Guarding Against Domain Name Hijacking
On Friday, Jan. 14, 2005, a high-profile hijacking occurred when the domain name “panix.com,” owned by the New York-based Internet service provider of the same name, was transferred without authorization to a third party. Before Panix was able to reclaim the domain two days later, countless emails sent by its customers were lost, possibly along with passwords and other sensitive information.
The problem began when a domain name “reseller” based in the United Kingdom received a fraudulent request to transfer the panix.com domain (as it turns out, the party requesting the transfer was also using stolen credit card information). When the reseller submitted the request to the domain name registrar Melbourne IT, based in Australia, the registrar reportedly failed to properly verify the request. As a result, the domain name switched hands.
In the few days following this fraudulent domain transfer, there has already been much finger-pointing by the parties involved in the transfer, as well as outside commentators. Some have pointed to new domain transfer rules promulgated by the Internet Corporation for Assigned Names and Numbers (ICANN) that went into effect in November 2004, which arguably make fraudulent transfers easier to accomplish because under the rules domains are automatically transferred unless the owner countermands the transfer request within five days. Panix employees have pointed to the fact that the company did not receive any notice of the transfer, which should have occurred even under the new rules. To its credit, Melbourne IT has admitted the problem stemmed in part from its own failure to confirm the validity of the transfer request.
Regardless of the cause of the problem, the result was a colossal waste of Panix’s time, financial resources and goodwill, and website owners—online service providers in particular—must be aware of this potential danger, and take precautions to prevent such a hijacking:
- Domain registration information should be monitored regularly—there are services available that do this automatically to detect any changes.
- Make use of any security features offered by the registrar with whom your domain name is registered, such as password protection. In addition, a protocol is in place for certain domain name extensions (such as .biz and .info) that includes creation of a separate password saved with the domain registration information, and a party seeking to transfer such a domain must provide the authorization password before a transfer can occur.
- Domain names should always be “locked” with the registrar. This service allows owners essentially to tell their registrar to refuse any transfer or change of registration information until the domain name is unlocked. (A note of caution, however: Panix spokespersons have reported that the panix.com domain was locked with the registrar, yet was still transferred).
Of course, domain name hijacking is illegal, and there are likely both civil and criminal remedies available to those whose names and websites have been stolen in this manner, depending on the jurisdiction where the offense occurs. However, the best cure for such fraudulent transfers is the classic “ounce of prevention,” beginning with the steps outlined above.