I woke up on September 1st, Labor Day, to an email alert that one of my domains had been transferred out of my account at Moniker without my authorization. I soon learned that my account had been hacked, the account email had been changed, a new user had been created, and five domains had been transferred away to another Moniker account.
Since that day, I’ve encountered numerous security flaws with Moniker’s system, including one that renders Portfolio MaxLock ineffective as it allows all the domains in an account to be transferred to another registrar without needing to answer the Portfolio MaxLock security questions.
As is well reported elsewhere, KeySystems caused massive disruptions when they replaced the legacy Moniker domain management system with a new system from their DomainDiscount24 (DD24) registrar. Unfortunately all the pain and trouble caused by the “upgrade” served primarily to replace a reasonably secure system with one with gaping security holes that have been exploited by hackers. The problem was exacerbated by Moniker’s failure to enact basic security procedures.
Another massive security breach was recently reported on Acro.net and DotWeekly. This appears to be a separate breach from the one I experienced which occurred in late August, as it happened much later and the IP involved was different, though it may involve the same people.
I called Moniker to alert them to the breach the same day I learned of it, and they locked down my account and the account that the stolen domains had been transferred to. Later that week I spoke to a manager at Moniker and exchanged emails with her. On September 5th, she wrote: “Our technicians are working very hard to ensure that breaches such as this never happened again.” Clearly they failed.
I was told that the technical team in Germany was investigating the breach and that I would receive a report within a few days. Despite several requests, it has now been over a month and I have yet to receive any account of what happened in the breach.
Yet from my own experience with the new Moniker interface I learned of several security flaws.
I had purchased and auto-renewed Portfolio MaxLock for several years on the old Moniker system. Portfolio MaxLock creates two security questions that must be answered successfully before any domain can be transferred out of the account. Portfolio MaxLock seemed to work well and I had peace of mind that the account was secure.
With the transition to the new DD24 interface, Portfolio MaxLock was dropped without any notice and I didn’t realize it was no longer active on my account.
When calling in to Moniker’s customer support team to make changes to the account, the customer support team verifies that you are the legitimate account owner by asking you to confirm information from the account profile: company name, company address, company phone number and, often but not always, the account email address. As most, if not all, of this information is available in public whois records, it is a ludicrous way to verify identity. A few years ago I changed the account email to be different from the whois email, but for many accounts the account email is likely the same as the whois email.
After my account was hacked the account email address was changed to one that was very similar to the correct one. It makes me wonder whether the hack was the result of social engineering one of the customer service reps. It is plausible that the hacker called to say that there was a typo in the account email address, and persuaded the customer service rep to make the slight change in the email address so that the email address then became one under the hacker’s control. I don’t know for certain since I haven’t received the report on how the breach happened so I can only speculate.
Moniker keeps a handy IP log showing the IP address and date stamp of anyone who has logged in or attempted to log in to the account. Yet worryingly the day that the hacker logged into my account and pushed out the domains the IP log showed no access at all. The customer service reps said that should only happen if the account was accessed internally, such as by the customer service reps themselves. This was disturbing and reinforced my suspicion that the hack was the result of the hacker persuading a customer service rep to make the changes.
I received no email to the original account email when the account email was changed. After I suggested that it is a basic security rule to send an alert to the original email address when the account email is changed, the folks at Moniker agreed that sounded like a good idea and they would ask their team to implement it.
After the hack was discovered, my account was kept in locked status and I had to call customer support, often enduring lengthy waits on hold, and having to go through the drill mentioned above “proving” my identity before the customer service rep would temporarily unlock the account to allow me to make whatever changes I needed to make.
Eventually I decided that if I purchased Portfolio MaxLock they would not need to lock down the account each time after I logged out. So I spent the $124 to purchase Portfolio MaxLock. I thought it would have been a nice gesture if they had offered Portfolio MaxLock at no charge, since my account had been breached and domains taken from it. But they didn’t offer, and I didn’t press it, so I paid for Portfolio MaxLock.
The new Portfolio MaxLock works somewhat differently than the legacy version, but the key functionality is the same as it requires that two security questions be answered before a requested job will run. According to the customer support reps, even they don’t know the answers to the questions, and it would take a high level member of the technical team to be able to reset the answers if I ever forgot them.
Once I got the hang of it, Portfolio MaxLock seemed to work well. If I wanted to have an auth-code sent to me, I would navigate to the desired domain in the admin interface to request the auth-code, but then I would need to go to the Jobs section to answer the security questions before the job would execute and the auth-code would be sent. Even minor items such as changing the Time to Live (TTL) value on a DNS record required answering the security questions.
One day though, I couldn’t log into my account. I called Moniker customer support assuming that the account had been relocked. But the support rep said that it hadn’t been locked; he did say that the password had been recently changed. I hadn’t requested a password change and was suddenly concerned that my account had been hacked again. The rep investigated some more and said that someone had requested a password reset, but they weren’t logged in when they requested it. I asked if this meant that anyone could force the password on my account to be changed at any time. The rep said that this is the way the system works. So here is another flaw in the design. You may have your password memorized, or saved in a password manager, and anyone at any time could force the password on your account to change so that your password is obsolete.
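The reset behaviour described above, modelled as an added example (this is not Moniker’s code, and the password hashing, token lifetime and names are all constructed assumptions): a reset request that replaces the stored password on the spot lets any stranger lock the owner out, whereas a reset that only mints a short-lived, single-use token leaves the current password valid until someone proves control of the mailbox by redeeming it.

```python
import hashlib
import hmac
import secrets
import time


def _pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the registrar's real password store uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 60_000)


class Credential:
    """Salted password hash with constant-time comparison."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.digest = _pw_hash(password, self.salt)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(_pw_hash(password, self.salt), self.digest)


class VulnerableReset:
    """Reset request is unauthenticated and immediately destructive: the stored
    password is replaced before anyone has proved control of the mailbox."""

    def __init__(self, password: str):
        self.cred = Credential(password)

    def request_reset(self) -> str:
        new_password = secrets.token_urlsafe(12)
        self.cred = Credential(new_password)   # the owner's real password is now dead
        return new_password                    # mailed to whatever address is on file

    def login(self, password: str) -> bool:
        return self.cred.check(password)


class HardenedReset:
    """Reset request only mints a short-lived, single-use token; the current
    password keeps working until the token is redeemed."""

    TOKEN_TTL = 15 * 60   # seconds; constructed policy choice

    def __init__(self, password: str):
        self.cred = Credential(password)
        self._pending = None   # (sha256(token), expiry); store the hash, never the token

    def request_reset(self, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending = (hashlib.sha256(token.encode()).digest(), now + self.TOKEN_TTL)
        return token                           # mailed; nothing about the account changes yet

    def redeem(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self._pending is None:
            return False
        expected, expiry = self._pending
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(presented, expected):
            return False
        self._pending = None                   # single use
        self.cred = Credential(new_password)   # only now does the password change
        return True

    def login(self, password: str) -> bool:
        return self.cred.check(password)


def owner_locked_out_by_stranger(cls) -> bool:
    """Can an unauthenticated reset request alone invalidate the owner's password?"""
    acct = cls("correct horse battery staple")   # constructed password
    acct.request_reset()                          # attacker, not logged in, no proof of identity
    return not acct.login("correct horse battery staple")


if __name__ == "__main__":
    print("vulnerable design locks owner out:", owner_locked_out_by_stranger(VulnerableReset))
    print("hardened design locks owner out:", owner_locked_out_by_stranger(HardenedReset))
```

The hardened flow still depends on the account email address being the owner’s; if a support rep can be talked into changing that address, the token goes to the attacker, which is why the email-change alert discussed below matters just as much as the reset design.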
You may question my complacency that I would leave my domains at Moniker through the flawed transition to the new interface that blocked account access for a long time. You may question my complacency that I didn’t immediately move out all of my domains after discovering the account breach. I also question my complacency.
Yet after weeks went by without any report of what had gone wrong with the breach and without any assurance that the problem had been fixed, combined with the troubling fact that no IP was logged the day the account was breached suggesting an internal system may have been compromised, I finally decided it was time to move away my domains.
The next time I talked to customer service, I told the rep that I had heard that Moniker had recently added a feature that allowed a bulk export of auth-codes. The rep showed me where to find the link in the interface. I clicked the link and received a message that the list of auth-codes would be sent to the account email address. I went to the ‘Jobs’ section where one must go to answer the Portfolio MaxLock security questions. But there was no need. A few minutes later a report with the auth-code of every domain in my account showed up in my inbox.
Even though I had paid to add Portfolio MaxLock to my account, and even though I couldn’t change the TTL for one domain without answering the security questions, the bulk auth-code export feature was added without linking it to Portfolio MaxLock so I was able to receive every auth-code for every domain in the account without needing to answer any security questions.
That is a major security flaw, but one would think it is of little practical consequence since the domains couldn’t be transferred out to a different registrar without unlocking them first. And when I navigated to the management page for an individual domain and requested to unlock it, that change required answering the Portfolio MaxLock questions first.
However, I noticed that on the account summary page that lists all the domains in the account, there is a little ‘lock’ symbol beside each domain. The symbol shows whether the domain is locked or unlocked. A nice feature is that you can click on the ‘lock’ symbol to change its status, from unlocked to locked, or from locked to unlocked. When you click on the lock symbol to unlock the domain, you don’t need to answer the Portfolio MaxLock security questions.
So I tested out whether I could move domains to another registrar without needing to answer the Portfolio MaxLock questions. I chose a few domains, clicked the ‘lock’ symbol for each one to unlock the domains, and then entered the auth-codes for the domains at the gaining registrar. The auth-codes were accepted, the gaining registrar emailed me to approve the transfer, a little while later Moniker emailed me a link to cancel the transfers if I wanted to keep the domains at Moniker, and a few days later the domains moved to the new registrar.
So now as I transfer out the domains in my account, I don’t bother bulk unlocking the domains and then answering the Portfolio MaxLock security questions. I just go down the list of domains clicking the ‘lock’ symbol to unlock them. And the domains are leaving my Moniker account. And Portfolio MaxLock is still active on my account, utterly useless for safeguarding the domains.
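The pattern behind the bypass just described, as an added example that is not Moniker’s code: a step-up control enforced separately at each UI entry point (the domain detail page remembers it, the summary-page lock icon and the later bulk auth-code export do not) versus the same control enforced once on the state transition that actually enables a transfer. Security questions, domain names and auth-codes below are constructed, and the gaining-registrar check is simplified to “lock off and auth-code matches”.

```python
import hashlib
import hmac


class StepUpRequired(Exception):
    """A transfer-enabling action was attempted without answering the security questions."""


def _digest(answer: str) -> bytes:
    # Normalise then hash so answers are compared, never stored in the clear.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


class Account:
    """Registrar account with a MaxLock-style step-up gate (constructed model)."""

    def __init__(self, questions: dict, domains: dict):
        # questions: question -> answer (hashed here); domains: name -> auth-code
        self._answers = {q: _digest(a) for q, a in questions.items()}
        self.locked = {d: True for d in domains}      # registrar lock on by default
        self._auth_codes = dict(domains)
        self._step_up_ok = False

    def answer_questions(self, given: dict) -> bool:
        ok = all(
            q in given and hmac.compare_digest(_digest(given[q]), h)
            for q, h in self._answers.items()
        )
        self._step_up_ok = ok
        return ok

    def _require_step_up(self) -> None:
        if not self._step_up_ok:
            raise StepUpRequired("answer the security questions first")
        self._step_up_ok = False   # one-shot: every sensitive job is gated on its own


class VulnerableAccount(Account):
    """Gate applied per UI entry point. The detail page remembers it; the
    summary-page lock icon and the bulk export never did."""

    def unlock_from_detail_page(self, domain: str) -> None:
        self._require_step_up()
        self.locked[domain] = False

    def toggle_lock_icon(self, domain: str) -> None:
        self.locked[domain] = not self.locked[domain]      # no gate

    def export_all_auth_codes(self) -> dict:
        return dict(self._auth_codes)                      # no gate


class HardenedAccount(Account):
    """Gate applied on the state transition itself; every entry point funnels
    through it, so a new page or bulk feature cannot forget the check."""

    def _set_lock(self, domain: str, locked: bool) -> None:
        if not locked:                     # unlocking is what enables a transfer
            self._require_step_up()
        self.locked[domain] = locked

    def unlock_from_detail_page(self, domain: str) -> None:
        self._set_lock(domain, False)

    def toggle_lock_icon(self, domain: str) -> None:
        self._set_lock(domain, not self.locked[domain])

    def export_all_auth_codes(self) -> dict:
        self._require_step_up()            # auth-codes are transfer secrets too
        return dict(self._auth_codes)


def gaining_registrar_accepts(account: Account, domain: str, code: str) -> bool:
    """Simplified transfer check: lock off and auth-code matching (assumption)."""
    return (not account.locked[domain]) and hmac.compare_digest(
        account._auth_codes[domain], code)


QUESTIONS = {"first pet": "Rex", "birth city": "Baltimore"}         # constructed
DOMAINS = {"example.com": "AUTH-1234", "example.net": "AUTH-5678"}  # constructed


def bypass_without_questions(cls) -> bool:
    """Return True when a full transfer can be completed with no step-up at all."""
    acct = cls(QUESTIONS, DOMAINS)
    try:
        codes = acct.export_all_auth_codes()   # bulk export link
        acct.toggle_lock_icon("example.com")   # summary-page lock icon
    except StepUpRequired:
        return False
    return gaining_registrar_accepts(acct, "example.com", codes["example.com"])


if __name__ == "__main__":
    print("vulnerable layout, transfer without questions:", bypass_without_questions(VulnerableAccount))
    print("hardened layout, transfer without questions:", bypass_without_questions(HardenedAccount))
```

The check to run against any registrar control panel is the same one the author ran: enumerate every path that can clear the lock or reveal an auth-code (detail page, list-page icon, bulk jobs, API, support tooling) and confirm each one hits the step-up, because the control is only as strong as its weakest entry point.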
I will give a shout-out to DomainTools, as thanks to their Registrant Alert report I learned that the domains had been moved out of my account in time to prevent them from being transferred away from Moniker. Moniker’s team froze the thief’s Moniker account that the domains had been moved to, and eventually moved the domains back to my account. I need to do a thorough review but I am not currently aware of any domains that are missing from the account.
It makes me sad to write this post. I was one of Moniker’s first customers. I was a Moniker customer before there was a Moniker, before it was a registrar, back when it was DomainSystems, a NetworkSolutions reseller. When Monte was changing the name from DomainSystems he asked my opinion of the new ‘Moniker’ name. I told him I had always thought the word was spelled “Monicker”. But Moniker is a great name, and Moniker has been the home of my core domain portfolio for nearly as long as Telepathy has been in business.
So it is sad to say goodbye to Moniker, and to witness the self-destruction of this company that played such a large role in the development of the domain industry.
I must say that everyone I dealt with at Moniker after the breach was friendly and helpful to the extent that they could be. But they were saddled with a buggy system, and they couldn’t provide the account security that the customers needed. Yet someone continues to make poor decisions, such as the recent one to change all the passwords and send out the new passwords in unencrypted plain text emails.
Unfortunately it appears that Moniker’s President, Bonnie Wittenburg, is experiencing serious health issues as her email auto-reply includes the following message: “I am out of the office on medical leave and will be out for several weeks.” Bonnie’s absence may be contributing to the lack of leadership and the ineffective response to the security breaches so far. I wish Bonnie, and Moniker, a return to good health. But I will be watching from a distance.
Driving through DC, I noticed new maroon flags waving from lampposts promoting something called “DigitalDC”. In small print on the flag was a web address. At first I couldn’t tell if I was having trouble reading the domain name, but then I got a good look. Yes, the URL for innovation in DC is digitaldc.co.
Digital DC’s mission, according to the website, is to promote DC as “the leading community in the innovation and high-tech economy”. Announced in March by soon-to-be ousted Mayor Vincent Gray, Digital DC is offering $1 million in funding to tech companies that move into a so-called “tech corridor” in a mostly residential, transitional neighborhood.
The organization has a sharp looking website but hasn’t yet chosen which high-tech companies will receive the “catalytic” government grants.
Last year, I received an email offering MLA.com for sale. DomainTools showed that the domain had been held for years by Michael Lee and Associates in Illinois. Yet the seller was from Russia. I contacted Michael Lee who confirmed that the domain had been stolen.
Today the Huffington Post published an article on the difficulties domain owners face trying to recover stolen domains. The focus of the story is on Michael Lee and his years long struggle to recover mla.com.
Interesting reading for all domain investors.
In the recent HoldOn.com decision, sole panelist Christopher Pibus found the domain owner guilty of bad faith for simply placing the domain on a parking page. Pibus made the bad faith finding despite there being no evidence that any of the ads on the parked page were infringing. When I visited the page at HoldOn.com, the ads were related to cars (screenshot below). Swedish company Amicus Trade AB, the Complainant, has a trademark on ‘holdon’ for clips.
Pibus found bad faith because the seventeen-year-old holdon.com domain was interfering with the Complainant’s business:
The Panel is further prepared to accept the Complainant’s uncontested assertions that the use of the disputed domain name in association with a click-through site has interfered and/or is interfering with the Complainant’s business, and that the disputed domain name is leading Internet customers seeking the Complainant’s website to the Respondent’s unauthorized website for purposes of monetary gain. In the absence of any evidence to the contrary, the Panel finds that the disputed domain name was registered and used in bad faith by the Respondent.
I fail to see how using, in a non-infringing way, a generic domain that long predates the existence of the Complainant is interfering with the Complainant’s business. If merely using holdon.com is interfering with Amicus Trade’s business, then the domain began interfering with the Complainant’s business the moment that Amicus Trade started making use of the ‘holdon’ brand fifteen years ago. Yet as the domain predates the business, it makes no sense to accuse the domain of interfering with the business. Why is the current use bad faith when the previous uses of the holdon.com domain were not? Are owners of generic domains not allowed to place ads on their websites that don’t infringe on any other trademarks? Is it bad faith to try to make money from your website when you aren’t infringing on anyone else’s trademark rights?
The domain owner failed to file a response. Even so, in order to succeed in a UDRP the Complainant must demonstrate that the registration and use is in bad faith.
Pibus’ position that placing non-infringing ads on a non-distinctive domain is bad faith use targeting the trademark holder is an overreach. It expands the rights of trademark holders far beyond any legal foundation. This approach also has the practical effect of putting every parked non-distinctive domain at risk, if the domain is at all similar to an existing trademark.
The HoldOn.com decision, and other similar decisions such as the MyArt.com decision and the Ovation.com decision, pervert the intention of the UDRP. In these cases the UDRP is not, as it is supposed to be, a procedure for protecting trademark holders from blatant cybersquatters. Instead, in these cases the UDRP is a tool whose purpose is to steal from their owners valuable non-distinctive domains that are coveted by the trademark holders but to which the trademark holders have no legal right.
HBO is the proud new owner of the piedpiper.com domain name. PiedPiper.com is now the home of the faux corporate website for Pied Piper, the fictional start-up company in HBO’s new comedy, “Silicon Valley”. Last night’s episode has the team brainstorming ridiculous names as they try to come up with an alternative to the Pied Piper name. One thing that rings true – all the team members recognize the critical importance of finding the perfect name for their company, even if it means overdosing on hallucinogenic mushrooms for inspiration. Even if you don’t have HBO, you can check out the first episode for free on YouTube.
HBO acquired the piedpiper.com domain, registered in 1996, from the original owner last year with the help of MarkMonitor. The original owner lived in Hamelin, Germany, the source of the nearly thousand-year-old tale of the Pied Piper of Hamelin, and had a website with information about the region around Hamelin at PiedPiper.com.
In a beasion zeused this noaning NAF baualist Sandra Franklin betamined that the pouin “Guaiky.com” is voanusimly ziamuar to “Quirky.com”.
Sorry… You didn’t have any trouble reading that did you?
In a decision released this morning NAF panelist Sandra Franklin determined that the domain “Guaiky.com” is confusingly similar to “Quirky.com.”
As you can see, no one reading “guaiky” would think of “quirky”. The first letter is different. The third letter doesn’t exist in the mark. And the consonant “r” that is in the mark is missing from the domain. The transformation of “guaiky” to “quirky” is similar to turning “right” into “wrong”, which Franklin also accomplished with her decision.
The “confusingly similar” test has long been a playground for Panelists’ more creative impulses. “MADDHATTEntertainment” was found confusingly similar to “MADD”. “Uniprotein” was found confusingly similar to “Universal”. And most notoriously, “Bodacious-tatas” was found confusingly similar to “tata”.
Franklin relies on the 13-year-old belken.com decision that found “Belken” confusingly similar to “Belkin” as support for her finding that “Guaiky.com” is confusingly similar to “Quirky.com”. If a case that found confusing similarity from swapping one vowel in the fifth position for another vowel justifies a finding of confusing similarity where three letters of a six-letter word have been transformed, then nearly any fanciful mark could be used to go after thousands of dictionary word domains. Similar reasoning would find Disney confusingly similar to “Kidney.com” or would allow Verizon to go after “Derision.com”. Since consumers are so easily confused by swapping three letters, much less one letter, what a nightmare it is to live in a world where ABC, BBC, and NBC are all television channels.
Franklin is also the author of the “horrible” UDRP decision awarding the valuable, non-distinctive domain NiceCar.com, owned for 13 years by a Korean registrant, to an American company with a trademark that post-dates the domain registration date by several years.
Franklin ordered the transfer of HealthySolutions.com despite a lack of evidence that when the domain owner registered the domain 13 years earlier that he was targeting the trademark holder. Franklin also ordered the transfer of the non-distinctive domain MedicalPark.com.
Franklin’s approach to the UDRP – finding “guaiky.com” confusingly similar to “quirky.com”, ignoring a domain owner’s legitimate interest in owning valuable non-distinctive domains such as eHelper.com, NiceCar.com, HealthySolutions.com or MedicalPark.com, finding that the reason a Korean individual registered and held for 13 years a domain, NiceCar.com, based on a commonly used generic phrase was a bad faith effort to target a small American company’s unregistered usage of that phrase – makes a mockery of the UDRP policy. Her apparent goal is to find a way to transfer these domains regardless of the facts, and she’ll twist the UDRP policy into unrecognizable shapes to achieve that goal.
Franklin has decided hundreds of cases as a sole panelist in the last few years, mostly for NAF but some as well at WIPO. A review of these cases shows that if you appear before her with a complaint that isn’t formally deficient, with evidence that you had some trademark use, registered or unregistered, for your mark that predates the registration date of the domain, and the issue isn’t a pre-existing business or legal dispute, you will win 100% of the time.
Put another way, in hundreds of cases over the last couple of years, when a Complainant can show some trademark use that predates the domain registration, Franklin has never found that the Respondent had a legitimate interest in its domain name. She has also never found, under this circumstance, that the domain owner’s registration or use was in good faith.
The integrity of the UDRP depends upon the integrity of the Panelists in honoring the policy as written. Franklin, and panelists who take a similar approach, are turning the UDRP into a tool for domain theft.
Updated Feb 9
[This post was originally published on January 15, 2010 on DirectNavigation.com. Thanks to Larry Fischer for allowing me to repost it here. Now that I am publishing my own blog, I am consolidating at DomainArts.com some posts that were first published elsewhere. -Nat]
Nat Cohen is a long time domainer who specializes in generic domains. This post, which Nat prepared, is one that is important to all domain owners.
About Nat – He has built up many of his properties including OceanCity.com and Maryland.com. He lives with his wife and family in Washington DC. Nat is a longtime friend.
A Problem at the Core of the Internet
Those who care about the development of the Internet should pay attention to a problem festering at its core. Domain names, the building blocks of the Internet, are governed by such a flimsy, easily-abused set of rules that ownership rights in domain names are not secure. This problem affects both those within and outside the domain industry.
Domains are the only asset class where owners are required to subject their ownership rights to cancellation by an arbitration panel. The poorly paid, loosely accredited arbiters who decide these cases are guided by a vague set of rules, the Uniform Domain Name Dispute Resolution Policy or “UDRP”. There is no procedure for reviewing the decisions of the arbiters to ensure that the decisions comply with the guidelines. Arbiters enjoy free rein in interpreting the rules as they see fit and can act with impunity.
Most arbiters are sincere, fair-minded, hard-working, distinguished legal professionals who make a genuine effort to carefully and faithfully apply the UDRP rules. Yet their good work is undermined by weak procedural safeguards that allow a minority of arbiters to mishandle the power entrusted to them to order the cancellation of a registrant’s rights to a domain name and the transfer of that domain name to a new owner for the flimsiest of reasons.
Individuals and small businesses are losing their long-held domains in arbitration to covetous newcomers who are not entitled to them. Last year a Korean dentist lost opendental.com to a company that did not exist at the time he initially registered the domain. A technology enthusiast recently lost parvi.org to the City of Paris in spite of the arbiter finding that there was no evidence that he registered the domain in bad faith and despite his clear legitimate use of the domain to promote new software he was developing.
‘Fox Guarding the Henhouse’
Arbiters are selected by providers of arbitration services, primarily WIPO and NAF, and the arbitration venue is in turn selected by the Complainant. WIPO and NAF are competing in the marketplace to offer services to their customers. The customers they are catering to are people or businesses who want domains transferred to them.
The previous owner of Liberty.com confirmed that he sold the domain last year for “seven figures”. The sale is covered by an NDA so he couldn’t disclose the actual price.
The new owner is Liberty Global, the $35 billion market cap international cable company. Liberty.com changed hands in April 2013.
In 2011, Liberty.com was listed for sale by the former owner for $10,000,000. At that time, the sales page stated that the owner had already turned down two offers for Liberty.com of a million dollars each. While the sales price can’t be independently verified, it seems reasonable for such a premium domain. Liberty Global is a publicly traded company, so perhaps the sales price will be revealed in its company filings.
Liberty.com was the subject of a UDRP dispute in 2000. The Complainant was a London retail store. Fortunately the domain owner prevailed.
“Liberty” related domains seem to attract UDRP disputes from companies who take the liberty of filing baseless complaints attempting to liberate the domains from their current owners. My own Libertad.com domain – “Libertad” means “Liberty” in Spanish – was hit with a UDRP Complaint in 2011. Thanks to the response prepared by Ari Goldberger and Jason Schaeffer of Esqwire.com, the complaint was unsuccessful.
Surge in misuse of UDRP for attempted domain theft leads to record year for Reverse Domain Name Hijacking decisions
UDRP decisions finding Reverse Domain Name Hijacking hit a new record this year indicating a surge in attempts by companies to abuse the UDRP process to steal domains that they are not entitled to. So far this year 24 complainants have been found guilty of Reverse Domain Name Hijacking (RDNH) compared to only 14 last year. The prior record of 23 (or only 19 if .biz STOP disputes are excluded) was set over a decade ago in 2002 in the early days of the UDRP.
What has led to the surge of RDNH decisions this year?
A radical new approach to the UDRP by a few panelists is encouraging companies to file abusive complaints. These are complaints that fail to meet the UDRP requirement that complainants demonstrate that the disputed domain was registered in bad faith. Filing a complaint without any evidence of bad faith registration is an abuse of the UDRP process and grounds for a finding of Reverse Domain Name Hijacking. When Panelists who reject the radical reinterpretation of the UDRP are assigned to decide disputes where complainants have failed to provide evidence of bad faith registration, they are frequently finding the complainants guilty of Reverse Domain Name Hijacking.
The radical new approach some panelists are now taking is to replace the “REGISTRATION in bad faith” standard with a “RENEWED in bad faith” standard. This approach is illegitimate for the many reasons discussed in the “Push to Adopt ‘Renewed in Bad Faith’ standard puts Investment Domains at Risk” post. The primary flaw with the “renewed in bad faith” approach is that it is based on language from a part of the policy that has no bearing on how domain disputes are to be decided. The relevant section of the policy where the dispute procedures are specified clearly states that “registration in bad faith” is one of the criteria that must be demonstrated for a complaint to be successful.
Those panelists who are championing the “renewed in bad faith” standard are ordering the transfer of domain names that everyone agrees were registered in good faith, including domains that were registered years before the complainant even existed. Encouraged by the prospect of being able to use this new weaker standard to seize domains that they have long coveted, companies are now filing complaints targeting domains that were registered in good faith and where there is no evidence of bad faith registration.
The “renewed in bad faith” standard eliminates the heart of the UDRP – the requirement that the Complainant must demonstrate that the domain owner has registered and used the domain in bad faith. What the “renewed in bad faith” standard boils down to is that a Complainant no longer needs to meet three rigorous tests to seize a domain through a UDRP. Instead, for some panelists, under the “renewed in bad faith” standard, the Complainant merely needs to demonstrate some current bad faith use.
Last month panelist Eduardo Machado ordered the transfer of Ovation.com in one of the most poorly reasoned UDRP decisions ever issued. Stephen Gilfus, the owner of the ovation.com domain, has filed in Federal Court in Florida to prevent the transfer by seeking a declaration under the Anticybersquatting Consumer Protection Act that his use of the domain is legal. He is also seeking a declaration that Ovation Hair, the Complainant in the UDRP, is guilty of Reverse Domain Name Hijacking under the ACPA.