A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

Cutting out the competition

[Harmonious+Botch]

Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.

Re:We'll see about that.

[uberzip]

My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.

Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest. Like I said, this is a simple example, some of my banksites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

it's not like they use their own domains now...

[jfruhlinger]

To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

To access account info for my wife's Fidelily Visa Card, I need to go to a site in the ibsnetaccess.com domain.

To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?

Re:Foolproof system

[bhmit1]

Foolproof systems do not take into account the ingenuity of fools.

You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, lets instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine who's account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.

Re:We'll see about that.

[Mr.+Underbridge]

But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com.

Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.

The simple way to end phishing.

[hobo+sapiens]

There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:

When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.

Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.

The only, and I mean only, reason these things proliferate is because its profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.

Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.

It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?

Re:The simple way to end phishing.

[hobo+sapiens]

Have you ever tried messing with 419 scammers or phishing sites? It's quite fun. Try checking out 419eater.com or whatsthebloodypoint.com if you want to see for yourselves (didn't check those URLs before pressing submit, but that'll get you there).

When you mess with 419 scammers, you get the added bonus of being creative. You get to play whatever role you want, you get to mess with someone's head, and you are on the moral higher ground because they are, after all, trying to steal your money!

No way would I let a program do that for me!

I guess the only concern I can think of with going to phishing sites is that they then have your IP. So don't do that if you don't have a firewall. Then again, rip your network cable out of the wall if you don't have a firewall.

Re:The simple way to end phishing.

[MikeyVB]

I used to think that was a good idea, until I under realized the true power of stupid people.

As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phising e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.

We managed to recover the phising e-mail. It was a standard phishing e-mail, however, it was not sent to her form the phisher him/herself, but from a friend of hers!

The subject had the FWD: tag at the begining, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friends comment.

Don't under estimate the power of the stupid.

Re:Not a problem

[SEMW]

Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done. If I've somehow obtained deep enough access to your box to edit your HOSTS file (i.e. admin/root privileges), why bother with phishing emails? I could just install a keylogger, wait for you to visit your bank in the normal course of business, and snag your details. Or just grab them from \My_Documents\misc\unimportantstuff\really_nothing here\FINANCIAL_PASSWORDS.txt. Much more reliable than mucking about with making mockup login pages.

Re:Suckers usually use IE or AOL, not Firefox...

[Kalriath]

I meant http://user:password@domain/ format. Damn you SlashCode.

Re:How will this stop XSS

[Bazar]

I think its a good idea, well worth investigating, but its not just another domain that they need, they'd need support of the browsers, as well as greater security and administration of the domain itself.

In browers that supported the .bank domain, they could do a series of checks for example

• Checking the security certificates for the .bank domain, ensuring that the cert is authenticated by the .bank domain. Self created certs would be unacceptable.
• Creating a border or some other distinguishable feature to the rendering of the site, when in a .bank extension. For example, a half inch security border around the screen (Yes, thats a bad idea since it could be mimicked by javascript, but you get the idea)
• Enforcing strict security on owners of the sites, as well as extenstive registration processes. Thus preventing cyber-squatters and phishing
• Email clients that supported it, could be designed to do a security checks from emails claiming to come from .bank domains, and flag them as phishing attempts if they fail

The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from mozilla, microsoft, and the others, it would help GREATLY, its a step in the right direction at the very least.

Re:We'll see about that.

How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

http//www.wamu.com/personal/default.asp

That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.

Re:We'll see about that.

[Twylite]

Nice idea. See also the petname extension for Firefox.

It provides a coloured bar (yellow/green) for HTTPS connections in which a user-provided identifier is displayed. So you type in the secure site's URL the first time (https://my.bank.com/), then enter an identifier in the petname bar ("Online banking (Twylite)"). Every time you connect to the site in future the extension will pick up an exact match on the domain name and change the bar to green. Other untrusted SSL sites get yellow. Non-SSL sites are white.