Domain Transfers (and Hijackings) to Become Easier

Domain names could become easier to hijack as a change in domain transfer rules takes effect Friday. Under new rules set by the Internet Corporation for Assigned Names and Numbers (ICANN), domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain’s ownership and nameservers remain unchanged if there is no response to a transfer request.

This could mean trouble for domain owners who don’t closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain’s WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering “yes” to a transfer request, according to the ICANN policy change.

“Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default ‘approval’ of the transfer,” the new rules state. “In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.”

As the deadline for the change approaches, domain registrars are contacting domain owners and insisting that they update domain records to avoid unwanted changes. “From November 8-10, we are sending an email to all domain customers informing you of a new domain transfer policy, enforced by ICANN,” Go Daddy told its users. “This policy dictates that we must honor any transfer requests, even if you do not personally confirm them. To prevent unauthorized transfers, lock your domains.” There are reports of other registrars providing stern warnings to customers about the need to update their details within five days, perhaps to establish which domains may have outdated info.

Domains have become valuable business assets, yet are often loosely managed by business owners, who neglect to update their WHOIS information following changes in staff or e-mail addresses. Companies that have let critical domains lapse include The Washingon Post, the Gawker weblog and perhaps the most embarassing gaffe yet, the UK domain for Ogilvy Mather.

ICANN appears to be anticipating a spike in disputes, and today announced appointments to manage its domain dispute resolution policy.