[lac-discuss-en] Fwd: Derek Smythe and Vittorio Bertola on Internet Fraud and the intersection with ICANN

Carlton Samuels carlton.samuels at uwimona.edu.jm
Wed Apr 8 19:24:07 CDT 2009


Hereunder is a very interesting exchange on Internet security and the
perceptions of the discussants of ICANN's role. It at least makes for
interesting reading, in my opinion.

Carlton Samuels
========================================================================

  1. Re: [At-Large] Open letter to ICANN (Derek Smythe)


----------------------------------------------------------------------

Message: 1
Date: Tue, 07 Apr 2009 20:23:13 +0200
From: Derek Smythe <derek at aa419.org>
Subject: Re: [RAA-WG] [At-Large] Open letter to ICANN
To: raa-wg at atlarge-lists.icann.org
Cc: Vittorio Bertola <vb at bertola.eu>
Message-ID: <49DB9A11.1050303 at aa419.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Vittorio, I disagree and agree. Understanding what is happening here
depends on the depth of understanding.

Sorry, this reply is much, much longer than anticipated. I will
touch on some deeper realities not known to those who often work with
these same issues.

Vittorio Bertola wrote:
> Derek Smythe wrote:
>> Hi
....
> I think you are making a fundamental mistake here - you want a frauding
> website taken down by ICANN because it has incorrect Whois information.
> What you should want is rather that a frauding website is taken down by
> its country's police because it violates its country's laws.

Which country's police would that be? Where? This website has been
reported to the authorities more than once.

>
> I would be very, very, very concerned if ICANN staff started to take
> decisions on whether a website is "criminal" or not, possibly just by
> having a quick look at its home page or because of blanket assumptions
> like those made in the complaint, such as "Site gathers personal
> information on insecure form. Legitimate businesses do not gather this
> type of information without security precautions".

If you received a phishing email, would you make an assumption about
it if it asked you to log in to your account at some strange location?

In one of the examples given - safe-wayonline, no assumptions are
required. Reports are not based on "quick looks".

The official legal entities publish more than enough data to verify
that this website is not legitimate. The same resources can be used to
verify it is abusing another real company's registration number. A
third official one states that other websites have stolen the company
registration and abuse it on their sites, targeting jewelry auctions.

More than enough reports of attempted fraud and fraud are available
online.

Ask a bank or similar financial services provider or even a financial
regulator what would happen if they were to suddenly start doing
banking or similar without at least using some security protocol like
https.

I agree partly - no, it is not ICANN's task to take down scam
websites, but where evidence as per ICANN advisory dated 3 April 2003
is available, this is an issue for prompt action. That responsibility
lies with the registrar. ICANN is to ensure this is done and is
covered under security and stability of the internet, also trust in
the internet.

As for the mentioned Godaddy domains, the true owner of the address
denies any knowledge of the registrant. ICANN was also made aware of
this. Other domains by the same registrant still exist with
fictitious addresses; example NATWSECMAIL.INFO.

How would you judge http://ubsflorida.homelandssecurities.com ?
The answer would be to judge it via the whois and circumstances. In
this case this is history repeating itself for the N-th time;
 http://db.aa419.org/fakebankslist.php?psearch=BHFINDONESIA.COM
...
using payment processor Graphcard.com in whois to register a domain
with 007names.com, despite Graphcard not accepting responsibility and
007Names being made aware of this.
http://forum.aa419.org/viewtopic.php?t=29427

Yet I have personally phoned Joyce at 007names a few months ago who
ignored my emails where I explained what was happening. She then asked
I send her another email. The result is there for all to see. We have
headless bank spoofs running around with the registered address owner
not accepting responsibility. I could probably write a ten page
"summary" on this - but I will spare you ;)

Sorry for the elaborate examples, but the bottom line is that
judgments are not made lightly. There are many tests a domain must
fail before it can be declared fraudulent.

In fact many domains are monitored for months before revealing their
true nature. Understanding the situation makes the situation extremely
predictable.

I wish to welcome you to kdbuk.com which was monitored for over nine
months. If I was a betting man I would have been rich. Without ever
showing web content, I could tell you what it was. I note it
references NATWSECMAIL.INFO for email. It's a small world, but once
again I will spare you a ten page summary :)

However, the bottom line is these domains use fake whois details, or
abuse privacy mechanisms like the last example. This IS covered in the
RAA.


>
> I would also be very concerned if ICANN started to disable domain names
> on the grounds that "the postal code entered is incorrect".

As explained, the postal code is the smallest part of it. It should
have been verified before November 2008 if the system was working. But
it does raise a red flag - why was it not investigated? At least we
owe an answer to the later victims of this scam.

>
> However, I concur with the letter that the WDPRS is a useless service
> that appears to have been deployed more as a token effort than for real.
> I think it should just be dropped - if people suspect that a website is
> doing fraud, they should call the police, not ICANN. If there is the
> need for cross-national cooperation, the various police forces should just do
> their job and get organized to cooperate quickly and effectively. If
> there are countries that do not cooperate, then this is definitely a
> matter for national diplomacies to sort out - the US was able to impose
> its flavour of intellectual property regulation to the whole world
> through TRIPs and bilateral agreements, don't tell me that it is not
> strong enough to get cooperation on cybercrime.

The sad fact is the world currently does not have enough trained
police resources to look at each and every domain trying to scam
internet users. Jurisdiction is also a problem. Anonymous proxies etc
do not help. The same facilities legitimate internet users provide to
protect their privacy are the same ones internet criminals use. Right
now pre-paid American debit/gift cards are being sold in Africa (in a
country nobody wants to deal with) complete with fake American address
and used extensively for registering domains.

I am not saying law enforcement do not do the best, in fact the
opposite! Given the bad registration info, they are doing brilliantly
under the circumstances despite ICANN and the registrars. We find
doors being kicked down in the early hours of the morning half way
around the world to the victims. A small example: Netherlands, Romania
etc, but this is only the tip of the iceberg.

Sadly some countries try and improve their image without resolving
real issues that affect the rest of the world. This is a reality we
have to accept and build upon.

However, the golden rule of internet fraud from a victim perspective:
When the money is lost, it is lost forever.

Personally I believe more money is stolen through fraud on the
internet, than made by registrars and ICANN. Nobody knows the true
extent of it and costs.


>
> ICANN, in any case, should care more about Internet fraud and be more
> cooperative - but possibly by referring these (very valid and important)
> complaints to the appropriate law enforcement agencies depending on the
> countries involved. It could act as an information clearinghouse that
> could be very useful.

Agreed. Same for registrars. Some might be in for a massive surprise
though.

>
> Finally - about the "general internet user perception of ICANN":
>
> The "general internet user perception of ICANN" is non-existing - users
> don't know that ICANN exists.

The people that know about ICANN and try and use the systems. Do you
think Brenda who originally reported safe-wayonline.com will give
ICANN another chance? From her perspective she wasted her time.
>
> If you refer to "active users" and user groups, however, the perception
> is then much different according to the part of the world. For example,
> in Europe ICANN is usually perceived as an instrument to further the
> U.S. control over the Internet, for example by removing from the
> Internet the privacy that is guaranteed to European citizens by their
> national laws. And please don't be upset about this - it is not
> advocacy, it is just a fact that derives from cultural differences.
>
> Ciao,

However, if WDPRS reports were taken seriously by "all" registrars and
processed by them, a lot of these issues can be avoided.

Also it begs the question; why should any specific registrar comply
with the RAA and examine bogus whois information if other registrars
do not?

Regards

Derek

