Slashdot Mirror


A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

14 of 436 comments

  1. Re:make it half a million a year and we're talking by EvanED · · Score: 2, Informative

    "If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)"

    What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* small a sum for them...

  2. Re:This idea is stupid (tld goldrush?) by tomhudson · · Score: 2, Informative

    "Neither of those would work, since your main domain name needs to be at least three characters."

    Nope. Look at gc.ca as a counter-example. I'm sure there are others ...

  3. Re:Foolproof system by ahg · · Score: 2, Informative

    Well... normally I don't split hairs, but the notable quote that I believe you are referring to was just posted today on Slashdot in its complete form:

    "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools".

    -- Douglas Adams (1952 - 2001), Mostly Harmless

    --
    Aaron Greenberg

  4. Re:This idea is stupid (tld goldrush?) by sjf · · Score: 2, Informative

    ba.com
    aa.com
    ms.com
    hp.com
    id.com
    io.com
    ts.com

  5. Re:We'll see about that. by karnal · · Score: 3, Informative

    chase.com does that on their front page. Browser gives the user NO indication that the form is secure, and to be honest - I usually place a bad account number and password combo to force the "https" page up. Try it. Put in 4/4 and hit log on, and it'll redirect you to the full secure page....

    Don't know who thought that up.

    --
    Karnal

  6. Re:We'll see about that. by zcat_NZ · · Score: 3, Informative

    You wish!!!

    A while back one of the New Zealand banks had their SSL certificate expire, so for an entire afternoon every customer who visited the login page would have got an 'invalid certificate' warning of some sort..

    300-odd customers logged in anyway. Only ONE was suspicious enough to contact the bank.

    --
    455fe10422ca29c4933f95052b792ab2

  7. Re:We'll see about that. by Phisbut · · Score: 2, Informative

    "chase.com does that on their front page. Browser gives the user NO indication that the form is secure, and to be honest - I usually place a bad account number and password combo to force the "https" page up. Try it. Put in 4/4 and hit log on, and it'll redirect you to the full secure page...."

    American Express Canada is just as bad. They expect you to log on on an unencrypted connection (and they even put a little padlock icon next to the "login" button). I've mentioned it several times to their customer service, but they don't seem to care. There used to be a time when adding the "s" to "http" manually would trigger an expired certificate alert, but I think they fixed that now. I managed to find a login form that uses HTTPS and put a bookmark on that.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming

  8. Re:Suckers usually use IE or AOL, not Firefox... by Kalriath · · Score: 4, Informative

    Don't know about Opera, but IE simply won't connect to any URLs in the http://domain/ format. Returns "Invalid Syntax Error". Microsoft just got sick of all the phishers and disabled it within WinInet about 3 years ago.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  9. Re:URL checking - similar to adblock by mrcaseyj · · Score: 4, Informative

    "How about this: the browser could highlight the domain in the URL. If you were browsing a page at www.amazon.com.evildomain.com, then evildomain.com would be highlighted. That would hopefully make it obvious that you're not at amazon.com."

    Great idea. It wouldn't solve all the problems but it would help a little and it seems like it would be easy to program.

    I was trying to tell my dad how to recognize what domain he was at, but I couldn't think of how to describe it while taking into account all the variations a phisher might use. Then I saw a regular expression designed to extract the domain name from a URL. It basically said to take the part just before the third slash. That seems pretty good to me and easy enough to explain to my dad. Can a scammer fake that? Another way in Firefox at least is that Firefox shows the domain on the status bar at the lower right.

    Another problem I've run into lately is that a couple of institutions that I deal with have stopped using SSL encryption for the entire login page. They use regular http for most of the page and just have the username and password form submitted with https. The problem is that you see no padlock and there is no way to know that the page is really from the domain you see in the address bar. A man in the middle could have intercepted the page between you and the bank and removed the encryption from the login form and redirected your password to a bad guy. The entire page and everything on it needs to be encrypted with https or the page is insecure. Even Microsoft's Internet Explorer programmers say this is bad and tell the banks not to do it but the banks do it anyway. Read more about it at Microsoft's website.

    http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

    This is not just a possibility but it seems to me like a realistic attack. On most wired networks you don't have to worry too much about ISP employees doing a man in the middle attack on you, but if you're using wireless at a coffee shop you'd better watch out for the https in your address bar. A hacker might use something like airpwn

    http://www.informit.com/guides/content.asp?g=security&seqNum=158&rl=1

    to do a man in the middle attack and to intercept your password. It looks like it would be pretty easy.

    I read an easy way you can get an entirely encrypted login page even if they don't have one available. You start your login by giving a bogus username and password. The bank will usually come back with an entirely encrypted login page that says you entered the wrong password. Just check the domain and check for the s in https and then go ahead and enter the correct username and password.
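The "highlight the domain" idea and the "part before the third slash" rule from this post, as an added example that is not from the thread: it uses the WHATWG URL parser to find the hostname, picks out the registrable domain a browser would highlight, and reports when the third-slash heuristic disagrees with the parser (a port or credentials in front of the host). The multi-label suffix list is a constructed stand-in for the full Public Suffix List.

```javascript
// Added example (not from the original thread): extract the registrable
// domain of a URL so it can be highlighted, and compare the result with
// the commenter's "text before the third slash" heuristic.

// Constructed, deliberately tiny stand-in for the Public Suffix List.
// Anything not listed here is treated as a single-label suffix (.com, .ca ...).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.nz"]);

// Registrable domain (eTLD+1) of a hostname, e.g.
// "www.amazon.com.evildomain.com" -> "evildomain.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length < 2) return hostname;
  const lastTwo = labels.slice(-2).join(".");
  const suffixLen = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 2 : 1;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// The commenter's heuristic: everything between "://" and the next slash.
function thirdSlashHeuristic(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/]*)/i.exec(url);
  return m ? m[1] : null;
}

// Parse the URL with the browser's own rules and split the host into the
// prefix and the part to highlight. Returns null if the URL does not parse.
function highlightDomain(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return null; }
  const host = parsed.hostname;           // credentials and port already stripped
  const domain = registrableDomain(host);
  const prefix = host.slice(0, host.length - domain.length);
  return {
    host,
    domain,
    prefix,
    display: `${prefix}[${domain}]`,      // e.g. "www.amazon.com.[evildomain.com]"
    // false when the naive heuristic would show something other than the
    // real host, which is why a browser should use its parser, not a regex
    heuristicMatches: thirdSlashHeuristic(url) === host,
  };
}
```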

  10. Re:We'll see about that. by mrcaseyj · · Score: 2, Informative

    "Actually, American Express Canada does log you in securely. When you click that login button, it executes a script, which then submits the form to an https address."

    That's great to prevent password sniffing, but it doesn't stop a man in the middle attack. The man in the middle can just rewrite the login page before sending it to you with the encryption disabled. You wouldn't know. Microsoft's Internet Explorer programmers have told the banks about this but they do it anyway. See the Microsoft Developer Network website.

    http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

    And for a method to do the man in the middle to a wireless user see airpwn

    http://www.informit.com/guides/content.asp?g=security&seqNum=158&rl=1

    Better go with the bad username/password trick to get a full https page.
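The mixed-content login problem raised in the two posts above, as an added audit check that is not from the thread: given a page URL and its HTML, it finds every form with a password field and classifies it. A form on a plain-http page that posts to https is the case the posts describe: the password is encrypted in transit, but nothing authenticates the page carrying the form. The HTML sample and bank hostname are constructed, and a regex stands in for a real DOM so the check runs outside a browser.

```javascript
// Added example (not from the original thread): classify login forms by
// whether the page AND the form action are served over https.

const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;

// Pull one attribute value out of a tag's attribute string (constructed,
// minimal parser; good enough for the sample below, not for arbitrary HTML).
function attr(tagAttrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, "i").exec(tagAttrs);
  return m ? m[1] : "";
}

// One finding per form that contains a password input.
function auditLoginForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [, attrs, body] of html.matchAll(FORM_RE)) {
    if (!/type\s*=\s*["']?password/i.test(body)) continue;
    // Resolve a relative action against the page, as a browser would.
    const action = new URL(attr(attrs, "action") || "", page);
    const pageSecure = page.protocol === "https:";
    const actionSecure = action.protocol === "https:";
    let verdict;
    if (pageSecure && actionSecure) verdict = "ok";
    // The thread's case: encrypted submit, but the form itself arrived in the
    // clear, so a man in the middle could have rewritten it before you saw it.
    else if (!pageSecure && actionSecure) verdict = "page-not-encrypted";
    else verdict = "password-sent-in-clear";
    findings.push({ action: action.href, pageSecure, actionSecure, verdict });
  }
  return findings;
}

// Constructed sample: a bank front page fetched over http whose login form
// posts to an https endpoint, plus an unrelated search form.
const SAMPLE_PAGE_URL = "http://www.example-bank.test/";
const SAMPLE_HTML = `
<form method="post" action="https://secure.example-bank.test/login">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>`;

console.log(auditLoginForms(SAMPLE_PAGE_URL, SAMPLE_HTML));
```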

  11. Re:How will this stop XSS by alienw · · Score: 4, Informative

    I don't think you get it. The problem is not the security of the .bank domain. The problem is getting people to recognize that the site they are visiting is not legitimate. Considering that it's already pretty obvious that a URL like http://wellsfargo.scammer.com/scam_me does not belong to a bank, I'd say the .bank extension won't help anything.

  12. Re:This is already a solvable problem. by j_sp_r · · Score: 1, Informative

    ABN (Dutch) has a system where you put your card in a reader, the site gives you a number, you enter it in the machine, the machine does some magic and gives a number back. Put that back and you can do something. Do that every time you want to do something.

    My bank sends me an SMS (text) message with a code I have to enter on every transaction.

  13. Re:The simple way to end phishing. by Opportunist · · Score: 2, Informative

    Well, that only defeats the most moronic scammers.

    You'd be surprised to what lengths they go today. Behind that "insert data here" script (which more and more often actually looks like the bank site), is a forwarder to the real bank. Of course only for the login-information. If it works, you get a "many thanks for your cooperation" (and I do actually believe that they're really thankful for your coop...) and your information gets logged. If you enter bogus crap, the bank will return a "no good" message and the info gets discarded.

    In other words, you only increase the work on your side, but not for the scammer.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  14. Detailed rebuttal to F-Secure's .bank proposal by c0uchw4rrior · · Score: 2, Informative

    A researcher at SecureWorks has posted a detailed rebuttal to F-Secure's .bank proposal. Go check it out!
    New .TLDs: Panacea for Security?