Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.

Nominet account theft

Discussion in 'Domain Name Scams' started by boogle, Mar 29, 2011.

Thread Status:
Not open for further replies.
  1. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0
    Hello everyone,

    I’ve recently had an unsettling experience with Nominet that makes me question the safety of my UK domains. I don’t want to go too deep with specifics because this investigation is still on-going. Anyway, I own about 40 UK domains, all them being 1 and 2 word domains, and a few days ago I couldn’t login to my Nominet account – after several unsuccessful login attempts I decided to change my password using the “Access Your Account” section of Nominet. After waiting 24 hours and still no reply I decided to check my account with my registrar and that’s when I noticed one of my UK domains had vanished from my account. To cut a long story short, someone had changed the email address associated with my Nominet account and reset the password to gain access. Then transferred one of my domains into a separate Nominet account, re-tagged it and then transferred it again into their own Nominet account. I could have lost all of my UK domains but I got Nominet to lock the account before anything else could be re-tagged.

    What I wanted to know more than anything was “how did they manage to reset the email address associated with the Nominet account?” Nominet said it was done by my registrar!? But I thought registrars couldn’t alter the details on a Nominet account but apparently, according to Nominet, they can change anything accept the whois details (ownership info).

    Anyhow, my question is this; “Can a registrar change the admin email associated with a Nominet account?” If so, how without permission from myself?

    I now know the person responsible for all this and I want to prosecute. Just to clarify, they’ve fraudulently gained access to my account which has all my person details listed, then change my details to their own, transfer one domain out of the account and pay the £10 transfer charge, then leave my account in limbo. Who knows what else they would have done if I didn’t get Nominet to lock it down. I had to write a letter to Nominet explaining the situation before they released my account back to me, which they did today, but I will have to wait while Monday before I get the stolen domain back.

    My main goal is to find out how this happened, how this can be prevented from happening again and to sue the hell out of the thieving git who stole my domains.

    Any advice would be greatly appreciated, especially with the suing part. Do I contact the cyber division of the police!?

    Thanks for reading.
     
  2. Domain Forum

    Acorn Domains Elite Member

    Joined:
    1999
    Messages:
    Many
    Likes Received:
    Lots
    IWA Meetup
     
  3. wb

    wb Well-Known Member

    Joined:
    Mar 2009
    Posts:
    2,122
    Likes Received:
    47
    Yes, they can. My guess is that someone has either contacted the registrar pretending to be you, or has gained access to the account you hold with your registrar and updated the admin email themselves.

    It has never happened to me, but I would assume as it's theft and therefore a criminal offence you would be able to report it to the police. With regards to civil law, best you take legal advice to find out what exactly you would be able to seek damages for.

    Most important thing is to keep full evidence and as much documentation you can get as proof for when it's needed.

    If you are concerned about security you could always apply for your own registrar 'tag' which would allow you further control over your domains.
     
  4. rob

    rob Founding Member

    Joined:
    Jan 2005
    Posts:
    5,966
    Likes Received:
    119
    Who was the tagholder?
     
  5. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0
    Thanks for the quick replies.

    They definitely didn’t gain access to my registrar account – I’d know if they did because it logs all IP addresses that login to the account. They could have contacted the registrar pretending to be me, that’s certainly plausible.

    I was hoping there would be a division of police that specialised with online crimes – I have a feeling the regular police won’t take it seriously.

    Thanks for the info on applying for my own tag, didn’t know that was possible, I’ll look into it.
     
  6. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0
    The tag holder was KEY-SYSTEMS-DE, I use Moniker. The domain that was stolen is now tagged with ENOM.
     
  7. anthony United Kingdom

    anthony Well-Known Member

    Joined:
    Dec 2006
    Posts:
    1,775
    Likes Received:
    37
    Can't help highlighting that a tag shouldn't be necessary if a system is secure enough.
     
  8. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0
    Just what I was thinking.

    But who’s security? The registrar, Moniker, or Nominet?
     
  9. wb

    wb Well-Known Member

    Joined:
    Mar 2009
    Posts:
    2,122
    Likes Received:
    47
    Very true and I completely agree, however having a tag reduces a variable in the security of domains (i.e. external registrars).
     
  10. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,203
    Likes Received:
    101
    Unfortunately it's not one system with just Nominet and the Registrant in the loop. There are Registrar's involved who can[/U ]change the email address associated with an account. So that's a potential weak link in the chain, if they are persuaded to make changes to a Registrant account frauduently. From reading through what the original poster has stated, what didn't happen was a change of Registrant. One very good thing about.uk is in this kind of situation, one call to Nominet and everything will be locked and can be easily undone. That's not possible in gTLDs because Registrants never deal with the Registry.
     
    Last edited: Mar 29, 2011
  11. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0


    The registrant was changed on the one domain that was illegally transferred out of my Nominet account. All the other domains where locked down quickly. The only reason I was easily able to get Nominet to transfer the stolen domain was because they could see the blatantly obtuse way it was stolen.
     
  12. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,203
    Likes Received:
    101
    I see. I forgot, for a moment, transfers are electronic transfers now! I often still think it's all still paper based because many transfers I am involved with do included paper based contracts. So either they compromised your email account, or they had your Registrar change the email address. If, as we suspect, it was the latter then it's between you and they as to why they accepted the request. Fortunately Nominet will have a trail of every database transaction and every access to their systems, and they can instantly put things right. I suspect they'll provide your solicitor with everything required to build a prosecution as well. :)
     
  13. grantw United Kingdom

    grantw Well-Known Member

    Joined:
    Mar 2005
    Posts:
    4,694
    Likes Received:
    93
    As the admin email address is the key to everything Nominet, at the very least, need to start sending a notification to the existing admin email address whenever it's modified.

    Grant
     
  14. boogle

    boogle Member

    Joined:
    Mar 2011
    Posts:
    6
    Likes Received:
    0
    Agreed. Plus, registrars should not be allowed to change any details within Nominet. If I’d looked in my account a few days later I could have seen more than one domain disappear.
     
  15. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,203
    Likes Received:
    101
    Registrar's have always been able to update email addresses, and many other fields. They're trusted by Nominet to do it. If you want to remove them the right to update records, then why not abolish all Registrar's all together and have everyone deal with the Registry directly? What would be the point of having them if they couldn't update records? Incidentally Registrants can deal with the Registry directly. However it costs about £80 + VAT to do it per domain name.

    What happened is unfortunate. Fortunately you were able to resolve the issue very quickly. If you want more security, there are options open to you but they will cost you more money. Alternatively change to a Registrar who has better security in place and, perhaps, requires a copy of your passport, or will setup additional passwords with you in the same way as online banking, before they will make a change to a record. :)
     
Thread Status:
Not open for further replies.