ICANN Email List Archives

[gnso-rap-dt]



RE: [gnso-rap-dt] revised WHOIS note

  • To: "Roland Perry" <roland@xxxxxxxxxxxxxxxxxxxxxxxx>
  • Subject: RE: [gnso-rap-dt] revised WHOIS note
  • From: "James M. Bladel" <jbladel@xxxxxxxxxxx>
  • Date: Wed, 22 Jul 2009 09:00:27 -0700

Roland and Group:

In reply to some of Roland's specific points:

---------------
(Yes, some domains will be paid by stolen CC, but shouldn't they be
cancelled as soon as that is discovered?)

JB:  Any service that is purchased fraudulently is canceled upon
detection.
---------------
I appreciate that as a registrar (I used to be one too), or Proxy
operator, any extra work will be resisted....

JB:  It is not a question of effort.  Our investment of significant
monies, personnel, and tools in order to operate a 24 x 7 department to
investigate and remedy abuse issues should sufficiently make this case.
And because we recognize that complacency only aids the bad guys, these
individuals and teams continuously strive to improve our anti-abuse
systems, processes, and expertise.

Rather, I'm seeking to challenge the assumption that privacy / proxy
services are "only" tools for abusive conduct.  There are millions of
legitimate users of our privacy services, but just like any other online
service provider (email, ISP, social network), they can be abused by a
small percentage of customers.  Rod made an excellent point earlier,
in stating that proxy / privacy services are also victimized by
fraud.

---------------
I would be surprised if the SSAC understands the extent to which online
fraud is being perpetrated upon the public.

JB:  I believe that the SSAC is an excellent source of research and
expertise on a variety of issues, and the focus of this particular
report was on the subject of Domain Hijacking. It notes that privacy
services provide what could be described as "security in depth," by
including an additional layer of authentication / credentials that a
would-be hijacker faces even if they successfully compromise a registrar
account.  In the case of one well-known privacy service, they "NACK" all
transfer requests without exception.

---------------

JB:  Stepping back a bit from this issue, however, I do welcome Rod's
offer of collecting and sharing data relevant to these questions.  And I
eagerly await the results of studies and surveys being conducted in
other areas of ICANN.   

Too often, ICANN working groups will devolve into "dueling anecdotes,"
and the conversations hit an impasse.  Until we have something to better
inform our deliberations, I think we should avoid any type of deep-dive
into the subject.

Thanks--

J.


-------- Original Message --------
 Subject: Re: [gnso-rap-dt] revised WHOIS note
 From: Roland Perry <roland@xxxxxxxxxxxxxxxxxxxxxxxx>
 Date: Wed, July 22, 2009 2:21 am
 To: "James M. Bladel" <jbladel@xxxxxxxxxxx>
 Cc: gnso-rap-dt@xxxxxxxxx
 
 
 In message 
 <20090721151652.9c1b16d3983f34082b49b9baf8cec04a.fadb9ba6ac.wbe@xxxxxxxxx
 ureserver.net>, at 15:16:52 on Tue, 21 Jul 2009, James M. Bladel 
 <jbladel@xxxxxxxxxxx> writes
 >But does this not present the paradox of a criminal entering fraudulent
 >WHOIS data, and then purchasing (or stealing) Proxy Services to obscure
 >that fraudulent data?
 >
 >Or, does this scenario presume that a (not very bright) criminal will
 >operate a fraudulent website, but enter their -valid- contact
 >information behind a Proxy service? This is analogous to someone
 >burglarizing a darkened home, but leaving their wallet behind.
 
 I thought I'd covered those objections when I said:
 
 "I'm aware that they might just be hiding false details, but shouldn't 
 registrars be doing more checks on such things? For example, where a 
 domain is paid for by a Credit Card, making available as default the 
 address details used to verify that payment."
 
 (Yes, some domains will be paid by stolen CC, but shouldn't they be 
 cancelled as soon as that is discovered?)
 
 Here in the UK we can't enter any serious financial transaction (or even
 pay large amounts of cash into a bank) without proving ID. It's money
 laundering regulations.
 
 >In fact, the recent SSAC report seems to indicate that these services 
 >provide some security benefits for registrants versus hijacking /
 >compromised accounts.
 
 I would be surprised if the SSAC understands the extent to which online
 fraud is being perpetrated upon the public. Almost no-one else seems to
 (including most governments and police, who typically don't even have a
 way to record crime reports, let alone investigate all but the most
 serious).
 
 I appreciate that as a registrar (I used to be one too), or Proxy 
 operator, any extra work will be resisted, but I have a feeling that 
 it's time a sturdier "know your customer" philosophy should kick in.
 -- 
 Roland Perry




