ICANN Email List Archives

[gnso-irtp-b-jun09]



Re: [gnso-irtp-b-jun09] 60 day lock following registrant change

  • To: "Gnso-irtp-b-jun09@xxxxxxxxx List" <Gnso-irtp-b-jun09@xxxxxxxxx>
  • Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
  • From: "Michele Neylon :: Blacknight" <michele@xxxxxxxxxxxxx>
  • Date: Tue, 6 Jul 2010 23:36:15 +0000


On 7 Jul 2010, at 00:23, George Kirikos wrote:

> 
> Hello,
> 
> On Tue, Jul 6, 2010 at 5:04 PM, Rob Golding <rob.golding@xxxxxxxxxxxxxxx> 
> wrote:
>> George Kirikos wrote ...
>> 
>>> Fraud by a buyer is easy for you to manage -- insist upon a wire
>>> transfer. It's your choice to use credit cards or other risky forms of
>>> payments
>> 
>> I'm certain it was explained to you during the working group held during the
>> recent ICANN meetings in Brussels, a "wire-transfer" is no more secure than
>> any other payment method - any EFT can be recalled by the sending bank
>> should the account holder report it as unauthorised/fraudulent. This is the
>> same with personal and business cheques up to 2 years after they've been
>> cashed!
> 
> Perhaps you should do more research into payment systems. Wire
> transfers are considered the most secure form of payment.  See:
> 
> http://www.cdnpay.ca/publications/general_lvts_payments.asp
> http://www.federalreserve.gov/paymentsystems/lowvaluepay/lowvaluepayments.pdf

George

It may not be possible to reverse them in the US or Canada, but in Ireland and 
the UK you can. Not easily, but you can.


> 
> and search the pages for the words "irrevocable" or "secure."
> Escrow.com, for example, isn't going to accept a large payment unless
> it's by wire transfer:
> 
> https://www.escrow.com/support/payment.asp
> 
> While it's *possible* in very obscure circumstances to recall a wire
> transfer, it's definitely not guaranteed. And it's a lot more serious
> to undo a wire transfer falsely.

It's not a trivial matter to undo a credit card payment or even a debit card 
transaction. I had to go through the entire process earlier this year when my 
personal card was abused resulting in a lot of unauthorised charges.


> 
> If you truly believe that you can unconditionally recall a wire (or
> even a cheque) 2 years later, feel free to wire me $100,000 (in
> exchange for a low quality domain name, and we'd have a written
> contract that is binding), and then try to undo it 2 years from now.
> Let me pick a new bank, so I can guarantee that I close the account
> the week after I've received the funds, too. :-)
> 
>>> Given fraud can happen from both buyer and seller, what happens when
>>> the seller commits fraud *after* a sale, by undoing it on a whim,
>>> using the current ETRP proposal
>> 
>> The proposal to provide a *registrar* with the ability to "recall" a
>> transfer isn't about fraudulent sales of domains - that's a change of
>> *registrant* - it's about fraudulent transfers to another registrar which
>> the registrar has to believe was done without the registrants consent.
> 
> For all intents and purposes, it's the old registrant who is recalling
> it (why would a losing registrar not cooperate with their old client?)
> with the registrar cooperating with them to initiate the command to
> the registry. If there's no "change of registrant", then the
> registrant has actual control of the domain at the new registrar! They
> can just transfer it back, as there's no theft.
> 
> The change of registrant often happens around the same time as a
> transfer. Read item (c) of this workgroup's charter. It's common for a
> purchaser to want the domain to end up at their favourite registrar.
> If the purchaser completes the deal by initiating a transfer to the
> gaining registrar, which is then accepted by the prior owner at the
> losing registrar, the WHOIS at the new registrar will immediately
> change to the purchaser when the transfer is complete. That
> transaction will then be caught and affected by the ETRP proposal
> (i.e. prior owner, at losing registrar, can invoke the transfer
> reversal).
> 
> [If the purchaser does the change of registrant entirely at the old
> registrar, with the desire to then move it to their favourite
> registrar, then they'd have to deal with situations like that at
> GoDaddy, where potentially the name is forced to stay there for 60
> days, or more.......(ICANN hasn't said why *60 days* is magical, and
> why one can't "opt-in" to a 50 year lock when presented with that
> option by the old registrar) and subject to its own set of "risks"
> (e.g. not being in a desirable legal jurisdiction, or being subject to
> a registrar's ad-hoc procedures)]
> 
>>> not having clear title to a domain name for a period of up to
>>> 6 months after
>> 
>> My personal opinion is that 6 months is too long a window.
>> 
>>> Depending on the "urgency", a court can act much more swiftly to
>>> return a hijacked domain name.
>> 
>> Or not as the sex.com debacle showed.
> 
> Mr. Kremen was compensated financially for his losses. Perhaps
> NSI/VeriSign care to comment.
> 
> http://www.prnewswire.com/news-releases/sexcom-settles-monumental-case-against-verisignnetwork-solutions-72557542.html
> http://www.circleid.com/posts/sexcom_settles_monumental_case_against_verisign_network_solutions/
> 
> That settlement, if registrars/registries were rational, should have
> caused them to be more proactive about security. It should have been a
> "teachable moment." But, I guess not, since the Panix.com incident was
> *after* that. Let's go back to the report from 5 years ago:
> 
> http://www.icann.org/en/announcements/hijacking-report-12jul05.pdf
> 
> top of page 14 says:
> 
> "Such a mechanism would require a determination of what qualifies as
> urgent, how to determine whether the allegation of fraud is valid, and
> who is authorized to make this determination."
> 
> That language shows some balance. Contrast that with the proposed ETRP.
> 
> (a) ALL cases are considered "urgent" (i.e. absolutely zero
> qualification is made)
> (b) ALL allegations are considered "valid" (shoot first, ask questions later)
> (c) ONLY the losing registrar (the one who had weak "security" to
> begin with) is authorized to make the determination
> 
> Now, continue on page 14 (and, the rest of the document was also
> prepared with great care and balance, unlike the workgroup report),
> which notes:
> 
> "One means of dealing with the hijacking question would be to assign
> the financial and legal risks associated with fraudulent hijacking to
> the party most able to control the risk: the registrar closest to the
> wrongdoer. Holding registrars accountable in this manner would create
> incentives for registrar to take whatever steps are necessary to
> prevent the occurrence of fraudulent hijackings."
> 
> That's really the "elephant in the room". Holding the registrars
> responsible both financially and legally creates the proper
> incentives. Why didn't the workgroup go down this route -- perhaps
> because registrars/registries have so much voting power in the GNSO,
> in contrast to lowly registrants? The ETRP? All the wrong incentives.
> 
>> And if the domain is moved to an "unhelpful" registrar (as the group is
>> often referring back to certain unresponsive Far-East providers) do you
>> really think even with a judgement, you'll be able to get it enforced ?
> 
> You don't move against the registrar, that's just dumb. You enforce it
> with the registry (VeriSign), in the good old USA (realistically, most
> hijackings of any importance occur in .com). The examples I provided
> (Microsoft botnet, movie piracy) all involved foreign registrars that
> were trumped by seeking an order from VeriSign. VeriSign might be able
> to add some color and fill in the details? I could probably go into
> PACER and download the relevant orders for "proof", though, but
> perhaps Barbara can save me the 8 cents/page.
> 
>> Having to (rather than having the *option* to) go through the court method
>> for a registrant to obtain their transferred domain back IMHO means you're
>> restricting this to a very small subset of potential registrants - I firmly
>> believe that *all* registrants should be taken care of, not just those with
>> fatter cheque books.
> 
> You're suggesting once again that *all* cases are equal. That wasn't
> what even the report from 5 years ago said about "require a
> determination of what qualifies as urgent." Remember, the TDRP already
> exists, and that has due process.
> 
> If you want all registrants to be "taken care of", the best way to do
> that is to raise minimum standards at all registrars, taking the best
> practices that were recommended in the past reports (which have mostly
> been ignored; you know, 2-factor security, out-of-band
> communications.....I sound like a broken record, perhaps, but I'll
> keep repeating them until folks explain why those recommendations have
> not been implemented, which proactively reduce hijackings).
> 
> Let me leave a couple of analogies. Suppose we had a world where
> payment systems varied in their level of security, from the low
> security of credit cards to the highest security of wire transfers.
> The ETRP would be the equivalent of outlawing wire transfers, and
> forcing everyone to only accept credit cards. What would be the
> result? It would undermine the financial system, because folks would
> no longer be able to rely upon the irrevocability of payments, and
> would need to deal with credit risk in *every* transaction (i.e.
> chargebacks, etc.). The ETRP would be permitting "domain clawbacks",
> essentially, a new risk for those involved in the secondary market.
> When ICANN mandates that all registrars *must only* accept credit
> cards, and must cease using wire transfers, then it might be able to
> make a case for the ETRP --- both policies would be equally dumb
> (given the number of registrars that go out of compliance for not
> paying their bills, perhaps ICANN needs to learn more about credit
> risk....).
> 
> Here's the other analogy for the geeky crowd. Various operating
> systems allow one to do 'dangerous' things from a shell or logged in
> as root. Stuff like deleting all the files on your hard disk, for
> example (rm -rf / ). The ETRP would be the equivalent of saying "no
> one can use a shell, you shall all only use a file manager." (or, "you
> shall all switch to Mac, and further use of Windows is not permitted")
> For some (or even a large class of) users, these kinds of broad
> restrictions would cause real damage. If you want to be a nanny to a
> certain class of users (who in a competitive system certainly have the
> incentives and ability to choose secure registrars, if security is
> important to them), you shouldn't do so at the expense of another
> class of users who need certain functionality (the functionality in
> the domain name transfer system being the irrevocability, or at least
> due process like the TDRP offers). For those who know what they're
> doing, we should be able to continue, e.g. with a parallel
> "irrevocable transfer procedure" as per:
> 
> http://forum.icann.org/lists/gnso-irtp-b-jun09/msg00334.html
> 
> without suffering the economic damage that would be felt by those
> caught by the policy.
> 
> ************ IMPORTANT BELOW ***************
> 
> When all is said and done, if you want to solve the domain name
> hijacking issue, it's simple. Go to section 3.3 of the Workgroup
> report's Annex C, where it says (page 51):
> 
> "3.3 PTRa must obtain an ETRP Authorization from the Registrant to
> initiate a ETRP."
> 
> To solve the domain name hijacking issue, all you need to do is
> require that registrant changes and outgoing transfers have the
> identical standard! (of course, one also needs to look at section 3.4,
> including 3.4.2, to say the form of that authorization) Instead of
> wasting everyone's time on a *clawback* procedure, that can and will
> be *misused*, why not focus on the actual problem, authenticating the
> real transfers and registrant changes? That's the other "elephant in
> the room."
> 
> If *that* had been the focus of the workgroup, it would be on the
> right track, and I wouldn't be here. I'd be applauding the report,
> instead of picking it apart.


It's a draft report, so "picking it apart" is fine - it's not anything more 
than a draft report at this juncture, which is exactly why we need constructive 
input so that we can hopefully come up with recommendations that help resolve 
issues for all affected parties.

If that means that the ETRP proposal gets thrown out in favour of (an)other 
recommendation(s) then so be it. 

As for the WG's focus - we're restricted by the charter questions. Whether the 
charter questions are asking the "right" questions or not is always going to be 
a sticking point.

Regards

Michele


> 
> Sincerely,
> 
> George Kirikos
> 416-588-0269
> http://www.leap.com/

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
ICANN Accredited Registrar
http://www.blacknight.com/
http://blog.blacknight.com/
http://blacknight.mobi/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612 
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty
Road, Graiguecullen, Carlow, Ireland. Company No.: 370845
