Duster
01-04-2001, 10:18 PM
There is a potential for losing one's domain name, at least temporarily, with some registrars, perhaps all of them.
The problem is inherent in the way many of them handle transfers. They send a notice to the administrative contact on record in Whois. If no action is taken by the admin, the transfer goes through.
This is very much like e-mail marketers who add you to their mailing list unless you reply to be removed, only with more serious consequences.
This is wrong (in both cases). It should take action, not lack of action, to effect a transfer, much like NSI's e-mail method requires a reply to complete a registration process (though it too is a flawed process).
There are several instances in which a transfer could take place without the consent of the domain owner.
If the e-mail address on record is not valid, as a protection against harvesting by spammers, a transfer could be effected. If the admin is away on vacation, or just away from a computer for a few days, there would be the same result. Holidays are an easy time to victimize people. If a transfer request was made by an unscrupulous party at the beginning of a holiday week-end, the transfer could be effected before the week-end was over, with the domain owner in for an unpleasant surprise the following week. The Christmas/New Year holiday period is an especially vulnerable time.
This is a major security problem and its importance cannot be stressed too much. Once a domain has been transferred, the contacts can be changed and it may take longer to restore the domain name to its proper owner.
I use a registrar that uses the Open SRS system and have already notified them of my concerns. I know ICANN regulations require e-mail addresses be disclosed so the domain owner can be contacted. I have suggested they add a private, undisclosed e-mail address, to ensure communication without worries of receiving spam and that some other means, such as a password, be required in order to effect a transfer from one registrar to another.
I would suggest that everyone who owns one or more domains contact the registrar they use and address this issue with them, and implore others to do the same. The potential for fraud is too great to ignore.
There is one case of domain hijacking reported by yellowed at http://webhostingtalk.com/showthread.php?threadid=4251. It is even easier than that to hijack a domain name, as I mentioned above.
Please take action on this for all our sakes. A secure method of transferring to other registrars is imperative.
