Is Your Domain Name Being Hijacked?

New rule creates potential security flaw for domain name transfers.

Jason Tuohey, Medill News Service

If you own a domain name for your business or personal use, run, don't walk, to the phone, call the company you registered the name with, and make sure that name is "locked down."

If you don't, you could easily lose your rights to that domain. And whether your Web site is an integral part of your business, or just keyed to your family's activities, waking up one morning without it could range from inconvenient to disastrous.

The danger stems from a new rule from the Internet Corporation for Assigned Names and Numbers, effective today, that could lead to domain names being transferred and hijacked, unbeknownst to their owners, some registrars worry. There are hundreds of domain name registrars operating in the United States.

What's New

Before November 12, a change of domain name registration had to be approved by both the "gaining" and "losing" registration companies. But the new rules state the transfer can occur without the approval of the registrar "losing" the account. And that account could be yours.

"This new rule is going to give [con artists] new opportunities to hijack domain names, hijack Web sites," says Fred Bunzl, who owns DomainsNow4U.com.

Tom Cunningham, CEO of BulkRegister.com, and other registrars say they fear con artists can now set up false accounts with a gaining company and initiate a transfer of a domain name, without the owner's knowledge.

"Now, if I ask and you don't answer, it's actually assumed [your domain name] is moving," Cunningham says.

Registrars are encouraged to notify owners when a transfer is requested, but it's not mandatory. If five days pass without your response, the domain name automatically switches. Even if your registrar did notify you, it's most likely to be by e-mail--and your busy life, your spam filter, or a vacation could eat up your five-day response period.

Mike Tumolillo, a freelance journalist who runs miketumo.com and medillians.org, says he's skeptical that an e-mail of the impending transfer provides sufficient warning. "I usually ignore e-mails if I don't know who it is," Tumolillo says. "I don't want to get infected with a virus."

Since the rule changes are so new, most domain name owners are unfamiliar with them.

"I haven't heard anything," says Tumolillo. Faced with the possibility of losing his domain names, Tumolillo had this response: "That would extraordinarily suck."

Protect Yourself

You can take steps to protect yourself against a switch, a process called locking down your account. Some domain registrars, like godaddy.com, let customers lock their domain names manually by changing settings on their account. If you can't figure out how to lock your account manually from your settings, or if it's not available, you should contact your domain registration company and ask how to proceed.

Companies like BulkRegister and DomainsNow4U say their firms now automatically lock customers' domain names from transfers as an added security measure. But not every company has a policy of automatically locking.

"[Customers] should contact their registrar and see if they have a lock in place," Cunningham advises.

Why the Change?

ICANN says the rules change is essential for domain name owners. Tina Dam, an ICANN official, says customers have complained for years that large domain name registration companies deny transfers arbitrarily and have confusing renewal policies.

"Consumers right now are not able to choose their provider fairly," Dam says.

To initiate a transfer under the new rules, you need to fill out an Initial Authorization for Registrar Transfer form and submit it to the gaining registrar.

ICANN put sufficient safeguards in place to prevent foul play, Dam says, noting that the person asking for the change has to provide valid identification, such as a valid driver's license, a passport, or a birth certificate, to submit a paper copy of the form.

"It's important to note that a transfer cannot be initiated by a gaining registrar until the gaining registrar has verified the identity" of the domain name owner, Dam says.

However, according to ICANN's Web site, doing it electronically is easier--the only ID requirements are an electronic signature or an e-mail confirmation.

For added protection, Dam says ICANN has created standardized forms for transfers of domain names, and that companies can file a dispute with an arbitrator to challenge a transfer.

That's not enough for at least one domain name registrar.

"I accept that the current procedure is not simple enough for the average domain owner," says Bunzl of DomainsNow4U.com. "But what ICANN has done is not solving the problem and is probably going to cause more problems."