Unlocking a Domain on a Transfer....Vulnerable?

[DomainTalker]

This has always bothered me...


If we want to transfer one of our own domains from one Registrar to another, the process requires us to unlock our domain at the losing Registrar...

After we initiate the transfer process at the gaining Registrar, the process then takes about 5 days for the domain transfer to complete.


But, that means the domain is sitting unlocked & unprotected in our losing Registar's account for FIVE days...


If you have a very valuable name that you want to transfer to another Registrar, the process appears to be placing the domain at a serious risk of theft, during those five days...Its unlocked.


Is there a way to transfer a domain between Registrars that doesn't place the domain in an unlocked/unprotected position for 5 long days?


I'd appreciate suggestions on this. Thanks.

.

 

[SpareDomains]

even if someone saw it unlocked and put in their own transfer on it without the authorization code the transfer wont initiate, all of my transfers from fabulous to godaddy and godaddy to fabulous have always taken 2 days, I have waited 5 days+ at some other registrars but without handing out your authorization code I see no risk, biggest risk on thefts is people using free email accounts on whois that get hacked and then they steal your authorization code, don't use free email accounts for whois, use strong passwords on your accounts, don't use the same password for all your accounts, have good virus software to scan for keyloggers etc... I have bounced hundreds back and forth for 9 years and never had an issue.

 

[DnEbook]

i had a trnsfer to be done from bottledomains/au and when i couldn't find the unlock feature i contacted them only to be told all domains are unlocked unless you reqest otherwise !

 

[Fastlancer]

why all the moving back and forth? benefits?

 

[SpareDomains]

why all the moving back and forth? benefits?

generally consolidation, sometimes you pick up domains on the aftermarket and before you know it you have domains scattered across 5,6,7 different registrars, much easier to manage when you can log into 1-3 registrars and manage them all.
Also some extensions are a lot cheaper at other registrars, for .com I like godaddy, but .mobi and .us is cheaper at moniker, .name is cheaper at name.com etc...

 

[DomainTalker]

Thanks one & all for your comments...

I agree, I've never had a problem transferring domains between Registrars...And, I understand the security options/defences.


But, I'm still concerned about moving a really valuable name, 'cos of the 'unlock' requirement whilst its going through for those necessary days.....After all, we lock our domains for a reason.


I was hoping to hear that the system, in fact, 'locked down' the domain once a transfer process was initiated, or something similar....Eg whilst the gaining Registrar process was in train, no one could deal in the domain until either the transfer process was complete - or, the transfer process was terminated by the initiator....Or, something like that.


The 'unlock' step on a transfer just seems to be a weak link in the system to me.

.

 

[Kate]

The registrar-lock looks like a legacy option to me. Without the EPP code the name cannot be transferred away. It makes the lock redundant.

In the past stealing domains was much easier, all it took was a domain unlocked (could be a default setting depending on the registrar) and an outdated/out of service admin E-mail.
If the admin contact wouldn't object, the transfer would then proceed without further approval. That was scary. Many domains were stolen like that before EPP was implemented in 2006 (I believe).

So the owner might not notice until long after the harm was done.

 

[SpareDomains]

also when transferring out of fabulous and a few others no email is sent with an authorization code as you grab the code straight from your account which is even safer than getting an email with the code in broad view that could be intercepted if using an insecure email.

 

[Domagon]

The registrar-lock looks like a legacy option to me. Without the EPP code the name cannot be transferred away. It makes the lock redundant.

Spot on. Registrar-Lock, from a security aspect, is a legacy work-around stopping unauthorized transfers. It wasn't even designed for that purpose originally; was intended for expired domains and in dispute situations...

Later, registrar-lock was upgraded with various sub-statuses, such as "clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited", "clientRenewProhibited", etc; it's potentially possible for a "locked" domain to transfer out (assuming EPP code is supplied) depending on what the sub-status(es) are.

EPP is far superior. For TLDs supporting EPP, regardless of registrar-lock status, most always an EPP code is required to facilitate the transfer process.

Ron

 

[mynpid2010]

Hi,

I hope following links help...

How to Lock Down Your Domains at Go Daddy

VeriSign Offers Tools to Secure Domain Names

They are specific to particular registrars but I think there should be similar mechanism with other registrars too. Also these articles talk about lock in general but I think they must be having similar mechanism for transfer of high value domain names...

 

[DomainTalker]

The registrar-lock looks like a legacy option to me. Without the EPP code the name cannot be transferred away. It makes the lock redundant.

Very good point. And, that's true.....But, we do need an even tighter system on a transfer, imo.

I hope following links help...

How to Lock Down Your Domains at Go Daddy

VeriSign Offers Tools to Secure Domain Names

Excellent articles, thank you...

It seems Verisign has been working on much greater protection processes, lately, and, that'll be great when the Registrars adopt them...

I hope they tighten up the domain transfer process, itself, too.


Fabulous has an Executive Lock system that looks good, here:

Domain Name Wire » News » Fabulous’ Executive Lock Would Have Saved CheckFree.com - The Domain Industry's News Source


.

 

[Domagon]

...It seems Verisign has been working on much greater protection processes, lately, and, that'll be great when the Registrars adopt them...

I wasn't aware that Registry-Lock was being made available to registrars to use to protect domains of registrants. Or is that still just a proposal?

On a related note, VeriSign itself, despite touting registry-lock for security, doesn't use it for verisign.com - the domain is only registrar-locked, and not even fully, only with "clientTransferProhibited".

Register.com is an example of a truly locked-down domain:

Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited

(client prefix is a registrar-lock status; server prefix is a registry-lock status)

Ron

---------- Post added at 02:22 PM ---------- Previous post was at 01:59 PM ----------

Addendum:

After reading another thread on here discussing google.com expiring next year, I did a quick whois lookup and it appears that the registrar MarkMonitor offers Registry-Lock security.

Ron

 

[DomainTalker]

Good input, Ron.

Lol verisign.com...

.

 

[labrocca]

I can't ever recall seeing someone post this happening to them.