The NSI user agreement controls here, and it gives NSI the discretion to do whatever it wants in the event they believe that the name was stolen. Sex.com is irrelevant, as that was many revisions of the user agreement back in history. Obviously, their user agreement has been amended in view of what happened in that case, among other things.
NSI is not unique in that regard, though.
Your domain names are only as secure as your email. If your email is compromised or hacked then, yes, your domain names can be stolen. Neither NSI nor any other registrar can secure your email for you, and their systems will act in accordance with messages confirmed by the admin contact email.
Many people make claims of "stolen" domain names to registrars, when the names are not actually stolen. How many people do you expect a registrar is required to employ as investigators of these claims, when the margin on a domain name registration is a couple of dollars?
So, let's recap a common scenario.
Able has a domain name able.com. He uses
able@yahoo.com as his contact address for his domain registration account. One day, Able is sitting in an airport using a T-mobile connection to access his email. Also in the airport is a hacker with packet sniffing software. The hacker obtains Able's yahoo password.
Next, the hacker uses the password recovery feature of NSI to get the password sent to
able@yahoo.com, and the hacker now has access to Able's NSI account. The hacker carefully deletes traces of this activity from the yahoo inbox on Able's account.
Using the NSI account, the hacker pushes the domain name to another NSI account, and sells the domain name to Baker for $10,000.
Able discovers his account has been hacked, and he contacts NSI and shows that the domain name was stolen.
Okay, now, explain to me the following:
1. What is it that NSI did wrong?
2. What should NSI do?
3. How is any other registrar immune from this problem?
Discuss.
(MJ is the brains of the operation here.)