A Foolproof Way To End Bank Account Phishing?
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.
This idea is even stupider than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness.
I'd expect to see a rush of tld registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn)
Even if you could train people to look at the URL properly, there's always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability.
There are shills on slashdot. Apparently, I'm one of them.
sperm.bank
Most users don't actually check where their links go.
The top domain could even point to
.bank, after it did its job of redirecting your account.
All it needs is your login and password.
-- Tigger warning: This post may contain tiggers! --
Can't phishers spoof the domain name anyways? Besides, I doubt the average phishing victim
even looks twice at the address if it's at least a semi-official looking page.
"Foolproof systems do not take into account the ingenuity of fools."
Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.
"Build something that's idiot proof, and they'll build a better idiot..." Really, the same people who fall for attacks to begin with are the people who STILL would despite this .bank implementation. Call me pessimistic but I'm not entirely sure it would work...
Good idea though, makes it plainly obvious for the rest of us people with more than 10 IQ points anyways...
...in bed
Anyone who thinks this is underestimating the ingenuity of fools.
I just made thedarkener.bank on my own computer, using /etc/hosts. It points to my computer.
I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.
It is pitch black. You are likely to be eaten by a grue.
This doesn't stop people from giving out account information over the phone, or link spoofing. How many people just click links and don't read them? "My email says it's from a bank, and some Prince wants to give me a buttload of money. Yey!".
It's a step, I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
lol: You see no door there!
But god would it be good to gouge banks for $50k. It would feel so sweet.
That's a spurious complaint. All you have to do to fix it is only allow HTML forms to post to .bank URLs.
Nothing for 6-digit uids?
I already see URLs like this:
citibank.com.customers.update.spammer.com
It wouldn't take any more effort to make:
citibank.bank.customers.update.spammer.com
Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
What kind of financial institution couldn't afford to spend 50 grand to register a domain name? Or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
-- the cake is a lie
Yes, I think it's a great idea. It is very akin to how you go to a
2) Not 100% Fool-proof!
Why? Well it's not 100% fool-proof because people are morons. Some people will fall for anything. They'll see citibank.bank.bank-info.info and still fall for it. DNS poisoning will also do the trick. Modified hosts files will also do the trick. People are dumb, but this will still help!
3) Repost!!
Sort of.. we just had this mentioned on Slashdot the other day. See this article link http://it.slashdot.org/article.pl?sid=07/04/10/12
If ICANN introduced a
Great, this could help phishing attacks ... against banks.
Phishers will just move on to easier prey, such as all other institutions that handle lots of money or transactions (eBay, PayPal, etc).
Ironically, the word ironically is often used incorrectly.
Phishing works because people don't pay attention to URLs. How would changing the URL help?
If you had super powers, would you use them for good, or for awesome?
It's the same as those image captchas BofA uses. It's a nice touch, but if one day you went to the site and it just asked you for a username/password, would you really think something was amiss?
Beyond that, many credit unions would have a hard time swallowing/using the "bank" tld.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
50K is too pricey for a lot of legitimate foreign banks... It will only work for banks operating in countries like US, Japan, France and a few more... :(
The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.
Check out my sci-fi/humor trilogy at PatriotsBooks.
If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* small a sum for them...
Dear Sir,
Good day and compliments. This letter will definitely come to you as a huge surprise, but I implore you to take the time to go through it carefully as the decision you make will go off a long way to determine the future and continued existence of the entire members of my family.
Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998.
My ordeal started immediately after my husband's death on the morning of 8th June 1998, and the subsequent take over of government by the last administration. The present democratic government is determined to portray all the good work of my late husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Nigeria. As I am writing this letter to you, my son Mohammed Abacha is undergoing questioning with the government. All these measures taken by past/present government is just to gain international recognition.
I and the entire members of my family have been held incommunicado since the death of my husband, hence I seek your indulgence to assist us in securing these funds. We are not allowed to see or discuss with anybody. Few occasions I have tired traveling abroad through alternative means all failed.
It is in view of this I have mandated DR GALADIMA HASSAN, who has been assisting the family to run around on so many issues to act on behalf of the family concerning the substance of this letter. He has the full power of attorney to execute this transaction with you.
My late husband had/has Eighty Million USD ($80,000,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is packed in such a way to forestall just anybody having access to it. It is this sum that I seek your assistance to get out of Nigeria as soon as possible before the present civilian government finds out about it and confiscate it just like they have done to all our assets.
I implore you to please give consideration to my predicament and help a widow in need.
May Allah show you mercy as you do so?
Your faithfully,
Dr (Mrs.) Mariam Abacha (M.O.N)
N/B: Please contact Dr Galadima Hassan on this e-mail address for further briefing and modalities.
Making you think you're crazy is a billion dollar industry.
Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, its basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: spammers don't want to spend $50k on one domain, and registering as a financial institution anywhere is difficult.
If I were an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
Those who can, do. Those who can't, sue.
Oh wait, I'm an idiot. I take that back.
Those graphs said "(in thousands)"...
Sure, let me know when you figure out how to force people to pay attention and educate themselves.
Seriously, though, as I'm sure everyone here knows (but I enjoy preaching to the choir) this is useless. The problem isn't that people can't tell they're not at the actual bank website because it's hard, they can't tell because they don't fucking look and/or don't understand. If after clicking the link (which they shouldn't have clicked to start with) they are incapable of looking at the address bar and thinking to themselves "hey, that doesn't say http://www.wachovia.com/ like the e-mail said" then why would they look at it and think "hey, that doesn't say http://www.wachovia.bank/ like the e-mail said"?
"I reckon I've solved the whole travelling at the speed of light problem! We just need to paint it blue." ..and that's about how much thought went into this.
Phishing works because people see a link for their bank that looks legit, they click on it and end up on a login page for their bank that looks legit. It doesn't matter where the real site is, nor does it matter where the dodgy site is.
The only thing that matters is that:
1. the email looks legit (forged header and some stolen corporate logos)
2. the link looks legit (just an image of the real link with a dodgy href)
3. the login page looks legit (ie. cut and paste job from the real login page - including the ads)
username & password please!
How the f!@# is a new top level domain going to address any of these points?
m@tt
Well, I could have said we should move to IPv6 and new HTML and other forms, but that wasn't the root topic.
Regardless, even with forwarding such bank hijack attempts to the Secret Service at 419.fcd@usss.treas.gov - these are attempts to play on people's lack of technical knowledge and lack of forethought in replying to emails.
You can close as many doors as you want, but if you left the coal chute door open and the basement door unlocked, your house is not secure. Or in 22nd century terms, domain restrictions will only make it more obvious who are the sloppy coders amongst the bank fraudsters, but won't stop gullible consumers from being fleeced.
50 thousand is a drop in the bucket for some crimes. Better to make it much higher and use the income to draft a process & org to regulate and oversee all of the applicants on a yearly or monthly basis from application to use. That way even address harvesters who score names from invalidated accounts can't sneak by. There's no way to automate such a system - you have to have some form of regulatory eyeballs - and that takes money.
But if you're charging enough for those eyeballs, that shouldn't be a problem. Getting all this approved by every financial regulatory system on the planet might be tricky though.
This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.
First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.
On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.
Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.
A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".
There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.
Quite simple really.
Imagine that someone saw the domain bank.barclays-bank.offshore.com? Devoted slashdot readers may be able to parse it and recognize that it is only a subdomain of offshore.com but what about the fools? I would suggest that it's impossible for something like this to be foolproof by definition. Why? Anyone who could be fooled would be labeled a fool and thus easily fooled. And nothing can stop them from being separated from their money by phishing schemes like this.
Why not label it something like, " A nice plan to help smart people save some time thinking."
I don't see how this would provide any improvement at all. The problem has nothing to do with the URL of the phishing site, because most of the people who fall for these scams don't know what to look for, and aren't savvy enough to spot a fake domain name. The phisher can still copy the bank's page source and re-create an identical page at some other domain (.ru, or whatever), and the customer will still type in their account details without so much as glancing at the address bar.
Anyone who knows what a .bank domain is, and would use that to protect themselves from phishing scams, would already know better than to click on a link inside an email to "verify their details".
A more effective solution would be for banks to phone every single one of their customers as soon as they register an account (just out of courtesy) and make it perfectly clear to them that under NO circumstances will the bank ever send them an email asking for their account details. Just one phone call whenever someone creates an account, and the problem would probably be reduced significantly. It's an education thing, and no security technology can ever prevent someone from throwing their money away if they aren't educated in how to spot a scam.
What about SQL injections? Those just use the EXISTING domain, whatever it is, and append their bad code on it. Instant phish without even needing much sheep's clothing.
To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.
To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.
To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.
To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.
Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?
This is one of the best posts in the story, thank you.
what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
500 grand? Hell, make it 5 billion/year. Apparently since banks hold money, people think this is their money to spend on bullshit. Or maybe reputable banks are reputable because they invest their money wisely, and not because they bought something that normally costs $10 for $500000. Tough call.
I bet the first thing you'll do if you had a million dollars, would be sign up for a millionaires email, wouldn't you, smart spender?
Check their features as well. They offer global access. Amazing.
BTW, to all slashdotters who are also taking the time to belt the stoopid user for falling for a phishing attack... wise up!
Why the f!#@ SHOULD my lovable grandma have to learn all about URLs, forged emails and the arseholes (more than likely with a technical bent) that prey on the vulnerable - just because her bank has forced her into the 21st century where you can get carjacked online?
The system is busted... not the user. If the internet is for everyone, then you cannot expect "everyone" to have an IT degree or care about one...
m@t
Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. It's the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.
Help poke pirates in the eyepatch, arr.
So you're saying it is 100% fool-proof but not 100% moron-proof? Which one are you?
And they can pass the savings on to you!
.nosig
Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done.
Also people are used to using .com for sites on the web. So Grandma will still type bankofamerika.com by accident and get the false site even without hacking the host file.
It's not a foolproof solution at all.
http://saveie6.com/
what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it?
The one that doesn't have retards controlling it?
(institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
Right, but they get advertising with their advertising budgets. In your case they get basically their name on some made up elitist tld.
If you think a tld would stop phishing you've got a lot to read about the behavior of a typical phishing scam victim. Some of them won't even look at the domain and verify it, some will trust the .com more than .bank (hey, we know .com!), and many attacks will simply change vector so the domain doesn't even get into the picture.
That's great but to quote Spinal Tap, "...but this one goes to eleven..." Making consumers aware of a .bank TLD is just about the same amount of education required as letting them know that their bank will never contact them via email; especially for passwords and private information.
Nothing is foolproof because fools are so ingenious.
People don't look at domain names now, nor do they check for https. What makes you think this will change things?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Spend $50K to get $500,000? Sure!
And if they time it right (end of month, beginning of month) they could easily make that much before it was shut down.
And how would it be shut down? Who would you complain to? Is there a potential for a DDoS attack against other .bank sites?
Come on people, don't just think how great your idea is. Spend some time thinking about how the bad guys would attack it.
#1. Just buy in. Who's going to validate you?
#2. Fake URLs. Exploit old browsers.
#3. DDoS against the other .bank sites so everyone is used to those sites being unavailable and going to .com sites instead.
#4. DNS compromises.
#5. Host file attacks. As long as you can get some crapware installed on their computers.
And I'm sure there are more ways out there. If you REALLY want to solve this, use two channel authorization. If you make any transactions online, the bank will call your phone and ask you to punch 1 for "okay" or 2 for "not okay" or 3 to report a fraudulent transaction.
And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 -- making it prohibitively expensive to most copycats. Banks would love this
We here at the Commerce Bank of Beverly Hills will not pay $50,000... Milburn Drysdale, President
There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.
The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:
authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.
for an added bonus, keeps the user's authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).
This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent phishing attacks, they'd develop a standard and not do any online banking without this device.
Could it still be hacked? Sure, but an attacker would have to compromise the user's computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.
Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
AccountKiller
OT - But thank you for bringing some happiness to my currently stressed out life, that post made me laugh. a lot.
Karma police, arrest this man. He talks in math. He buzzes like a fridge. He's like a detuned radio.
"I demand a sum of... ONE MILLION DOLLARS!"
-- Dr. Evil
"Why must I be surrounded by frickin' idiots?"
-- Dr. Evil
If you mod me down, I shall become more powerful than you could possibly imagine.
Do you have an online checking or savings account? Both INGdirect.com and HSBCdirect.com persistently send out plain-text e-mails to confirm just about every transaction - with no option to turn these off. I've written various people at both banks explaining why this is a really, really bad idea. They are uncomprehending. The confirmation e-mails don't give full account details, but give plenty of information for someone who manages to intercept them (or crack someone's Hotmail account) to use social engineering to find out the rest.
Mind you, these are two otherwise fine enough banks that I do business with them. But if I didn't control my mail server - and know and trust the admins running my ISP's routers - I'd be taking on a level of risk that borders on idiotic.
"with their freedom lost all virtue lose" - Milton
No. The first thing I'd do if I had a million dollars, . . .
is two chicks at the same time, man. That's what I'd do. And I bet, if I had a million dollars, I could probably hook that up. 'Cause chicks dig a dude with money. ;-)
It would be better to make phishers register under a .phish TLD, then they could all be blocked off with nanny software. The only people this would upset would be some progressive dead-head types.
And what population of web users actually know how to verify the information? Besides, and fakedbankofsomewhere.spoof can be verified as being "that" site, but only one is the bank.
"Common sense will be the death of us all"
This really goes to show that ICANN is really desperate to try and make it look like it's actually useful. First, they give us completely useless domains like .museum, .aero, and .biz. Then, they debate .xxx until it's dead. Then, they debate it some more, and still can't decide whether it's a good idea. Now, they want to extort $50,000 from every bank in the world every year in the name of security ?!?! What kind of drugs does ICANN use, anyways?!?!
There's a much better and more secure solution than that (and let's not kid ourselves; the best phishers *would* find a way around the .bank TLD problem; heck, even now they routinely send people to sites that aren't their bank and fleece them. It's foolish to think a .bank TLD will change anything).
This simple solution is used by at least some local Board of Realtors affiliates, such as Pacific West in Orange County, California. They give you a one-time password generator, a userid, and a PIN. This takes password/userid theft attacks almost totally out of the game, since each password from the generator is only good once and also requires the PIN. Even if someone had your userid and PIN, they'd also need physical possession of the device.
Even if someone used a sophisticated man-in-the-middle attack to intercept the data and pass it on to the real site, then hijacked the session to steal money from a bank account, it would only work once. This would raise the bar far more than anything else they could do.
How badly do I want this for my bank account? I would move all of my deposits to the first bank to implement this, and I'd even be willing to pay for the one-time password device myself.
They can keep using siteid and anything else that floats their boats, but give me that one-time password generator and I'll be happy.
...and if it *was* that small, it isn't juicy enough to make a phishing campaign worthwhile.
FATMOUSE + YOU = FATMOUSE
And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Just deleted a phishing email yesterday that copied Paypal's site -- Including Paypal's warning that no Paypal employee will EVER ask you for your password. But please do click on Paypal Security and give it to us there. The URL wasn't even a "domain name" -- it was an IP address :-)
How many of the non-computer savvy know what an IP address is? what a URL is?
Bah! People are too illiterate in computer/web mechanics to be trainable against this blatant fraud. Sorry if I offend, but truth trumps "feels good" any day.
Higher Logics: where programming meets science.
some of this $50k will be spent doing a background check to make sure that the bank is legit. Heck, for that kind of money you can even afford to fly someone to the main branch address to make sure there is a bank there.
1. Phish the old fashioned way
2. Set aside $50,000 to register phishing.bank
3. Phish the new way
4. Profit!!!
or
1. Propose new TLD and charge $50,000 per registration
2. Wait for banks to fall for it
3. Profit!!!
Laws don't make criminals go away. Ever.
All this proposed law would do, is shut out the small-time criminals, and ensure that only large operations with (say) $50,000 to spend and a front organization can do the phishing.
The hard fact is, the free market is the only long-term way to ensure that criminals are outed efficiently.
This is old news to 'net heads, anarcho-capitalists, and Free Talk Live listeners.
Part of the Second American Revolution!
Every once in a while, I read about scientists getting really dismissive about a "major new discovery" coming out in some popular press outlet, rather than Science or Nature.
I finally understand why.
Foreign Policy is a fantastic magazine, when I'm looking for geopolitical data. It's not where security research happens. Publishing this concept in Foreign Policy is done to make an end run around fellow engineers, and try to go straight towards people who would happily pay $50K for this "phishing garbage" to go away.
I'm not even going to comment on the technology itself. Everyone else seems to have that covered just fine. (Props to the guy who recognized that Banks != S&L's != Credit Unions, though.)
What's sad is, there are actually major geopolitical issues with computer security that *would* be totally appropriate for Foreign Policy, and aren't quite the thinly masked grab for cash that this represents. Ouch. The worst part is that to the rest of FP's audience, he represents *us*.
All those things you speak of this hypothetical MyBank plugin doing could be done just as well with the existing TLDs.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Well, as anything security related nothing's foolproof... BUT, a new idea and a HEAPING BIT OF SECURITY AWARENESS may go a bit further than we have right now. Yes, on the surface this appears (in part) as another way to extort money out of banks, but it might push the number of "Fooled" a bit lower especially if the banks attempt to train their users. (Which I believe is the only way to attack the problem.) My $0.02...
How long until all browsers have a url checker built in with some simple basic rules applied?
E.g.: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.
Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.
I still wonder why people don't use the Firefox / Adblock / Filterset.G combination as a basic starting point.
It is good to see that there are some anti-phishing addons for Firefox now.
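The built-in URL rule suggested a few posts up, and the citibank.bank.customers.update.spammer.com and www.mybank.bank@badurl.com patterns quoted elsewhere in this thread, can be checked mechanically. The following is an added example, not code from any post or browser add-on: it pulls the host out of a link with the standard library and reports where the link really points. It generalizes the ".bank.com followed by another dot" rule to any "bank" label that is not the final one, and also flags bare IP addresses (the PayPal phish mentioned above). The verdict names and the sample links are constructed for the example.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

BANK_TLD = "bank"


def hostname_of(url: str) -> Optional[str]:
    """Return the host part of a URL in lower case, or None if there is none.

    urlsplit() drops any user:pass@ prefix before the host, so the old
    IE-style trick http://www.mybank.bank@badurl.com/ yields 'badurl.com'.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:            # malformed IPv6 literal and the like
        return None
    if not host:
        return None
    return host.lower().rstrip(".")   # a trailing dot is still the same name


def classify(url: str) -> str:
    """Classify where a link really points (constructed verdict names).

    'bank-tld'            the .bank zone is the last label of the host
    'embedded-bank-label' 'bank' is an earlier label, so the real domain is
                          whatever comes after it (the
                          citibank.bank.customers.update.spammer.com pattern)
    'ip-literal'          a bare IP address, no domain name at all
    'other'               an ordinary name under some other TLD
    'unparsable'          no host could be extracted (e.g. missing scheme)
    """
    host = hostname_of(url)
    if host is None:
        return "unparsable"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    labels = host.split(".")
    if labels[-1] == BANK_TLD:
        return "bank-tld"
    if BANK_TLD in labels[:-1]:
        return "embedded-bank-label"
    return "other"


def warnings_for(urls):
    """Run the rule over a batch of links; return (url, verdict) for every
    link that is not a genuine name under the .bank TLD."""
    return [(u, classify(u)) for u in urls if classify(u) != "bank-tld"]


# Constructed sample links, modelled on the patterns quoted in the thread.
SAMPLE_LINKS = [
    "http://www.wachovia.bank/",
    "http://citibank.bank.customers.update.spammer.com/update",
    "http://www.mybank.bank@badurl.com/login",
    "http://192.0.2.10/paypal/security/",
    "http://www.wachovia.com/",
]

if __name__ == "__main__":
    for url, verdict in warnings_for(SAMPLE_LINKS):
        print(f"{verdict:22} {url}")
```

The check is a warning, not a block: a legitimate host such as online.bank.example.com would also trip the embedded-label rule, which is exactly why the post proposes alerting the user rather than silently refusing the page. Links without a scheme come back as "unparsable" because urlsplit treats them as a path.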
You have a sick, twisted mind. Please subscribe me to your newsletter.
I have internet banking with a Norwegian bank.
I have a keypad, a little keyring-type mini calculator lookalike with a small screen at the top and numbers 0-9 and an arrow key on it.
After entering my equivalent-of-SSN into the banking site, I then type my personally chosen four-digit code into the keypad. It spits out an eight-digit number. I enter the first six digits into the internet bank, and it responds to me with two digits which should match the last two on my keypad.
Is this susceptible to theft? Not really, typing in the wrong code three times locks the pad, and you need to call the bank. To phishing? They wouldn't have the keypad. To man-in-the-middle? They wouldn't respond with the last two digits (which I would suspect the majority of users actually do read, since they are forced to read the first six).
Possibly to a browser hijacking, whereby after entering the online bank your session is hijacked, but that would take dedicated individual effort or a custom-written trojan and is complex by a factor of ten above most URL-imitation-phishing attempts.
Mail aliases. Or use the dot extension that MTAs like sendmail allow. If you get an email to your normal address from the 'bank', you know it's bogus. Likewise, you can also tell if your bank sold your mail information, or if they were breached if you get email to your bank alias that is NOT from your bank.
If I were an ISP, I'd make an easy interface for this for my end users, and maybe even drop obvious phishing scams (cases where we know where the mail for an alias SHOULD be coming from).
I suppose the next thing he'll do is solve the spam problem by a new TLD, and having all _reliable_ e-mail switch over to it overnight. Or perhaps a centralized system for micropayments, without which you couldn't send e-mail! Whee!
All the world's problems solved, long as we don't have to actually run the risk of putting them into practice. Being as clever people debunk them right off the bat. Anyway, it's good for a bit of publicity on the side, especially when F-Secure's real cash cow is their Frankensteinian "virus security" one tenth solution, nine tenths snake oil garbage. Kinda like when Kaspersky Labs puts out utterly bizarre press releases on the Threat Of The Day.
No. The first thing I'd do if I had a million dollars, . . .
;-)
is two chicks at the same time, man. That's what I'd do. And I bet, if I had a million dollars, I could probably hook that up. 'Cause chicks dig a dude with money.
Well, you got it. That'll be a million dollars, thank ye!
Keep all your money hidden in your mattress! No phish there!
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
A new top-level domain wouldn't prevent cross-site scripting. This is just a money grab just like every other new TLD.
Working for a community bank, I can tell you that sum is improbable. We are a good sized community bank for our respective market ($650MM in assets for Savannah, GA). We had a net profit of right at $6.6MM last year. Asking us to fork over $500M for a domain registration does NOT make sense. We would have to increase our fees, and we would lose customers, and then competition would be squashed. I know, I know, innovate or die; but there are still people out there that prefer the level of service a community bank can offer versus that of a regional, national, global bank. There are some great people at the larger banks, but also plenty of people who are looking to maximize fees (case in point, check out BB&T's annual report for 2006 and check out their fees on deposit accounts versus, say, Regions Bank).
To shreds you say...
>>> How does that help you stop them again?
Well the bank sees the same proxy being used for more than one fraudulent attempt (i.e. the poisoned account numbers) and blocks access from that proxy IP.
Banks could also prevent access from IP blocks based on a number of hits from those blocks.
This would apply pressure to the ISP market to ensure that systems security is maintained. For example ISPs might prevent use of older operating systems (e.g. by pricing them out). ISPs would certainly be less attractive if they were on a bank blacklist.
This is just off-the-top-of-my-head so don't bite if it's got big holes in it.
Delete all unknown emails....
F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine.
Right.
That's about as elegant as this guy.
Danging.
On a thin ice frozen lake.
In the summer.
With sanded boots.
One Time Passwords...
Instead of giving me a stupid toaster or some jumper cables in a plastic box or a crappy lawn chair... give me a damn fob from RSA that rotates a six digit code that only the bank knows.
How freakin' hard is it?
ING in canada allows you to pick a picture and a word/phrase that you have to validate when you enter your info. You set it up when you first make your account online. I like that solution. I don't know why banks don't just have a securID in your bank card anyways...
K Man
How do you think that can even be done? It's only marginally more difficult to generate a POST request than a GET, so I hope that isn't what you mean.
Nerd rage is the funniest rage.
...it would go great on a ham sandwich!
All pass beyond reach of medicine. None pass beyond the reach of love.
Your post advocates a
( x ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting Phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( x ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( x ) It will stop phishing for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( x ) Requires too much cooperation from phishers
( x ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( x ) Asshats
( x ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( x ) Huge existing investment in anti-phishing methods
( x ) Susceptibility of DNS to attack
( x ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of phishing
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( x ) Extreme stupidity on the part of people who do business with phishers
( x ) Dishonesty on the part of phishers themselves
( ) Bandwidth costs that are unaffected by client filtering
( x ) Outlook
and the following philosophical objections may also apply:
( x ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( x ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( x ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( x ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( x ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( x ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
There is already an easy fix against phishing, it's called human contact! With my bank, I have to call in and authorize certain types of bills/transfers the first time. Yeah, it's a pain but how often does the average person add payees to their account ? That way if someone gets a hold of my account numbers and security code, they can still only send money to recipients that are already registered. If they want to add their offshore account as a payee, they would have to call the bank, successfully impersonate me using all my personal info (dob, mother's name, etc.) and leave crumbs all over the telephone network. It doesn't make it 100% foolproof, but it certainly raises the bar to a level many scammers won't want to beat.
Technological solutions won't solve this human problem. People get fooled, people don't know any better. Making the system more complicated will only make the problem worse.
-Billco, Fnarg.com
First, let me say I find the attitude of Slashdotters who don't care about the problem of phishing because they are savvy enough to avoid the problem unenlightened. Allowing an avenue for criminals to profit leads to more criminals who may branch out to other types of fraud. There's almost zero you can do to fully prevent identity theft if some institution compromises your social security number.
The browser would have to do something really noticeable like change the color of all the chrome to make it obvious you are on a bank site. Extended validation certs may be good enough in place of .bank if the notification to user was unmissable.
If adequate checking was done, it would certainly be possible to restrict .bank or any other system to legitimate entities. $50,000 is one deterrent. Ensuring that the institution is properly registered with government regulators would be another. Restricting the domain to institutions that have been around for at least would be another.
I don't buy the citi.com argument either. citi.com could be redirected to citi.bank
.bank may not be the best solution but I give Mikko Hypponen credit for thinking about the problem. I haven't seen the naysayers here come up with better ideas.
As many people have mentioned, phishing works because people don't pay attention to the URL, and making a specific URL just for banks won't change that.
But what I would add to that is that Phishing was successful because most people didn't know what it was. And it seems that for most people, their naivety might have decreased. I have gotten far fewer phishing e-Mails in the past year or so, and according to this chart:
http://en.wikipedia.org/wiki/Image:Phishing_chart
Phishing seemed to have gone up quickly but then leveled off: after all, after the 20th e-Mail from a bank you don't belong to, telling you that your account needs to be updated, even the worst AOLer must have realized it was a scam.
However, this is just what I've noticed. There may be people with contrasting experience.
Hopefully I didn't put any [] around my words.
http://www.my.bank@127.0.0.1/steal/my/info.html
'nuff said.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
The bank could give you a CD (or a link to a website) when you open your account and you could install some bank created desktop software to access your accounts. I can imagine the nightmares caused by insane UI's, and highly doubt we'd see a lot of linux support, but it'd stop the phishing aspect of it. You're getting it from one place, an app on your desktop, not the wild wild web and some link you got from some random person that 'looked' like the actual bank.
Unfortunately, people are stupid, and all it'd take is someone saying "hey, the desktop software is broken, go here and input your password and social security # etc etc, then it'll work again, thanks, evil guy." or "the software is updated, download this NEW version and login immediately". It's the ole "make it idiot proof, and someone will make a better idiot" quandary.
...None of us have ever seen alternate DNS-circumvention crapware layers like new.net running on Joe User's PC without their knowledge.
For the vast majority of users, a new TLD like .bank will be nothing but a false sense of security.
I don't know much about the rest of the world but here in Australia we get slammed with account fees. A fee for this and a fee for that. I'm getting really fuck9ng sick and tired of it. The banks would only pass this cost off to us and manage to roll it into their quarterly profits. For an example, a major bank here (not stupid enough to name names) will charge you 60 cents for logging onto your account via Internet to check your balance - WTF??!!!
Recommended .safe a few weeks ago.
*rummage* oh, here's the link:
http://it.slashdot.org/article.pl?sid=07/04/10/12
Regards.
Combine a hefty price tag with a full-fledged process investigating all aspects of the organization wishing to register .bank, supporting documentation from relevant government departments (or whatever it is you need to operate as a bank), possibly a visit to the physical premises of claimed branches.
Proposing simply a new TLD with no thorough authentication/verification requirements is stupid.
But I'd like to see a scammer pass all of the above tests.
*Whoosh*
This would not end phishing. Most people that get phished are the typical aol user type. They won't know the difference between BOFA.bank.cn and BOFA.com.
Most phishing emails I receive look like legit links: http://www.wellsfargo.com/blah/blah/blah however that is just the URL "text" which is a legit looking URL. If you hover over it the link really goes to something like http://wellsfargo.583332.de/ or something like that.
This would not stop phishing.
What's a bank? In the US, banks are normally regulated by the 50 states, each with different rules and regulations. In addition, there are credit unions, savings and loans, insurance firms and a number of other brick and mortar institutions that have many of the normal functions of banks. Could they register .bank domains?
Do we open the top-level .bank domain to non-US institutions? This would seem reasonable if we are talking about Barclays, Deutsche Bank, etc. But where do we draw lines? Do we include little institutions incorporated in tiny little corrupt nations? How do we ensure that firms in these countries don't register names that sort-of look like large, reputable institutions?
Whose laws do we use to take action against violations? In the US alone, you could be talking about 51 distinct court systems, each operating under different laws.
And would banks -really- flock to this? Isn't it just as likely that they would insist on using the .com domains because that's what people are used to?
From the original: "The creation of a new domain for a specific industry is not unprecedented: We've already done it for museums, with their restricted ".museum" top-level domain. If we can manage to protect storehouses of precious works of art from the Internet's most shameless thieves, surely we can find a way to protect our money."
And millions upon millions of working men and women use that restricted ".museum" domain for their many daily museum transactions, right? There is a distinct difference between getting a fairly small group of people in a rather specialized field to validate transactions in this fashion and teaching millions of busy, technically challenged people to do the same.
A large percentage of attorneys can use LexisNexis; that doesn't mean it's suitable as a replacement for Google and Wikipedia.
I think that Mikko is onto something here but I would like to expand on his idea a bit. What about creating a domain called .stupid? It would be a domain that could only contain sites where people would post stupid ideas and other people could laugh at them. It would cost $10,000 a year for a .stupid site, and all the proceeds would go to me.
Vanguard uses a really simple but fairly foolproof way of preventing phishing. A couple of months ago account holders were asked to pick a photo from a variety of stock pictures (or provide their own). Users were then asked to also provide a caption for the photo. Where you login to your account, you provide the username which then brings you to a new screen with your photo and caption. No photo and appropriate caption, it's a fake. They also don't provide a convenient link in any official e-mail. They suggest that you navigate to their site and then bookmark the page.
A really determined phisher could mount a dictionary attack and collect a bunch of photos and captions but they still wouldn't be able to link the accounts to an e-mail address. Alternatively, a trojan could provide that information along with an e-mail address but if you've already got a trojan, you're dead meat anyway.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Payment Card Industry Data Security Standards. This is a whole new set of rules designed by the banks, to protect the banks, footed by their customers (the ones who take cards and data), which will ultimately be passed on to the actual user (consumers). But hey, what isn't. I'm just on the technical end of the implementation, and it sucks. http://www.computerworld.com/blogs/node/5026
Some of the phishing methods are purely technical, but most are a combination of technology and social engineering. Changing the TLD makes the technology part a bit harder, but provides a nice big hook to hang the social engineering part on.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Just a rough estimate of course, but I suspect that no more than about 5% of the people who would fall for a phishing attack in the first place have the basic wit and knowledge required to check the URL. To say that this will help is only true in the "technically-yes-but" sense that finding a dollar on the street will help you buy that new Ferrari you've always wanted.
As long as we're dreaming, why not a .phish TLD for all the phishing sites?! That way we would know for sure which sites are trying to pull a fast one on us!
I, for one, am looking forward to the inevitable
Is it possible to structure a banking-specific top-level domain that would be immune to this sort of domainer horseplay? Even if you could, how do you force banks and their customers to use a domain that's obscure? The customers will simply continue to type "mybank.com."
There's one big problem here: The reason why phishing banks works is because people don't look at the address line of their browser. Having a joesbank.bank address means nothing if people are currently entering their information for joesbank.com on a page with address like //user-login.secure.scam-duh.ru/ripUoff/jajaja/www .joesbank.com/form.php ... Never say something is foolproof because fools are an ingenious lot. .bank is a nice idea but only in the same way .xxx is a good idea -- makes it easier to find what you're looking for, but protects no one.
... and I wonder how many people bit a second time.
Hell, the other day I saw a 419 email scam that targets people who have been victims of 419 scams -- the hook is that the UN will pay back past scam victims $100,000
Laughter is the Spackle of the Soul.
Considering the amount of money lost, and the recent 1 billion dollar loss this week, the government (secret service or the Fed?) ought to allocate some REAL money to hire some well-known, trusted master programmers to take another look at home computing environment (and perhaps something like Firefox, or perhaps something running at a trusted level) and see what can be done. A pnwed pc could presumably display most kinds of certification seals but something that involves interaction between a trusted third party and you, plus a physical device i.e. a secureid key or even a memory scanning hardware dongle, could provide much higher levels of security. If you realize that only the unsuccessful worms get caught, this might open up ways not only to prevent phishing but also to guarantee system integrity in general.
There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:
When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.
Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.
The only, and I mean only, reason these things proliferate is because its profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.
Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.
It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?
blah blah blah
...if someone did manage to get one of these domains, it makes their scam all that much more believable. It would maybe allow them to pull off a better scam with a higher yield.
Phishing sites that mimic Bank of America are not hosted on bankofamerica.com, they are hosted on bankofamerica.com.idiot.com or something, yet people still punch in their private information. More germane to the conversation is the fact that a recent evaluation of the effectiveness of BofA's SiteKey system was less than ideal, since many people did not even bother looking at the image to verify if it was correct. In light of that, why exactly would I look at the URL if I can't even be bothered to look at a particular image right next to the box asking for my password?
Not only is the summary accurate, it is complete - there's nothing important in the article that wasn't in the summary.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Newsflash boys and girls. Lots of stupid ideas get implemented and work. A site that lets you upload all the video you want? Hah! An auction site for Pez dispensers? It is to laugh. One of those online payment things? It'll never catch on. Government control of the top level domain space, nah, not as long as Jon Postel is alive.
Oh oops.
Need Mercedes parts ?
And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 -- making it prohibitively expensive to most copycats. Banks would love this.
Not every bank is Bank of America. Most banks are actually small, local banks. I support these banks and trust me, some of these guys are the biggest tight-asses I've met! Besides, just because you have a bank, doesn't mean you are rolling in cash... well, OK, it does, but the money isn't yours to piss away.
So, rather than making it out of reach for smaller banks and credit unions, how about set it up so that only the FDIC can register your domain name. That way, when you get your FDIC Insurance certification, you get your domain name as well.
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
Let's see. The credit union I've been with for nearly 20 years - UECU - runs a really tight overhead budget. They don't even have pre-printed deposit slips - you just send in the check with a handwritten note saying "please deposit etc..." They look like a rinky-dink outfit, but guess what - they offer interest rates on straight share accounts that top every other CD, money market account, or other interest bearing instrument short of a mortgage. Oh yeah - and when I call, I get a real, live person, in the US (Reading, PA to be exact) who is invariably nice to me on the phone.
One of the ways they do it is by using online banking. Even there they watch the pennies - they won't pay Intuit's extortion for their OFX specification. And you want them to pay $500k so that they can continue giving me excellent service?
So that $500k is coming directly out of my interest payments, just so that they can be a "reputable" institution.
Feh.
"As God is my witness, I thought turkeys could fly." A. Carlson
The title says it all. A new top level domain won't stop this. Yes, there are browser extensions and features that can help detect such things or stop them, but again, how does a new domain play into all of this?
Small credit unions will absolutely love the $50k price tag....
When I saw the title, I immediately thought of Phoolproof.
So who gets to say what is a bank? Do I get to start a bank for my wooden nickel collection? What about the Albanians, or the Panamanians? What about Linden Labs, do they get to have a bank? What about a sperm bank? What about Liberty Dollars backed with Silver - do people who trade in them get to start a bank? Do the Americans, who basically control the Internet now get to say who can be a bank or not? Beyond the obvious, socially accepted, current definitions of a major "bank" you quickly fall into a grey quagmire of people fighting over what different people are allowed to do with a "bank", and what people are allowed to do in general with resources and money. That fight is not the place for TLDs.
Top-level domains should either be very open (any 3 or 4 letter character might be nice), or they should be generic, as they are now. Tying TLD to the function or responsibility of a domain that owns it will inevitably lead to systematic thought control.
this is nothing but money making for TLD's and a false sense of security for the consumer. phishers make millions, $50,000 is a small price for them to pay if it means they will be able to fool more people.
If you mod me down, I will become more powerful than you can imagine....
Glad I could help.
In my defense, why was the scale in thousands? Who says "yes, I have 900,000 thousand dollars"? If it was like 5,000 thousand I could see that, but why not either make it 900,000,000 or 900 million?
The latest exploit for Internet Exploder will let the phishers make it *look* like you are at a .bank site but you will really be at their site.
The best idea for increasing online banking security is to ban the use of IE on such sites.
I read as far as the word "foolproof" because quite frankly there is no such thing, no matter your interpretation. Once you have seen someone staple a post-it note to a floppy disk you realize just how futile designing a "foolproof" system really is.
The best idea so far in this direction was a scheme where, when you used a credit card number on line, your bank automatically called your cell phone, and you got a voice or text message saying "XYZ.com wants to charge your credit card $221.45. If you're making that purchase on line right now, and this is OK, press 1. If this is not OK with you, press 2."
Merchants hated the idea. But that's the right way to go.
..another greedy cashgrab by the corrupt. My local credit union is supposed to pay $50k for a .. name? FUCK YOU. That's my money that you want to con some moronic PHB out of.
There's already a solution. Put the key signature on the signs at the bank. Put it on the paper statements. And if you're too infiltrated to switch to a PGP/GNUTLS solution, you can accomplish pretty much the same thing with antiquated SSL.
Authentication is a solved problem, dammit! Just deploy it, and tell people to pay attention. And after that, if some fuckwit gets phished, make him pay for it, not me. And certainly not $50k.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Thank You.
Another tech solution to a social problem.
I sense a get rich quick scam in there somewhere, otherwise why make up BS like that?
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Well, certainly foolproof! You just tell people to watch out for the URL and not enter their info if it's not a ".bank".
I mean, they check the URL so carefully now.
And hell, if "morganchase.bank" is the proper domain, then surely "morganchase.bank.cx" is just their server on Christmas Island. Isn't it?! What you say!!
Everyone here is trying too hard. You could send a mail out saying
"Please update your BankOfAmerica account at www.somerandomname.com"
and some people would do it.
Foolproof is a word only used by fools.
You're never going to get past the education issue whenever you add something that requires the user to notice that something is wrong. Your solution needs to completely invade the privacy of the user and double guess their intentions to 'protect' them and we all know how that will look. Even with this, some people would probably throw their password into a blank page with a text form on it that says "enter your information to update your account"
Banks stop sending email! The reason people respond to phishing is because they are used to getting emails from their bank. Why does a bank need to send you email? If it's important they can call you or send a paper letter. If it's more advertising for their crap services they can spend the money to print it out and mail it or advertise on TV or something.
I agree, the way firefox does it with two different input boxes is lame, seamonkey only uses one box with two buttons, clearly marked go or search. You get to physically see a lot more of the url with one larger box=better for security and for user clarity.
These guys just want to be named the Registrar (is that the term?) basically they'd get to sell these new domains and make a quick buck.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Yeah,
It hardly makes communicating data in a graphical form simple if you use random or unclear scales. I still remember a university sandwich year student who produced a graph displaying 12's of people per 144 minutes... (supposed to show user activity peaks) - apparently it made sense (144 minutes being 1/10th of a day and in this case 12 people being approx 1/10th of the sample). Would have done better to represent them as percentages, or 10's of people per hour.. it makes interpreting the data easier... It's a nightmare when you are trying to figure out what 32.7 x 12 people at 576 minutes actually means. Well at least you can still see the trends.
Even if the russkies managed to get her username and passwords they will only be able to swipe a minimal amount of her cash.
Example needed?
/.. Or do you really think people look at the URL line of their browser?
"Dear $Bank customer!
We noticed a problem with your account. Please log in immediately to http://banking.yourbank.bank. Failure to do so within a day will result in your account being closed."
Of course, with the difference that you won't see where you're actually going, this service is only available on
Not to mention that fewer and fewer people are SO dumb. The main problem lies still in trojans.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have html disabled in my mail reader, so I see the source of phishing spam. Often the disguise is no deeper than putting a valid URL in the descriptive text. Non-technical readers will assume that when the blue underlined text looks like a URL, the browser sends them to that URL. Non-technical readers simply will not realise that the browser actually follows the href and feel that they have made the appropriate check.
Certificate.
This is long overdue, the flat nature of .com is frankly, shite.
Most browsers don't bother at the moment because most domains, like 99% of .com and .org, generally don't have domain certificates. However it could easily be made compulsory for things like .bank so the browser and all other apps could rely on the certificate being there and could say with authority, this is a valid name and domain.
I work for a bank in the Internet Banking department, and the *some* people you talk about are all of the people who fall for phishing scams.
Of the 5-10 phishing scams that target our bank each week, only 1 in the last 12 months had a registered domain used to spoof the bank, i.e. www.acme-bank.com instead of www.acme.com. These scams don't need to be sophisticated or complex to work because there are simply enough stupid people out there for these scams to work. It's the same principle as spam.
Very rarely do we have people compromised via trojans either, with straight out phishing emails leading to bogus websites making up ~90% of phishing emails. This is despite big, bold, coloured messages on the logon screen alternating between different warnings and tips regarding scams.
The only way to solve the problem is for the banks to pool together and put their money into the one thing that morons pay attention to, TV advertising. Well at least IMHO.
That has to be the most foolhardy advice I've seen in a long time.
DON'T go to the phishing site as advised. It *may* just contain a form to accept information, but it's *just* as likely to contain an exploit that might auto-install (if you're not patched).
The best way to avoid these kind of problems is:
1. Don't follow links in emails. Most reputable institutions don't provide links, they tell you to type their URL into your browser.
2. Make sure you're running an anti-phishing toolbar (i.e. Netcraft), or a browser with anti-phishing (i.e. Firefox 2) or a decent OS (i.e. Linux)
James
http://www.reeb.freeserve.co.uk
As some other posters said, this scheme might not work.
But how about another trick: just like the user submits a password to authenticate himself/herself to the bank, the bank could submit a password to the user. If the password is wrong, the site is clearly a phishing site.
The client would request such a password from the bank at registration time: not only the user registers with the bank, but the bank registers with the user as well.
The whole procedure could be automated by the browsers: when the browser sends a page with a password field, the browser requests to receive a password back. When it is received, the returned password is compared to what the user has locally, and if not the same, an error page is shown.
How does a new domain TLD solve the problem exactly?
.bank? The only way to solve the phishing problem is to use some hardware solution such as a USB authentication key or something. A phishing site will not be able to make use of the key and as such, won't be able to log in as you anyway even if they get the rest of your login credentials.
All the phishing sites I've seen don't use names that even vaguely resemble the original name. The whole reason phishing sites work is that they rely on people not looking at the address bar. If you don't look at the address bar then why would you notice that it does or doesn't end in
The ONLY phishing scam I've ever fallen for (eBay) used a domain name that didn't even vaguely resemble the site (something like www.authorizationsuccess.com). I fell for it because the e-mail they sent was very clever. It related to an auction I had just won and even included the thumbnail photo of that item! If you're expecting the e-mail, why would you NOT follow the links inside it? Pretty much anybody can fall for a phishing scam if the e-mail is clever enough. Thankfully I noticed the domain name at the last minute and changed my login details straight away.
"that's the dumbest fucking idea I've heard since I've been on Slashdot."
Worst. Signature. Ever.
We need one of those checklists that show up every time someone proposes an anti-spam "revelation"...
...
... complete... checklist...)
Your post advocates a
( ) Technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting phishers. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(Ugh... coffee underrun error... can't
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
Surely, banks should supply their own client-side standalone apps for accessing accounts instead of using the web. This would render most phishing attacks completely pointless if you're not using a web browser. Sure, there's a few cases of convenience, but given the prevalence of laptops these days it's not a biggie.
~Pev
Customer: "You said this software was foolproof." Dogbert (on support line): "You bought it, that is proof you are a fool." I think this is just as foolproof.
Foolproof - only fools will use it.
But I am going to say it anyway... http://finest.and.best.bank/login will expose allyourbasebelong.to.us only at slashdot.org and maybe at a few other places, but most of the average Joes will just see the shiny blue link to their doom, because most e-mail clients do not have (very simple) mechanisms to expose links of that nature (test which is an http address) if the text does not match the actual href address.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
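The two comments above (the mail-reader one and this one) describe the same trick: link text that looks like a bank URL while the href goes somewhere else. This is an added detector for that mismatch, not code from either poster; the hostnames in the sample body are constructed, and the two-label "registrable domain" check is a crude stand-in for a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that "looks like a URL": optional scheme, then a dotted hostname.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:   # text between <a> and </a>, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host the browser will really connect to. urlparse drops any user:pass@
    prefix, so http://www.yourbank.bank@203.0.113.5/ yields 203.0.113.5."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host):
    """Last two labels (crude stand-in for a public-suffix list lookup), so
    www.yourbank.bank.badurl.example reduces to badurl.example."""
    return ".".join(host.split(".")[-2:])

def suspicious_links(html):
    """Return (text, href, shown_host, real_host) for every link whose visible
    text names a host outside the registrable domain the href points to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        match = HOST_RE.search(text)
        if not match:          # "Click here" style text: nothing to compare against
            continue
        shown, real = match.group(1).lower(), host_of(href)
        if registrable(shown) != registrable(real):
            findings.append((text, href, shown, real))
    return findings

# Constructed phishing-style body for the demo; the hosts are not real bank domains.
SAMPLE_MAIL = """<p>Dear customer, please log in at
<a href="http://203.0.113.5/login">http://banking.yourbank.bank</a> or
<a href="http://www.yourbank.bank.badurl.example/">www.yourbank.bank</a> or
<a href="http://www.yourbank.bank@203.0.113.5/">http://www.yourbank.bank@203.0.113.5/</a>.</p>
<p>Genuine: <a href="https://www.yourbank.bank/">https://www.yourbank.bank/</a>
and <a href="https://www.yourbank.bank/help">Click here</a>.</p>"""

if __name__ == "__main__":
    for text, href, shown, real in suspicious_links(SAMPLE_MAIL):
        print(f"MISMATCH: text shows {shown} but href goes to {real} ({href})")
```

Plain "Click here" links are deliberately skipped: there is no claimed host to compare, so a mail client would have to show the real destination instead.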
Mikko Hypponen's naive idea doesn't cast a good light on the company F-Secure. Do they also have people there who have a clue?
A piece of malware that alters DNS servers is trivial.
Suddenly the barrier-for-entry for .bank is a whole heap lower...
because no user would be fooled by the following links in a medium (such as mail) where the link text may be displayed without the domain printed (i.e. just about anywhere not /.)
NOTE: I do not think that these links (not the text, the destination) are real, I just typed out the urls for example
NOTE: AGAIN, just to cover my ass in case one of the links is actually a real site, and malicious, and someone is dumb enough to click: THESE LINKS ARE NOT REAL BANK URLS! THESE LINKS, IF THEY LEAD TO ANYTHING, PROBABLY LEAD TO DANGEROUS SITES BEST NOT VISITED.
http://www.bankofamerica.bank
http://www.chase.bank
http://www.53.bank
http://intelligent.conversation.bank
etc.
etc.
etc.
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
There are around 8000 Credit Unions in the US and 80 percent of them are small financial institutions. The average credit union has less than 5000 members and rarely makes 50 grand a year.
A special domain name isn't going to help, people are careless and blind to things of this nature, people will still get phished.
What I think is needed is an actual "Trusted Client" issued by the customer's bank which can only interact with that bank, in fact only with that customer's account.
It needn't be difficult either, in fact it could be very simple. Picture a small VMWare virtual machine: the VM would contain a Linux kernel, a basic X server with no WM, and a browser which has been totally locked down. It could be supplied on a write-locked USB thumbdrive.
Stick in the thumbdrive, and you will be prompted to install the VMWare player if it's not already installed, once installed you can run the VM (described to the user as "Connect to Your Bank"). The VM loads up, the X server comes up, browser loads and opens on the bank site.
The browser has been modified so that it can ONLY access stuff from the bank's domain over SSL, ONLY, nothing else. There is no email client in this VM; many banks offer web-based email communication with the bank to their customers and that's all that's needed there.
But here is the real clincher, each VM given to a customer contains an access code (signature, hash, whatever you want to call it), this code is transmitted to the bank when logging in along with the usual username/password combination - the key forms the "something you have" part of a 3 factor authentication.
And then once this system is available, the bank shuts off all outside access for "internet banking", only connections through this client will be accepted, all three authentication factors must be present and correct. The client VM could also be signed in some manner to ensure that it is legitimate and hasn't been modified in any way.
It would render phishing and viral attacks extremely hard to accomplish.
If somebody got your typical phishing email, first they could see that a bank is sending them an email instead of using the "Bank Program". Second, the phisher can only provide a link which will open in a real web browser on a copy of the bank's site, so even if they provided the 2 factors of authentication that critical third is still safely in the "Bank Program". Third, even if they convinced the user somehow to open the "Bank Program" they can't get them to their site because the VM's browser doesn't permit any other domain than the Bank's. If a virus got in and managed to steal the VM, all they've got is the 3rd factor, no u/p.
About the only way it would be possible to be broken is if a virus got in and managed to steal the VM with the 3rd factor, and used a keylogger or some such to try and catch the user entering the u/p. And I expect some engineers who have put far more thought into this than I could find a way to make that even more difficult.
NZ Electronics Enthusiasts: Check out my Trade Me Listings
Sometimes I wonder if Slashdot OPs purposely give crap solutions so they can leech better ones off the replies...
Have you ever seen the hosts file of a virus infected Windows machine?
No?
I thought so.
IANAL but write like a drunk one.
about 419eater. How To Trick an Online Scammer Into Carving a Computer Out of Wood
Best Slashdot Co
It should be more like $500,000, which would be kept in escrow for the period of time that the institution would have the .bank name... this would really make sure it is an unreachable amount for the little scammers... and for the escrow, would make sure they knew the money was coming back to them later... so they would not even flinch at the amount.
username + password + time based id card (www.cryptocard.com or equivalent) and ask them to confirm every transaction or transaction batch with this always changing code.
ADDITIONALLY combine with a paper posted - setup login - permanent cookie / permanent session - to lock a specific browser/user as authorised to connect to the bank. For this you cannot access from anywhere on an adhoc basis - as you have to go through the setup process.
How many people that are phished would even know or understand this? I bet few.
How many phishing links have *text* that looks nice in the HTML but actually refers to an IP, and the poor sap clicks on it thinking he's OK?
This would only work to prevent mildly technically competent people from getting stung, which would be a *small* percentage (truly technical people don't fall for it now, so they aren't even part of the target market for these scams). Most people would never understand and the crime would go on.
---- Booth was a patriot ----
Thinking from the bank's point of view...
Let us say that the registrar charges $50,000 for registering the domain. Would they charge a similar amount to renew the domain? If so, then why would banks even shift from a .com TLD? How would they recoup their investment to just move to the .bank TLD?
Now, let's say that the registrar requires the $50,000 upfront, but returns $49,000 at the end of the year. Now, this sounds more like a financially viable option.
Corrupt ICANN and the authorities have always known the answer for authenticating registered trademarks e.g. barclays.bank.uk.reg
;)
So user could enter this URL directly or barclays.co.uk could be redirected to this as certificate of authentication.
Obviously, this would work for all other trademarks in other goods or service (called classification) e.g. apple.computer.us.reg
Please visit http://wipo.org.uk/ - not connected with the crooks at UN's WIPO.org
Or there's Internet Mail 2000, which is unfortunately-named but does what you're talking about. As for DNS, well, it's a mess.
Laws do not persuade just because they threaten. --Seneca
I'm pretty sure I've seen this exact suggestion, and even on /.
I distinctly remember someone making the point of "who gets to decide what a bank is. And what about things like paypal, who specifically say they aren't a bank, but we still use them like a bank".
:(){
Phishing works on the concept that for the most part people are technologically retarded. All the locked doors and keypads in the world don't stop some dumb ass from leaving the doors open and the numbers scribbled on pieces of paper.
What's the process to become a registrar, again?
A researcher at SecureWorks has posted a detailed rebuttal to F-Secure's .bank proposal. Go check it out! .TLDs: Panacea for Security?
Coincidentally I connected to something using that format five minutes ago, with IE7 and not having touched *any* settings. Maybe they MEANT to deactivate it and somehow... forgot? ;)
No really, it works perfectly, from both IE and the regular Explorer address bar, under XP Professional SP2, with all patches (auto-update activated). Am I missing something?
Who is General Failure and why is he reading my hard disk?
This is probably a good thing to do; I'd vote for it. But it hardly seems like a solution.
DNS is one of the least secure systems we use... have I missed a technological revolution or something? last I checked it was trivial to compromise name lookups.
unauthenticated UDP... chains of blind trust... corruption magnets operating the registrars...
come on now.. with a straight face; try and tell me that none of the root servers or registrars have been compromised by one or more intelligence agencies.
We need to move on from the current DNS system which basically maps character strings to IP addresses. There still is no validity to the Domain name or the IP address. For instance if I was going to hack a bank or do a stock fraud, I would buy an ISP and run it legitimately for a long time. Then on the day pollute the DNS record and redirect them to my fake phishing site. Where they would give me their bank statements or act on fake stock info.
The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on the root DNS servers. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig; it also requests the same info from bankofAmerica.com. BOI, using local copies of the same info, sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.
davecb5620@gmail.com
"Accountability and money" will never let this happen. Banking online is a convenience and inherently has risks that you and the bank are accepting to take. The organization responsible for handing out domain names will never take on the HUGE risk of being the perceived cause of any future problems. Even if the domain name had nothing to do with a security issue, the banks will quickly involve everyone. Enter everyone's blood-sucking lawyers, and now it's a money issue. If there is no money to be made in fixing the problem, this will remain between the banks and the users.
It would be nice if banks/PayPal/eBay would provide "poisoned" logins which would be used to trace users and tip off law enforcement. Of course, the 419 laws aren't very strenuously enforced, and this would be defeatable by a sufficiently anonymous proxy, so I suppose it's not a very good idea.
You'd think Interpol would work with stores: respond to these things, drop fifty bucks into a bank account and arrest the people who receive the goods--maybe that would help.
Laws do not persuade just because they threaten. --Seneca
As long as the banks make all members pay for successful phishing, rather than the individual careless customer, it will be a problem.
Individual customers are much less well equipped to stop fraud than banks.
Thankfully many governments realize this. For instance, if your credit card is stolen in the US, your liability is limited by law.
Because of this, banks have come up with fairly effective systems for handling stolen credit cards. If the liability was the customers', these systems would not exist.
"Individual responsibility" sounds good in conservative elections, but it doesn't usually yield the best solutions.
Big banks would also like this because it would screw over little banks who don't have 50 grand to blow on a domain name.
Speaking as the former IT manager of a small community bank, I can say conclusively that banks would not love to pay $50,000 to register a domain. Certainly, the cost wouldn't affect the huge money center institutions, but $50,000 is a huge expense for a de novo. Especially when you consider that financial institutions register multiple domain names to avoid confusion. First State Bank might register the domains firststatebank.bank, firststate.bank and maybe even 1ststate.bank.
And even after the bank has jumped through the hoops and paid the exorbitant registration fees, as others have pointed out, consumers who fall for phishing schemes tend to be less sophisticated Internet users and are probably not paying attention to the link they're clicking on anyways.
The thing about security is that anyone can come up with a solution so ingenious that they themselves can't find any way of circumventing it.
Bugger that. Charge $10 but levy a $50,000,000 deposit against security breaches. Or, if that's discouraging to smaller financial institutions, a deposit of 33% of net profits during the year of the breach.
That would provide the consumer with real confidence in the .bank TLD (the banks would have a great incentive not to be hacked!)
You'd still have to protect against MITM attacks etc. - surely banks should be pushing for rapid adoption of IPv6, with end-to-end encrypted connections...
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
There's a registry file you can use to re-enable this feature. Unfortunately, I'm browsing from my work computer and I'm filtered from giving you a working link to it, but seek, and ye shall find. Just think of what websites might have a list of user:pass-formed URLs and check there.
Any fool can criticise, condemn, and complain, and most fools do. - Benjamin Franklin
surely this means a key logger only has to wait for .bank to be entered and the account details can be stolen from what the user enters soon afterwards
Don't panic
The simple way to avoid phishing is to use the authentication that is built into SMTP.
SMTP has only one form of built-in authentication: the email is sent to the recipient specified, and to no one else (that is, to the envelope recipient, aka RCPT, not the address in the "To" or "Cc" header field).
So the way to authenticate email that claims to be from your bank is not to use the same email address with your bank as with anyone else. Then email that comes to the address you provided to your bank is from your bank, and any other email that claims to come from your bank and was not sent to the address you provided to your bank is not from your bank.
Personally I gave my bank a sneakemail.com address. I gave another financial institution a unique address in my own domain. Both are good ways to authenticate the sender as long as no one else knows about the address.
See http://blog.foreignpolicy.com/node/4834
is if they create a way to verify in the first place. If you have a domain that closely resembles any of the banking institutions, or PayPal, etc. already on record, then you have to walk the paperwork into the domain registrar. You just can't be permitted to even create a domain with any of the banking institutions' domain names already on record online. Or else it will fail because anyone will still be able to create a domain like citibank.bank.myscam.com. Perhaps they need to change where and how a banking institution signs up in the first place? Like the regular everyday domain signs up at the popular places online to get their new domains, but the banking industry, and the ones found to be heavy with phishing attacks like PayPal, are switched to the new system to verify and pay for theirs. They simply are not handled online anymore. This will cut back on the amount of phishers too, if the bad guy has to show up with ID, and 50 grand, and fill out paperwork, and show proof they have a valid banking institution's FDIC paperwork, or whatever is needed in their country.
I also have questions about the host of such phishing websites: if they allow a person to register a website that is phishing another website, is there any clear way for the host of such websites to watch their own customers? I believe this should be a joint effort, not just left up to the domain registrar to deal with.
I don't understand why no one has created new software that a host can use to scan their customers for the nasties like phishing, viruses, worms, Trojans etc. A user has this type of software but a host doesn't?