Home / Blogs

ICANN Transfer Policy: Domain Hijacking Got Easier or Did It?

Slashdot recently ran a story about the upcoming changes to the ICANN rules governing domain transfers between registrars. A blog entry at Netcraft referenced by the story stated that:

...domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain's ownership and nameservers remain unchanged if there is no response to a transfer request. This could mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain's WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering "yes" to a transfer request, according to the ICANN policy change.

However, a closer look at the actual rules makes it clear that it is not as bad as the story makes it out to be. The registrars still have the right to deny transfers if the domain is in "lock" status (which is a free service from most registrars):

Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:

...

7. A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.

While the actual policy change is a bit worse than it was before, it is not as bad as people make it out to be. Just make sure to lock your domains!

By Yakov Shafranovich, Software Architect & Consultant. More blog posts from Yakov Shafranovich can also be read here.

Related topics: DNS, Domain Names, ICANN, Whois

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 11, 2004 3:23 PM PDT

This is going to play out in an interesting manner.

Although this was implemented to solve one problem (namely a situation where a registrant may be unable to transfer a domain away from their current registrar), it creates a new set of issues.

This new transfer policy has the potential to play out exactly way that long distance carrier slamming did in the 90's over the next few months.

The new ICANN Transfer policy, while streamlining one's ability to transfer names under one's own management to the registrar of their choice, does in fact create a more open opportunity for someone to transfer a name away from you.

Basically, the status-quo transfer policy is explicitly one where a transfer must be opted into, and works like this:
1] Transfer request made by gaining registrar via RRP/EPP the registry level.
2] IF a domain is on registrar-lock, the gaining registrar's RRP/EPP request is immediately denied at the registry level, STOP HERE.
3] IF the domain is not locked, the gaining Registrar's RRP/EPP Transfer request proceeds with the next step of the transfer request at the registry.  The domain is now in pending transfer status at the registry (the status is in place for 5 days), but no transfer has occurred.
4] The losing registrar has 5 days to ACK the transfer so that it can proceed.  At this point, most losing registrars notify their registrant is emailed by losing registrar notifying them of the transfer request and that they need to acknowledge that this is what they want.
5] Either a response of NO (NACK) or the absence of a response from losing registrar registrant within that 5 day period = Transfer Declined. STOP.
6] If the transfer request was explicitly acknowledged in some manner by the losing registrar, the transfer proceeds at the registry.
7] The gaining registrar becomes the registrar of record, and one year is added to the registration term.  FINIS

The new transfer policy is such that the first two conditions remain the same with regard to registrar-lock. 

The key difference is that a transfer must be explicitly declined within that 5 day period, or else the domain gets transferred away from your current registrar.

While it is a good scenario for those who have the best of intentions in transferring their own domain to the registrar of their own choice, the new policy creates opportunity for those with less altruistic intentions for your domain name to potentially take it from you.

I personally use over 80 Registrars' interfaces to manage a variety of domain names.  I have been frantically working to get all of my various names registrar-locked since this policy was approved. 

For the most part, there has been success, as most of the top registrars have interfaces in place to allow names to have their registrar lock status be controlled by the user, per name.  While these registrars may not add this registrar lock by default, a registrant can modify their settings themselves to their preference.

Many of the smaller registrars who either don't have an interface or lease their connection threads to (pool/drop) registrars simply may not have any form of management panels where a registrant may self manage this status.

It is not clear that names in these registrar's care are not exposed to potential rogue transfer requests.

The best and only protection one has against having a domain name transferred out from under them is to have their domains in registrar-lock status.

It is simple to check if a domain is on registrar-lock status by looking at the results of a registry whois for the name. 

The registry will identify that the name is on registrar-lock or not.

I have also found monitoring sites that watch domain names (i.e. DomainsBot, Godaddy, eNOM, Whois Source, more...)

I encourage domain holders who are not certain that they have their portfolios locked down to do so and validate their settings, just to have peace of mind.

I anticipate that we will be hearing of folks whose names are transferred away from them in the coming weeks, and I hope that it is not anyone in this readership.

-j

Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Michele Neylon  –  Nov 11, 2004 6:12 PM PDT

What I would be very concerned about is the likes of DROA. As things stand "companies" like them tend to prey on the not so technically literate clients. What will happen now? Will we see a situation where more of these scammers gain ground in the marketplace at the behest of our unsuspecting clients?
It is at times like this that I am extremely happy that ccTLDs like IE are fully managed.

Re: ICANN Transfer Policy: Domain Hijacking Got Easier or Did It? Jothan Frakes  –  Nov 19, 2004 5:05 PM PDT

Domain Adminstrators, Be alert!

I had the first opportunity to block an unauthorized transfer request on a domain name on 11/17 (exactly 5 days into this new policy).

An unauthorized transfer on a domain was initiated by BulkRegister.com (allegedly by a rogue member/reseller).

This new transfer policy is a completely subutopian in the way that the burden of responsibility has been shifted to the domain owner.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New .ORGANIC Domain Sunrise Begins, Creating Verified Space 
for Organic Products and Services

Non-English "IDN Email" Addresses Are Finally Working!

TLD Registry to Speak at Inaugural World Domain Day India

Independent Endorsement of Dot Chinese Online & Dot Chinese Website

ICANN London Recap Webinar

Four Reasons to Move from .COM to Your .BRAND Domain

Introducing the New .ORGANIC Domain: A Trusted, Credible Space for Organic Products on the Web

.WANG - 15,000 Registrations on Day One of General Availability

Dot Brand: Why Your Brand Needs Its Own Top-Level Domain

Afilias Announces Start of .BLACK Sunrise Period

Radix Launches Three New TLDs in Sunrise With Backing from 50+ Registrar Partners

.WANG General Availability Opens on June 30, 2014

Continuing to Work in the Public Interest

.Press Domain Names - The Changing Face of Journalism

Radix Announces .Website Launch Timeline

.Host Timeline Released As Pioneer Program Kicks Off

TLD Registry Sponsored Xinnet's Partner Conference in Nanjing

Victorian Government & ARI Agree to Long-Term .melbourne Partnership

Sponsored Topics