Provide feedback about how domain transfers should work.
ICANN is asking for feedback about a Working Group’s Initial Report that includes recommendations to change how domain transfers work.
The Initial Report (pdf) proposes a slew of changes to inter-registrar domain transfers. The biggest one is to remove the Form of Authorization step in domain transfers.
Here’s how a domain transfer works today:
1. Customer gets an authorization code from their existing registrar and provides it to the gaining registrar
2. Gaining registrar verifies the transfer request and initiates transfer
3. Losing registrar sends notice (a “Form of Authorization,” or FOA) of pending transfer to the customer, giving them up to 5 days to cancel the request
The proposal would eliminate step #3 but add a notification at step #1. When you request an authorization code (which will be called a Transfer Authorization Code), your registrar will be required to notify you of this request.
But here’s the thing: even if it takes just minutes to email the customer about the request, the domain transfer could already be complete before it can be stopped.
This seems like a step back for domain transfer security. I also think that registrars will create a backdoor security feature (as outlined below) similar to the dreaded delay you experience when you try to transfer a domain away from web.com’s registrars.
Here’s the comment I submitted to ICANN:
Thank you for your work modernizing domain transfers.
I’m concerned about the decision to remove the losing registrar’s Form of Authorization (FOA). With the FOA, a domain owner could be made aware of a fraudulent transfer and have time to contact the registrar to stop it. Under the proposed system, the domain registrant likely won’t learn of a transfer until after the transfer is complete.
While this will make transfers easier and — in the words of the Initial Report — instant, I’m concerned that it will result in fraudulent transfers.
It would be interesting to hear from registrars about how many times customers try to stop fraudulent transfers after receiving the FOA.
There is a backdoor security measure that registrars could undertake to reduce the chances of this happening: domain registrars could delay the time between people asking for Transfer Authorization Codes (TACs) and issuing them to customers. I fear that registrars will feel compelled to implement this backdoor security measure, which will ultimately burden domain registrants; they will have to request the code and then wait a long time for it to arrive before providing it to the gaining registrar. They would not be able to complete the domain transfer process in one sitting.
I understand the Working Group is working on transfer rollback procedures in a later phase. Approving a less secure transfer system prior to determining rollback features doesn’t make sense to me.
Prior to GDPR/Temp Spec, registrars used the email address present in whois to send the gaining FOA. As that is now not available, registrars are unable to send gaining FOAs and compliance with gaining FOA has been deferred since 2020 (https://features.icann.org/defer-compliance-enforcement-gaining-registrar-form-authorization). Removing this requirement from the transfer policy will simply reflect current practice by registrars. There are additional security options proposed for the TAC (what AuthInfo code will be called in the future), so transfers will be more secure than they are now. Please do provide feedback, though; the working group does want to hear from as many people as possible.
Andrew Allemann says
I understand why the gaining FOA doesn’t make sense anymore. It’s the losing FOA I’m concerned about. It’s not clear to me how removing the 5 day notice period from the losing registrar will make things more secure, but I’d appreciate hearing more perspectives about that.
Ooops, silly me confusing “gaining” and “losing”.
As for the TAC notification which replaces the losing FOA, it will indeed be more secure. Currently the losing FOA is sent to the registrant email, and that can be changed by someone with improper access to the registrant’s account. The TAC notification is not required to be sent by email, and can thus be via SMS, app, or other more secure options that are less susceptible to improper access.
Andrew Allemann says
That could be helpful. Would it be more secure if it still maintained the 5 day waiting period (or something longer than instant) + the notification was sent via SMS or App?
5-day notice period is a non-issue.
The real issue is the 60-Day lock which should be completely eliminated or dropped to 30 days max, with registry option to override 30-day lock by registrant request.
Andrew Allemann says
They propose reducing lock to 30 days for both new reg and transfer
Faster transfer seems to be a bad thing to me. A stranger listed my domain name on a famous secondary market place WITHOUT my consent. Before listing the domain for sale, the secondary market operators should have asked me, the domain owner, if I requested the listing. It can be done even if the domain’s whois privacy is on. What is worse, I was surprised to see that a stolen domain name can be transferred to somebody in a minute through the Fast Transfer process. This Fast Transfer system should be perfectly designed to protect the legitimate domain owner’s right and interest.
Bill Hartzer says
We deal with this regularly, it is one way that domain names are stolen. The marketplaces don’t check to see if a domain name is stolen or not. There are plenty of domains listed for sale that are NOT for sale, and were not listed by the domain owner.
It’s a big issue that needs to be addressed. There’s currently no “clearinghouse” or list of domains that shouldn’t be listed in a domain marketplace, and there certainly aren’t any lists of stolen domains like the one that we have internally.
Mark Thorpe says
Whatever happened to the buyer and seller both having to approve the domain transfer? It’s annoying but more secure.
Mark Thorpe says
Like when both registrars had to approve the transfer. Wasn’t an ICANN rule though.
I think it’s better to leave it as it is now, though if ICANN chooses to make the decision to change the transfers, I hope it’s the right one.