Domain Manage

Nominet Transfer Concerns

Discussion in 'Nominet General Information' started by mojoco, Jul 2, 2008.

Thread Status:
Not open for further replies.
  1. mojoco United Kingdom

    mojoco Well-Known Member

    Joined:
    Mar 2006
    Posts:
    1,231
    Likes Received:
    20
    Dear Diedre,

    I think most will agree that the new online transfer process is a huge step forward and a welcome change. The problem I see is that Nominet have now gone from one extreme to another. Those of you that have used the system will know, that it is now too easy. There appears to be no saftey net.

    What happens if someone hacks your email account and transfers your names away.

    For .com's with the registrar I use (I think most registrars are the same) the current registrant gets a notification email to let you know that a transfer request has taken place. If they don't hear from you the transfer is completed in five days. Five days is not a long time, but at least you have some chance to stop a fraudulent transfer.

    The Nominet system gives no warning and the transfer is almost instant.

    I am in no doubt that some smart hackers will be eyeing the system and getting ready to transfer our domains away.

    Are there any additional safegaurds we can take to prevent this happening?

    Sincerely,

    Worried Domainer.
     
  2. Domain Forum

    Acorn Domains Elite Member

    Joined:
    1999
    Messages:
    Many
    Likes Received:
    Lots
     
  3. mofo

    mofo Active Member

    Joined:
    Feb 2005
    Posts:
    307
    Likes Received:
    18
    Although I have the same concerns, it would be easy to get the domains back as ultimately its Nominet that controls .UK unlike .com which can be moved to some obscure registrar overseas.

    Although it would be inconvenient I don't see it as a big issue.

    Thks

    MZ
     
  4. bb99 United Kingdom

    bb99 Well-Known Member

    Joined:
    Mar 2005
    Posts:
    1,598
    Likes Received:
    38
    I've not done any online transfers yet, but I think that the fact that it's "almost" instant means that someone at Nominet is manually reviewing each one and checking for iffy patterns/etc.

    Maybe not though, I'm just guessing :)
     
  5. mofo

    mofo Active Member

    Joined:
    Feb 2005
    Posts:
    307
    Likes Received:
    18
    By almost instant we mean 2-3 seconds and they can be done at any time. I just can't imagine a registrant agent sitting there at Nominet HQ around 2am hitting 'approve' button :mrgreen:
     
  6. bb99 United Kingdom

    bb99 Well-Known Member

    Joined:
    Mar 2005
    Posts:
    1,598
    Likes Received:
    38
    Noted. I'll get my coat :)
     
  7. bluerock

    bluerock Well-Known Member Exclusive Member

    Joined:
    Jan 2005
    Posts:
    5,825
    Likes Received:
    16
    Just a quick thought but why can't a registrar choose not to use online transfers by default.

    We do have the option to not accept incoming tag changes in our account settings so surely a similar option could be added?
     
  8. bb99 United Kingdom

    bb99 Well-Known Member

    Joined:
    Mar 2005
    Posts:
    1,598
    Likes Received:
    38
    This could be described as a (semi-) lock state, which is what the PAB discussed at today's meeting I think. Maybe one of our PAB chums could help us out with some info...
     
  9. mofo

    mofo Active Member

    Joined:
    Feb 2005
    Posts:
    307
    Likes Received:
    18
    All depends on when paper transfers are likely to be phased out. No mention of it anywhere but I am sure they won't be around for too long.
     
  10. mojoco United Kingdom

    mojoco Well-Known Member

    Joined:
    Mar 2006
    Posts:
    1,231
    Likes Received:
    20
    Some of the safeguards currently in use for .com transfers


    Registrar Lock: A name cannot be transferred until the name is unlocked.

    Email Notification: The registrant is notified that an attempt to transfer the name has taken place.

    Transfer delay: Once a transfer request has been made, 5 days pass before the transfer is complete.

    Executive lock: In addition, Fabulous have an "Executive Lock" feature. This gives you the option for your top tier names, to create precise instructions to be adhered to before a name can be transferred.

    Lets hope Nominet are planning on implementing some safeguards with the online process some time soon.

    Take it easy mofo, too much exertion for one day!
     
  11. grantw United Kingdom

    grantw Well-Known Member

    Joined:
    Mar 2005
    Posts:
    4,649
    Likes Received:
    82
    I assumed paper transfers had already been dumped, this is from the announcement email on nom-announce:

    Grant
     
  12. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    It could be a bigger issue than you think. Imagine a scenario where you were the registrant of 1000 .uk domain names but didn't also operate the tag they were hosted on. There's nothing far fetched about that. How would you *know* if someone had stolen one of your domain names if you didn't WHOIS every single one of them, say, once a day? You'd know if you lost email, a web site or any other service that relied on that domain name to remain as it were. You wouldn't know if that domain name didn't resolve when you had it or was one of many domain names that provided a trickle of PPC income.

    The only safe way is to control the tag the domain names are managed by and to watch for emails with "Registrant transfer notification" in the subject line.

    It was also a problem for the paper based system until Nominet introduced photo ID checking.
     
  13. rob

    rob Founding Member

    Joined:
    Jan 2005
    Posts:
    5,953
    Likes Received:
    68
  14. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    Sorry to quote my own post but I've just realised that if you control the registrar and registrant, then the chances are the domain names are registered to the same Registrant as the Registrar and in the same account. Therefore if someone hacks into your email account and gets the account password they can change the email address where "Registrant transfer notification" emails get sent before helping themselves to any domain names. If the domain names are in a separate account, but all accounts use the same email address then a hacker can still get the password to both accounts.

    The best thing is to split things up a bit and have different, complicated passwords and use different email addresses with each account. Even think about the domain name used in the different email addresses. Could someone gain control of that domain name and then compromise all the email accounts beneath it? If they could then they could then retrieve all passwords and break into your accounts.

    If you are sensible and use different email addresses at different domain names, are those domain names still hosted on the same server? If so, could the server be hacked and then you still have the same problem if it all coming to a single point of failure.

    I suggest everyone WHOIS's all of their domain names once daily. The DAC won't work as it doesn't list the Registrant. Check for changes to any fields, particularly Registrant and Name Servers.

    Do I sound like I am over-reacting?
     
  15. grantw United Kingdom

    grantw Well-Known Member

    Joined:
    Mar 2005
    Posts:
    4,649
    Likes Received:
    82
    No, you don't. Online transfers are a great step forward but I can't believe they've been introduced with so few security measures in place.

    I received a password reset email yesterday to my main accounts email address, someone requested it and it wasn't me!

    I'm off to scan my domains - or make that a quarter of them as I'm on a static IP and limited by Nom's insane whois lookup limit :rolleyes:

    Grant
     
  16. retired_member12

    retired_member12 Retired Member

    Joined:
    Aug 2006
    Posts:
    1,505
    Likes Received:
    23
    Whilst we're on about Registrars, is it possible to determine the exact date when someone/company became a Registrar, i'm interested to know about two of them?
     
  17. invincible

    invincible Well-Known Member

    Joined:
    Feb 2005
    Posts:
    4,108
    Likes Received:
    81
    I knew of people who monitored this web page several times a day and kept records of when tags were added and deleted. In the past it helped to identify the time when half a dozen female tag holders appeared over the space of a couple of weeks. If nobody on here has the data, email Nominet and ask them?
     
  18. retired_member12

    retired_member12 Retired Member

    Joined:
    Aug 2006
    Posts:
    1,505
    Likes Received:
    23
    That interesting about past monitoring, maybe there should be a 'whois' type database for TAG holders, it's not so easy keeping track of the changes.

    As it happens, i found the information i needed to know in my notes, it was under my nose all the time. :roll:

    Cheers for the feedback, nevertheless!
     
Thread Status:
Not open for further replies.

Share This Page