Slashdot Mirror


A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.'"

5 of 436 comments

  1. Re:We'll see about that. by karnal · Score: 3, Informative

    chase.com does that on their front page. Browser gives the user NO indication that the form is secure, and to be honest - I usually place a bad account number and password combo to force the "https" page up. Try it. Put in 4/4 and hit log on, and it'll redirect you to the full secure page....

    Don't know who thought that up.

    --
    Karnal
  2. Re:We'll see about that. by zcat_NZ · Score: 3, Informative

    You wish!!!

    A while back one of the New Zealand banks had their SSL certificate expire, so for an entire afternoon every customer who visited the login page would have got an 'invalid certificate' warning of some sort..

    300-odd customers logged in anyway. Only ONE was suspicious enough to contact the bank.

    --
    455fe10422ca29c4933f95052b792ab2
  3. Re:Suckers usually use IE or AOL, not Firefox... by Kalriath · Score: 4, Informative

    Don't know about Opera, but IE simply won't connect to any URLs in the http://domain/ format. Returns "Invalid Syntax Error". Microsoft just got sick of all the phishers and disabled it within WinInet about 3 years ago.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  4. Re:URL checking - similar to adblock by mrcaseyj · Score: 4, Informative

    How about this: the browser could highlight the domain in the URL. If you were browsing a page at www.amazon.com.evildomain.com, then evildomain.com would be highlighted. That would hopefully make it obvious that you're not at amazon.com.

    Great idea. It wouldn't solve all the problems but it would help a little and it seems like it would be easy to program.

    I was trying to tell my dad how to recognize what domain he was at, but I couldn't think of how to describe it while taking into account all the variations a phisher might use. Then I saw a regular expression designed to extract the domain name from a URL. It basically said to take the part just before the third slash. That seems pretty good to me and easy enough to explain to my dad. Can a scammer fake that? Another way in Firefox at least is that Firefox shows the domain on the status bar at the lower right.

    Another problem I've run into lately is that a couple of institutions that I deal with have stopped using SSL encryption for the entire login page. They use regular http for most of the page and just have the username and password form submitted with https. The problem is that you see no padlock and there is no way to know that the page is really from the domain you see in the address bar. A man in the middle could have intercepted the page between you and the bank and removed the encryption from the login form and redirected your password to a bad guy. The entire page and everything on it needs to be encrypted with https or the page is insecure. Even Microsoft's Internet Explorer programmers say this is bad and tell the banks not to do it but the banks do it anyway. Read more about it at Microsoft's website.

    http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

    This is not just a possibility but it seems to me like a realistic attack. On most wired networks you don't have to worry too much about ISP employees doing a man in the middle attack on you, but if you're using wireless at a coffee shop you'd better watch out for the https in your address bar. A hacker might use something like airpwn

    http://www.informit.com/guides/content.asp?g=security&seqNum=158&rl=1

    to do a man in the middle attack and to intercept your password. It looks like it would be pretty easy.

    I read an easy way you can get an entirely encrypted login page even if they don't have one available. You start your login by giving a bogus username and password. The bank will usually come back with an entirely encrypted login page that says you entered the wrong password. Just check the domain and check for the s in https and then go ahead and enter the correct username and password.
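    The domain-highlighting idea and the "part just before the third slash" rule from the comment above, as an added example that is not part of the thread and is not any browser's code. It compares the naive third-slash extraction with the WHATWG URL parser browsers actually use, then brackets the registrable domain the way an address bar could highlight it. It also answers the "can a scammer fake that?" question for the userinfo form (http://www.amazon.com@evildomain.com/), which the naive rule swallows into the displayed text. The three-entry suffix table is an assumed stand-in for the Public Suffix List, and the sample URLs are constructed from the ones used in this thread (plus a made-up .co.nz bank).

```javascript
// Added example (not from the Slashdot thread, not any browser's code).
// Tiny stand-in for the Public Suffix List that a real browser consults (assumption).
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'co.nz', 'com.au']);

// 1. The naive rule from the comment: everything between "scheme://" and the
//    next "/". This is the whole authority component, so it also returns any
//    "user:pass@" prefix, which is exactly where a phisher can put a bank name.
function thirdSlashHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/]*)/i.exec(url);
  return m ? m[1] : null;
}

// 2. Browser-style parsing: hostname excludes userinfo and port and is
//    lowercased, so it is the name DNS will actually resolve.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // not a valid absolute URL
  }
}

function isIpLiteral(host) {
  return host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Registrable domain: public suffix plus one label. IP literals have none,
// so they are returned whole.
function registrableDomain(host) {
  if (!host) return null;
  const bare = host.replace(/\.$/, ''); // "example.com." -> "example.com"
  if (isIpLiteral(bare)) return bare;
  const labels = bare.split('.');
  if (labels.length < 2) return bare;
  const lastTwo = labels.slice(-2).join('.');
  if (MULTI_LABEL_SUFFIXES.has(lastTwo) && labels.length >= 3) {
    return labels.slice(-3).join('.');
  }
  return lastTwo;
}

// Rebuild the normalized URL with the registrable domain bracketed, the way
// an address bar could highlight it.
function describe(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  const href = u.href;
  const host = u.hostname;
  const naive = thirdSlashHost(url);
  const reg = registrableDomain(host);
  if (!reg) return { naive, host, registrable: null, highlighted: href };
  const bare = host.replace(/\.$/, '');
  // The host sits in the authority component, after any userinfo ("...@")
  // and before the first "/" of the path. "@" inside userinfo is
  // percent-encoded by the parser, so lastIndexOf('@') finds the delimiter.
  const authStart = href.indexOf('//') + 2;
  const slash = href.indexOf('/', authStart);
  const authority = href.slice(authStart, slash === -1 ? href.length : slash);
  const at = authority.lastIndexOf('@');
  const hostStart = authStart + (at === -1 ? 0 : at + 1);
  const regStart = hostStart + bare.length - reg.length;
  const highlighted =
    href.slice(0, regStart) + '[[' + reg + ']]' + href.slice(regStart + reg.length);
  return { naive, host, registrable: reg, highlighted };
}

// The check a user (or a toolbar) actually wants: the brand's domain appears
// somewhere in the URL text, but the registrable domain is not that brand.
function isLookalike(url, brandDomain) {
  const reg = registrableDomain(parsedHost(url));
  if (!reg) return false;
  const brand = brandDomain.toLowerCase();
  return reg !== brand && url.toLowerCase().includes(brand);
}

// Constructed sample URLs: the two patterns discussed in the thread, the
// userinfo variant, and a genuine-looking one on a multi-label suffix.
const SAMPLES = [
  'https://www.amazon.com/gp/signin',
  'http://www.amazon.com.evildomain.com/login',
  'http://www.amazon.com@evildomain.com/login',
  'http://wellsfargo.scammer.com/scam_me',
  'https://login.bank.co.nz/',
];

for (const s of SAMPLES) {
  const d = describe(s);
  console.log(d.highlighted, '| naive:', d.naive, '| lookalike:', isLookalike(s, 'amazon.com'));
}
```

    The third-slash rule is not wrong so much as under-specified: for the userinfo URL it returns "www.amazon.com@evildomain.com", which a reader skims as amazon.com, while the parser reports the real host as evildomain.com and the highlight lands on it. Highlighting the registrable domain (not just the last two labels) is what makes bank.co.nz show correctly; without a suffix list it would bracket "co.nz".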

  5. Re:How will this stop XSS by alienw · Score: 4, Informative

    I don't think you get it. The problem is not the security of the .bank domain. The problem is getting people to recognize that the site they are visiting is not legitimate. Considering that it's already pretty obvious that a URL like http://wellsfargo.scammer.com/scam_me does not belong to a bank, I'd say the .bank extension won't help anything.