[gnso-rpm-wg] Identity Theft -- how it affects various proposals submitted

George Kirikos icann at leap.com
Fri Sep 7 12:09:45 UTC 2018


Hi folks,

Reviewing some of the proposals that were submitted by last night's
deadline, I think that they'd encounter some very serious problems in
terms of implementation, because of lack of WHOIS verification and
vulnerabilities associated with identity theft.

For example, there were multiple "loser pays" submissions (I too am on
the record as being strongly in favour of "loser pays" as a concept,
but I qualified my support, noting (without going into too much
detail):

https://mm.icann.org/pipermail/gnso-rpm-wg/2018-August/003226.html

that (in point #11) the system had to be carefully constructed, with
systems of checks and balances in place).

While I made submissions on other topics, folks will note I didn't
submit one on "loser pays" at this time, because I realized that in
order to properly implement a loser pays system one would need to
solve a whole series of other problems first. And to solve those other
problems first might become a monumental task (I'd be up to that
monumental task, but not sure the rest of the PDP members would be
willing to do it! If the rest of the group does want to solve them,
I'd love to rise to the challenge too).

So, here's just one of the major problems that would need to be solved
before implementing "loser pays" or penalties --- lack of WHOIS
verification which relates to identity theft. Registrars generally
don't have any "Know Your Client" requirements and there is no real
verification of the true identity of the person/entity that purports
to be the registrant. There might be verification that the email
address and/or the telephone number are verified. But, all the rest of
the fields in the WHOIS can easily be faked, or used to impersonate
others to commit identity theft.

This is not some theoretical issue. I know first hand, as someone
using a Chinese registrar copied my company's WHOIS for a malware
domain, see the historical WHOIS at:

https://research.domaintools.com/research/whois-history/search/?q=antivirusan.com&date=2011-06-16&origin=permalink

(I had a Google Alert triggered, and that's how I noticed it; the
attacker changed the phone number by 1 digit from my real phone
number, but copied my name, company name, fax, address, and used a
gkirikos@ address (obviously not matching my real email address).)

[I complained to the registrar, and also using an ICANN WHOIS complaint]

[NB: with GDPR and redacted WHOIS out there, it could be happening
*now* -- how would I know??]

This has even happened within UDRP cases, where there has been
identity theft, see:

http://www.udrpsearch.com/search?query=identity%20theft&search=text&results=100&start=1

for various matches, e.g.:

http://www.adrforum.com/domaindecisions/1774660.htm
http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1843

So, let's consider various scenarios. If there's a "loser pays"
system, new vulnerabilities would be created if a system is not
carefully constructed. An attacker could copy someone else's
name/identity, use it for cybersquatting, and "lose" a UDRP/URS. Now
that victim of identity theft would potentially have a liability for
damages on a domain they never actually registered, using a registrar
that they never had any relationship with.

Most of the time, the registrar simply has a relationship with a
purported identity, not a verified identity with a verified
relationship (i.e. "Tom Cruise" is a real person, but the famous actor
Tom Cruise is unlikely to be the actual registrant with a real
relationship with a registrar, if that actor's name is placed into the
WHOIS by an attacker).

One of the proposals went even further, saying:

https://community.icann.org/display/RARPMRIAGPWG/URS+Proposals

"the penalties should include (i) a requirement that the registrant
deposit funds into an escrow account, or provide an equivalent
authorization on a credit card, with each new domain registration
(such funds could be dispersed to prevailing complainants in future
domain name disputes against that registrant as part of a “loser pays”
system), and (ii) a universal blocking of all domain registrations for
a set period for the registrant (i.e. “blacklisting” the registrant on
a temporary basis)" (from proposal #30)

It should be fairly obvious that such a scheme would enable an
attacker to engage in a Denial of Service attack against a victim, by
impersonating them (stealing their identity).

e.g. (a) spend $20 total on a few dozen "throwaway" domains that have
a sub-$1 dollar promo price (b) copy the victim's identity on a series
of "famousbrand-authorized-store.newgtld" domains (c) wait for the
victim to lose the URS/UDRP and be labelled a "repeat offender" or
"high volume cybersquatter"

Now when the *real* victim wants to register a domain at their real
registrar, they'll suddenly encounter their name on a "blacklist"!!

To show how truly vulnerable the system is to an attack, there's
likely no real verification by the URS/UDRP providers that a
*Complainant* is who they say they are!

So, let's suppose the "victim" is "John Smith". The attacker has
created the cybersquatting domains under the "John Smith" name, using
multiple trademarks of Amazon, for example. Instead of waiting for the
brandholder Amazon to file a URS (i.e. step (c) above), a truly
motivated attacker (think state-funded actors, as an example, that
want to interfere with a business competitor or an election) could go
even further, and go impersonate the brandholder and file the URS or
UDRP actions as a complaint!

This email's getting long, and the more sophisticated readers can see
where this takes us. I won't go into too much more detail now (can
expand later, if desired), but you'd need to develop a system not only
to verify identity properly, but also a system to *DISAVOW* domain
name registrations. That disavowal system would be very hard for
domains (a disavowal system was developed by Google for backlinks,
https://support.google.com/webmasters/answer/2648487?hl=en , but
that's much easier). [Real verification could take place via a digital
signature system, like the one that exists in Estonia, for example]

And even if one did verify identity properly (e.g. "John Smith" is
labelled a serial cybersquatter), there are so many people that share
common names (think China, India) that the blacklist would have
collateral damage on many innocent registrants.

And here's the thing -- an attacker can simply create a new real
identity (even a "verified" one) very cheaply. For £12, (USD $15.59 at
the time of this post), one can create a real UK company online within
24 hours:

https://www.gov.uk/limited-company-formation/register-your-company

(or effectively "free" if one uses a stolen credit card, as criminals
tend to do!)

So, even a "properly" implemented system would not be effective, if
one can create new verified identities at low cost.

The only real parties within the ICANN system that *are* verified are
registrars and registries, and I think they would likely push back
very hard if they are the "losers" who have to pay up. [an unverified
Complainant can put up a security bond before filing a complaint, and
to that extent that bond could also represent security if the
Complainant loses, albeit the Complainant themselves may not be who
they say they are.]

[by the way, I do like the idea of posting security bonds, but not in
the manner that the proposals have suggested --- I would want security
bonds as a means for registrants to completely *opt-out* of URS/UDRP,
so that any disputes for a "bonded" registrant/domain can be handled
only by the courts]

Even the real legal system (court system) could be subject to attempts
at foul play using these kinds of tricks. However, real courts have
much stronger due process mechanisms and machinery (e.g. court orders,
contempt, etc.) to deal with them (e.g. subpoena the registrar who
enabled the identity theft, discovery, etc.) and the real victim would
have to be properly served, etc. URS/UDRP providers don't have those
strong mechanisms or powers.

So, I'm very sympathetic to the motivation behind these proposals, and
the objective to go after the bad guys. I want loser pays too, in
order to protect my company from frivolous complaints. I know others
with valuable domains want the same thing. But, the proposals on the
table right now will need much, much more work before I can support
them. All the various vulnerabilities that are present in the system
*today* will be magnified if "loser pays" or "penalties" are adopted
without addressing issues like verification and identity theft first.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/

P.S. I don't know if we have any SSAC members on this PDP, but the
broader issue of vulnerabilities and identity theft might be passed on
to them for advice.
