In the past day, I've read several different threads over on WHT about domain registrars handing out account name and password info to parties not listed as contacts for the domains. Why are these companies being so careless with domain names? The companies mentioned in the threads are stargate, namecheap and Netsol (no big shock there, I know :p: ).

I hope they start taking greater precautions with this type of information, otherwise somebody's gonna end up losing some valuable domains names. If somebody did lose domain names through their carelessness, I wonder if they could get them back?:confused:

Originally posted by VoxKeysGtr

I hope they start taking greater precautions with this type of information, otherwise somebody's gonna end up losing some valuable domains names. If somebody did lose domain names through their carelessness, I wonder if they could get them back?:confused:

People should definitely use the lock feature to further secure their domain -- but you are right, this is a troubling trend. One that should be addressed by ICANN.

Not sure, but you may be referring to one of my posts as well about Netsol. I couldn't believe it when the rep emailed me full login info for my customer's domain. And funny, I never even asked for it. I simply asked him to resend the info to the address in the Admin section of the account.

Very likely just an isolated mistake, but these are the types of mistakes that should never be made...

Vito

It does make you wonder though. I mean, most of the domains I own are special to me, but not to most people. What about the names that everyone likes? In the past, some high profile domains have brought attention to the problem (sex.com comes to mind). Thing is, no matter how good the systems are that domain registrars use to handle things like lost passwords, etc., there's always the human error factor which can never be fully solved.

Originally posted by vito
Not sure, but you may be referring to one of my posts as well about Netsol. I couldn't believe it when the rep emailed me full login info for my customer's domain. And funny, I never even asked for it. I simply asked him to resend the info to the address in the Admin section of the account.

Very likely just an isolated mistake, but these are the types of mistakes that should never be made...

Vito

Hi Vito,

Yes. Your thread was one of the ones that I was referring to. It is scary that you could get the info so easily. If someone who doesn't ask for the information can get it can you imagine what a really slick, con-man, smooth talker type of person can get from them? That is disturbing. They'd probably hand over Netsol.com, the dumb shmucks.;)

Originally posted by Chicken
It does make you wonder though. I mean, most of the domains I own are special to me, but not to most people. What about the names that everyone likes? In the past, some high profile domains have brought attention to the problem (sex.com comes to mind). Thing is, no matter how good the systems are that domain registrars use to handle things like lost passwords, etc., there's always the human error factor which can never be fully solved.


True. I wonder how the situation would be handled though. Would they acknowledge the error, and correct it, or would they just throw a bunch of bureacratic run arounds at you and delay taking responsibility for the problem until the everybody just lost interest in the matter, or had to resort to the legal system to get a solution?

Originally posted by VoxKeysGtr
... They'd probably hand over Netsol.com, the dumb shmucks.;)
Well, the upside to that would be that perhaps it might finally be put in the hands of someone who could run it properly... :D

Vito

Originally posted by vito
Well, the upside to that would be that perhaps it might finally be put in the hands of someone who could run it properly... :D

Vito

:cool: hehehe...we can only hope...:D

Hello
70% of the password requests that come through to us for manual processing are malicious or fraudulent.
None of them get through though because we will only send the info to the admin contact and if the admin contact is wrong
they need to produce tons of ID material and fax us or OpenSRS.

Its usually someone who doesn't like the domain owner.

Gordon

Originally posted by GordonH
Hello
70% of the password requests that come through to us for manual processing are malicious or fraudulent.
None of them get through though because we will only send the info to the admin contact and if the admin contact is wrong
they need to produce tons of ID material and fax us or OpenSRS.

Its usually someone who doesn't like the domain owner.

Gordon

That's the way that it's supposed to be, and all of the companies claim that this is the case, however, I believe that in the specific situations mentioned in the threads, human error played a key role. In Vito's case, he didn't even ask for the information and it was given to him. All of the registrars have the same policy that you mention, it's that the policy is ignored or disregarded by the techs that has created the suituation discussed in the threads.

Namecheaps's response claims that they did not release the information, that the hijacker got the information from somewhere else, but I do not know the actual details of the situation. It's hard to imagine somebody being able to get the account information from somewhere else unless they worked in the same office or something like that.

human error played a key role

Yes, and i can give you a good example.

We had someone new started work here and he got a request like this:

"I own the domain abcdefg.com my old email address whatever@isp.com no longer works, can you send it to the address I use at my domain webmaster@abcdefg.com"

I managed to stop the giving of the password just in time.

Now, on the surface this looks an OK thing to do.
It probably was legitimate but there is no way of telling.

Think about "hotmail.com".

If webmaster@hostroute.com requested the password would that be the real person.
Probably not.

Another issue is renewals.
Someone could renew somone elses domain.
We just take the money and ignore the email address on the renewal payment.
It would be easy to think you could update the billing contact this way but if you do,then anyone could steal anyone elses domain by paying a renewal fee.

The only safe way is to send only to the address used when the customer signed up.

No matter how much this upsets registrants who have not updated us properly prior to the email change.

Gordon