
Top 4 ways to get SCREWED through escrow.com

Status
Not open for further replies.

DnPowerful

Level 5
Legacy Platinum Member
Joined
Apr 5, 2002
Messages
351
Reaction score
0
Feedback: 0 / 0 / 0
Having done a couple of hundred thousand dollars worth of business with escrow.com, I thought I would let all of you newbies know just how you can get screwed if you don't know what you're doing. There are definitely people who take advantage of the loopholes in their system. I debated posting this, in the event that there will be people who will learn about the scams and use them...however, I hope this will lead to loopholes being closed and people being better off. Escrow.com has gotten better in their domain category escrow, but there are massive holes that will only be filled if people scream enough. I get excellent customer service because I'm a big fish, but I'm afraid to think of what would happen if you were just a regular guy and doing a $5k sale and got screwed. Escrow.com would be running for the exits.

I personally have never been screwed, because a) I'm paranoid and think through every angle and b) I've done so many transactions I can basically smell trouble coming...but this doesn't mean people haven't tried! Be vigilant.

The scams:

1. The escrow.com whois disclaimer:

Many of you don't know this. The minute the seller changes the whois to your name as per the escrow.com agreement, REGARDLESS OF WHETHER S/HE HAS GIVEN YOU THE LOGIN AND PASSWORD FOR THE DOMAIN, technically, the domain has been transferred. This means that legally escrow.com is absolved of any liability and the seller has technically performed his/her duty. There are complicated legal reasons why escrow.com has taken this position, and they just don't wash with any reasonable person, so I and others have forced escrow.com to, in practice, informally force a confirmation from the buyer and they don't usually release funds until you confirm the transfer...BUT legally you are unprotected.

Now there IS recourse at the registry level, in that opensrs (for example) does keep logs of every login, and with an escrow.com transaction in hand you can reclaim the domain, but of course it may take months and lots of hassle. If you simply gently warn a seller in advance that you will require login and password for the domain AND tell them that all logins of the domain are logged, you can avoid 90% of problems.

The other thing is to let seller and escrow.com know early on (perhaps written into the agreement) that you will not confirm the transfer or consider the domain transferred until the master log and pass have been passed over and confirmed. I tell people WHILE we're agreeing to escrow early on so THERE'S NO CONFUSION. This tells scammers: "I'm wise to that one, go elsewhere."

2. The old "sub-user trick"

Many of you know this one, some don't. opensrs domains have software which allows sub-users to the master password--in effect creating a login and password that is always controlled by the MASTER password. This means that a seller could give you a login and password, could have already changed the whois to your info, and you login, get access, and then confirm the transfer thinking everything is fine. Then the seller logs back in under the master pass, deletes you as a sub-user, and then you are screwed. Please note that the smart one will not change the whois immediately, so as to not arouse suspicion. Perhaps a few weeks later, when the escrow.com money has been wired, they change the whois and start the whole process over again before authorities catch up.

Bottom line is: when you are given access to an opensrs domain (or similar registrars that offer sub-users) immediately go in and delete any sub-users, THEN change the password. You know at that point that only your password will work.

3. The advanced whois scam:

This one's a doozy, and most will fall prey to this. Someone tried this on me last week on a $50k transaction. Big mistake. What happens is the seller (scammer in this case) will change the whois to everything you specified EXCEPT the admin contact email, which they will change to [email protected]. They will say it is to prevent spam (puleaze!) but what they actually do is once you've logged into the domain, they immediately do what's called an opensrs log/pass "flush" in which you can ask your opensrs reseller to "flush" the log and pass down to the admin contact. So, you've logged in, changed the password, and they then push the NEW password down to the still active hostmaster@ email address which of course they control. Then they can properly say that you had logged in and taken control of the domain, you agree and then next time you log in, you can't, at which point it's too late. Escrow's released funds and the hassles start.

When you log in, after you delete subusers, you want to immediately change that hostmaster@ email to your email. The reason people fall prey to this is because they figure "Hey, I've got the log/pass, it doesn't matter the email addy, I can change it anytime because *I'm* in control." Wrong in this case. Pretty frightening huh?

Now once again, all logins are logged at opensrs, and the president of opensrs (unlike Veri-slime!!) takes thefts really seriously, but you're still looking at time and perhaps legal stuff to get your domain back.

There are two important pieces of trivia here that are critical for people to know:

1. Whenever a password is "flushed", it deletes all sub-users, according to opensrs. This means that technically, a scammer could, using the above scam, flush the login and password that you've changed your master to, and then create a sub-user mimicking your master login, and once again, you're not in control of the domain. Gets complicated here, huh?

2. This one's a bit of mind-blower. When you ask a registrar to flush your opensrs log/pass, you would assume your registrar wouldn't be able to see it, sort of like the bank not seeing your PIN anywhere. Well, you'd be WRONG! There are some registrars that actually do have access to all their opensrs logs and passwords at some point in their system!!! Is this outrageous or what?

Recently, I did a very large transaction with a guy who was also an opensrs reseller and we had some problems communicating properly. I could not log into my domain after having done so once and changing the password, but not the admin contact. It was all within 2 minutes. I freaked when I found out that he could possibly have access to my login and pass. Turns out I got my password wrong, something I NEVER do, but as a friend pointed out, do you really think you have 100% accuracy on logins?

Anyway, I phoned a few expert friends and they confirmed that a small % of opensrs resellers do have access to the log/passes. Incredible really. So be extra aware when dealing with sellers who also are involved with registries.

4. The Verisign transfer to another registrar scam.

This one's not complicated but amazingly scary, especially if you're frustrated with NSI's long wait period to transfer a domain.

Buyer and you agree to escrow on the name, keeping in mind that all you need to launch a transaction on escrow.com is an email address, not even a real one. Buyer says "Hey, now that we've agreed to the transaction, you could speed things up if instead of waiting for me to wire the money and for NSI to transfer the name--which could take weeks--you could just agree to an outbound transfer to opensrs *right now*, and then once the money's in escrow.com, the domain will be transferred to a new registrar and ready to immediately transfer to you."

Sounds good, right, because the person's already agreed to the escrow, they must be on the up and up. Bingo, you've agreed to an outbound transfer, Verisign and opensrs comply, there's no money in escrow to backstop the transaction and you're screwed. Of course, you *can* get it back, but one never knows if it's guaranteed, especially since you DID agree to the transfer, and imagine the hassles. First rule is wait 'till the money's in escrow before agreeing to any transfer.

There are many other ways that you can get screwed, but here are some ways to avoid most conflicts:

1. Force the person you're doing the escrow with to provide a verified phone, email, etc etc. If they don't, screw them. Any reliable person will provide that. If you really want the name, and they won't provide the info, do everything you can to bring them to the table in some way. Let them know that you did a little research, and you found out an alternate email, a posting in a newsgroup, anything. Pick up the phone and actually call them. The goal is to let them know you're on the ball.

2. If they don't start the escrow transaction under the whois email for the domain, ask them to send a piece of mail from that name. If they don't and can't plausibly explain, send 'em packing.

3. Write a custom agreement with escrow.com. Probably 99% of people don't know that escrow.com will write a custom escrow transaction for you. You can have CONDITIONS written into the transaction which make it less likely for you to be screwed. You can have multiple transactions, back-to-back transactions. They take time, and they're often annoying to the other party, but they can be done to great effect.

4. Take your time in confirming the transfer. This is tricky, because if you're on the other side, you're chewing your nails waiting for someone to confirm after they've logged in, and this can be a very stressful time for both sides, but it's your right to leisurely check that the log/pass is kosher and there's no scams waiting to pop. I personally am fast, usually confirming within seconds of logging in, but I'm an EXPERT. If I *do* take some time, I'll email the person and say "I'm checking some things, don't worry."


That's it for now. Stay tuned for a follow-up once I've had some dinner and got my energy back.

:D
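
A pre-confirmation check for the handover steps in the post above, as an added example that is not part of the original thread and is not escrow.com or OpenSRS code: it parses WHOIS-style text and reports anything that still leaves the seller a way back in. The WHOIS field layout, the sample record, the sub-user list (typed in by the buyer from the registrar control panel) and all function names are assumptions constructed for illustration.

```python
import re

# Contact roles to verify; scam 3 in the post leaves the admin e-mail with the seller.
ROLES = ("registrant", "admin", "tech", "billing")

# Matches lines such as "Admin Email: x@y" or "Admin Contact E-mail: x@y".
# This layout is an assumption; real WHOIS output varies by registrar.
EMAIL_LINE = re.compile(r"^\s*(\w+)\s+(?:contact\s+)?e-?mail\s*:\s*(\S+)\s*$", re.I)

# Constructed sample: every field was changed to the buyer EXCEPT the admin e-mail.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrant Name: Pat Buyer
Registrant Email: buyer@example.net
Admin Name: Pat Buyer
Admin Email: hostmaster@example.com
Tech Email: buyer@example.net
Billing Email: buyer@example.net
"""


def contact_emails(whois_text):
    """Return {role: email} for every recognised '<Role> Email:' line."""
    found = {}
    for line in whois_text.splitlines():
        m = EMAIL_LINE.match(line)
        if m and m.group(1).lower() in ROLES:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def handover_findings(whois_text, buyer_email, subusers, password_changed):
    """List every reason the buyer should NOT yet confirm the transfer."""
    findings = []
    emails = contact_emails(whois_text)
    buyer = buyer_email.lower()
    for role in ROLES:
        addr = emails.get(role)
        if addr is None:
            # A contact that cannot be read cannot be trusted either.
            findings.append(f"{role}: no e-mail found, cannot verify")
        elif addr != buyer:
            findings.append(f"{role}: e-mail is {addr}, not the buyer's")
    if subusers:
        findings.append("sub-users still present: " + ", ".join(sorted(subusers)))
    if not password_changed:
        findings.append("password not yet changed by the buyer")
    return findings


def safe_to_confirm(whois_text, buyer_email, subusers, password_changed):
    """True only when no finding remains."""
    return not handover_findings(whois_text, buyer_email, subusers, password_changed)


if __name__ == "__main__":
    for finding in handover_findings(SAMPLE_WHOIS, "buyer@example.net", ["seller_sub"], True):
        print("HOLD:", finding)
```

Because the post notes that a flush can be followed by a new sub-user being created, the check is worth repeating immediately before confirming, not only right after the first login.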
 

DnPowerful

Level 5
Legacy Platinum Member
Joined
Apr 5, 2002
Messages
351
Reaction score
0
Feedback: 0 / 0 / 0
Before I step away for dinner, and lots of people get the wrong idea, I want to heartily endorse escrow.com within the framework of their liability. I have had excellent success with them, and while lots of people have tried to screw me, their response has been very good. Lisa Tyler, who is the VP of Escrow for the company, is incredible. I've had many differences with her over some issues and company policy, but I can get her on the phone at a moment's notice, and that's unheard of in the online world. They really care about your business.
 

davidthornton

Exclusive Lifetime Member
Legacy Exclusive Member
Joined
Apr 1, 2002
Messages
354
Reaction score
0
Feedback: 0 / 0 / 0
I echo these comments in full. I found them very pleasant to deal with and easy to get hold of on the telephone. I intend to use them for all my escrow where possible.
 

Zoobar

DNF Addict
Legacy Exclusive Member
Joined
Jul 2, 2002
Messages
2,884
Reaction score
9
Feedback: 70 / 0 / 0
Much Appreciated.
 

buddy

DNF Regular
Legacy Exclusive Member
Joined
Jun 22, 2002
Messages
921
Reaction score
0
Feedback: 3 / 0 / 0
Great post DN Powerful. I bet a lot of us find that info very helpful. Thanks for taking your time in writing that loooong post :)
 

Lats

Level 5
Legacy Platinum Member
Joined
Jun 6, 2002
Messages
299
Reaction score
0
Feedback: 0 / 0 / 0
Yes, very helpful and informative. Opened my eyes up.


Lats...
 

DnPowerful

Level 5
Legacy Platinum Member
Joined
Apr 5, 2002
Messages
351
Reaction score
0
Feedback: 0 / 0 / 0
Yea, sorry it's so long, it just turns out there are so many angles to this thing and I wanted people to be prepared for all possible consequences....

:eek:
 

fizz

Level 8
Legacy Platinum Member
Joined
Jun 28, 2002
Messages
1,315
Reaction score
1
Feedback: 0 / 0 / 0
Excellent post DnP - you did the right thing to bring it to everyone's notice.

I've only used escrow.com once - at your 'regular guy' amount - when I purchased a domain from a guy in China.

The seller was very honorable and escrow.com worked extremely well, but your post has made me aware of what could happen if you're dealing with a sleazebag seller.
 

Nic

Level 6
Legacy Platinum Member
Joined
Apr 23, 2002
Messages
628
Reaction score
0
Feedback: 0 / 0 / 0
great too long though i fell asleep reading it... uh what time is it ?
 

Guest
Very useful post DnP, it's all too easy to forget that there are people out there that will abuse any loophole.

One thing I find with escrow.com as a seller, is that you really need the email address of the buyer's account to match the email address of the admin contact. That way if the buyer fails to update the transaction at any stage, you can phone escrow and they will progress it for you.

It's just a pity they ramped their charges recently.
 

namedancer

Level 4
Legacy Platinum Member
Joined
Apr 21, 2002
Messages
136
Reaction score
1
Feedback: 0 / 0 / 0
I'm new to selling so thanx DnP for the valuable advice :)
 

domaindirk

Level 7
Legacy Platinum Member
Joined
May 10, 2002
Messages
884
Reaction score
0
Feedback: 1 / 1 / 0
Thanks for the valuable info DnP. You just can't put a money amount on good advice.
 

Bob

Jedi Master
Joined
Apr 8, 2002
Messages
3,102
Reaction score
29
Feedback: 116 / 1 / 0
I have used Escrow.com on about 30 domain name transactions. I have only ever had one snag, and that was no fault of Escrow.com.

It was good to know the loopholes so I know what to watch for in any upcoming Escrow.com transactions.

-Bob
 

DnPowerful

Level 5
Legacy Platinum Member
Joined
Apr 5, 2002
Messages
351
Reaction score
0
Feedback: 0 / 0 / 0
Because I buy lots of adult, I of course attract the type of person out to scam (sorry all honest adult-ers out there ;), and given that I also do very high dollar transactions, everyone's very anxious until the very last thing is done (ie money wired).

What I meant to post yesterday is that it all comes down to the prep work you do BEFORE the crucial pass over of the name. I google everyone, and know pretty well what the story is on someone before we get to the finish line. In fact, I wired blind our very own 'safesys' a good size chunk of change based solely on our correspondence and checking out his particulars of business--which all looked legit.



:D
 

domingo

Level 2
Legacy Platinum Member
Joined
Jul 11, 2002
Messages
32
Reaction score
0
Feedback: 0 / 0 / 0
That's a very useful post, and I will keep these points in my mind, when I make my FIRST sale ;)
 

dnjon

Level 2
Legacy Platinum Member
Joined
May 12, 2002
Messages
43
Reaction score
2
Feedback: 1 / 0 / 0
Escrow.com does not have a secure system for transferring domains. After the buyer has sent the money to Escrow.com, the seller can change the WHOIS to the buyer's name and address and change the email address to one that he got at a Website where he didn't have to supply any identifying information. He could then tell Escrow.com that he gave the buyer the Username and Password and the buyer changed the email address. Naturally the buyer would deny that and Escrow.com would have no way of determining who held the Username and Password at that point, and thus whether or not they should release the funds to the seller.

And similarly the buyer, if the seller did provide the Username and Password, could do the very same thing and claim the seller is pulling the above scam when in fact he is. The bottom line is that Escrow.com has no way of verifying who holds the Username and Password to the domain at any point - and unless they can guarantee that in such an instance where each party claims the other has control that the registrar will step in and issue a new Username and Password that will be sent to the buyer before they will pay the seller, their system is simply not secure. I understand there are some registrars who will work with them but I imagine others would say, "We're not getting involved."

I pressed them on this point recently where I was buying a domain for $6K from someone I had good reason to suspect was not trustworthy and they gave me their assurance that they would not release the funds until I confirmed via email that the domain was under my control. That satisfied me. But if my intention had been to perform that scam on the seller, he would have had big problems.

They would not agree to have the seller transfer the domain to them first before they would transfer it to me. One thing they mentioned is that I might pull that trick on them and claim they never provided me with the Username and Password. It was an OpenSRS domain.

I'm not sure there's a solution to this problem other than ICANN requiring all registrars to cooperate in such instances. And by the way I understand Escrow.com is now being employed for all Afternic transactions (excuse if that's old news around here).
 

jingle

Level 3
Legacy Gold Member
Joined
Jul 15, 2002
Messages
62
Reaction score
0
Feedback: 0 / 0 / 0
...and you've had the domain for at least 60 days, just move the domain away from opensrs to a registrar like enom before you transfer ownership.
You can word your escrow.com description as follows:
Transfer ownership of domain.com to John Smith's ENOM account "xxxx"
If you are still worried, just before you transfer the domain, transfer a worthless test domain to the buyer, check the whois, make a copy of the whois report, and have the buyer transfer the test domain back to you. Only takes a minute. Have the buyer email you after the test domain is back in your account, to say that everything went ok. Then put the "real" domain in the buyer's account.
Or, after you put the test domain in the buyer's account, if the whois is correct, then immediately put the "real" domain in the buyer's account and copy the whois report for it.
Now you will just have to trust that the buyer will give you back the test domain, but if not, no big loss.
The money is in escrow.com and you now have more than enough proof that you transferred the domain to the buyer.
 

DnPowerful

Level 5
Legacy Platinum Member
Joined
Apr 5, 2002
Messages
351
Reaction score
0
Feedback: 0 / 0 / 0
Originally posted by dnjon
Escrow.com does not have a secure system for transferring domains. After the buyer has sent the money to Escrow.com, the seller can change the WHOIS to the buyer's name and address and change the email address to one that he got at a Website where he didn't have to supply any identifying information. He could then tell Escrow.com that he gave the buyer the Username and Password and the buyer changed the email address. Naturally the buyer would deny that and Escrow.com would have no way of determining who held the Username and Password at that point, and thus whether or not they should release the funds to the seller.

And similarly the buyer, if the seller did provide the Username and Password, could do the very same thing and claim the seller is pulling the above scam when in fact he is. The bottom line is that Escrow.com has no way of verifying who holds the Username and Password to the domain at any point - and unless they can guarantee that in such an instance where each party claims the other has control that the registrar will step in and issue a new Username and Password that will be sent to the buyer before they will pay the seller, their system is simply not secure. I understand there are some registrars who will work with them but I imagine others would say, "We're not getting involved."

I pressed them on this point recently where I was buying a domain for $6K from someone I had good reason to suspect was not trustworthy and they gave me their assurance that they would not release the funds until I confirmed via email that the domain was under my control. That satisfied me. But if my intention had been to perform that scam on the seller, he would have had big problems.

They would not agree to have the seller transfer the domain to them first before they would transfer it to me. One thing they mentioned is that I might pull that trick on them and claim they never provided me with the Username and Password. It was an OpenSRS domain.

Yes, Escrow.com is definitely not secure. It has long been a sticking point with me that they refuse to take possession of the log and pass before passing it on to the seller. Obviously, it's a liability issue, and just as importantly, they really don't know that much. Even my VP friend knows very little about how it all works.

All of us who know domains know it's pretty damn simple to have a "surrender log and password step" where escrow gets delivery of said info and then checks it all (no sub-users etc) and then moves to the next step. Naturally, they won't do it for liability reasons, and this won't change until a few domains get stolen and people put pressure on them. Now, with their new, hyper-expensive fees, this might happen.

I think 'jingle's solution is interesting, though obviously incomplete.

I would encourage all of you to reread my original post in which I noted custom phrasing is available to all transactions: ie: "the name will not be considered transferred until I confirm to my satisfaction that the domain has been transferred." You probably won't have a problem with escrow.com, but with convincing the seller to agree to such an onerous burden.

Another gaping hole in escrow.com's system is feedback ratings. They should have 'em, plain and simple.
 