[registrars] POTENTIAL LEGAL PITFALL

["Michael D. Palage" <michael@palage.com>]

Yesterday, I voice concerns about the potential illegal activity of
compiling information in connection with credit card fraud. Despite these
concerns there appears that some people want to start moving ahead with
compiling such information. Let me restate the legal concerns that Amadeu
raised on the list earlier today.

I would encourage everyone to read the presentation I gave one Friday and
which I posted to the list yesterday. On Slide #25 you will see the Fair
Credit Reporting Act, 15 USC 1681 et seq. Under this act you may be
committing a violation of the law if you compile fraudulent credit card
information and use it inappropriately. THIS IS SERIOUS STUFF. I have always
said that the road to hell was paved with good intentions.

Lets recap on where we are at and what we need to do.

#1 Credit card fraud is a problem that represents a serious threat to our
industry. In the last year I have seen several instances in which registrars
have been hit with credit card fraud charges in excess of $50,000 dollars.
In some of the cases the registrars were not able to delete all of the names
at the registry level. In addition, in those cases where the registrar was
able to delete the names within the five day grace period, the registrar
(merchant) still got hit with substantial penalties.


#2 Over the past couple of months I have been trying to increase an
awareness of this problem. Listed below is an email that I first sent out
last summer listing some of the trends I had heard from various registrars.


#3 Although I share some of the concerns voiced by Rick Wesson and Paul Kane
about the motive of the FTC in working with registration authorities, I
approach the situation preferring to look at the glass half full, instead of
half empty. The FTC wants to catch the bad guys, and we want the bad guys to
be caught. Hopefully the FTC is learning that US and foreign registrars are
not in the position to give them everything they want, when they want it.
However, I believe there is an opportunity to work together in stopping
credit card fraud. This is one of the reasons why I continue to talk on a
regular basis with people within the FTC and law enforcement. Remember the
meeting I scheduled back in 2000 with the FBI and the Department of Justice
to address the first wave of domain name hijacking. Cooperation with law
enforcement agencies both in the US and abroad is not going to go away. As
this industry matures, so will the lines of communication with established
public and private sector bodies.


#4 The first and easiest step in minimizing credit card fraud is for the
registrar to implement available fraud safeguard mechanisms. The security
code or CCV2 safeguard is one mechanism that I hear from registrars has
significantly reduced their fraud. It is not perfect and will not eliminate
all fraud, but it is a big safety feature which should be implemented if
possible.


#5 A more difficult next step is to work with law enforcement in tracking
down the bad guys. This is something that I will continue to work on, even
after my current term as Chair is up. I spoke with the FTC yesterday and I
will be sending them a letter next week documenting some of the problems
certain registrars have encountered and suggesting possible solutions.


#6 Another difficult step in the equation is working with registries to
mitigate the financial burden which currently registrars must almost
exclusively bear in connection with credit card fraud. Although I believe
registries are not unsympathetic to our concerns, as indicated by Chuck's
post last week to the list, there needs to be a lot more communication in
this area. I would like to purpose another joint session (couple of hours)
in Rio with registrars and registries where the sole topic is a brain
storming session on credit card fraud.

In summary, the problem of credit card is serious, but it will not be solved
quickly. However, this should not distract us from working individually and
collectively as an industry to stop the problem.

Best regards,

Mike


EMAIL SUMMER 2002

Listed below are some of my preliminary trends/solutions that I have found.
If you have any other suggestions that you would like to share please let me
know.

- extended holiday weekends always seem to be a prime time for fraud. One
registrar I spoke with had upwards of $100,000 in fraudulent charges during
the memorial day weekend. When this registrar called his credit card
processing company he was unable to get prompt service because of the
minimum staffing levels. Although he was able to cancel the registrations at
the registries within the 5 days grace period, the registrar had significant
problems with the credit card company which ended up withholding other funds
because of the fraudulent charges.

- Not all credit card processors are created equal. Some of the larger
registrars have told that they have switched credit card processors several
times trying to find the best one that was most responsive to their
inquiries relating to fraud. The cheapest credit card processor may actually
cost you more money in the long run because of customer service
delays/unresponsiveness, i.e. penny wise, pound foolish. I will try to
compile a list of credit card processors with pros and cons listed for each.

- Several registrars have began incorporating into the credit card
processing system the additional four digit security code physically
imprinted on the card. This step has reduced credit card fraud significantly
at several registrars.

- Be sensitive to large transactions from certain geographic locations -
particularly during the weekends and holidays. There appears to be a large
amount of questionable credit card activity in the Asia pacific region and
the former Soviet Block countries.

- Most registrars pass all five year plus registrations through a separate
review process. Catching this early is important as some bad guys will run
some small batch transactions through before launching a large scale
submission.

- One or two registrars have tried subscribing to companies that claim to
have databases of stolen credit cards. Those registrars that have used these
services have NOT found them very useful in reducing fraud.

- Some registrars use address verification when available against the
provided whois data.

- Make sure to review your registration agreement to make sure that if you
decide to delete a domain name for suspected fraud your legal but is
covered. The last thing a registrar needs is

- Potential ICANN related issues that we may want to consider. Requesting
that registrars have a larger than 5 day grace period with the registries in
the case of documented fraud in excess of a certain value. Currently there
is a five day grace period at the registry. Addition the registry currently
imposes a 60 days bar on transfers after registrations. We may want to
explore extending this to transfers into a registrar. Some fraud/hijacking
occurs when a domain name is transferred to registrar to registrar with
additional years added along with the way.