Update: It looks like Netcraft was a little overzealous in reporting the dangers this policy change poses and I misunderstood what is at issue here. Michael Moncur explains:
1. This policy is for registrar transfers, not ownership transfers. It doesn’t make it any easier for a domain to be hijacked, except perhaps by a corrupt registrar.
2. The gaining registrar is still required to confirm the transfer: A transfer must not be allowed to proceed if no confirmation is received by the Gaining Registrar.
The policy change is to keep registrars from holding domains hostage when people wish to transfer them, which is a worthy goal. I don’t want my domains to go to another registrar, so I’ve still got them transfer locked, but it’s unlikely that anyone will have to cancel their vacation just to keep an eye on their domain names. Embarrassed apologies for any panic induced…my ass has been fact checked and it’s a little sore.
Many of you are domain owners and have probably seen this elsewhere lately, but in case you haven’t, pay attention. ICANN has a new policy about domain name transfers which will make hijacking domains much easier:
Domain transfer requests will be automatically approved in five days unless they are explicitly denied by the account owner. This is a change from current procedure, in which a domain’s ownership and nameservers remain unchanged if there is no response to a transfer request. This could mean trouble for domain owners who don’t closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk, as the domain’s WHOIS database information will be used to inform domain owners of transfer requests. A non-response becomes the equivalent of answering “yes” to a transfer request, according to the ICANN policy change.
What this means is that any dufus can drop 20 domain names into this form at register.com, hope that a couple of those folks don’t get the emails from their registrars about the transfer (because they’re on vacation for a week, the email gets spam filtered, etc.), and take those domains from their rightful proprietors. You probably have some sort of recourse through your registrar or ICANN, but I wouldn’t expect it to be particularly timely (more than 5 days certainly) or rigorous.
So, what can you do about this? Some suggestions:
1. Make sure your contact information listed with your domain registrar is up to date. If a transfer request comes in for a domain you own and your email address on file with them no longer works, you won’t hear about it until your domain name redirects to big-hot-mammas.com.
2. Don’t go on vacation for more than 4 days or have someone check your email while you’re gone. Impractical, but whaddya gonna do?
3. Make sure your spam filters aren’t filtering out email from your domain registrar.
4. Some domain registrars allow you to “transfer lock” your domains. Do so now. According to one disgruntled register.com customer, register.com has no such feature at this time….you’re on your own, sucker!