Security risk at name.com

[Erdy]

I'm transferring a domain from elsewhere to name.com. I started the transfer at name.com. A few hours later I received one of those, "You need to click here to proceed with the transfer emails.". So far so good. However when I clicked that link I landed on a page that asks me to login.

Screenshots:
before click: http://img835.imageshack.us/img835/935/beforeclick.gif
after click: http://img810.imageshack.us/img810/421/afterclick.gif

I like name.com. That's why I use them and transfer my domain to them. But they shouldn't send login requests in emails. On the contrary,they should be the one advising customers not to click any link in any email. Yes we always click those transfer approval links and thats normal but those links should not land on a login page.

As a general rule, never click any link in any email to login to your registrar account.

Another odd thing is they sent that email to the whois email of the domain and not to my name.com account email. Let's say if this was a sedo sale and I was buying the domain from somebody else, the email would have gone to the seller and it asks him to login to the name.com account that started the transfer, the buyer. But that's not possible because the seller and the buyer would be different people.

So, besides the big security risk I fail to understand how a transfer is possible if the losing and gaining parties are different.

 

[DU]

...

 

[Erdy]

Almost every week somebody click a link in his email and logs in to his registrar and gets his account hacked.

Somebody recently posted a thread here:
http://www.namepros.com/warnings-and-alerts/699697-domains-stolen-from-my-godaddy-account.html

The risk is very serious and real. Registrars should not send you an email with a login request for anything.

If you don't see a risk in that then you can continue clicking links in emails and logging in. I would never do that.

Also what they are doing is not standard. I worked with a lot of registrars, maybe 20 and it is the first time I have seen a transfer approval requiring login.

 

[DU]

...

 

[Erdy]

Yes godaddy is one of the registrars I use but they don't do it like name.com. They don't have a click here to proceed link.

I have actually emails from godaddy, name.com, namecheap and other registrars and name.com's email is similar to namecheap where you click and don't expect to login. They mislead you by using namecheap style no login links but then they ask you to login. Godaddy doesn't do that.

---------- Post added at 07:47 AM ---------- Previous post was at 07:33 AM ----------

How do you get that code into the new registrar if you DON'T log in?

This is done by a random key assigned to a no-login link. We use the same method for account activation on my site. Namecheap uses the same method. Their links looks like this:

< http://transfer-approval.com/u.asp?id=165FA9C4-E63C-4052-9535-D633572D32D8 >

Name.com copies this method and makes you think there will be no login. So you click it. But then they ask you to login. Godaddy doesn't do that. They don't have a link like that.

 

[vc]

Ha, wait until you transfer out! Then they send you no email or any way to expedite the transfer except for contacting one of their clowns, err, support representative.

 

[Name Trader]

Their support representative was very responsive to my request to expedite a transfer away from Name.com. Usually the transfer takes about 10 days. They expedited the transfer to transfer out immediately.