Provide feedback about how domain transfers should work.
ICANN is asking for feedback about a Working Group’s Initial Report that includes recommendations to change how domain transfers work.
Here’s how a domain transfer works today:
1. Customer gets an authorization code from their existing registrar and provides it to the gaining registrar
2. Gaining registrar verifies the transfer request and initiates transfer
3. Losing registrar sends notice (a “Form of Authorization,” or FOA) of pending transfer to the customer, giving them up to 5 days to cancel the request
The proposal would eliminate step #3 but add a notification at step #1. When you request an authorization code (which will be called a Transfer Authorization Code), your registrar will be required to notify you of this request.
But here’s the thing: even if it takes just minutes to email the customer about the request, the domain transfer could already be complete before it can be stopped.
This seems like a step back for domain transfer security. I also think that registrars will create a backdoor security feature (as outlined below) similar to the dreaded delay you experience when you try to transfer a domain away from web.com’s registrars.
Here’s the comment I submitted to ICANN:
Thank you for your work modernizing domain transfers.
I’m concerned about the decision to remove the losing registrar’s Form of Authorization (FOA). With the FOA, a domain owner could be made aware of a fraudulent transfer and have time to contact the registrar to stop it. Under the proposed system, the domain registrant likely won’t learn of a transfer until after the transfer is complete.
While this will make transfers easier and — in the words of the Initial Report — instant, I’m concerned that it will result in fraudulent transfers.
It would be interesting to hear from registrars about how many times customers try to stop fraudulent transfers after receiving the FOA.
There is a backdoor security measure that registrars could undertake to reduce the chances of this happening: domain registrars could delay the time between people asking for Transfer Authorization Codes (TACs) and issuing them to customers. I fear that registrars will feel compelled to implement this backdoor security measure, which will ultimately burden domain registrants; they will have to request the code and then wait a long time for it to arrive before providing it to the gaining registrar. They would not be able to complete the domain transfer process in one sitting.
I understand the Working Group is working on transfer rollback procedures in a later phase. Approving a less secure transfer system prior to determining rollback features doesn’t make sense to me.