We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

Is your domain name being hijacked?

New rule creates potential security flaw for domain name transfers

If you own a domain name for your business or personal use, you should get up immediately and run, don't walk, to the phone, then call the company you registered the name with, and make sure that name is "locked down".

If you don't, you could easily lose your rights to that domain. And depending on whether your website is an integral part of your business, or just keyed to your family's activities, waking up one morning without it could range from inconvenient to disastrous.

The danger stems from a new rule from ICANN (the Internet Corporation for Assigned Names and Numbers). Effective from today, the new regulation is designed to make it easier for website owners to escape from registrars with unfair tariffs or terms. However, some registrars worry it could lead to domain names being transferred and hijacked, unbeknownst to their owners.

Before November 12, a change of domain name registration had to be approved by both the "gaining" and "losing" registration companies. But the new rules state the transfer can occur without the approval of the registrar "losing" the account.

"This new rule is going to give [con artists] new opportunities to hijack domain names – basically hijack websites," says Fred Bunzl, who owns DomainsNow4U.com.

Tom Cunningham, CEO of BulkRegister.com, and other registrars say they fear con artists can now set up false accounts with a gaining company and initiate a transfer of a domain name, without the owner's knowledge.

"Now, if I ask and you don't answer, it's actually assumed [your domain name] is moving," Cunningham says.

Registrars are encouraged to notify owners when a transfer is requested, but it's not mandatory. If five days pass without your response, the domain name automatically switches.

Even if your registrar did notify you, it's most likely to be by email, and your busy life, your spam filter or a holiday could eat up your five-day response period.

Mike Tumolillo, a freelance journalist who runs miketumo.com and medillians.org, says he's skeptical that an email of the impending transfer provides sufficient warning. "I usually ignore emails if I don't know who it is," Tumolillo says. "I don't want to get infected with a virus."

Since the rule changes are so new, most domain name owners are unfamiliar with them.

"I haven't heard anything," says Tumolillo. Faced with the possibility of losing his domain names, Tumolillo had this response: "That would extraordinarily suck."

You can take steps to protect yourself against a switch, a process called locking down your account. Some domain registrars, like godaddy.com, let customers lock their domain names manually by changing settings on their account. If you can't figure out how to lock your account manually from your settings, or if it's not available, you should contact your domain registration company and ask how to proceed.

Companies like BulkRegister and DomainsNow4U say their firms now automatically lock customers' domain names from transfers as an added security measure. But not every company has a policy of automatically locking.

"[Customers] should contact their registrar and see if they have a lock in place," Cunningham advises.

ICANN says the rules change is essential for domain name owners. Tina Dam, an ICANN official, says customers have complained for years that large domain name registration companies deny transfers arbitrarily and have confusing renewal policies.

"Consumers right now are not able to choose their provider fairly," Dam says.

To initiate a transfer under the new rules, you need to fill out an Initial Authorisation for Registrar Transfer form and submit it to the gaining registrar.

ICANN put sufficient safeguards in place to prevent foul play, Dam says, noting that the person asking for the change has to provide valid identification, such as a valid driver's license, a passport, or a birth certificate, to submit a paper copy of the form.

"It's important to note that a transfer cannot be initiated by a gaining registrar until the gaining registrar has verified the identity [of the domain name owner],” Dam says.

However, according to ICANN's website, doing it electronically is easier – the only ID requirements are an electronic signature or an email confirmation.

For added protection, Dam says ICANN has created standardised forms for transfers of domain names, and that companies can file a dispute with an arbitrator to challenge a transfer.

That's not enough for at least one domain name registrar.

"I accept that the current procedure is not simple enough for the average domain owner," says Bunzl of DomainsNow4U.com. "But what ICANN has done is not solving the problem and is probably going to cause more problems."


IDG UK Sites

Samsung Gear S (Solo) curved-screen smartwatch confirmed: release date, price and specs UK

IDG UK Sites

Nostalgia time: Top 10 best selling mobile phones in history

IDG UK Sites

How Ford designs next-generation cars at its Melbourne Design Centre

IDG UK Sites

Apple 15-inch MacBook Pro with Retina review and the mystery of the processor benchmarks