New RAA satisfies boneheaded law enforcement request that will lead to more domain theft.
The proposed new registration accreditation agreement satisfies a law enforcement requirement of verifying whois information when someone registers a domain name.
The requirements can easily be satisfied by people who want to register domains for nefarious purposes. In fact, they’re downright stupid. But more troubling is that it will lead to more phishing of domain registrar accounts than we’ve ever seen before.
Here’s the deal. When you register or transfer a domain, the domain registrar must verify either your email address or phone number within 15 days.
Since phone verification is more costly, most registrars will opt for email verification and use phone verification as a failover.
You’ve seen this type of email verification when you’ve signed up for accounts with just about any service:
“Check your email for a confirmation message. Then click the link in the email message to verify your email address”.
So now when you register a domain you’ll get an email from your domain registrar to do just this. It will come with a stern warning, such as “failure to click the link in the email or login to your account with this special verification code may result in suspension or termination of your domain registration!”
This is a gift to phishers. They’ve successfully duped thousands of people into giving up their registrar account passwords by scaring them with messages such as “Must you confirm your account!!” and “You account suspended soon if no login soonly!”
Now they’ll be able to grab a list of yesterday’s domain registrations and phish away by copying the same email registrars actually send out when a new registration is made. It will be like fishing in one of those heavily stocked tourist ponds. It will almost be too easy.
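As an added illustration (not part of the original post or of any registrar's code), here is a small defender-side check for the copied-verification-email problem described above: it parses two constructed messages, one shaped like a genuine registrar notice and one like a phishing copy, and flags links that leave the registrar's own domains or lead to a login page. The registrar domain `example-registrar.com` and both messages are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains the registrar is assumed to send verification links from (placeholder).
REGISTRAR_DOMAINS = {"example-registrar.com"}
# A genuine confirmation link carries a one-time token; it should never ask for a password.
LOGIN_HINTS = ("login", "signin", "sign-in", "account/auth")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample messages (not real registrar mail).
LEGIT = """From: Example Registrar <noreply@example-registrar.com>
Subject: Verify your Whois contact email

Click to confirm: https://whois.example-registrar.com/verify?token=c0ffee
"""
PHISH = """From: Example Registrar <verify@example-registrar.com.verify-now.net>
Subject: Verify your Whois contact email

Failure to verify may result in suspension!
Login to confirm: https://example-registrar.com.verify-now.net/login?next=verify
"""


def host_is_trusted(host, trusted):
    """True when host is one of the registrar's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_verification_email(raw, trusted=REGISTRAR_DOMAINS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    sender_host = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if not host_is_trusted(sender_host, trusted):
        findings.append(f"sender domain {sender_host!r} is not a registrar domain")
    for url in URL_RE.findall(msg.get_payload()):
        parts = urlparse(url)
        host = parts.hostname or ""
        # Lookalikes such as registrar.com.attacker.net fail this check too.
        if not host_is_trusted(host, trusted):
            findings.append(f"link host {host!r} is not a registrar domain")
        if any(h in (parts.path + parts.query).lower() for h in LOGIN_HINTS):
            findings.append(f"link {url!r} leads to a login page")
    return findings


if __name__ == "__main__":
    print(audit_verification_email(LEGIT))
    print(audit_verification_email(PHISH))
```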
If I recall correctly, the registrar is only required to verify the email address for each customer once. So subsequent registrations should not generate notices.
@ Kevin Murphy – I believe that was the plan, but in my initial reading of the proposed whois accuracy rules it seems to suggest it’s for each domain registration.
“Except as provided for in Section 3 below, within fifteen (15) days of (1) the registration of a Registered Name sponsored by Registrar, (2) the transfer of the sponsorship of a Registered Name to Registrar, or (3) any change in the Registered Name Holder with respect to any Registered Name sponsored by Registrar, Registrar will, with respect to both Whois information and the corresponding customer account holder contact information related to such Registered Name:”
Perhaps there’s something in the actual RAA that says this is once per person.
And even if you need to confirm every time, phishing requires that you are supposed to login to the website. I expect that this confirmation will not require you to login to your registrar account. You click on the confirmation link and you are done.
@ Konstantinos – each registrar will do it differently, but even if the “official” method is to not have to login, the phisher just changes one line…or makes it so clicking the link takes you to a bogus registrar page asking you to log in. Many people will be duped.
It would have been better to authenticate both email AND telephone number (the latter perhaps by SMS, if it’s a mobile phone). Address verification via a mailed letter would have been even better (which as Kevin noted, would scale very well for those with multiple domains), as that would make a bigger obstacle for rogue registrants than email (free) and phone (easy to obtain temporary VOIP phone numbers at low cost, or even free).
Using systems like Twilio.com, phone verification can be done very inexpensively. Furthermore, once the technology is in place to do phone verification (esp. by SMS), the registrar has learned 95% of what they need to know in order to implement 2-factor authentication, which would benefit all registrants….
Maybe it’s time to increase the cost of domain names and charge $200.00 USD, with renewals at a lesser annual fee of $20.00 USD, then implement a $50.00 admin fee for transfers.
At $200.00 only the serious would apply. It would cover the administrative fee required to employ somebody to do a proper application review; and it would impede the domainers, to the same ratio as serial trademarkers, if such exist.
The $50.00 fee would suitably deter phishers, as it would be their cost and they’d know that a proper due diligence communication was applied before the shift.
Cheers, Graham.
A serious criminal would not baulk at paying a measly $200 when potential returns are vast.
@Graham Did you mix up the articles? Anyway, why not increase the price of cars to 2.000.000 USD so no one drives one and nobody gets killed in car accidents?
@Andrew you are correct but people that are going to be duped are the same people that can be duped today as well.
The crooks are getting very creative in their quest for .COM Gold.
Gratefully, Jeff Schneider (Contact Group) (Metal Tiger)
@Kevin
“If I recall correctly, the registrar is only required to verify the email address for each customer once. So subsequent registrations should not generate notices”
So, just make sure every domain registrant on the planet knows that, and we’re all set.
@Andrew
Here you go:
“Registrar is not required to perform the above validation and verification procedures … if Registrar has already successfully completed the validation and verification procedures on the identical contact information”
@Berryhill
Registrars already have to email Whois accuracy reminders to their customers once a year per ICANN policy, unless I’m mistaken. Also a good excuse for a phishing attack.
Thanks Kevin.
Fortunately the whois reminders don’t require a click through (well, not by ICANN’s rules anyway). But as John points out, they are used in phishing attacks.
“Registrars already have to email Whois accuracy reminders to their customers once a year per ICANN policy, unless I’m mistaken. Also a good excuse for a phishing attack.”
Yes, and it is.
@GK …
>It would have been better to authenticate both email AND telephone number
>Address verification via a mailed letter would have been even better
The only people that are going to be restricted from domain registration will be the innocent users who already don’t want their details on a public database only used by scammers and scumbags.
The criminal element are not stupid, they’ll simply find a way around this (as trivial as a maildrop company, free email address and throw away sim) – so any such measures implemented in the name of keeping people “safe” online will have about as much impact as any other pointless gov’t sponsored initiative – i.e. none at all.
No western government has successfully implemented an ID verification scheme (although many have tried as part of limiting benefit fraud, terrorism and a whole host of other reasons), so the idea of pushing this to the registrars appeals to them – just because you’re told something is a good thing doesn’t make it true!
It’s time to retire whois completely as an irrelevance, not try and repurpose it as a general purpose identity database