
Registrar Negligence and the Case for Two-Factor Auth

by John DiGiacomo, Partner, Internet Lawyer

We have seen a lot of domain theft cases lately. In the typical scenario, a hacker first identifies, by performing a reverse WHOIS search, an individual or company with a large and valuable domain name portfolio. The hacker then identifies the email address associated with that portfolio, obtains the password for that email account by brute force or social engineering, takes control of the registrant’s email account, and uses it to transfer the domain names away to a foreign, and often uncooperative, registrar.

Often, the domain names within the registrant’s portfolio represent millions of dollars. In those cases, where it makes financial sense to file a lawsuit, we will get a call and, often six to twelve months later and after numerous arguments with the registrar and/or the registry, the registrant will regain control over the domain names. But there is a very simple step that registrars could take, and that many find too costly to take, to prevent this scenario, which is not going away.

Two-factor authentication requires a registrant to provide two forms of authentication before the registrant (or a thief) can transfer domain names away from the registrant’s account or take any other action that could be detrimental to the registrant’s rights. Identity is confirmed through two of three kinds of factors: something the user possesses (such as a USB security key or a phone that receives a code), something the user knows (such as a password), or something inseparable from the user (such as a fingerprint). Many registrars have been reluctant to implement two-factor authentication and cite cost as the primary barrier.

The Legal Case for Registrar Liability

The reluctance of registrars to implement two-factor authentication raises a serious legal question: when a registrar’s failure to implement readily available security measures directly enables a domain theft, should the registrar bear legal responsibility for the resulting harm?

The case for registrar liability rests on basic negligence principles. A negligence claim requires a plaintiff to establish: (1) that the defendant owed a duty of care; (2) that the defendant breached that duty; (3) that the breach caused harm; and (4) that the plaintiff suffered damages as a result. Each of these elements is potentially satisfied in the domain theft context.

Duty of Care

A registrar that agrees to maintain and manage a customer’s domain portfolio enters into a contractual relationship with the registrant that creates duties beyond the written terms of the service agreement. Where a registrar holds assets of significant value on behalf of its customers — domain names worth thousands or millions of dollars — the argument that the registrar owes its customers a duty to implement reasonable security measures is compelling. The fact that the domain name is transferred through the registrar’s own systems using the registrar’s own authentication mechanisms makes the registrar a direct participant in the transaction that effectuates the theft.

Breach of Duty

Two-factor authentication is not a novel or experimental security technology. Banks, email providers, and social media platforms have offered 2FA for years. The marginal cost of implementing 2FA for domain transfers is low — significantly lower than the cost borne by registrants and the legal system in litigating domain theft cases that 2FA would have prevented. A registrar that has been made aware of domain theft patterns facilitated by the absence of 2FA and nonetheless declines to implement it has a difficult argument that its failure to act meets the applicable standard of care.

Causation and Damages

Causation in domain theft cases where 2FA would have prevented the theft is relatively straightforward: but for the registrar’s failure to require 2FA, the hacker would not have been able to authenticate the transfer using only the registrant’s compromised email account. And damages — the market value of the stolen domains, lost revenue during the period of theft, and litigation costs to recover the domains — are concrete and quantifiable.

ICANN’s Role and the Industry Standard

ICANN, the governing body of the domain name system, has moved toward requiring stronger authentication for domain transfers. ICANN’s Transfer Policy requires registrars to implement specific authentication procedures for outbound transfers, including confirmation to the registrant’s verified contact information. But ICANN’s requirements set a floor, not a ceiling — and the floor has historically been set at a level that sophisticated hackers can bypass through email account compromise.

The industry trend is clearly toward mandatory 2FA for domain transfers. Registrars that have implemented 2FA — including major providers like Google Domains, Cloudflare Registrar, and others — have seen dramatically lower rates of domain theft among their customers. As 2FA becomes the industry standard rather than a premium feature, its absence at a registrar that processes the theft of valuable domains becomes increasingly difficult to defend as meeting the applicable standard of care.

Choosing a Registrar: What to Look For

For domain portfolio owners, the choice of registrar is a critical security decision. When evaluating registrars, the following security features should be non-negotiable:

  • Two-factor authentication for account login — at minimum; authenticator app-based 2FA is stronger than SMS-based 2FA, which is vulnerable to SIM-swapping attacks
  • Transfer authorization requirements that go beyond email confirmation, such as requiring 2FA verification before any outbound transfer is processed
  • Domain locking options at both the registrar and registry level
  • Security notifications for account changes, login attempts, and transfer requests
  • A reputation for responsive security incident handling — registrars that respond quickly and cooperatively when theft is reported make recovery faster and less expensive

The price difference between registrars is often trivial. The security difference is not. For valuable domain portfolios, the marginal cost of a premium, security-focused registrar is one of the best investments a domain portfolio owner can make.

Contact Revision Legal for Domain Security and Theft Recovery

Revision Legal represents domain portfolio owners in theft recovery litigation and advises on best practices for domain security. If your domains have been stolen or you want to assess your portfolio’s security posture, contact our internet attorneys today. We have the experience and registrar relationships to move quickly when time matters most.

Strengthening Your Registrar Account Security Today

If you manage a domain portfolio and have not recently audited your registrar account security, you should do so immediately. The steps are straightforward but the follow-through requires discipline. Start with the authentication settings on your registrar account: enable the strongest 2FA option available (prefer an authenticator app over SMS), and review the email address associated with the account. If that email address is publicly listed in WHOIS records or is your primary business email, consider creating a dedicated, private address used solely for registrar communications.

Next, review your domain transfer lock settings. Every domain that you do not intend to transfer in the near future should have transfer lock enabled. The lock costs nothing and prevents unauthorized transfers even if an attacker gains access to your account credentials. For your most valuable domains, contact your registrar about registry-level locking options that provide an additional layer of security beyond what the registrar itself controls.

Finally, consider whether your current registrar meets the security standard you need. If your registrar does not offer 2FA for domain transfers specifically — not just for account login — that is a meaningful security gap. The domain theft cases we handle regularly involve registrars that authenticate account login with 2FA but process domain transfers based solely on email confirmation, which an attacker who has compromised the registrant’s email account can provide. True protection requires 2FA at the transfer level, not just the login level.
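As an added example that is not part of the original post, the following Python audit applies the registrar checklist above and the transfer-lock review step to a whole portfolio: it takes the EPP/RDAP status codes a registrar or WHOIS lookup reports for each domain and flags domains without a registrar lock (clientTransferProhibited), without a registry lock (serverTransferProhibited), or with an outbound transfer already pending. The status names are the standard EPP and RDAP spellings; the sample portfolio and its domain names are constructed.

```python
"""Audit a domain portfolio's transfer-lock posture from its EPP/RDAP status codes."""
from dataclasses import dataclass, field

# Status values as reported by registries (EPP form) and in RDAP/WHOIS output (spaced form).
REGISTRAR_LOCK = {"clienttransferprohibited", "client transfer prohibited"}
REGISTRY_LOCK = {"servertransferprohibited", "server transfer prohibited"}
PENDING_TRANSFER = {"pendingtransfer", "pending transfer"}


@dataclass
class DomainAudit:
    domain: str
    registrar_locked: bool      # registrar-level lock the account holder can toggle
    registry_locked: bool       # registry-level lock, arranged through the registrar out of band
    pending_transfer: bool      # an outbound transfer is already in flight
    findings: list[str] = field(default_factory=list)


def audit_domain(domain: str, statuses: list[str]) -> DomainAudit:
    """Normalise the status strings and record gaps in the order a defender should act on them."""
    norm = {s.strip().lower() for s in statuses}
    audit = DomainAudit(
        domain=domain,
        registrar_locked=bool(norm & REGISTRAR_LOCK),
        registry_locked=bool(norm & REGISTRY_LOCK),
        pending_transfer=bool(norm & PENDING_TRANSFER),
    )
    if audit.pending_transfer:
        audit.findings.append("URGENT: outbound transfer pending; confirm it was authorised")
    if not audit.registrar_locked:
        audit.findings.append("no registrar transfer lock (clientTransferProhibited)")
    if not audit.registry_locked:
        audit.findings.append("no registry lock (serverTransferProhibited); consider for high-value domains")
    return audit


def audit_portfolio(portfolio: dict[str, list[str]]) -> list[DomainAudit]:
    """Run the check over every domain; returns only those with something to fix."""
    return [a for a in (audit_domain(d, s) for d, s in portfolio.items()) if a.findings]


# Constructed sample portfolio (not real domains): statuses as an RDAP lookup might return them.
SAMPLE_PORTFOLIO = {
    "fully-locked.example": ["clientTransferProhibited", "serverTransferProhibited"],
    "registrar-only.example": ["client transfer prohibited", "client delete prohibited"],
    "wide-open.example": ["ok", "pendingTransfer"],
}

if __name__ == "__main__":
    for result in audit_portfolio(SAMPLE_PORTFOLIO):
        print(result.domain)
        for finding in result.findings:
            print("  -", finding)
```

Feeding it the status arrays from your registrar's RDAP or WHOIS output for each domain gives a one-page list of what still needs locking before an email compromise can be turned into a transfer.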
