Re: [registrars] Grave Robbing and SEDO Fencing
tim, I would also strongly urge to not use a single situation with a clear case of social engineering and a high-profile name to justify a policy that causes confusion, frustration and money to thousands on a regular basis. the fact that this is in front of us and, I expect, will be rectified appropriately shows that those restrictive policies are not needed. what would be instructive in this matter would be for go daddy to let us all know how many transfers a month are refused on this basis. bad facts make bad law.

Regards

On 7-Aug-07, at 7:27 AM, Donny Simonton wrote:

Tim,

The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there.

Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours.

Donny

-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx [mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Tim Ruiz
Sent: Tuesday, August 07, 2007 6:34 AM
To: 'Registrars Constituency'
Subject: RE: [registrars] Grave Robbing and SEDO Fencing

From my understanding of the time line that John provided in his original post on this subject, the contact change occurred in June 2007. Several days later the name was transferred to Directnic and put up for sale at Sedo. The name was sold on July 3, 2007 and then transferred to Go Daddy July 12, 2007 and was then put up for sale on eBay (auction now closed with zero bids). So it appears this all happened within a 30 to 40 day window of time.
First, I would suggest that registrars consider a policy similar to Go Daddy's when considering transfers for names that have gone through a change that affects ownership or authority. Our systems allow ownership changes but the registrant/account holder agrees to not transfer the domain for 60-days afterward, and we lock it down internally. We inform them that if they need to transfer the name right away, they should consider performing the transfer first and then complete the ownership/authority changes at the new registrar of choice. If this had been done in raven.com's case it would still have been with NSI when the rightful owner noticed the problem, and NSI could have fixed the problem much easier.

Second, I don't understand how the name got transferred from Directnic to Go Daddy so quickly. Transfer policy only allows one transfer every 60-days. Yet it appears two transfers occurred in about 40-days. It is the registrars' responsibility to enforce the 60-day rule. It is in the losing registrars' best interest to enforce that rule (the registries are not required to do so). The losing registrar knows when the domain was registered or transferred to them and should deny transfer requests if either took place within the 60-day period as required in the transfer policy. This does not appear to have been done.

If either of the policies noted above had been followed, resolving this apparent hijacking would be much easier. Now we have two gaining registrars, both of which appear to have a *good* transfer in that they received approval from the party that appeared in the Whois at the time of the request. However, we are working with NSI to try and resolve this.

Two other suggestions that may be worth considering:

1. We might lobby the registries to implement the 60-day transfer and new registration check themselves.
This would be an additional safeguard against inappropriate transfers, and is better than relying completely on the registrars to enforce - errors happen, bad actors happen, etc. Perhaps we also lobby ICANN to change the transfer policy to require this.

2. Gaining registrars should attempt to check for this rule themselves. For example, Go Daddy checks the create date of transfers ordered and does not allow the process to proceed if the create date is within 60-days, per the transfer policy. Due to the raven.com problem, we are also looking at implementing a check of the update date. If the name has been updated within the last 60-days it may indicate that a transfer has occurred. However, we are still considering how to best verify that since the update date may indicate other changes, not just transfers. But it can at least be considered a warning flag that further checks need to be done before allowing the automated process to continue.

Of course, registrars should continually hone their processes for verifying identity of users requesting changes. But relying on that as the sole mechanism to prevent hijacking is not wise. The above policies/rules would go a long way to minimizing damage when hijacking occurs, and make it much simpler and quicker to reverse.

Tim

-------- Original Message --------
Subject: Re: [registrars] Grave Robbing and SEDO Fencing
From: Sam BAVAFA <s.bavafa@xxxxxxxxxxxxxxxxxxx>
Date: Mon, August 06, 2007 5:30 pm
To: "'Registrars Constituency'" <registrars@xxxxxxxxxxxxxx>

Hi guys,

I am also interested by any solution that could avoid such ID usurpation. For now, we are asking the registrant to provide his ID copy.
When the owner change is requested, we are also asking for a copy again + physical owner change form printed and signed by both parties and if both ID copies are matching, and the signature is the same, we call the customer on his original phone number provided at the registration time and then authorise the owner change.

Sometimes info has been changed so we cannot verify all info; it means that we somehow must get our own conviction that this is the real owner (asking for details on many different infos on his account).

But when a domain belongs to a company, and the responsible has changed to another one! The only fact that this new person has access to the company account admin is not enough in my opinion.

Does someone have a better process?

Thank you.

Sam
www.Domaine.fr
www.Domaine.info

From: Bashar Al-Abdulhadi <bashar@xxxxxxxxxxxxx>
Date: Sat, 04 Aug 2007 01:27:22 +0300
To: Lau <richard@xxxxxxx>
Cc: 'Registrars Constituency' <registrars@xxxxxxxxxxxxxx>
Subject: Re: [registrars] Grave Robbing and SEDO Fencing

That's what I thought too, but seeing this happen twice in less than 3 years scares me off (although the other domain was with a different registrar). What might be possible to secure the domains of dead people to their heirs in future for other registrars?

Lau wrote, On 8/4/2007 12:12 AM:

Well, I'm just sitting here hypothesising.

But really Domain Hijacking is usually a form of online identity theft, where the thief one way or another convinces the Registrar, (or the ISP hosting the Admin Email) that he is the owner.

I'm not one to comment on NSI's security except to say that I highly respect their senior staff and have witnessed major efforts to stamp out fraud. If anything NSI could teach many other registrars how to protect domains. This is a far cry from the pre-Champ M. days.
Richard

From: Bashar Al-Abdulhadi [mailto:bashar@xxxxxxxxxxxxx]
Sent: 03 August, 2007 10:12 PM
To: Lau
Cc: john@xxxxxxxxxxxxxxxxx; 'Registrars Constituency'
Subject: Re: [registrars] Grave Robbing and SEDO Fencing

Hello Richard,

Lau wrote, On 8/3/2007 7:42 PM:

Hi John,

So, in summary.... an identity theft occurs at NSI (hijacker pretends to be Don Teske likely by sending in a fax with faked ID) and the buyer at Sedo claims he's an innocent purchaser....

It's that simple at NSI to change domain ownership with fake IDs? It should be harder for an American registrant to be faked at American registrars due to the easier methods to identify ownership?
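
The 60-day checks described in Tim Ruiz's message above (deny on a recent registration or transfer, treat a recent update date only as a warning flag), replayed against the thread's timeline. This is an added sketch, not part of the original thread and not any registrar's code; the function names and the exact days marked "constructed" are assumptions.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=60)  # the 60-day window discussed in the thread


def recent(event_day, request_day):
    """True if event_day falls in the 60 days before request_day."""
    return event_day is not None and timedelta(0) <= request_day - event_day < WINDOW


def transfer_precheck(request_day, created, last_transfer=None, last_update=None):
    """Return (decision, reasons); decision is 'deny', 'review' or 'allow'."""
    reasons = []
    if recent(created, request_day):
        reasons.append("registered within 60 days")
    if recent(last_transfer, request_day):
        reasons.append("transferred within 60 days")
    if reasons:
        return "deny", reasons
    # An update date alone is ambiguous (it changes for many reasons), so it
    # only stops the automated flow and asks for a manual check.
    if recent(last_update, request_day):
        return "review", ["updated within 60 days"]
    return "allow", []


def replay_timeline():
    """Run the thread's timeline through the check (hypothetical helper)."""
    created = date(1995, 1, 1)           # constructed: not given in the thread
    contact_change = date(2007, 6, 10)   # constructed day; thread says "June 2007"
    first_transfer = date(2007, 6, 15)   # constructed day; "several days later"
    second_transfer = date(2007, 7, 12)  # from the thread
    return [
        # First losing registrar: ownership data changed days before the request.
        transfer_precheck(first_transfer, created, None, contact_change)[0],
        # Second losing registrar: previous transfer was under 60 days earlier.
        transfer_precheck(second_transfer, created, first_transfer, first_transfer)[0],
        # Constructed later request, outside both windows.
        transfer_precheck(date(2007, 9, 1), created, first_transfer, first_transfer)[0],
    ]


if __name__ == "__main__":
    print(replay_timeline())
```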