We have seen a lot of domain theft cases lately. Let me say that again. We have seen a LOT of domain theft cases lately. In the typical scenario, a hacker will often identify, by performing a reverse WHOIS search, an individual or company with a large and valuable domain name portfolio. The hacker will then identify the email address associated with that portfolio, either brute force or social engineer the password for the registrant’s email address account through a variety of nefarious means, and then obtain control over the registrant’s email account and use that account to transfer the domain names away to a foreign, and often uncooperative, registrar.
Often, the domain names within the registrant’s portfolio represent millions of dollars. In those cases, where it makes financial sense to file a lawsuit, we will get a call and, often six to twelve months later and after numerous arguments with the registrar and/or the registry, the registrant will regain control over the domain names. But there is a very simple step that registrars could take, and many find too costly to take, to protect against this scenario, which is not going away.
Two-factor authentication requires a registrant to provide two forms of authentication before allowing the registrant (or the thief) to transfer domain names away from the registrant’s account or take any other action that could potentially be detrimental to the registrant’s rights. It requires confirmation of identity through two independent means, typically two of the following: something that the user possesses, such as a USB encryption key dongle or a phone number; something that the user knows, such as a password; or something that is inseparable from the user, such as a fingerprint. Many registrars have been reluctant to implement two-factor authentication and cite cost as a factor; additional authentication methods may require the purchase of additional software or the hiring of additional personnel.
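To make the registrar-side check concrete, here is an added example (not code from the original post or from any registrar) of gating a transfer-out on both a password and a time-based one-time code (RFC 6238 TOTP, the "something the user possesses" factor). The registrant record, salt and secret are constructed sample values; a stolen password alone, which is all the email-compromise scenario above yields, does not authorize the transfer.

```python
import hmac
import hashlib
import struct

# Constructed sample registrant record (hypothetical values, not real data).
PASSWORD_SALT = b"constructed-salt"
REGISTRANT = {
    "email": "owner@example.com",
    "pw_hash": hashlib.sha256(PASSWORD_SALT + b"correct-horse").hexdigest(),
    "totp_secret": b"0123456789ABCDEF0123",  # 20-byte shared secret, constructed
}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def check_password(record: dict, password: str) -> bool:
    candidate = hashlib.sha256(PASSWORD_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, record["pw_hash"])

def check_second_factor(record: dict, code: str, now: int) -> bool:
    """Accept the current step and one step either side to absorb clock drift."""
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(record["totp_secret"], now + drift), code):
            return True
    return False

def authorize_transfer(record: dict, password: str, otp_code, now: int) -> bool:
    """Transfer-out is allowed only when BOTH factors verify. A password
    obtained by brute force, phishing or a hijacked mailbox is not enough."""
    if not check_password(record, password):
        return False
    if otp_code is None or not check_second_factor(record, otp_code, now):
        return False  # fail closed: no second factor, no transfer
    return True
```

The same gate belongs on every action the post calls detrimental to the registrant, such as changing the contact email or unlocking the domain, not just the transfer itself.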
But registrars that do not implement two-factor authentication may risk subjecting themselves to a negligence lawsuit under case law that every American law student reads in law school. In The T.J. Hooper, esteemed jurist Learned Hand examined whether a tugboat company should be held liable for negligence for failing to implement a radio as a safety mechanism. During a large storm, the T.J. Hooper, a cargo vessel, sank, destroying cargo owned by the plaintiff. The plaintiff sued, alleging that the owner of the barge should be held liable for negligence for failing to equip the tugboat with a radio, which would have warned the captain of bad weather. Judge Learned Hand found the T.J. Hooper’s owner liable because he failed to act with due care in failing to install a radio, despite the fact that “everybody’s doing it.” In so ruling, Learned Hand noted, “There are precautions so imperative that even their universal disregard will not excuse their omission.” In re Eastern Transportation Co. (The T.J. Hooper), 60 F.2d 737 (2d Cir. 1932).
And the same may be true for registrars. Even though many registrars have failed to implement two-factor authentication, and though many have only done so for their high net worth clients, there are some precautions that are so imperative to the protection of their consumers’ property rights that even universal disregard will not excuse their omission.
Don’t become the next T.J. Hooper.