Having done a couple of hundred thousand dollars worth of business with escrow.com, I thought I would let all of you newbies know just how you can get screwed if you don't know what you're doing. There are definitely people who take advantage of the loopholes in their system. I debated posting this, in the event that there will be people who will learn about the scams and use them...however, I hope this will lead to loopholes being closed and people being better off. Escrow.com has gotten better in their domain category escrow, but there are massive holes that will only be filled if people scream enough. I get excellent customer service because I'm a big fish, but I'm afraid to think of what would happen if you were just a regular guy and doing a $5k sale and got screwed. Escrow.com would be running for the exits.
I personally have never been screwed, because a) I'm paranoid and think through every angle and b) I've done so many transactions I can basically smell trouble coming...but this doesn't mean people haven't tried! Be vigilant.
The scams:
1. The escrow.com whois disclaimer:
Many of you don't know this. The minute the seller changes the whois to your name as per the escrow.com agreement, REGARDLESS OF WHETHER S/HE HAS GIVEN YOU THE LOGIN AND PASSWORD FOR THE DOMAIN, technically, the domain has been transferred. This means that legally escrow.com is absolved of any liability and the seller has technically performed his/her duty. There are complicated legal reasons why escrow.com has taken this position, and they just don't wash with any reasonable person, so I and others have forced escrow.com to, in practice, informally force a confirmation from the buyer and they don't usually release funds until you confirm the transfer...BUT legally you are unprotected.
Now there IS recourse at the registry level, in that opensrs (for example) does keep logs of every login, and with an escrow.com transaction in hand you can reclaim the domain, but of course it may take months and lots of hassle. If you simply gently warn a seller in advance that you will require login and password for the domain AND tell them that all logins of the domain are logged, you can avoid 90% of problems.
The other thing is to let seller and escrow.com know early on (perhaps written into the agreement) that you will not confirm the transfer or consider the domain transferred until the master log and pass have been passed over and confirmed. I tell people WHILE we're agreeing to escrow early on so THERE'S NO CONFUSION. This tells scammers: "I'm wise to that one, go elsewhere."
2. The old "sub-user trick"
Many of you know this one, some don't. opensrs domains have software which allows sub-users to the master password--in effect creating a login and password that is always controlled by the MASTER password. This means that a seller could give you a login and password, could have already changed the whois to your info, and you log in, get access, and then confirm the transfer thinking everything is fine. Then the seller logs back in under the master pass, deletes you as a sub-user, and then you are screwed. Please note that the smart one will not change the whois immediately, so as to not arouse suspicion. Perhaps a few weeks later, when the escrow.com money has been wired, they change the whois and start the whole process over again before authorities catch up.
Bottom line is: when you are given access to an opensrs domain (or similar registrars that offer sub-users) immediately go in and delete any sub-users, THEN change the password. You know at that point that only your password will work.
3. The advanced whois scam:
This one's a doozy, and most will fall prey to this. Someone tried this on me last week on a $50k transaction. Big mistake. What happens is the seller (scammer in this case) will change the whois to everything you specified EXCEPT the admin contact email, which they will change to [email protected]. They will say it is to prevent spam (puleaze!) but what they actually do is once you've logged into the domain, they immediately do what's called an opensrs log/pass "flush" in which you can ask your opensrs reseller to "flush" the log and pass down to the admin contact. So, you've logged in, changed the password, and they then push the NEW password down to the still active hostmaster@ email address which of course they control. Then they can properly say that you had logged in and taken control of the domain, you agree and then next time you log in, you can't, at which point it's too late. Escrow's released funds and the hassles start.
When you log in, after you delete subusers, you want to immediately change that hostmaster@ email to your email. The reason people fall prey to this is because they figure "Hey, I've got the log/pass, it doesn't matter the email addy, I can change it anytime because *I'm* in control." Wrong in this case. Pretty frightening huh?
Now once again, all logins are logged at opensrs, and the president of opensrs (unlike Veri-slime!!) takes thefts really seriously, but you're still looking at time and perhaps legal stuff to get your domain back.
There are two important pieces of trivia here that are critical for people to know:
1. Whenever a password is "flushed", it deletes all sub-users, according to opensrs. This means that technically, a scammer could, using the above scam, flush the login and password that you've changed your master to, and then create a sub-user mimicking your master login, and once again, you're not in control of the domain. Gets complicated here, huh?
2. This one's a bit of mind-blower. When you ask a registrar to flush your opensrs log/pass, you would assume your registrar wouldn't be able to see it, sort of like the bank not seeing your PIN anywhere. Well, you'd be WRONG! There are some registrars that actually do have access to all their opensrs logs and passwords at some point in their system!!! Is this outrageous or what?
Recently, I did a very large transaction with a guy who was also an opensrs reseller and we had some problems communicating properly. I could not log into my domain after having done so once and changing the password, but not the admin contact. It was all within 2 minutes. I freaked when I found out that he could possibly have access to my login and pass. Turns out I got my password wrong, something I NEVER do, but as a friend pointed out, do you really think you have 100% accuracy on logins?
Anyway, I phoned a few expert friends and they confirmed that a small % of opensrs resellers do have access to the log/passes. Incredible really. So be extra aware when dealing with sellers who also are involved with registries.
4. The Verisign transfer to another registrar scam.
This one's not complicated but amazingly scary, especially if you're frustrated with NSI's long wait period to transfer a domain.
Buyer and you agree to escrow on the name, keeping in mind that all you need to launch a transaction on escrow.com is an email address, not even a real one. Buyer says "Hey, now that we've agreed to the transaction, you could speed things up if instead of waiting for me to wire the money and for NSI to transfer the name--which could take weeks--you could just agree to an outbound transfer to opensrs *right now*, and then once the money's in escrow.com, the domain will be transferred to a new registrar and ready to immediately transfer to you."
Sounds good, right, because the person's already agreed to the escrow, they must be on the up and up. Bingo, you've agreed to an outbound transfer, Verisign and opensrs comply, there's no money in escrow to backstop the transaction and you're screwed. Of course, you *can* get it back, but one never knows if it's guaranteed, especially since you DID agree to the transfer, and imagine the hassles. First rule is wait 'till the money's in escrow before agreeing to any transfer.
There are many other ways that you can get screwed, but here are some ways to avoid most conflicts:
1. Force the person you're doing the escrow with to provide a verified phone, email, etc etc. If they don't, screw them. Any reliable person will provide that. If you really want the name, and they won't provide the info, do everything you can to bring them to the table in some way. Let them know that you did a little research, and you found out an alternate email, a posting in a newsgroup, anything. Pick up the phone and actually call them. The goal is to let them know you're on the ball.
2. If they don't start the escrow transaction under the whois email for the domain, ask them to send a piece of mail from that name. If they don't and can't plausibly explain, send 'em packing.
3. Write a custom agreement with escrow.com. Probably 99% of people don't know that escrow.com will write a custom escrow transaction for you. You can have CONDITIONS written into the transaction which make it less likely for you to be screwed. You can have multiple transactions, back-to-back transactions. They take time, and they're often annoying to the other party, but they can be done to great effect.
4. Take your time in confirming the transfer. This is tricky, because if you're on the other side, you're chewing your nails waiting for someone to confirm after they've logged in, and this can be a very stressful time for both sides, but it's your right to leisurely check that the log/pass is kosher and there are no scams waiting to pop. I personally am fast, usually confirming within seconds of logging in, but I'm an EXPERT. If I *do* take some time, I'll email the person and say "I'm checking some things, don't worry."
That's it for now. Stay tuned for a follow-up once I've had some dinner and got my energy back.
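Added example, not part of the original post: a buyer-side check to run before confirming a transfer, covering the sub-user trick (scam 2) and the admin contact email left under the seller's control (scam 3). The WHOIS field labels, the sample record and the function names are assumptions made for illustration; the sub-user list and password status are entered by hand from the domain's control panel.

```python
import re

# Constructed WHOIS excerpt (not a real record): every contact was changed to
# the buyer except the admin email, which is the setup described in scam 3.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SALE.TEST
Registrant Name: Buyer Person
Registrant Email: buyer@buyer.example
Admin Name: Buyer Person
Admin Email: hostmaster@seller.example
Tech Email: buyer@buyer.example
"""

# Assumed label format "<Role> Email: <address>"; adjust to the registrar's output.
CONTACT_RE = re.compile(
    r"^[ \t]*(Registrant|Admin|Tech|Billing) Email:[ \t]*(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def contact_emails(whois_text):
    """Return {role: email} for each contact email line in a WHOIS record."""
    return {role.lower(): email.lower()
            for role, email in CONTACT_RE.findall(whois_text)}


def handover_blockers(whois_text, buyer_email, sub_users, password_changed):
    """List the reasons the buyer should not yet confirm the transfer."""
    blockers = []
    # Scam 2: any remaining sub-user means someone else still holds a login.
    if sub_users:
        blockers.append("sub-users still exist: " + ", ".join(sorted(sub_users)))
    if not password_changed:
        blockers.append("password not changed since handover")
    # Scam 3: a password flush goes to the admin contact, so every contact
    # email, and the admin one above all, must already be the buyer's.
    emails = contact_emails(whois_text)
    if "admin" not in emails:
        blockers.append("no admin contact email found in WHOIS")
    for role, email in sorted(emails.items()):
        if email != buyer_email.lower():
            blockers.append(f"{role} email {email} is not the buyer's")
    return blockers


if __name__ == "__main__":
    for reason in handover_blockers(SAMPLE_WHOIS, "buyer@buyer.example",
                                    sub_users={"olduser"}, password_changed=True):
        print("DO NOT CONFIRM:", reason)
```

An empty list means none of these checks objects to confirming; it says nothing about risks the checks do not cover, such as a reseller who can read the login and password.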