[registrars] Grave Robbing and SEDO Fencing

elliot noss enoss at tucows.com
Tue Aug 7 12:18:16 UTC 2007


tim, I would also strongly urge to not use a single situation with a  
clear case of social engineering and a high-profile name to justify a  
policy that causes confusion, frustration and money to thousands on a  
regular basis. the fact that this is in front of us and, I expect,  
will be rectified appropriately shows that those restrictive policies  
are not needed. what would be instructive in this matter would be for  
go daddy to let us all know how many transfers a month are refused on  
this basis.

bad facts make bad law.

Regards

On 7-Aug-07, at 7:27 AM, Donny Simonton wrote:

> Tim,
> The ICANN transfer policy says that I "may" deny a transfer within the
> 60 days after a domain is transferred to us, it doesn't say that we
> "must" deny the transfer.  As more and more registrants start selling
> domains stopping them from transferring a domain just causes more
> problems.  We have many customers who flip domains every day.  With
> the hopes of making a few hundred bucks here and there.
>
> Ever since Verisign switched to EPP, my rule has been if you have the
> auth-info code you can do whatever you want with the domain, because
> it's yours.
>
> Donny
>
> -----Original Message-----
> From: owner-registrars at gnso.icann.org
> [mailto:owner-registrars at gnso.icann.org] On Behalf Of Tim Ruiz
> Sent: Tuesday, August 07, 2007 6:34 AM
> To: 'Registrars Constituency'
> Subject: RE: [registrars] Grave Robbing and SEDO Fencing
>
> From my understanding of the time line that John provided in his
> original post on this subject, the contact change occurred in June
> 2007. Several days later the name was transferred to Directnic and put
> up for sale at Sedo. The name was sold on July 3, 2007 and then
> transferred to Go Daddy July 12, 2007 and was then put up for sale on
> eBay (auction now closed with zero bids). So it appears this all
> happened within a 30 to 40 day window of time.
>
> First, I would suggest that registrars consider a policy similar to Go
> Daddy's when considering transfers for names that have gone through a
> change that affects ownership or authority. Our systems allow ownership
> changes but the registrant/account holder agrees to not transfer the
> domain for 60-days afterward, and we lock it down internally. We inform
> them that if they need to transfer the name right away, they should
> consider performing the transfer first and then complete the
> ownership/authority changes at the new registrar of choice. If this had
> been done in raven.com's case it would still have been with NSI when
> the rightful owner noticed the problem, and NSI could have fixed the
> problem much easier.
>
> Second, I don't understand how the name got transferred from Directnic
> to Go Daddy so quickly. Transfer policy only allows one transfer every
> 60-days. Yet it appears two transfers occurred in about 40-days. It is
> the registrars' responsibility to enforce the 60-day rule. It is in the
> losing registrars' best interest to enforce that rule (the registries
> are not required to do so). The losing registrar knows when the domain
> was registered or transferred to them and should deny transfer requests
> if either took place within the 60-day period as required in the
> transfer policy. This does not appear to have been done.
>
> If either of the policies noted above had been followed, resolving this
> apparent hijacking would be much easier. Now we have two gaining
> registrars, both of which appear to have a *good* transfer in that they
> received approval from the party that appeared in the Whois at the time
> of the request. However, we are working with NSI to try and resolve
> this.
>
> Two other suggestions that may be worth considering:
>
> 1. We might lobby the registries to implement the 60-day transfer and
> new registration check themselves. This would be an additional
> safeguard against inappropriate transfers, and is better than relying
> completely on the registrars to enforce - errors happen, bad actors
> happen, etc. Perhaps we also lobby ICANN to change the transfer policy
> to require this.
>
> 2. Gaining registrars should attempt to check for this rule themselves.
> For example, Go Daddy checks the create date of transfers ordered and
> does not allow the process to proceed if the create date is within
> 60-days, per the transfer policy. Due to the raven.com problem, we are
> also looking at implementing a check of the update date. If the name
> has been updated within the last 60-days it may indicate that a
> transfer has occurred. However, we are still considering how to best
> verify that since the update date may indicate other changes, not just
> transfers. But it can at least be considered a warning flag that
> further checks need to be done before allowing the automated process to
> continue.
>
> Of course, registrars should continually hone their processes for
> verifying identity of users requesting changes. But relying on that as
> the sole mechanism to prevent hijacking is not wise. The above
> policies/rules would go a long way to minimizing damage when hijacking
> occurs, and make it much simpler and quicker to reverse.
>
> Tim
>
>
> -------- Original Message --------
> Subject: Re: [registrars] Grave Robbing and SEDO Fencing
> From: Sam BAVAFA <s.bavafa at french-connexion.fr>
> Date: Mon, August 06, 2007 5:30 pm
> To: "'Registrars Constituency'" <registrars at gnso.icann.org>
>
> Hi guys,
>
> I am also interested in any solution that could avoid such ID
> usurpation.
>
> For now, we are asking the registrant to provide his ID copy. When the
> owner change is requested, we are also asking for a copy again +
> physical owner change form printed and signed by both parties and if
> both ID copies are matching, and the signature is the same, we call the
> customer on his original phone number provided at the registration time
> and then authorise the owner change.
>
> Sometimes infos has been changed so we cannot verify all infos, it
> means that we somehow must get our own conviction that this is the real
> owner (asking for details on many different infos on his account).
>
> But when a domain belongs to a company, and the responsible has changed
> to another one! The only fact that this new person has access to the
> company account admin is not enough in my opinion. Does someone have a
> better process?
>
> Thank you.
> Sam
>
> www.Domaine.fr
> www.Domaine.info
>
>
>
> From: Bashar Al-Abdulhadi <bashar at kuwaitnet.net>
> Date: Sat, 04 Aug 2007 01:27:22 +0300
> To: Lau <richard at lau.com>
> Cc: 'Registrars Constituency' <registrars at gnso.icann.org>
> Subject: Re: [registrars] Grave Robbing and SEDO Fencing
>
> That's what I thought too.
>
> but seeing this happen twice in less than 3 years scares me off
> (although the other domain was with different registrar)
>
> what might be possible to secure the domains of dead people to their
> heirs in future for other registrars?
>
> Lau wrote, On 8/4/2007 12:12 AM:
>
> Well, I'm just sitting here hypothesising.
>
> But really Domain Hijacking is usually a form of online identity theft,
> where the thief one way or another convinces the Registrar, (or the ISP
> hosting the Admin Email) that he is the owner.
>
> I'm not one to comment on NSI's security except to say that I highly
> respect their senior staff and have witnessed major efforts to stamp
> out fraud. If anything NSI could teach many other registrars how to
> protect domains. This is a far cry from the pre-Champ M. days.
>
> Richard
>
> From: Bashar Al-Abdulhadi [mailto:bashar at kuwaitnet.net]
> Sent: 03 August, 2007 10:12 PM
> To: Lau
> Cc: john at johnberryhill.com; 'Registrars Constituency'
> Subject: Re: [registrars] Grave Robbing and SEDO Fencing
>
> Hello Richard,
>
> Lau wrote, On 8/3/2007 7:42 PM:
>
> Hi John,
>
> So, in summary.... an identity theft occurs at NSI (hijacker pretends
> to be Don Teske likely by sending in a fax with faked ID) and the buyer
> at Sedo claims he's an innocent purchaser....
>
> it's that simple at NSI to change domain ownership with fake IDs?
>
> it should be harder for american registrant to be faked at american
> registrars due the easier methods to identify ownership?
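
The date checks described in Tim Ruiz's message above (refuse on a recent create date or transfer-in, treat a recent update date only as a flag for manual checks), as an added example that is not part of the thread or any registrar's code. The record fields, decision labels and sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=60)  # the 60-day period discussed in the thread


@dataclass
class DomainRecord:
    """Dates a registrar can see for a name (field names are hypothetical)."""
    name: str
    created: date                          # Whois create date
    updated: date                          # Whois update date (any change)
    transferred_in: Optional[date] = None  # known only to the losing registrar


def transfer_decision(rec: DomainRecord, requested: date):
    """Return ("deny" | "review" | "allow", reasons) for a transfer request."""
    reasons = []
    if requested - rec.created < WINDOW:
        reasons.append("created within 60 days")
    if rec.transferred_in is not None and requested - rec.transferred_in < WINDOW:
        reasons.append("transferred in within 60 days")
    if reasons:
        return "deny", reasons
    # The update date cannot distinguish a transfer from a contact edit, so it
    # only takes the request off the automated path for further checks.
    if requested - rec.updated < WINDOW:
        return "review", ["updated within 60 days: possible transfer or owner change"]
    return "allow", []


# Constructed dates that follow the order of events in the thread; not Whois data.
REQUEST = date(2007, 7, 12)
GAINING_VIEW = DomainRecord("example.com", date(1995, 3, 1), date(2007, 6, 20))
LOSING_VIEW = DomainRecord("example.com", date(1995, 3, 1), date(2007, 6, 20),
                           transferred_in=date(2007, 6, 20))
NEW_NAME = DomainRecord("example.net", date(2007, 6, 1), date(2007, 6, 1))
QUIET_NAME = DomainRecord("example.org", date(2001, 1, 1), date(2006, 1, 1))

if __name__ == "__main__":
    for label, rec in [("gaining registrar", GAINING_VIEW),
                       ("losing registrar", LOSING_VIEW),
                       ("new registration", NEW_NAME),
                       ("no recent change", QUIET_NAME)]:
        print(label, transfer_decision(rec, REQUEST))
```

The gaining registrar sees only the public dates, so the same request that the losing registrar can refuse outright comes back from its side as a manual-review flag.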



