[CPWG] Transfer Policy Review Team: Question about the 60-days lock

Theo Geurts atlarge at dcx.nl
Thu Nov 18 12:20:36 UTC 2021 

John, 

Can you explain the relationship between domain locks for 60 days and attacks using stolen payment details?
A lot of the EU ccTLD registries and other ccTLDs do not have such a 60-day lock and I never saw any issues in relation to stolen payment details. And to be clear, we process a lot of incoming and outgoing ccTLD transfers. 

In addition, to drastically reduce domain theft, you have to have a big issue of domain theft first. The current amount of unauthorized transfers complaints is very low as provided by compliance. I suspect domain theft (which is a different bucket) is even lower, though we do not have real statistics. With the exception of IRTP-D, from what I recall dispute providers had a total of 2 cases since 2016. 

I do not mind the 60 day lock in the sense that it bothers me. However, as a registrar, I would not mind the option to be able to remove the lock in certain scenarios. 

Thanks, 
Theo

On Wed, Nov 17, 2021, at 9:25 PM, John McCormac via CPWG wrote:
> On 09/11/2021 17:44, Steinar Grøtterød via CPWG wrote:
> > Dear all,
> > 
> > At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. 
> > The present policy – and the majority of Registry Operators, have a 
> > 60-days transfer lock after the initial registration of a domain name 
> > AND a 60-days lock after a successful inter-registrar transfer.
> > 
> > Based on the discussion in the TPR WG, I would like to hear the CPWG 
> > opinion by asking the following:
> 
> Following up on today's meeting:
> 
> > 1. Are we in favor of keeping the 60-days lock after the initial 
> > registration of a domain name?
> 
> Yes.
> This is still important to deal with issues of reversed creditcard 
> charges and non-payment. While payments systems have improved, this 60 
> day lock is still a defence against an orchestrated attack using stolen 
> payment details.
> 
> > 2. Are we in favor of keeping the 60-days lock after a successful 
> > transfer of a domain name?
> 
> Yes.
> This is one way of drastically reducing the chances of success for 
> domain name theft. Domain name thieves generally use multiple registrars 
> to make it difficult for the registrant to recover their stolen domain name.
> 
> > 3. Could the above be optional?
> 
> No.
> And ICANN Compliance should proactively enforce it.
> 
> > 4. Should the Registrant has the option to opt-out?
> 
> No.
> Do the people who came up with the proposal of making it opt-out for 
> registrants actually understand the issue of domain name theft/hijacking 
> and how the thieves transfer a stolen domain name from registrar to 
> registrar to make it difficult for registrants to recover their domain 
> name?
> 
> 
> On a related issue that came up in the call, Domain Tasting is very 
> different from registrars simply offering time limited promotions.
> 
> Domain Tasting involved registrars simply being set up for the purposes 
> of tasting and deleting millions of domain names in the five day Add 
> Grace Period. This exploitation of the AGP spread to retail registrars. 
> Over approximately five years, over 1 billion (1,000,000,000) .COM 
> domain names were tasted. The ICANN registry reports were flawed and 
> incomplete at the time and remained so until 2014. Those of us who were 
> tracking the issue at a domain name level measured it in worn out 
> harddrives.
> 
> It was only when legal action was taken against a few key registrars and 
> Google announced that it would not monetise registrations within their 
> five day AGP period that Domain Tasting took a near fatal hit. ICANN was 
> stuck in a procastination loop while Domain Tasting was happening but it 
> was convinced to eventually do the right thing by adding a "restocking" 
> fee for new registations deleted within the AGP. When that was 
> implemented, large-scale Domain Tasting stopped. Domain Tasting has 
> nothing to do with the 60 day locks.
> 
> Regards...jmcc
> -- 
> **********************************************************
> John McCormac  *  e-mail: jmcc at hosterstats.com
> MC2            *  web: http://www.hosterstats.com/
> 22 Viewmount   *  Domain Registrations Statistics
> Waterford      *  Domnomics - the business of domain names
> Ireland        *  https://amzn.to/2OPtEIO
> IE             *  Skype: hosterstats.com
> **********************************************************
> 
> -- 
> This email has been checked for viruses by AVG.
> https://www.avg.com
> 
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
> 
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/mailman/private/cpwg/attachments/20211118/9a040be6/attachment.html>

More information about the CPWG mailing list