
ICA Exploring Domain Theft Project To Counter Growing Abuse


jberryhill

John Berryhill, Ph.d., Esq.
https://www.internetcommerce.org/domain-theft-project/

One component of the DTP would be to discuss the situation with leading registrars as well as ICANN’s Registrar Stakeholders Group to gather more information on the severity of the problem, as well as to better determine how these thefts are accomplished and what best practices on the part of both registrants and registrars might prevent them.

In addition, assuming that there will still be thefts occurring even if stronger preventative measures are adopted by registrars and registrants, the DTP will carefully explore at least three potential avenues of better redress for registrant victims of domain thieves:

...

This is an ambitious project and its goals will proceed on different timetables and take considerable effort to achieve. But we know that the current situation is not tolerable – and if domain investors don’t take the lead for change then who will?



------------------

13
•••
Well I guess the project should be wrapped up by now, eh?

Hahaha, Thanks for bringing it back up John, now is the time for Nat and Zak to consider it. Especially with these Go domains going to court.
 
4
•••
Now maybe with this cluster GoDaddy will refund, but Sedo and GoDaddy policy on if you bought a stolen domain name on their platform, they do not refund.

I emailed both Sedo and GoDaddy laying out the scenario completely

If I buy a domain at GoDaddy or Afternic or Sedo, pay for it, goes through fine, you get the name pushed to you and you push to me, and somewhere down the road, someone comes back to me and says this name is stolen, and I lose that name either through the registrar taking it back, or a UDRP or any other process. Will GoDaddy/Afternic reimburse me for the stolen goods I purchased on their website?

But Carolyn at Sedo was good enough to talk to their people and get me the direct answer

Unfortunately, as with anything sold on a secondary market, buyers bear a degree of risk that a domain was once stolen or that the seller has otherwise violated the terms of the purchase and sale agreement. While Sedo employs strict marketplace terms and conditions, between WHOIS privacy and disparate registry policies, it is impossible for Sedo or anyone to guarantee that a domain has never been stolen or remains subject to any other kind of legal dispute. The domain’s registrar, ICANN, or a court of law are the venues to resolve any dispute and Sedo gives our full cooperation once a dispute has been initiated.


We empathize with our buyer’s desire to eliminate that risk entirely but we ask buyers to perform their due diligence research prior to agreeing to a purchase (especially to ensure that their purchase or intended use does not violate a third party’s trademark which is a key element in UDRP proceedings) and to review their registrar policies on how they would handle a claim of domain theft.


Sedo does help our buyers minimize risk by requiring sellers to provide a legally binding representation and warranty that they have the authority to sell the name. Once a purchase and sale has been completed, however, Sedo cannot return the funds paid to a seller as we are not an appropriate party to arbitrate a dispute. If a domain is later taken away from a buyer because of the seller’s violation of the purchase and sale agreement Sedo advises the buyer to seek legal counsel to pursue the seller for breach of contract and will support the buyer by providing a documentation history regarding the transaction. This allows a buyer who ends up losing the domain because of theft to pursue the seller for a refund/damages.


Paul Nicks was kind enough to get GoDaddy Legal to answer

If I buy a domain at GoDaddy or Afternic, pay for it, goes through fine, you get the name pushed to you and you push to me, and somewhere down the road, someone comes back to me and says this name is stolen, and I lose that name either through the registrar taking it back, or a UDRP or any other process. Will GoDaddy/Afternic reimburse me for the stolen goods I purchased on their website?

The GoDaddy legal email is an auto reply, Sedo needed to speak to their legal team too, so I understand, I just wanted to make sure I could give GoDaddy's response in the article on how all marketplaces deal with theft and a customer left holding the bag.

Thank you

GoDaddy reply:

Sorry for delay. Here's our statement


When a customer lists a domain for sale at GoDaddy, they must state they are authorized to list and sell the domain name. If we find out a domain name has been stolen, we promptly remove it from the auction platform and ban the user.


Once a domain auction is completed and there is a dispute regarding the rightful ownership of a domain, we do not get involved in the resolution of the dispute. That issue needs to be handled in the appropriate court of law.
 
5
•••
I expect that any extra effort incurred by ICANN or registrars to adopt new policies and police these issues will incur some form of registration fee increase across the industry. Just saying...
 
1
•••
Pretty sure here in the UK under the Consumer Rights Act (2015) if I can prove an item that I bought from a 3rd party is stolen and the police can confirm this then I am entitled to a full refund from the party I bought it from... would this include a domain name though?

Anyone in the UK gone down this route before?

Would be interesting as an auction house (GoDaddy or Sedo in this instance) can always fall back on their T&Cs and "caveat emptor" - buyer beware!

Which basically is what they are saying above, it is down to the individual to do their due diligence... and also the domain has been bought from an individual or trader, not the auctioneer.
 
4
•••
Pretty sure here in the UK under the Consumer Rights Act (2015) if I can prove an item that I bought from a 3rd party is stolen and the police can confirm this then I am entitled to a full refund from the party I bought it from... would this include a domain name though?

Anyone in the UK gone down this route before?

Would be interesting as an auction house (GoDaddy or Sedo in this instance) can always fall back on their T&Cs and "caveat emptor" - buyer beware!

Which basically is what they are saying above, it is down to the individual to do their due diligence... and also the domain has been bought from an individual or trader, not the auctioneer.

I imagine that their jurisdiction only covers registrars trading within the UK.

You may also find that it is actually a civil matter that police are unwilling to spend time on unless it is a clear case of high-value fraud.
 
1
•••
Idea:
Two factor authentication using mobile phone message before domain is allowed to be pushed or transferred. This way a hacked email will not be enough for stealing a domain.
 
4
•••
It seems strange to me that when I buy real property my lawyer can do a title search and see all previous owners, and any liens owing taxes etc., but that something similar is not possible on a domain name. The more valuable domain addresses are worth a similar amount to real property. A full record of transactions would go a long way to avoiding theft issues. I am sure, with privacy issues, it is a more challenging problem than I see in my simple-minded view.

Thanks for restarting interest in this @jberryhill and for the background and added information @equity78 .

Bob
 
5
•••
It seems strange to me that when I buy real property my lawyer can do a title search and see all previous owners, and any liens owing taxes etc., but that something similar is not possible on a domain name. The more valuable domain addresses are worth a similar amount to real property. A full record of transactions would go a long way to avoiding theft issues. I am sure, with privacy issues, it is a more challenging problem than I see in my simple-minded view.

Thanks for restarting interest in this @jberryhill and for the background and added information @equity78 .

Bob

Maybe something like distributed ledger technology (DLT) could be introduced in the future for domains? I am not an expert in this field, maybe someone who knows a bit about it could chime in about the feasibility of it.

Good breakdown on the benefits for mortgage market below - quite a lot surely is transferable to the domain market?

https://assurancemortgage.com/how-blockchain-technology-impacts-mortgage-industry/
 
2
•••
Idea:
Two factor authentication using mobile phone message before domain is allowed to be pushed or transferred. This way a hacked email will not be enough for stealing a domain.

Agree. Or even better, 2FA before logging in to your registrar and email provider.
 
1
•••
October 1, 2014 By Philip Corwin Comments are Off

It seems to me that this thread would be more accurate, if titled, "The ICA Forgot about exploring domain theft project to counter growing abuse."


It doesn't appear that corporate ICA members (eg. GoDaddy, Sedo, Escrow.com) are doing their part to help combat domain theft.

@Zak Muscovitch Please talk to your corporate members to help resolve/address the following outstanding domain theft related incidents. It's high tide this mockery comes to an end.

@GoDaddy selectively refunded the buyer (against the buyer's will) of GoParts.com for an alleged stolen domain months after purchase citing "we cancelled and refunded the transaction, rather than having you in a legal dispute over the name", meanwhile GoDaddy has yet to refund or be of any assistance to multiple NamePros members who purchased domains related to the alleged theft.

@Sedo not refunding @Daehler Ralph $19,950 for CWR.com

@Escrow.com facilitated the escrow of alleged stolen domain CQD.com when at least one other domain escrow company <DN.com> blocked the escrow. Further, after the alleged theft was reported, Escrow.com was of little to no assistance to the long time domain owner. In a sense, Escrow.com acted as a proxy to shield the identity of the alleged thief. Thanks to namePros members, the long time domain owner of CQD.com was able to recover her domain. Meanwhile, unless I am mistaken the domain purchaser <@BoothDomains> lost some $25,000+/- on the non refunded escrow purchase. Leaving many who watched that unfold ask to themselves, what good is escrow.com's marketed licensed and bonded statement, if it doesn't come with purchase assurance? I have no idea why escrow hasn't righted this wrong yet by offering @BoothDomains a credit of escrow.com future services for the amount that he lost with escrow.com.
 
5
•••
Yes, but at least it's better than nothing... and social engineering is about human error or mistake. There's not very much to do if people fall into a phishing or fake email.
"Social engineering exploits human behaviors and psychology. By using emotional triggers as well as other psychological tactics, hackers persuade users to give up their personal information and other details."
 
4
•••
Yes, but at least it's better than nothing... and social engineering is about human error or mistake. There's not very much to do if people fall into a phishing or fake email.
"Social engineering exploits human behaviors and psychology. By using emotional triggers as well as other psychological tactics, hackers persuade users to give up their personal information and other details."
Most of us tend to make a mistake or two every now and then, when it happens hackers swoop and BAM - there goes your identity, money or a domain or 2......that's why I am intrigued by DLT, as I said it would be interesting if someone could explain the security and transparency benefits and if it would be an upgrade on the current system that is in place for the domain industry.....
 
3
•••
"Social engineering exploits human behaviors and psychology. By using emotional triggers as well as other psychological tactics, hackers persuade users to give up their personal information and other details."

The vast majority of the social engineering hacks are targeting large companies, not individual users.

There are entire areas devoted to this in some countries, and these hives call large registrars, telcos, cable companies, banks, cell phone providers, etc, and using readily available name, address, birth date, etc. info to try and trick some minimum wage drone to fork over your account.

And since these are "Customer Service Reps" (and not trained security personnel) they want to help their customers, and if that customer lost his password and had his phone stolen, and the CSR believes him, then you are in deep trouble.

I have 2FA on all my accounts, but when a scam artist is talking directly to the source, none of that matters and these companies are giving it up like candy.
 
3
•••
The Internet Commerce Association (ICA) can only do so much. Like any organization they are limited by their available resources - mostly via member contributions.

Based in Washington D.C., the ICA's mission is to promote best practices and educate consumers, policy makers, law makers and the media about the value and benefits of the domain name industry.

In other words they represent the little guy! Us!!

Members also receive side benefits such as insider events at NamesCon and Zoom meetings with industry icons like Drew Rosener and Nat Cohen.

I became a member this year and I encourage others to do the same. Memberships are now as low as $25/month.
 
1
•••
In other words they represent the little guy! Us!!

Booking.com is not a little guy.

GoDaddy, Sedo, and Escrow.com aren't that little either.

I have yet to see where the ICA represents the little guy. If anything, the ICA is a little group, largely consisting/controlled by big/experienced industry players.

🤞 the big guys in the little group do something to combat domain theft within their own members respected ecosystem(s).
 
1
•••