Friday, 3 June 2016

.uk domain transfers are scary

.uk transfers are a little different:
  • You instruct your old registrar to change the "IPS tag" to point the domain to your new registrar.
  • You tell your new registrar that the domain just assigned to them is yours.
The new registrar then dutifully updates all of Nominet's records. Even if the name... email... address... you provided them with bears no relation to the existing (private?) registration information. Who cares if you had 2 factor authentication enabled on the original Nominet account, your domain is gone.

Nominet says the onus is on the registrar to ensure they verify you're the owner when going through this process. But they don't?

What's to stop someone scraping whois records (that IPS tag is public) and racing to claim the domains you're transferring before you do?

Apparently nothing. A few weeks ago I ran a little test. I registered a new domain at one registrar and immediately asked they change the IPS tag to another. A coworker watched over my shoulder as I retrieved the whois details for my domain to see the tag change, but then I got distracted looking for cake/looking over their shoulder. They set up a new account at the second registrar and claimed the domain, using no secret information and without either registrar or Nominet gaining my consent.

What am I missing? Do some registrars I haven't tried put effort into verifying your ownership? Is it just a few bad actors?

UPDATE: One registrar I've contacted has now promised they've updated their systems to email the owner listed by Nominet for confirmation, before handing over the domain. Minor success...

No comments:

Post a Comment