PSA:New ICANN Rules Make DOMAIN HIJACKING Easier

alm4rr

Diamond Member
Dec 21, 2000
4,390
0
0
:(
Domain names could become easier to hijack as a change in domain transfer rules takes effect Friday. Under new rules set by the Internet Corporation for Assigned Names and Numbers (ICANN), domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain's ownership and nameservers remain unchanged if there is no response to a transfer request.

This could mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain's WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering "yes" to a transfer request, according to the ICANN policy change.

"Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default 'approval' of the transfer," the new rules state. "In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed."

As the deadline for the change approaches, domain registrars are contacting domain owners and insisting that they update domain records to avoid unwanted changes. "From November 8-10, we are sending an email to all domain customers informing you of a new domain transfer policy, enforced by ICANN," Go Daddy told its users. "This policy dictates that we must honor any transfer requests, even if you do not personally confirm them. To prevent unauthorized transfers, lock your domains." There are reports of other registrars providing stern warnings to customers about the need to update their details within five days, perhaps to establish which domains may have outdated info.

Domains have become valuable business assets, yet are often loosely managed by business owners, who neglect to update their WHOIS information following changes in staff or e-mail addresses. Companies that have let critical domains lapse include The Washingon Post, the Gawker weblog and perhaps the most embarassing gaffe yet, the UK domain for Ogilvy Mather.

ICANN appears to be anticipating a spike in disputes, and today announced appointments to manage its domain dispute resolution policy.



GoDaddy says:
From November 8-10, we are sending an email to all domain customers informing you of a new domain transfer policy, enforced by ICANN (The Internet Corporation for Assigned Names and Numbers). This policy dictates that we must honor any transfer requests, even if you do not personally confirm them. To prevent unauthorized transfers, lock your domains. This service is free and takes only a minute.
 

Double Trouble

Elite Member
Oct 9, 1999
9,272
103
106
Thanks for the "heads up". I noticed it says "to prevent unauthorized transfers, lock your domains". I've made sure the contact info for my domains is up to date, but how does one go about "locking" a domain?
 

rh71

No Lifer
Aug 28, 2001
52,853
1,048
126
the only godaddy email I've gotten is one about the Marine's 229th birthday and how they're celebrating it today.
 

alm4rr

Diamond Member
Dec 21, 2000
4,390
0
0
for GoDaddy, you gotta go into your account settings / manage domains / Click on the domain name you want / right panel should have link to lock domain
 

rh71

No Lifer
Aug 28, 2001
52,853
1,048
126
Originally posted by: tagej
Thanks for the "heads up". I noticed it says "to prevent unauthorized transfers, lock your domains". I've made sure the contact info for my domains is up to date, but how does one go about "locking" a domain?
For Godaddy --> Manage Domains --> Set Locking --> Save Changes
 

dartworth

Lifer
Jul 29, 2001
15,195
1
81
Originally posted by: tagej
Thanks for the "heads up". I noticed it says "to prevent unauthorized transfers, lock your domains". I've made sure the contact info for my domains is up to date, but how does one go about "locking" a domain?



Under "manage domains" look for the "set locking" or "modify registrar lock" button...

Pretty self explanitory from there...
 

alm4rr

Diamond Member
Dec 21, 2000
4,390
0
0
Originally posted by: FoBoT
so the short lessson is, keep your contact info up to date.

ok, that seems a bit obvious

Tell that to the Washingtonpost.com

(which Maybe I can own after Friday ;) )
 

sciencewhiz

Diamond Member
Jun 30, 2000
5,885
8
81
On the other hand, if your contact information was out of date before, you'd never be able to transfer your domain.
 

jjones

Lifer
Oct 9, 2001
15,425
2
0
Originally posted by: rh71
now what was the reasoning behind this switch ?
Lack of timely responsiveness by registrars and admin contacts. Too often legitimate domain transfer requests are submitted only to be left without response from the registrar or approval from the admin contact, which then go past the approval deadline and fail to get tranferred. This can leave the owner of the domain very frustrated when they have to repeatedly do transfer requests only to have them go unapproved. This process takes time and can drag out indefinately.

I don't really see too much of a problem with this new rule from ICANN. It is only for transfers between registrars, not changes of domain ownership or contacts. If you have a good registrar, or have the option to lock your domains, this will never become an issue.

Edit: There is one issue of abuse that does concern me. An unsavory registrar could submit a bulk of various domain names to be transferred to themselves, reaping in the domains that fail to get the transfer disapproved, and then modifying the registrant and contact information through their own internal system. I don't really think this would happen as ICANN would be all over them in a short while as that kind of activity would catch up with them very soon.
 

waggy

No Lifer
Dec 14, 2000
68,145
10
81
hmm i wonder if namecheap has the lock feature.

but there are like 2 domains i would like. What ticks me off one is for sale and the other is blank.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,331
10,043
126
As if Verisign was already notorious for Domain slamming"... now ICANN has basically given them the green light to start doing that. I'd be willing to bet that ICANN is going to profit mightily by this too, if the number of domain disputes rises greatly.

What a crock! This is why everything on the internet needs to move to a decentralized, P2P model. Centralization of power only leads to abuse. Free the internet - and your mind will follow. :)

 

fr

Diamond Member
Oct 10, 1999
6,408
2
81
Originally posted by: jjones
I don't really see too much of a problem with this new rule from ICANN. It is only for transfers between registrars, not changes of domain ownership or contacts. If you have a good registrar, or have the option to lock your domains, this will never become an issue.

This is how I remember the process worked the last time I did it:

1. Create an account at a registrar and elect to renew a domain and transfer from another registrar.
2. Type in the domain name.
3. Approval request is sent to the owner.
4. Owner chooses to approve or decline request.
5. Owner approves.
5. Domain is transferred to new registrar under the account that requested it.

If step 5 is no longer required and the domain is transferred by default when the request is ignored, the new account can change the ownership information and has complete control over the domain. Maybe the process has changed or I am not remembering it correctly.

 

sciencewhiz

Diamond Member
Jun 30, 2000
5,885
8
81
Originally posted by: fr
This is how I remember the process worked the last time I did it:

1. Create an account at a registrar and elect to renew a domain and transfer from another registrar.
2. Type in the domain name.
3. Approval request is sent to the owner.
4. Owner chooses to approve or decline request.
5. Owner approves.
5. Domain is transferred to new registrar under the account that requested it.

If step 5 is no longer required and the domain is transferred by default when the request is ignored, the new account can change the ownership information and has complete control over the domain. Maybe the process has changed or I am not remembering it correctly.

Your missing a few key steps. Specifically the step where the new registrar verifies the authenticity of the transfer. Look at the link I posted a few posts ago.
 

Yzzim

Lifer
Feb 13, 2000
11,990
1
76
Originally posted by: waggy
hmm i wonder if namecheap has the lock feature.

but there are like 2 domains i would like. What ticks me off one is for sale and the other is blank.

Login to Nameceap > select domain > click Modify > Click Go under 'MODIFY REGISTRAR LOCK' > Select "Set Reristrar Lock" > click Save Changes
 

fs5

Lifer
Jun 10, 2000
11,774
1
0
I just put in a name transfer for spicytuna.com ... the bastards that own it now simply redirect it to seeq.com (pay per click search site) .... we'll see how it goes. ethical or not?