Web community puts price on head of super highwayman VeriSign
Domain transfer madness at Hoopla.com
Domain registrar VeriSign has infuriated the Web community by wrongly transferring a New York writer's domain to an unchecked person in Germany.
The transfer of Hoopla.com was the result of a faked fax request but even though VeriSign has admitted its error, it has refused to sort out the situation, prompting real owner Leslie Harpold to hire a Florida lawyer in pursuit of the domain.
At the same time, hundreds of Internet users are working on a "Google bomb" to embarrass the company. A Google bomb works by putting up hundreds of links to a particular URL and naming it after the search term that people type into the Google search engine. In this case, the link is to Harpold's tale of events and the search name is VeriSign.
Hopes are not high though that either action will prompt VeriSign to do the decent thing and return ownership to Harpold, especially considering the company's track record. The trouble lies in VeriSign antiquated mechanism for changing domain name information.
The company, which owns Network Solutions, was the original Internet registrar, building and maintaining the first domain lists. However, following enforced competition in the domain name market, the company has faced many accusations that it is using unfair methods
to protect its ailing monopoly from cheaper competitors.
The seriousness of the situation - which has seen hundreds of domains wrongly transferred to others in the last two years - is such that Internet overseeing body ICANN even put registrar transfers on the agenda at its last meeting. Its recommendations are currently in a white paper which critics argue still do not tackle the main problem of verification.
The facts in this case are that VeriSign received a forged fax from a Sarah at a fake address in Berlin, stating that Leslie Harpold had given permission for the domain Hoopla.com to be transferred to her. The domain was not itself due for renewal until June this year. The company did so, and Harpold was frozen out the domain. Upon complaining, she was told that she would have to personally contact the new owner to agree terms, despite the fact that VeriSign never checked the transfer was correct.
Under ICANN rules, VeriSign is not actually obliged to doublecheck with the original owner that a transfer is agreed to, and it assumes authorisation is correct if the fax it receives contains the same email address as the contact address it has for that domain. This situation, inevitably, has led to hundreds of falsely transferred domains. The company efforts to prevent this happening by asking for extra authorisation have also met with criticism.
The problem lies with the company's insistence on using printed and faxed forms, rather than Web-based password-protected entry to registrant details that many other registrars use. VeriSign does offer more secure options but at a premium and even this has been seen to fail, with hijackers grabbing domains with even so-called top-level security (Internet.com is a case in point).
The company has been reluctant to move from its form method as it not only makes transfer to other registrars a more time-consuming and complicated affair, but also leaves it in ultimate power over the domain details. And there are no shortage of complaints that VeriSign continually refuses simple requests to change over to a new registrar or even that the forms have vanished between leaving the registrant and arriving at VeriSign. VeriSign does offer a $199 premium service however that will see domains re-registered within two days. There are no known complaints from those who have used this service instead of the cheaper $15 option.
But while the financial benefits of not creating a new, more secure system for domain details and transfers are clear, VeriSign is skating on thin ice. Despite a close relationship with those in power at ICANN, large sections of the Internet business and increasingly Internet community are at odds with its approach.
This was further heightened recently when the company sent emails to customers of competing registrars warning them they needed to renew their domain before it is was released to the public and apparently offering to save them $20 - months before the domain was actually due for renewal.
It is clearly a flawed system when a single fax can see the transfer of a domain that someone has worked on for years to a complete stranger without verification. If VeriSign doesn't mend the error of its ways, it could soon see itself as a minor player in what was once its playground. ®
Sponsored: Becoming a Pragmatic Security Leader