Many of you would remember that as of November 12th, ICANN made a change on its domain ownership rules. Under the new policy, if a the registrar of record fails to respond within five calendar days to a notification by the Registry regarding a transfer, this will result in a default approval [emphasis added].

It appears that the recent case of Panix.com, an ISP whose domain name was hijacked was caused exactly by this change of ICANN policies. The domain name panix.com thus was reassigned to somebody else who, in turn, repointed the domain to a Canadian server. As a result, all incoming mail for Panix’s customers, including sensitive emails, passwords, etc, went into the Canadian unauthorized server. Imagine what they can do with this.

This incident comes at a time of increased criticism of ICANN’s change of policies. The policy change was intended to allow companies looking to move their domains from one registrar to another. Ease of transfer, appears to be balanced by ease of hijacking. Domain name owners can and should "lock" their domains. Locking  a domain against transfer requires a formal authorization before a transfer takes place, but not all registrars lock the domains automatically after the new policy went into effect.  [Thanks IPTAblog and InternetNews]

"Anyone that doesn’t have their domain locked down at the registrar is at risk to a registrar that has a loophole in their system or doesn’t follow the appropriate guidelines," he said. "They’re basically at risk to more than 200 accredited ICANN registrars that have the ability to submit a command to request transfer of the domain and we have no way to know whether that command was authorized or wasn’t authorized."

As a reslt of the Panix.com incident many registrars are locking their domains by default, but there are and will be more who do not do so. Moral of the story - if you are a domain name owner - make sure it is locked at the registrar level, or risk public embarassment, information leak, or lawsuits by angry customers.