Domain Theft is Still a Little Too Easy

Domain Theft is Still a Little Too Easy

By Larry Seltzer


Several years after the infamous case, it’s still possible to rip off a domain name using technologies that date to the Carter administration. Why are the registrars so unwilling to talk about it?

Do you ever get spam offering to sell you fake IDs? Here’s one reason why some people want to buy one: a fake ID, a fax machine, and an absence of morals are all that’s needed to hijack any domain name.

Yes, stealing a domain name from its rightful owners still appears to be child’s play. A reader contacted me about his case involving the domain name Several weeks ago Arnold Jones of Visionario Inc., a storage consulting firm and owner of, discovered that this domain had been transferred to someone else.

This person had sent in to Network Solutions, the registrar holding the registry of, a request by fax to change the e-mail contacts on the registration to a free address. Even though his identification information had been forged, including a copy of a fake Florida drivers license with Jones’s work address on it, Network Solutions happily obliged and did not scrutinize the license.

Once the e-mail contact had been changed, the domain pirate simply sent a request to reset the password on the account, and he replied from the new address. Now that he had control over the account, he could transfer the registration to another registrar.

However, according to Jones’ account, there were many other glaring red flags that should have alerted Network Solutions to a possible hijacking:

  • The fax requesting the e-mail change came from area code 530, in California, but all registrant information was for Florida.
  • The key administrative contact e-mail address was changed to a free, untraceable address.
  • The fake Florida drivers license lacked all the major characteristics of a legitimate Florida drivers license.

Jones required two weeks of time and effort before he got his domain back. If he was less sophisticated about these matters, it might have taken him much longer to take control of the domain. To compensate him for the two weeks of time and the lack of his domain, Network Solutions extended his registration by a year, a $35 value. Gosh, I hope he declares this on his taxes.

Neither Network Solutions nor the registrar to whom the pirate moved the domain, Domain Name Systems, Inc., would provide any information about the hijacker, and Domain Name Systems had actually received payment from him. They told Jones that they would only release the information pursuant to a court order.

There’s actually a famous case just like this, the case. This is a pretty strategic domain name for some people, as you can imagine. and it was owned by one Gary Kremen, who must have thought about such things often enough that he registered the domain name before anyone else. Stephen Cohen, a convicted felon straight out of the big house, duped Network Solutions (remember them?) into transferring the domain to him by using a transfer letter with a forged signature and a number of fake supporting documents.

Long story short, Kremen eventually sued and got his domain back with some damages, although far less than the tens of millions Cohen is reputed to have earned from the name.

Most of the attention to legal issues with domain names have to do with violations of trademarks, like some stranger before Exxon though to do it. There is an administrative process for dispute resolution available through the Internet Corporation for Assigned Names and Numbers, the body which oversees domain issues, called theuniform dispute resolution process. However, this is a very different issue than the hijacking of domain names.

I contacted Network Solutions to ask them about Mr. Jones’s case in particular and about domain theft generally. They declined to talk to me about any aspect of the story, including generic guidelines for people to follow in order to deal with or avoid domain theft.

Here are some of the specific questions that Network Solutions declined to answer:

  • When Network Solutions discovers a fraudulent attempt to change registrant information, does it pass the information on to the proper authorities?
  • What does Network Solutions do to prevent someone from hijacking a domain via fax?
  • What advice does Network Solutions have for customers trying to protect themselves?

Given the history and the recent problems, these aren’t abstract or absurd questions. I don’t know about you, but I’d think twice about doing business with a company that won’t answer questions like this. Of course, everyone with a .com domain has to do business with Network Solutions, at least indirectly. But at least we have a choice.

Sad to say, Network Solutions’ refusal to talk to me was more communication than I got out of any other domain registration business. I tried to get in touch with the two companies with which I have registered domains, and GoDaddy. (To be truthful, just the other day I transferred my only GoDaddy domain to, so I don’t really have any business anymore at GoDaddy.)

I couldn’t get through to anyone at GoDaddy who would talk to the press on the subject. All would say is that they take measures to prevent theft, but they can’t discuss the measures for security purposes. (Perhaps they could tell me, but then they’d have to kill me.)

Getting back to the generic issue of what we can do to protect ourselves, Jones said you can’t do it alone. Once he convinced Network Solutions that they had been scammed, he sent them a copy of his own ID with instructions that they only make transfers when the ID matched it, and he recommends everyone do the same. Sounds like a good idea, if your registrar will listen to you and accept such a directive in advance.

I have run into domain registrations, such as,) that include mention of how the domain is "protected." I haven’t been able to determine what this means, but I presume that it involves some sort of enhanced authentication before any transfer can take place.

There is also at least one service, Domains By Proxy, which creates an indirection in the registration. The whois database contains no information about you, just about Domains By Proxy. You can tell Domains By Proxy to forward e-mail sent to the contact information for the domain, or you can have them bounce it. Since domain registration contact info is a major source of addresses for spammers, this also helps to keep your Inbox clean. And anyone who wants to make changes in the registration information will first have to convince Domains By Proxy.

There are two problems with the Domains By Proxy service: they cost $9 a year per domain, which seems like a lot for the amount of work they do. And they only work with GoDaddy registrations, or so it appears from their site. I wanted to learn more about them, such as whether they would be available for other registrars. Here’s the punch line: they didn’t return my phone calls.

Discuss This in the eWEEK Forum

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Leave a Reply