[registrars] Grave Robbing and SEDO Fencing

Donny Simonton donny at intercosmos.com
Tue Aug 7 11:27:14 UTC 2007 

Tim,
The ICANN transfer policy says that I "may" deny a transfer within the 60
days after a domain is transferred to us, it doesn't say that we "must" deny
the transfer.  As more and more registrants start selling domains stopping
them from transferring a domain just causes more problems.  We have many
customers who flip domains every day.  With the hopes of making a few
hundred bucks here and there.

Ever since Verisign switched to EPP, my rule has been if you have the
auth-info code you can do whatever you want with the domain, because it's
yours.

Donny

-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Tim Ruiz
Sent: Tuesday, August 07, 2007 6:34 AM
To: 'Registrars Constituency'
Subject: RE: [registrars] Grave Robbing and SEDO Fencing

>From my understanding of the time line that John provided in his
original post on this subject, the contact change occured in June 2007.
Several days later the name was transferred to Directnic and put up for
sale at Sedo. The name was sold on July 3, 2007 and then transferred to
Go Daddy July 12, 2007 and was then put up for sale on eBay (auction now
closed with zero bids). So it appears this all happened within a 30 to
40 day window of time.

First, I would suggest that registrars consider a policy similar to Go
Daddy's when considering transfers for names that have gone through a
change that affects ownership or authority. Our systems allow ownership
changes but the registrant/account holder agrees to not transfer the
domain for 60-days afterward, and we lock it down internally. We inform
them that if they need to transfer the name right away, they should
consider performing the transfer first and then complete the
ownership/authority changes at the new registrar of choice. If this had
been done in raven.com's case it would still have been with NSI when the
rightful owner noticed the problem, and NSI could have fixed the problem
much easier.

Second, I don't understand how the name got transferred from Directnic
to Go Daddy so quickly. Transfer policy only allows one transfer every
60-days. Yet it appears two transfers occured in about 40-days. It is
the registrars' responsibility to enforce the 60-day rule. It is in the
losing registrars' best interest to enforce that rule (the registries
are not required to do so). The losing registrar knows when the domain
was registered or transferred to them and should deny transfer requests
if either took place within the 60-day period as required in the
transfer policy. This does not appear to have been done.

If either of the policies noted above had been followed, resolving this
apparent hijacking would be much easier. Now we have two gaining
registrars, both of which appear to have a *good* transfer in that they
received approval from the party that appeared in the Whois at the time
of the request. However, we are working with NSI to try and resolve
this.

Two other suggestions that may be worth considering:

1. We might lobby the registries to implement the 60-day transfer and
new registration check themselves. This would be an additional safeguard
against inappropriate transfers, and is better than relying completely
on the registrars to enforce - errors happen, bad actors happen, etc.
Perhaps we also lobby ICANN to change the transfer policy to require
this.

2. Gaining registrars should attempt to check for this rule themselves.
For example, Go Daddy checks the create date of transfers ordered and
does not allow the process to proceed if the create date is within
60-days, per the transfer policy. Due to the raven.com problem, we are
also looking at implementing a check of the update date. If the name has
been updated within the last 60-days it may indicate that a transfer has
occured. However, we are still considering how to best verify that since
the udate date may indicate other changes, not just transfers. But it
can at least be considered a warning flag that further checks need to be
done before allowing the automated process to continue.

Of course, registrars should continually hone their processes for
verifying identity of users requesting changes. But relying on that as
the sole mechanism to prevent hijacking is not wise. The above
policies/rules would go a long way to minimizing damage when hijacking
occurs, and make it much simpler and quicker to reverse.

Tim 


-------- Original Message --------
Subject: Re: [registrars] Grave Robbing and SEDO Fencing
From: Sam BAVAFA <s.bavafa at french-connexion.fr>
Date: Mon, August 06, 2007 5:30 pm
To: "'Registrars Constituency'" <registrars at gnso.icann.org>

Hi guys,

I am also interested by any solution that could avoid such ID
usurpation.

For now, we are asking to the registrant to provide his ID copy. When
the owner change is requested, we are also asking for a copy again +
physical owner change form printed and signed by both parties and if
both ID copies are matching, and the signature is the same, we call the
constumer on his original phone number provided at the registration time
and then authorise the owner change.

Sometimes infos has been changed so we cannot verify all infos it means
that we somehow must get our own conviction that his is the real owner
(askling for details on many different infos on his account).

But when a domain belong to a company, and the responsible has changed
to another one!. The only fact that this new person has access to the
company account admin is not enought to my opinion. Is someone has a
better process ?

Thank you.
Sam

www.Domaine.fr
www.Domaine.info



De : Bashar Al-Abdulhadi <bashar at kuwaitnet.net>
Date : Sat, 04 Aug 2007 01:27:22 +0300
@ : Lau <richard at lau.com>
Cc : 'Registrars Constituency' <registrars at gnso.icann.org>
Objet : Re: [registrars] Grave Robbing and SEDO Fencing

Thats what i thought too.



but seeing this happen twice in less than 3 years scares me off
(although the other domain was with different registrar)



what might be possible to secure the domains of dead people to their
heirs in future for other registrars?





Lau wrote, On 8/4/2007 12:12 AM:
    
 

Well, I'm just sitting here hypothesising.



But really Domain Hijacking is usually a form of online identity theft,
where the thief one way or another convinces the Registrar, (or the ISP
hosting the Admin Email) that he is the owner.



I'm not one to comment on NSI's security except to say that I highly
respect their senior staff and have witnessed major efforts to stamp out
fraud. If anything NSI could teach many other registrars how to protect
domains. This is a far cry from the pre-Champ M. days.







Richard





  




From: Bashar Al-Abdulhadi [mailto:bashar at kuwaitnet.net] 
 Sent: 03 August, 2007 10:12 PM
 To: Lau
 Cc: john at johnberryhill.com; 'Registrars Constituency'
 Subject: Re: [registrars] Grave Robbing and SEDO Fencing

 


Hello Richard,
 
Lau wrote, On 8/3/2007 7:42 PM:


Hi John,



So, in summary.... an identity theft occurs at NSI (hijacker pretends to
be

Don Teske likely by sending in a fax with faked ID) and the buyer at
Sedo

claims he's an innocent purchaser....  

 



its that simple at NSI to change domain ownership with fake IDs? 
 
it should be harder for american registrant to be faked at american
registrars due the easier methods to identify ownership?

More information about the registrars mailing list