Biz & IT —

Domain registrar auto-enrolls customers into $1,850 security service (updated)

"Your credit card will be billed $1,850" for this service you don't want.

Domain registrar auto-enrolls customers into $1,850 security service (updated)
Thinkstock / Aurich Lawson

A software developer who willingly pays about $80 a year for the registration of two domains was unwillingly "opted in" to another charge of $1,850, and it seems he's not alone.

Brent Simmons received an e-mail from Network Solutions Chief Security Officer Geof Birchall stating that he was being automatically enrolled in a new security program called WebLock.

"To help recapture the costs of maintaining this extra level of security for your account, your credit card will be billed $1,850 for the first year of service on the date your program goes live," according to the e-mail, which Simmons posted on his blog. "After that you will be billed $1,350 on every subsequent year from that date. If you wish to opt out of this program you may do so by calling us at 1-888-642-0265."

(UPDATE: Web.com now says the program will be opt-in rather than opt-out. According to Domain Name Wire, which said the e-mail went to Simmons and 48 other customers, Web.com COO Jason Teichman said, “Every one of those customers is getting a call. It’s not our intention to enroll anyone in a program they don’t want.” Web.com planned to roll the program out to 30,000 customers overall but started by notifying just a few dozen "so we can crawl our way into it," Teichman said.)

Simmons says he's been a Network Solutions customer since 1997 and pays about $40 a year, per domain, for two domains. He pays them only for domain registration, and not website hosting, he said.

"I couldn’t believe that I’d been opted-in, without my permission, to any new product—and I was stunned when I saw how much it cost," he wrote. "And further surprised when I saw that I would have to make a phone call to deal with all this."

It wasn't just a typo or a mistake. When Simmons asked if the e-mail was actually a slick phishing attempt, Network Solutions' verified Twitter account confirmed that it was real:

We contacted Network Solutions' owner, Web.com, and were told we'd get a response this afternoon. The company has already confirmed that it's rolling out WebLock to its "top 1 percent" of customers, according to a statement published by Domain Name Wire. The Web.com statement reads:

Web.com is rolling out enhanced security features for its high traffic, high visibility website customers (approximately 1 percent of Web.com’s customers). The company began communicating this service today to these customers. WebLock employs a multi-level authentication process which is designed to significantly decrease malicious domain hijacking. The security of our customers is a top priority and the reason we developed and are deploying this provisional program for these select customers. Again, WebLock is intended for the top 1 percent of Web.com’s customers who own some of the world’s most highly visible and valuable web properties. In today’s increasingly sophisticated and dangerous cyber environment, Web.com is taking proactive steps to get ahead of the game and protect its customers’ security as thoroughly, as possible.

Verisign’s RegistryLock is a component of the WebLock Security Program.

The e-mail to Simmons said WebLock's extra security is necessary "given the level of traffic to your website." Simmons told Ars that his blog got 2.3 million page requests in December, a typical amount. The e-mail to Simmons further reads:

Starting at 9:00 AM EST on 2/4/2014 all of your domains will be protected via our WebLock Program. Here is how the program works:

  • In order to make changes to your Domain Name's configuration settings you must be pre-registered as a Certified User.
  • All requests for Domain Name configuration changes must be confirmed by an outbound call we make to a pre-registered authorized phone number you establish. A unique 9 digit PIN will be required when we call.
  • A message alert will be sent to all Certified Users notifying the team which Certified User has made the request.
  • In addition WebLock enrolled customers will have access to a 24/7 NOC and rapid response team in the event of any security issues.

After Simmons complained on Twitter, the company told him it was "working to get you opted out." To that, one Twitter user responded, "And what about all the others like @brentsimmons presumably receiving the same message? This 'program' needs to go away, now."

In any case, the $1,850 charge likely won't ever hit Simmons' credit card. He informed Network Solutions that "I’m just going to transfer my domains."

UPDATE #2: We spoke with Web.com COO Jason Teichman and he gave us very much the same message the company had given to Domain Name Wire—that the e-mail was just a mistake and that the company never intended to automatically charge customers. Despite the fact that the e-mail specifically described the program as opt-out, Teichman said, "the program was never designed to be an opt-out program. That e-mail was poorly worded, but does not and has never reflected the intention of this program."

Web.com has called most of the 49 people who received the e-mail today, and hopes to connect with all of them by tomorrow, he said. "No one has been billed for this product, and no one will be billed for this product unless they expressly consent to want the product," he said.

Teichman said the security service was developed in response to customer concerns about high-profile domain name hijackings. So far, a "handful" of customers have said they are interesting in buying the service. "We are in very early days of this program," he said.

Channel Ars Technica