Registrar Approval of Variable Accreditation
> Fee for 2003-2004
>
>
> The biggest problem we have found is getting the address information from
> all of the different countries to be able to have a 100% correct address
> verification system.  In the US and Canada and I'm sure other countries
you
> can buy address information for a few thousand a year.  Then you have to
buy
> the phone numbers from somebody else, Neustar if I remember correctly.
That
> would work fine for US and Canada.
>
> But most of our fraud is not in the US or Canada, it's in other countries
> that you are not able to get the address information from their postal
> service.  And how would you verify this address anyway?  This is a real
> address of one of our customers.
> "120 meters past McDonald's on Rue Flat Road".
>
> Yes and it's valid, because a hotel that is also on the same street is 240
> meters past McDonald's.
>
> So address and phone number verification is a great idea, we spent almost
2
> months working on it, then you get outside the US and Canada and you run
> into all kinds of issues with trying to verify the address and phone
number.
> Good in theory, not good in practice.
>
> Donny
>
> > -----Original Message-----
> > From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-
> > registrars@xxxxxxxxxxxxxx] On Behalf Of Rick Wesson
> > Sent: Wednesday, September 03, 2003 9:53 AM
> > To: Elana Broitman
> > Cc: Registrars List
> > Subject: RE: [registrars] RE: Registrar Approval of Variable
Accreditation
> > Fee for 2003-2004
> >
> >
> >
> > Elana,
> >
> > do you have a link to information about the hearing?
> >
> > my $.02...
> >
> > doing registrant validation on signup cuts down fraud so if one reviews
> > the amount of chargebacks one gets verses the cost of whois accuracy
> > requirements performing such validation actually saves us more in
> > chargebacks than costs us in performing the validation.
> >
> > We allow just about anything through the signup process and just don't
> > process the fraudulent or highly supcious applications.
> >
> > We are working on more elaborate techniques to handle bounces and
staging
> > other automated means of communication such as: if email bounces and we
> > have a fax, send a fax, if the fax bounces send a postcard, if all
> > attempts bounce note the information is bad and lock the account with a
> > note that will require additional information if the registrant comes to
> > renew the domain.
> >
> > We could get even more elaborate by identifying telephone numbers that
are
> > mobile numbers and sending an SMS message but we don't have the volume
of
> > registrations to make that interesting yet.
> >
> > best,
> >
> > -rick
> >
> >
> > On Wed, 3 Sep 2003, Elana Broitman wrote:
> >
> > > On the same note, I am again going out to everyone with a request for
> > > some data (even merely anecdotal) on how you comply with whois
> > > accuracy requirements in the RAA and cost of doing so.  This is very
> > > important to provide before tomorrow's Congressional hearing in order
> > > help protect us from "unfunded mandates" based on incomplete
> > > information supplied by interest groups pushing for more Whois
> > > verification and availability.
> > >
> > > Thanks
> > >
> > > Elana Broitman
> >
> >
>
>




<<< Chronological Index >>>    <<< Thread Index >>>