Andrew Allemann reported on changes that are coming to domain name transfers, and they are a bit concerning to me. You can read about the new, hopefully temporary, transfer authorization process on Domain Name Wire, but this is the part that concerns me:
“In many cases, domain name registrars will not be able to get the registrant email address from Whois that is necessary to send a Form of Authorization when someone transfers a domain name to them. As a result, gaining registrars will be allowed to skip the Form of Authorization requirement.” (emphasis added by me).
From what I understand, domain registrars are responsible for generating EPP authorization codes. Each registrar may have its own process for creating them and for updating them regularly or periodically. With the new transfer process coming into play, I think it is very important for domain registrars to reset all EPP authorization codes. If that would be a major inconvenience for customers who are in the middle of a domain transfer, perhaps the EPP codes could be reset for those that were requested more than 30 days ago.
It would appear that someone could use an old EPP code that the registrar never regenerated to initiate a domain transfer. If the current registrant does not cancel the transfer in the allotted period of time, the transfer will proceed. I am sure many people ignore emails from their registrar. Some probably go to spam, and others are probably ignored because the registrant thinks they are marketing solicitations. Perhaps more savvy registrants will understand that it is a transfer request and simply assume that not confirming the transfer will be enough to stop it. This would be a mistake. Obviously, transferring a domain name without permission is illegal, but there are unsavory people who might try to take advantage of this.
I urge all registrars to refresh their EPP codes, perhaps excluding those that were requested in the last 2 weeks or maybe 30 days. This might be an inconvenience for some registrants who are in the middle of a domain transfer, but if that inconvenience can help prevent domain theft, I think it is probably worthwhile.
I also urge registrants to ensure their transfer lock is enabled, as this could also prevent an unauthorized transfer.
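A sketch of the rotation and lock check urged above, added here as an illustration and not any registrar's actual process. The record fields, the 16-character code length, the 30-day cutoff constant and the sample domains are assumptions; `clientTransferProhibited` is the EPP status that a registrar transfer lock sets.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed policy: codes issued within the last 30 days are left alone so that
# transfers already in progress are not disrupted.
GRACE = timedelta(days=30)
SYMBOLS = "!#$%*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def new_auth_code(length=16):
    """Draw a code from the OS CSPRNG; retry until every character class appears."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in code) and any(c.isupper() for c in code)
                and any(c.isdigit() for c in code)
                and any(c in SYMBOLS for c in code)):
            return code


def plan_rotation(domains, now):
    """Return (rotations, unlocked).

    rotations: domain name -> replacement code, for codes older than GRACE.
    unlocked:  names that lack the transfer-lock status and need follow-up.
    """
    rotations, unlocked = {}, []
    for d in domains:
        if "clientTransferProhibited" not in d["statuses"]:
            unlocked.append(d["name"])
        if now - d["code_issued"] > GRACE:
            rotations[d["name"]] = new_auth_code()
    return rotations, unlocked


# Constructed sample inventory (not real registrar data).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "example.com", "code_issued": NOW - timedelta(days=400),
     "statuses": ["clientTransferProhibited"]},
    {"name": "example.net", "code_issued": NOW - timedelta(days=10),
     "statuses": []},
    {"name": "example.org", "code_issued": NOW - timedelta(days=45),
     "statuses": []},
]

if __name__ == "__main__":
    rotations, unlocked = plan_rotation(SAMPLE, NOW)
    print("rotate:", sorted(rotations))
    print("no transfer lock:", unlocked)
```

The domain with a stale code and no lock (`example.org` in the sample) is the case the post warns about: an old code is still valid and nothing else blocks the transfer.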