Registrars not verifying contact information on domains?



According to a GAO report one of the reasons that phishing and scam websites are because of a lack of enforcement and policing by registrars of accurate contact information. According to their study over 5% of sites had been registered with false data. ~2.5% had been registered with incomplete information. These findings come from a random sample of 300 domain names that they then did lookups on the domains.


Brian at the SecurityFix suggests that the estimates may be low, because many scam/phishing sites may use registration data of identity theft victims and those may not show up as incomplete or false data (in other words, the name/address/phone checks out as valid, not necessarily indicating that THEY were involved in registering the domain.) That’s a good point. I suspect that if the registrars don’t get serious about making sure information is correct, then we might see other approaches. It would be nice if the registrars could regulate themselves in this matter.

One thing they could do is for the first 30 days of a domains life have a probationary period, send a postal letter to the address of the person registering and require them to enter a pin number (much the way Google verifies adsense participants…. sign up, get a postcard, go to website and enter pin number.) You certainly have to go through the ringer to prove you are authorized to deal with a domain to move it to another registrar….. (At least in my experience that’s been the case, especially if the company has changed hands.)

   Send article as PDF   

Similar Posts