Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Foolproof Way To End Bank Account Phishing?

Posted by kdawson on from the worth-a-try dept.

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

6 of 436 comments (clear)

  1. We'll see about that. by brian.gunderson · · Score: 5, Insightful

    An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

    --
    Appended to the end of comments you post. 120 chars.
    1. Re:We'll see about that. by sporkmonger · · Score: 5, Insightful

      In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

      The scheme would still fall victim to urls like this:

      http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.
    2. Re:We'll see about that. by grcumb · · Score: 5, Insightful

      An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

      True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

      Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    3. Re:We'll see about that. by griffjon · · Score: 5, Insightful

      I can see it now:

      Dear Customer,

      We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on value bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, that you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

      Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

      Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

      Thanks again for your business,

      OurBank./

      --
      Returned Peace Corps IT Volunteer
    4. Re:We'll see about that. by glittalogik · · Score: 5, Insightful

      Whilst I agree with your appraisal of the admins, how is the problem not piss-poor end-users? If certificates 'worked', the bank should have been flooded with calls, and no one should have logged in without confirming the situation over the phone.

  2. URL checking - similar to adblock by Hyperhaplo · · Score: 5, Insightful

    How long until all browsers have a url checker built in with some simple basic rules applied?
    Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.

    Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.

    I still wonder why people don't use the Firefix / Adblock / Filterset.G combination as a basic starting point.

    It is good to see that there are some anti-phishing addons for Firefox now.

    --
    You have a sick, twisted mind. Please subscribe me to your newsletter.