ICANN79: Addressing Fraudulent Domain Registrations - Seeking AGP Policy Reform
Cui bono? Fraudulent domain name registrations made using stolen payment methods and/or via illegal access to customers’ accounts are skyrocketing. While registrars are fully refunding the victims, registries and ICANN are keeping the proceeds of this fraud.
AGP Policy: A gateway for Domain Name Fraud?
During the ICANN79 San Juan meeting, in Puerto Rico, Registrars and Registries gathered to explore the possibility of jointly urging ICANN to reform the Add Grace Period (AGP) policy. This policy was initially intended to allow registrants to receive refunds for accidental domain registrations if they deleted them within five days. However, to prevent abuse, the refund process is strictly limited.
Before the implementation of AGP in April 2009, millions of domain names were registered and deleted within this five-day period each month, a practice known as "domain tasting." This practice allowed registrants to assess domain performance based on internet traffic. If a domain failed to attract enough visitors, it was deleted, and the registrar received a refund from the registry, which was then passed on to the registrant.
To curb this misuse, ICANN introduced non-refundable fees and limited refunds to 10% of the number of domain names registered per registrar per month. The AGP policy, while designed to offer flexibility, has unintentionally opened doors for cybercriminals targeting domain registration.
First of all, despite registrars' efforts to prevent fraudulent orders, criminals can still exploit anti-fraud measures put in place by registrars and payment service providers. Some fraudsters have reached a level of sophistication that makes their orders indistinguishable from legitimate ones. Registrars often only discover fraudulent domain registrations when they are reported by individuals whose identity or payment methods have been stolen, or when the domain names are used for illicit purposes.
Another tactic employed by criminals is gaining access to customers' registrar accounts and using the associated payment methods to place fraudulent domain registration orders. To mitigate this, customers must secure their accounts with strong, unique passwords and use security measures such as 2FA, IP whitelisting…
When registrars identify fraud before the end of the five-day period, they revoke the domain names and request refunds from the registries. However, the volume of fraudulent orders often exceeds refund limits, resulting in registries and ICANN retaining proceeds from illegal orders, while registrars refund defrauded payment method holders.
The magnitude of this issue is significant, with reports indicating over six figures of domain names affected by fraudulent activity across multiple registrars.
Towards a consensus on AGP Policy reform
While there have been some positive outcomes, such as informal agreements between registries and registrars to share fraud prevention best practices, there is no consensus on reforming the AGP policy. Registries believe a unique policy approach is necessary, leaving registrars in a holding pattern until a new policy is developed and implemented.
The Registrar Stakeholder Group is likely to urge ICANN to reform the AGP Limits Policy to better address the current landscape, where domain tasting has been eradicated but maliciously registered domain names are ordered in bulk via coordinated criminal attacks.
About the Author:
Luc Seufer is the Chief Legal Officer at EuroDNS. He's been deep in the trenches, negotiating with ICANN to make the internet a safer place. With tons of experience in the domain name world, he's super passionate about tackling DNS abuse and making the online world a better place for all of us.