Domain name game

Computerworld - It happened over the weekend, when no one was watching: Six domain names quietly disappeared from the registry of Herndon, Va.-based Network Solutions Inc. (NSI). This is a very bad thing when you're an Internet
business like Web Networks Inc., a Toronto-based Web hosting service for Canadian nonprofit organizations that had registered its domain name, Web.net, with NSI. The May 27 loss of its domain name cut it, along with the nonprofits that use its service, off from the Web for five days. It took seven days to restore ownership.
"It's been nutty. Nobody could get to our site, and we had no way of directing incoming traffic to our clients' sites," said a very tired Tonya Hancherow, Web Networks' executive director, from her Toronto office last week.
That same weekend, Naked.com, Valley.com, Web.org, Adultpass.com and Internetbanking.com also fell victim to domain name theft. Then, last week, Internet industry news provider Internet.com and GTE Internet both reported that their domain names had been stolen. All were registered with NSI.
It doesn't take a technical genius to steal a domain name when the change process is fully automated. Someone posing as the administrators of the actual sites simply filled out templates on the NSI Web site asking for an ownership change.
These administrative contacts and their e-mail addresses are conveniently provided free of charge through a "who is" lookup at any of the 40-odd accredited registrars around the world. In some cases, the perpetrator spoofed the return e-mail header to match that of the registered administrator.
In Web.net's case, the perpetrator didn't even have to spoof an e-mail header. He simply keyed the registered administrator's address into the template and, voilý, NSI's application template accepted the change of ownership, no questions asked.
At this point, the perpetrator simply transferred the hijacked domain names to another registrar, OpenSRS, managed by Toronto-based Tucows Inc.
Preventing such thefts seems simple enough. "Work it out so the only way (a domain name registrar can) accept changes is through telephone verification," says Peter Van de Gohm, director of information asset protection at Enron Energy Services in Houston.
But NSI, the official registrar of 10 million of the world's 15 million .com, .net and .org domain names, has no telephone or fax-in verification option. NSI instead offers the following three levels of authentication:
• "Mail from," which accepts all forms from the e-mail address as listed in its database or from the administrative/technical contact.
• Encrypted password, which allows updates from any e-mail address, as lo