Looking for some light bedtime reading?
ICANN today released a report entitled “Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions”. It’s a big topic, and ICANN’s response is a long one, running to 48 pages.
The report’s main findings are:
(1) Failures by registrars and resellers to adhere to the transfer policy have contributed to hijacking incidents and thefts of domain names.
(2) Registrant identity verification used in a number of registrar business processes is not sufficient to detect and prevent fraud, misrepresentation, and impersonation of registrants.
(3) Consistent use of available mechanisms (Registrar-Lock, EPP authInfo, and notification of a pending transfer issued to a registrant by a losing registrar) can prevent some hijacking incidents.
(4) ICANN Policy on Transfer of Registrations between Registrars specifies that “consent from an individual or entity that has an email address matching the Transfer Contact email address” is an acceptable form of identity. Transfer Contact email addresses are often accessible via the Whois service and have been used to impersonate registrants.
(5) Publishing registrant email addresses and contact information contributes to domain name hijacking and registrant impersonation. Hijacking incidents described in this report illustrate how attackers target a domain by gathering contact information using Whois services and by registering expired domains used by administrative contacts.
(6) Accuracy of registration records and Whois information are critical to the transfer process. The ICANN Whois Data Reminder Policy requires that registrars annually request registrants to update Whois data, but registrars have no obligation to take any action except to notify registrants. Registrants who allow registration records to become stale appear to be more vulnerable to attacks.
(7) ICANN and registries have business relationships with registrars, but no relationship with resellers (service providers). Resellers, however, may operate with the equivalent of a registrar’s privileges when registering domain names. Recent hijacking incidents raise concerns with respect to resellers. The current situation suggests that resellers are effectively “invisible” to ICANN and registries and are not distinguishable from registrants. The responsibility of assuring that policies are enforced by resellers (and are held accountable if they are not) is entirely the burden of the registrar.
(8) ICANN requires that registrars maintain records of domain name transactions. It does not appear that all registrars are working closely enough with their resellers to implement this requirement.
(9) The Inter-Registrar Transfer Policy incorporates formal dispute mechanisms. These were not designed to prevent incidents requiring immediate and coordinated technical assistance across registrars. Specifically, there are no provisions to resolve an urgent restoration of domain name registration information and DNS configuration.
(10) Changes to transfer processes introduced with the implementation of the ICANN Inter-Registrar Transfer Policy have not been the cause of any known attacks against domain names. There is no evidence to support reverting to the earlier policy.
Finding #5 is insightful and gives individual domain owners something they can do to reduce the chances of being a victim. Basically, people are using Whois to find contact email addresses hosted on expired domains, then registering those domains to re-establish the email addresses as their own. It is then fairly easy to request a transfer on an unlocked domain.
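A domain owner can check their own registrations for the two conditions described above. The following Python audit is an added example, not code from the ICANN report or this post. The record layout, the `warn_days` threshold and the sample domains and dates are assumptions constructed for illustration; in practice the statuses and expiry dates would come from your registrar account or Whois output.

```python
from datetime import date, timedelta

# EPP status that blocks transfer requests (RFC 5731); a registrar's lock sets it.
LOCK_STATUS = "clientTransferProhibited"

def email_domain(address):
    """Return the lowercased domain part of a contact email address."""
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()

def audit(portfolio, expiries, today, warn_days=60):
    """Return (domain, role, issue) tuples for a portfolio of registrations.

    portfolio: list of dicts with 'domain', 'statuses', 'contacts' (assumed layout).
    expiries:  expiry date of every domain that hosts a contact mailbox.
    """
    findings = []
    for rec in portfolio:
        name = rec["domain"].lower()
        if LOCK_STATUS not in rec["statuses"]:
            findings.append((name, None, "UNLOCKED"))
        for role, address in sorted(rec["contacts"].items()):
            expiry = expiries.get(email_domain(address))
            if expiry is None:
                issue = "CONTACT_DOMAIN_UNKNOWN"   # cannot show the mailbox is safe
            elif expiry < today:
                issue = "CONTACT_DOMAIN_EXPIRED"   # anyone can re-register it
            elif expiry - today <= timedelta(days=warn_days):
                issue = "CONTACT_DOMAIN_EXPIRING"
            else:
                continue
            findings.append((name, role, issue))
    return findings

# Constructed sample data (reserved .example names, made-up dates).
TODAY = date(2024, 6, 1)
PORTFOLIO = [
    {"domain": "shop.example", "statuses": ["ok"],
     "contacts": {"admin": "owner@old-isp.example", "tech": "noc@host.example"}},
    {"domain": "brand.example", "statuses": [LOCK_STATUS],
     "contacts": {"admin": "Legal@Corp.Example", "tech": "dns@vendor.example"}},
]
EXPIRIES = {
    "old-isp.example": date(2023, 11, 30),  # lapsed
    "host.example": date(2024, 7, 15),      # inside the 60-day window
    "corp.example": date(2027, 1, 1),
}

if __name__ == "__main__":
    for finding in audit(PORTFOLIO, EXPIRIES, TODAY):
        print(finding)
```

A registration that is both unlocked and tied to a contact mailbox on a lapsed domain, like `shop.example` in the sample data, matches the combination the paragraph above describes and should be fixed first.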
Finding #9 is also interesting. ICANN should set up a formal process for returning a domain to its rightful owner. Time is money.
I’m not impressed with ICANN’s recommendations for handling the problem. I think a major overhaul needs to occur, especially with regard to resellers. There should also be more education about the rights of domain name owners to file complaints against registrars. Perhaps each domain registration confirmation should include a statement about registrants’ rights.