Slashdot Mirror
A Foolproof Way To End Bank Account Phishing?
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.
Appended to the end of comments you post. 120 chars.
This idea is even stupidder than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness,
I'd expect to see a rush of tld registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn)
Even if you could train people to look at the URL properly, theres always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability.
There are shills on slashdot. Apparently, I'm one of them.
This doesn't stop people to giving out account information over the phone, or link spoofing. How many people just click links and don't read them. "My email says its from a bank, and some Prince wants to give me a buttload of money. Yey!".
Its a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
lol: You see no door there!
what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
-- the cake is a lie
Phishing works because people don't pay attention to URLs. How would changing the URL help?
If you had super powers, would you use them for good, or for awesome?
The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, it's basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: spammers don't want to spend $50k on one domain, and registering as a financial institution anywhere is difficult.
If I'd be an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
Those who can, do. Those who can't, sue.
Oh wait, I'm an idiot. I take that back.
Those graphs said "(in thousands)"...
This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.
First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans,
which are also not banks.
On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.
Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption
that the set "things crooks want to phish for" equals
the set "banks". Which is not reality.
A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".
There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.
Quite simple really.
Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. Its the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.
Help poke pirates in the eyepatch, arr.
People don't look at domain names now, nor do they check for https. What makes you think this will change things?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.
The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:
authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.
for an added bonus, keeps the users authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).
This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent fishing attacks, they'd develop a standard and not do any online banking without this device.
Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.
Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
AccountKiller
And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
How long until all browsers have a url checker built in with some simple basic rules applied?
Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.
Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.
I still wonder why people don't use the Firefix / Adblock / Filterset.G combination as a basic starting point.
It is good to see that there are some anti-phishing addons for Firefox now.
You have a sick, twisted mind. Please subscribe me to your newsletter.
Maybe browsers should start color-coding the tld in the URL input box...
Software patents delenda est.
...None of us have ever seen alternate DNS-circumvention crapware layers like new.net running on Joe User's PC without their knowledge.
.bank will be nothing but a false sense of security.
For the vast majority of users, a new TLD like
The title says it all. A new top level domain won't stop this. Yes, there are browser extensions and features that can help detect such things or stop them, but again, how does a new domain play into all of this?
Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
That doesn't at all address the class of phishing scams that put up a fake copy of the site in question. Banks are usually the subject of such phishing attacks; throw up a copy of their site on a plausible-sounding URL, send out an email saying their account may have been compromised and they need to check, and when they enter their username and password you try the username and password at the real bank site, and make whatever transactions you want. That's the class that this TLD is aimed at preventing. Ideally I imagine the banks as a collective introducing it with public advertising campaigns to ensure the user looks for a .bank when they do their banking.
Is it perfect? Foolproof? Not by any means. But it'd be a good step.
I see your point, but someone will come up with ways around this. Even if its just the classic user@domain spoof or if its something more legitimate looking. This is not a "root of the problem" solution.
You take away the profitability, then you've taken away the whole incentive for phishing. Schemes like this TLD thing are not cutting into the profits. It's just a more advanced "ignore them and they'll go away" strategy. That won't work here, since it only takes (SWAG alert) 1 in 1000 people to actually fall for it in order for it to be profitable. Crapflooding them will make sure they never find that 1 in 1000 who is credulous enough to give personal information to someone with a somewhat credible looking website.
This whole TLD thing is more of the same old thinking, that we'll just make up more rules to prevent crime. We'll legislate morality. We'll make up unenforceable laws. Look where that's gotten us: check your spam folder if you have a yahoo or gmail account, and marvel at the sheer volume of scam spam. I maintain that in this case, the only effective way to fight these crooks is with some of their own medicine. Fight fire with fire.
blah blah blah
Everyone here is trying too hard. You could send a mail out saying
"Please update your BankOfAmerica account at www.somerandomname.com"
and some people would do it.
Foolproof is a word only used by fools.
You're never going to get past the education issue whenever you add something that requires the user to notice that something is wrong. Your solution needs to completely invade the privacy of the user and double guess their intentions to 'protect' them and we all know how that will look. Even with this, some people would probably throw their password into a blank page with a text form on it that says "enter your information to update your account"
We need to move on from the current DNS system which basically maps character strings to IP addresses. There still is no validity to the Domain name or the IP address. For instance if I was going to hack a bank or do a stock fraud, I would buy an ISP and run it legitimately for a long time. Then on the day pollute the DNS record and redirect them to my fake phishing site. Where they would give me their bank statements or act on fake stock info.
The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on a root DNS servers. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig, it also requests the same info from bankofAmerica.com. BOI, using local copys of the same info sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.
davecb5620@gmail.com