How to steal a domain name in easy stages
- 20 November, 2003 07:57
There is a long and nasty history of people having their domains stolen from under their nose, thanks to the sloppy security of the companies the domain was registered with.
It was every webmaster's worst nightmare -- waking up one day to find that your site had disappeared and someone else owned it. Then the phone call in which you were told that it was nothing to do with the registrar and you had to try to sort it out yourself.
All that was supposed to be in the past though. Recognizing that losing customers' domains was not good for business, extra security measures were drafted in. We were guaranteed that from now on it would take more than a spoofed email and follow-up phone call to shift ownership.
However, it appears that it is still possible to steal domains with the minimum of effort. We have been contacted by the owner of the valuable domain DVDmovies.com who was amazed, only last month, to find that his domain had been moved and registered with another company, without his knowledge.
That the registrar at fault was no less than VeriSign -- owner of all .com and .net domains -- makes it worse. The fact that the company was also recently chastised by the U.S. Appeals Court and ordered to pay millions of dollars in compensation to the owner of Sex.com for wrongly transferring his domain makes it all the more incredible.
Nevertheless, the owner of DVDmovies.com, Arnold Jones, saw his ownership pulled away with no more than a clearly forged fax of a Florida driving licence. Mr Jones managed to get a copy of the fax in which his name and address had been transposed onto a different state's licence and he immediately noticed no fewer than six clear discrepancies.
The licence had the word "Florida" where "Sunshine State" would normally be; it lacked a vital graphic; the licence number and date were in the wrong format; the address was his company's address -- the address listed on the domain's Whois -- as opposed to his home address; and the fax came from California, on the other side of the U.S.
In short, it was a shoddy job. However, VeriSign made no attempt to contact Jones, either by phone or e-mail, to confirm that he wanted to change ownership of the domain and simply gave it away.
VeriSign seems to have learnt one lesson though. After Jones complained, provided evidence of who he was and worked through VeriSign's convoluted investigation process, VeriSign managed to get the domain back and it is now back in Jones's possession.
While the return of Jones's property is a step forward (previously, customers were told the company would do nothing without a lawsuit), the situation will still come as a shock to many companies that assume decent security processes are in place.
Arnold Jones was subsequently moved onto VeriSign's corporate support service and has faxed a copy of his real driving licence with instructions that domains are to be changed only with the presentation of the exact same licence. How many other companies can claim to have the same procedure?
Apart from the poor security, however, there remains a missing cog in the system if domain fraud is to be effectively tackled. Jones contacted the registrar that had been used to wrongly re-register the domain but it refused to provide any details on who the thief was, unless served with a court order. As such, there remains no comeback on those who attempt to defraud companies and individuals, which serves only to encourage them.
Until there is a way by which fraudulent registrants can be held to account, the problem will continue. In the meantime, however, do you know what level of protection you and your companies' domain names have? If you don't, you can be certain it's not enough.