Name.com and security/frontrunning problems?

A couple of things have made me wonder about name.com, most recently the alteration of my whois info to a name's previous owner. They claimed I never changed it, even though it was parked at Sedo and they insist on an accurate whois.

Now, suddenly they have caught a dropped domain that I wanted to register for a friend, a broke musician. Funny that they caught it, as it has no apparent value except that I checked the name a couple times using.....(surprise) name.com.

I like their interface, and had considered moving more names their way. Now, I will move the couple of names I have there out and avoid them like the plague.

If anyone at Name has an answer to this sort of behavior, I'd like to hear it.
 
0
•••
Don't know if this is related to your whois problem. I think they may cache who.is results, i.e. previous owner's data is shown, then it refreshes to show the current owner.

Also, was your domain actually dropped or was it waiting to drop? What registrar was it initially registered with? Is it possible that the domain had already been backordered at name?
 
0
•••
The domain was waiting to drop, and was not regged with name.com previously. Sure, there is a chance they would have back-ordered a valueless name for someone using domain privacy, and it might just be a coincidence that I used them to check on its availability. But it's highly unlikely. The only metric that would make this name attractive was that I checked on it twice at Name.

Regarding the whois data, your explanation is better than theirs, though I don't quite understand it. I checked several times. The whois was all for the previous owner from over a year previous. If he was unethical and aware of it, he could have simply taken the name back for himself.
 
0
•••
A couple of things have made me wonder about name.com, most recently the alteration of my whois info to a name's previous owner. They claimed I never changed it, even though it was parked at Sedo and they insist on an accurate whois.

Now, suddenly they have caught a dropped domain that I wanted to register for a friend, a broke musician. Funny that they caught it, as it has no apparent value except that I checked the name a couple times using.....(surprise) name.com.

I like their interface, and had considered moving more names their way. Now, I will move the couple of names I have there out and avoid them like the plague.

If anyone at Name has an answer to this sort of behavior, I'd like to hear it.


I've done lots of business with Name.com and never had any problems. Before you try to tarnish their reputation, have you taken 5 minutes of your valuable time to call them to ask about your whois/backorder issues? Or emailed their support staff? Their support number/email is on their site and they do answer. Or did you first run to this forum and tell them to explain their behavior while you try to spread conspiracy theories?

Re: your whois issues: I believe you are seeing cached data or results from their archive.

Based on my personal experience, the Name.com team works hard and has always offered great support above & beyond. Plus I use their whois checker and I am still able to hand reg fresh drops without them taking the names first. And yes, other people who have backorders will always beat out my hand regs, so if the name is important enough to me, I'll backorder it EVERYWHERE I can.

If you truly want to solve your mystery, post the 2 domains in question, especially the domain name where you say Name.com altered your whois data.

.
 
0
•••
MrRhee, I did in fact use my "valuable time" to write them about the whois issue. Their answer was that I must not have changed it properly. Yours is better, if only because I don't understand it. (The contact data was from within my account, not from a 3rd party service.)

The dropped name was a small gesture for a down and out friend, whose name I will not use publicly.

I'm delighted for you that you have had nothing but good experiences with name.com. However, my experience is no less valid than yours.
Could I be overreacting? Maybe. I will watch the name over the year and see. So far as "spreading conspiracy theories," let's avoid the melodrama. I see a problem that I think should be shared. Don't accuse me of assumptions and then engage in your own.
 
0
•••
Based on my personal experience, the Name.com team works hard and has always offered great support above & beyond.

My experience with them is very different. There is a big security issue with their transfer approval emails.

They send you a transfer approval email which has a link that you must click. So far so good. Everybody does this. However the difference at name.com is that once you click that link, you are asked to login.

This is the absolute wrong way of doing it. The link that you click should not ask you to login. However it should be still functional to approve the transfer. The way you do this is to insert a random key to the link that is connected to the domain you approve.

I tried to explain to them but they didn't listen and argued they are doing it the correct way.

In fact what they are doing is much worse because they mimic the random key method. Their links look like they will not ask you for login. They make it look like they are using the correct method, which is worse than using an incorrect method.

If anybody knows that you are transferring a domain to name.com account (for instance a seller would know) they have 100% chance of getting your name.com account password.

Here is my topic with screenshots:
http://www.namepros.com/domain-registrar-reviews/700020-security-risk-at-name-com.html

Here is their disappointing answer:

Hello,

Thank you for the information provided. There is no security risk in the way we ask our customers to approve their transfer requests. We actually use ICANN's recommendation for transfer approvals. If you feel this is not safe, please do not approve your transfer requests.

Regards,
Erika
Name.com

My email to them:
Hi,

I started a transfer to name.com and you have sent me an email that has a
link which requires me to login.
I think you should never send any email for anything that has a login
request. This is a guaranteed way to get your account hacked because
scammers can copy those emails.

As a general rule, if you are a user, never click any link in any email to
login to your registrar account. If you are a registrar, never send such
emails.

I started a discussion here:
http://www.namepros.com/domain-registrar-reviews/700020-security-risk-at-name-com.html

Erdinc
 
0
•••
On top, I've emailed them about their password system that doesn't allow passwords that include special characters such as $% and so on.
This makes it much easier for anyone who wants to hijack an account under name.com.
 
0
•••
@Domainace - First, I can assure you that we in NO WAY front run our customers. We don't store searches done on our site or tie them to individual users in any way. If you would email me directly at [email protected] I would be happy to look into your concern further. However, even without knowing the domain I can tell you that your concern about us front running is unnecessary because we don't engage in this type of behavior.

@Erdinc - We are conducting our transfer process with security in mind and I can't remember a time in recent history when a security issue has arisen from this process. That said I will follow-up with our developers again and make sure we review the process and see if there is a need to make a change.

@Makis - I will follow-up with our developers and see what we can do to allow special characters into our password system.

Sincerely,

Paul Carter
VP of Operations
Name.com
 
0
•••
Can you please explain to your developer that they are not using the ICANN recommended method of transfer approval. They have misunderstood that method.

If you require users to login to their name.com to approve the transfer (you do this at the moment) then there is no need to insert a random key to the transfer approval link. However this is not the recommended method.

If you are using a random key in your transfer approval link (you do this at the moment), then there is no need to login because the whole idea of the random key is that it is connected to the domain that nobody can ever know.

In other words, once this link is clicked it should not ask for login:
name.com/transfers_in/accept.php?key=f27f0203c8e2dc54682263017ceae9e2

The only reason that you have such a random number here is that it will not ask for login. Of course it should not log you in to your account either. It should be just an isolated landing page. Transfer a domain to namecheap to see how they do this correctly.

Here is what is wrong with your system:
1) You are the buyer. Somebody sells you a high value domain at sedo and notices that you want to transfer to name.com
2) He sends a fake transfer approval email with a fake link
3) You click the link and you land on a page like this: http://img810.imageshack.us/img810/421/afterclick.gif
This is the actual page that you land at the moment. However the page you open will be a copy of this.
4) You enter your login details and you see a message that says approved.
5) Now you have already given your account details to a stranger

Here is what should happen:
1) You generate a random key like this:
name.com/transfers_in/accept.php?key=f27f0203c8e2dc54682263017ceae9e2
The link already knows what domain this is and what account it is in. You don't ask for login.
2) Person clicks the link.
3) You approve the transfer.
This is how namecheap.com is doing it.

The reason why you create such random keys is because this way you can carry information such as what domain this is and what account it is in, without somebody else being able to reproduce the information. For instance if your link looked like this:
name.com/transfers_in/accept.php?domain=paul.com
you would have to ask for login because how do you know the right person is clicking the link? There is no way. However if you hide paul.com behind f27f0203c8e2dc54682263017ceae9e2 and somebody clicks that link, you automatically know that only the right person could have clicked that link. Nobody else can know that combination. It was created randomly and inserted into the email.
 
0
•••
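The random-key approval link described in the post above, sketched as an added example (it is not part of the thread and is not Name.com's or Namecheap's code). The function names, the `registrar.example` host, the 48-hour lifetime and the in-memory store are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 48 * 3600  # assumed lifetime in seconds; not taken from the thread
_pending = {}          # sha256(key) -> record; stands in for a database table


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_approval_link(domain, account_id, now=None):
    """Build the link that goes into the transfer approval e-mail."""
    now = time.time() if now is None else now
    key = secrets.token_hex(16)  # 128 random bits, same shape as the key in the post
    # Only the hash is stored, so a leaked table does not yield usable links.
    _pending[_digest(key)] = {
        "domain": domain, "account": account_id,
        "expires": now + TOKEN_TTL, "used": False,
    }
    # registrar.example is a placeholder host (assumption).
    return f"https://registrar.example/transfers_in/accept.php?key={key}"


def approve_transfer(key, now=None):
    """Handle a click on the link. No login prompt is shown and no session is
    created: the key alone identifies the domain and account, and it
    authorises this single approval only."""
    now = time.time() if now is None else now
    rec = _pending.get(_digest(key))
    if rec is None:
        return ("rejected", "unknown key")
    if rec["used"]:
        return ("rejected", "key already used")
    if now > rec["expires"]:
        return ("rejected", "key expired")
    rec["used"] = True
    return ("approved", rec["domain"])


if __name__ == "__main__":
    link = issue_approval_link("paul.com", account_id=42)  # constructed sample
    print(link)
    print(approve_transfer(link.split("key=")[1]))
```

With this flow the genuine approval page never requests credentials, so an e-mail whose link leads to a login form does not match what the registrar sends.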
@nameaddict

@Erdinc - We are conducting our transfer process with security in mind and I can't remember a time in recent history when a security issue has arisen from this process. That said I will follow-up with our developers again and make sure we review the process and see if there is a need to make a change.

You definitely have a problem here. The problem is a scammer can reproduce your email and ask you to log in to an account which is not name.com. It could be naame.com for example. Then they've captured your password, and your account is compromised, and all your domains could be stolen.
 
0
•••
@nameaddict



You definitely have a problem here. The problem is a scammer can reproduce your email and ask you to log in to an account which is not name.com. It could be naame.com for example. Then they've captured your password, and your account is compromised, and all your domains could be stolen.

Name.com isn't the only one that does this too. Unless things have changed, I've had the same process take place with Moniker where the link I get to click takes me to a login page there, and while I didn't realize the security risk with that, after ErdInc explained it, I definitely do now. That process should definitely be changed.

As for the frontrunning - unless the name was absolute crap, chalk it up to there being other demand for it. It would be one thing if it was an available domain for a while and all of a sudden got scooped up there shortly after you searched, but with domains that are dropping, there's not much of a chance that you can prove they did anything but backorder a domain of value. You can't prove they put in the backorder sometime after you searched in other words.
 
0
•••
Paul, thanks for your response. I'll take the small consolation that whoever registered it wasted their money. I'll chalk it up to coincidence. Several little things happened in my transactions at Name and that was the capper after a rather rough week in general.
 
0
•••
@nameaddict

You definitely have a problem here. The problem is a scammer can reproduce your email and ask you to log in to an account which is not name.com. It could be naame.com for example. Then they've captured your password, and your account is compromised, and all your domains could be stolen.

That's why I love the additional security Name.com offers through the verisign security codes. The pin code needs to be entered together with a username / password - if the pincode is incorrect the username and password are both useless.
 
0
•••
I've never had any strange happenings using Name.com's bulk search that I am aware of and I often check who regged the ones that suddenly got regged, nothing strange to be noted.

Kinda off topic but I know for a fact that GD tracks what you search, I was dumb and forgot a few times and searched a few names at their site, lo and behold the next day I got an email from GD saying the name I searched for was still available and if I register it today I can save 20%. Whatever you do don't search names at GD besides the fact that they are well known for showing names as available when in fact they never were.
 
0
•••
Even though this thread is 4 years old, I just want to add a comment as I arrived here through my own searches about front running domain names with name.com

I can't say for sure, but recently I've definitely had my suspicions about name.com because on at least two occasions I've searched availability for a few 5 letter domains, and then within a couple of hours the same search comes up as "taken". In one case the domain became parked at GoDaddy. These were not trending words or hot-off-the-press TLDs. It could have been complete coincidence but I choose not to believe anymore. I will no longer use name.com to search unless I am absolutely ready there and then to register it.
 
0
•••