New RAA satisfies boneheaded law enforcement request that will lead to more domain theft.
The proposed new registration accreditation agreement satisfies a law enforcement requirement of verifying whois information when someone registers a domain name.
The requirements can easily be satisfied by people who want to register domains for nefarious purposes. In fact, they’re downright stupid. But more troubling is that it will lead to more phishing of domain registrar accounts than we’ve ever seen before.
Here’s the deal. When you register or transfer a domain, the domain registrar must verify either your email address or phone number within 15 days.
Since phone verification is more costly, most registrars will opt for email verification and use phone verification as a failover.
You’ve seen this type of email verification when you’ve signed up for accounts with just about any service:
“Check your email for a confirmation message. Then click the link in the email message to verify your email address”.
So now when you register a domain you’ll get an email from your domain registrar to do just this. It will come with a stern warning, such as “failure to click the link in the email or login to your account with this special verification code may result in suspension or termination of your domain registration!”
This is a gift to phishers. They’ve successfully duped thousands of people into giving up their registrar account passwords by scaring them with messages such as “Must you confirm your account!!” and “You account suspended soon if no login soonly!”
Now they’ll be able to grab a list of yesterday’s domain registrations and phish away by copying the same email registrars actually send out when a new registration is made. It will be like fishing in one of those heavily stocked tourist ponds. It will almost be too easy.