Comments from Andrew Allemann

[Andrew Allemann <editor@xxxxxxxxxxxxxxxxxx>]

Running Domain Name Wire, I'm often made aware of domain name thefts.  Many
victims reach out to me in an effort to publicize their case and (hopefully)
get the word out before a stolen domain name is resold.  I have also nearly
been a victim myself, having almost purchased a stolen domain name before
getting suspicious and doing more research on the ownership history.

But it occurs to me, as I consider this initial report, that I have no idea
how many domain names are actually stolen on a monthly basis.  Furthermore,
I have no idea how many of those are never returned.  From my conversations
with various industry companies, this number seems to be very small.

Before embarking on an effort to change the system, I think it would be wise
to scope out the size of the problem.  Large registrars should be asked to
voluntarily disclose the number of domain names stolen in a typical month,
and how many aren't recovered after 30 days.  For some reason a handful of
registrars seem unwilling to provide this data, but many more will.  In an
effort to anonymize the data, it could be provided to a secure third party
that aggregates it and reports it as a single number.

If, after collecting this data, it is determined to be a large enough
problem, please consider the following with regards to ETRP and the
inter-registrar transfer policy:

1. Any changes should carefully consider effects on the secondary market for
domain names.  Every day, hundreds (thousands?) of domain names are sold in
the secondary market.  Not only do "evil domainers" use this market, but
Fortune 500 companies depend on the secondary market as well.

2. It seems that a common hijacking approach is to gain control of the
victim's email address and/or registrar account.  Security efforts should be
aimed at this problem, and not extended to become overly broad.  For
example, if someone changes the mailing address of their domain's
administrative contact, should the domain be unnecessarily locked down?  I
don't think so.  Unless a registrar provides *specific data* showing this is
a sign of hijacking, it shouldn't be considered, and registrars should be
specifically forbidden from placing a transfer lock on a domain in this
circumstance.

3. One pattern I've noticed in thefts is that domains are transferred from
one respected domain name registrar to another respected registrar, and then
quickly transferred to a questionable registrar.  Consider limiting the
number of registrar transfers within a specific time period.

4. 6 months is way too long to allow someone to initiate a theft claim.  At
most it should be 30 days.  If the domain is important enough, it will be
discovered within hours or days.

5. The new registrant of the domain must be given sufficient time to respond
to an ETRP.

Regards,
Andrew Allemann
http://domainnamewire.com Transfer Policy Part B Initial Report Inter-Registrar
Transfer Policy Part B Initial Report