A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

We'll see about that.

[brian.gunderson]

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

Re:We'll see about that.

[sporkmonger]

In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

The scheme would still fall victim to urls like this:

http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.

Re:We'll see about that.

[grcumb]

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

Re:We'll see about that.

[griffjon]

I can see it now:

Dear Customer,

We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on value bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, that you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

Thanks again for your business,

OurBank./

Re:We'll see about that.

[glittalogik]

Whilst I agree with your appraisal of the admins, how is the problem not piss-poor end-users? If certificates 'worked', the bank should have been flooded with calls, and no one should have logged in without confirming the situation over the phone.

This idea is stupid (tld goldrush?)

[Whiney+Mac+Fanboy]

This idea is even stupidder than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness,

I'd expect to see a rush of tld registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn)

Even if you could train people to look at the URL properly, theres always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability.

This wouldn't work

[j0nb0y]

Phishing works because people don't pay attention to URLs. How would changing the URL help?

.bank is the wrong name

[adrianmonk]

This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.

First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.

On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.

Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.

A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".

No additional security, added cost

[patio11]

Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. Its the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.

This is already a solvable problem.

[Vellmont]

There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.

The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:

authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.

for an added bonus, keeps the users authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).

This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent fishing attacks, they'd develop a standard and not do any online banking without this device.

Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.

Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.

Suckers usually use IE or AOL, not Firefox...

[billstewart]

Unfortunately, the best customers for phishers usually aren't using Firefox - they're either using the browser that came with their PC, or else the one that came with their AOL account.

And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.

URL checking - similar to adblock

[Hyperhaplo]

How long until all browsers have a url checker built in with some simple basic rules applied?
Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.

Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.

I still wonder why people don't use the Firefix / Adblock / Filterset.G combination as a basic starting point.

It is good to see that there are some anti-phishing addons for Firefox now.