“The hijack occurred because a reseller of Melbourne IT failed to follow the process for seeking authorisation for a domain name transfer request,” Melbourne’s Bruce Tonkin wrote in response to an ICANN inquiry. “Melbourne IT has agreements with some of its resellers, where the reseller agrees to undertake authentication of a transfer request using the ICANN authorisation procedure. As a result of this incident, Melbourne IT is carrying out an immediate audit of all its resellers that authenticate transfers, and will implement improvements to its regular audit process.”

Many domain owners may be surprised to learn that the security of the transfer process is sometimes managed by resellers, rather than the registrars themselves. Melbourne IT’s resellers include well known Internet companies such as Yahoo and Verio, but also many smaller web hosting firms. It’s not clear how many of those resellers are allowed to verify transfers, or whether any other registrars besides Melbourne IT allow resellers to perform this task.

While ICANN’s Cole expressed surprise about Melbourne’s arrangement, the use of resellers to verify transfer requests was discussed when ICANN developed the current transfer rules. In 2003 ICANN’s Generic Names Supporting Organization (GNSO) recommended amending a draft of the policy, which stated that a registrar was “solely responsible” for verifying transfers. “Registrars that operate via resellers will often let the reseller carry out the validation process (particularly where language issues are involved),” the GNSO noted in its brief. “The removal of the word ‘solely’ will provide some flexibility in implementation, whilst ensuring that the gaining registrar is ultimately responsible.” The revised language was adopted in the new rules, leaving registrars the option of using third parties for verification.

Whatever ICANN decides, the practice offers another good reason why domain owners should lock their domains to guard against hijackings. Under the new ICANN procedures, domain transfers are verified by the “winning” registrar. Some registrars say this introduces greater potential for hijacking by eliminating a layer of confirmation.

ICANN concluded that the new policy was not at fault in the Panix incident. But Dotster, where panix.com was registered, cited the new policy in defending its actions. Dotster’s Ravi Puri said the registrar was informed of the transfer request on Jan. 8, but never contacted Panix. “In accordance with ICANN’s new policy, we relied on the approval given to the gaining registrar being valid,” Puri wrote. The previous policy would have required Dotster to also confirm the transfer with Panix. Puri said the panix.com domain was not locked at the time, and it was transferred on Jan. 14.