Visualizing the Security Benefits of the Losing FOA for Domain Name Transfers

I’ve written extensively about the security implications of the “Losing FOA” step of domain name transfers. It’s the opportunity for registrants to “ACK” or “NACK” a pending transfer, before it completes. I wrote about this again yesterday,  and that post linked to all prior writings.

I wanted to give readers direct visual evidence of why the Losing FOA is so important as a security mechanism, so I initiated a transfer of a domain name from my company’s portfolio at Tucows/OpenSRS to GoDaddy. After I input the transfer code (currently called the “AuthInfo Code”, but it will be renamed the “Transfer Authorization Code” or “TAC”) at GoDaddy, Tucows/OpenSRS sent me (as registrant) an email, with a link to a page that would allow me to immediately approve the transfer (i.e. “ACK” it), or to reject the transfer (“NACK” it). Here’s a screenshot:

Example of OpenSRS Losing FOA page, allowing registrants to accept or reject an outgoing transfer request

As you can clearly see, the page contains text saying:

The domain name listed above will be transferred to:

New Registrar, Inc.

and gives me the opportunity to accept the transfer, or decline it (I’ve just left things in a pending state for now; I’ll perhaps “ACK” the transfer in a few days).

Had the transfer code been compromised, with an attacker using it at a different registrar, I’d have been able to immediately detect the unauthorized transfer request and stop it before it completed, as I’d be able to see that it wasn’t transferring to GoDaddy.

In conclusion, this is an important security mechanism, given that there is otherwise no protection against misuse of the transfer code once it’s generated. Without this important safety mechanism, the registrant is “on their own”.

[P.S. In case you were wondering about the domain I used for the test transfer, “Big Swinging Dick” is a Wall Street term mentioned in the book “Liar’s Poker” — “If he could make millions of dollars come out of those phones, he became that most revered of all species: a Big Swinging Dick.” And of course, I own the dot-com (through my company).

P.P.S. What if an attacker had used a compromised transfer code at GoDaddy before I did, and I mistakenly approved an incorrect transfer into their account, rather than my own account at GoDaddy? That’s a vulnerability that I’ve advocated be addressed, by showing the full WHOIS “before” and “after” the proposed transfer (while it’s still in a pending state, to allow the current registrant full transparency of how the WHOIS would change, should they accept the transfer). See section G (pp. 23-25) of my full submission to ICANN. Although, even under the status quo, at least the domain name would be at a “friendly” registrar (i.e. in a legal jurisdiction to which I had specifically wanted to transfer the domain), where presumably the force of law could be used to correct things.]
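The decision the registrant makes on the Losing FOA page (does the destination match what I initiated?) and the stronger check argued for in the P.P.S. (does the post-transfer WHOIS match my own account?) can be written down as a small comparison routine. The following is an added example, not code from the post or from any registrar; it assumes a hypothetical notice structure in which the losing registrar reports the gaining registrar and the WHOIS as it would read after the transfer (the "after" view that the status quo does not yet provide), and all names, domains and contacts in it are constructed sample values.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class WhoisRecord:
    """Registrant-visible subset of a WHOIS record (constructed, simplified)."""
    registrar: str
    registrant_name: str
    registrant_email: str


@dataclass(frozen=True)
class PendingTransfer:
    """What a (hypothetical) Losing FOA notice tells the registrant."""
    domain: str
    gaining_registrar: str
    # WHOIS as it would read if the transfer is ACKed. Assumption: the losing
    # registrar exposes this "after" view, as the post argues it should.
    proposed_whois: WhoisRecord


@dataclass(frozen=True)
class RegistrantIntent:
    """What the registrant believes they themselves initiated."""
    domain: str
    expected_registrar: str
    expected_whois: WhoisRecord


def _norm(s: str) -> str:
    # Simplistic normalisation (case and whitespace only); real registrar
    # names vary more than this, so treat it as an assumption of the example.
    return " ".join(s.lower().split())


def whois_diff(before: WhoisRecord, after: WhoisRecord) -> dict[str, tuple[str, str]]:
    """Field-by-field differences between two WHOIS records: name -> (before, after)."""
    return {
        f.name: (getattr(before, f.name), getattr(after, f.name))
        for f in fields(WhoisRecord)
        if _norm(getattr(before, f.name)) != _norm(getattr(after, f.name))
    }


def evaluate_losing_foa(pending: PendingTransfer, intent: RegistrantIntent) -> tuple[str, list[str]]:
    """Return ("ACK", []) if the notice matches the registrant's intent, else ("NACK", reasons)."""
    reasons: list[str] = []
    if _norm(pending.domain) != _norm(intent.domain):
        reasons.append(f"notice is for {pending.domain!r}, but I initiated a transfer of {intent.domain!r}")
    # The check the Losing FOA page already enables: is it going where I sent it?
    if _norm(pending.gaining_registrar) != _norm(intent.expected_registrar):
        reasons.append(f"gaining registrar is {pending.gaining_registrar!r}, expected {intent.expected_registrar!r}")
    # The P.P.S. case: right registrar, but the record would land in someone else's account.
    for field_name, (got, want) in whois_diff(pending.proposed_whois, intent.expected_whois).items():
        reasons.append(f"post-transfer {field_name} would be {got!r}, expected {want!r}")
    return ("NACK" if reasons else "ACK"), reasons


# Constructed scenarios (all values are sample data, not real records).
MY_WHOIS_AT_GODADDY = WhoisRecord("GoDaddy", "Example Registrant", "owner@example.com")
MY_INTENT = RegistrantIntent("example.com", "GoDaddy", MY_WHOIS_AT_GODADDY)

LEGIT = PendingTransfer("example.com", "GoDaddy", MY_WHOIS_AT_GODADDY)
WRONG_REGISTRAR = PendingTransfer(
    "example.com", "Some Other Registrar",
    WhoisRecord("Some Other Registrar", "Mallory", "mallory@attacker.example"))
WRONG_ACCOUNT = PendingTransfer(
    "example.com", "GoDaddy",
    WhoisRecord("GoDaddy", "Mallory", "mallory@attacker.example"))


if __name__ == "__main__":
    for label, notice in [("legitimate", LEGIT), ("wrong registrar", WRONG_REGISTRAR),
                          ("wrong account", WRONG_ACCOUNT)]:
        verdict, reasons = evaluate_losing_foa(notice, MY_INTENT)
        print(f"{label}: {verdict}")
        for r in reasons:
            print("   -", r)
```

The "wrong registrar" scenario is the one the screenshot already lets a registrant catch by eye; the "wrong account" scenario is only detectable because the example assumes the before/after WHOIS view, which is exactly the gap the P.P.S. describes.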