Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Foolproof Way To End Bank Account Phishing?

Posted by kdawson on from the worth-a-try dept.

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

6 of 436 comments (clear)

  1. Re:We'll see about that. by uberzip · · Score: 5, Interesting

    My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

    In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.

    Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest. Like I said, this is a simple example, some of my banksites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

  2. it's not like they use their own domains now... by jfruhlinger · · Score: 5, Interesting

    To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

    To access account info for my wife's Fidelily Visa Card, I need to go to a site in the ibsnetaccess.com domain.

    To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

    To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

    Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?

  3. Re:Foolproof system by bhmit1 · · Score: 5, Interesting

    Foolproof systems do not take into account the ingenuity of fools.

    You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, lets instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine who's account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
  4. Re:How will this stop XSS by Bazar · · Score: 5, Interesting
    I think its a good idea, well worth investigating, but its not just another domain that they need, they'd need support of the browsers, as well as greater security and administration of the domain itself.

    In browers that supported the .bank domain, they could do a series of checks for example
    • Checking the security certificates for the .bank domain, ensuring that the cert is authenticated by the .bank domain. Self created certs would be unacceptable.
    • Creating a border or some other distinguishable feature to the rendering of the site, when in a .bank extension. For example, a half inch security border around the screen (Yes, thats a bad idea since it could be mimicked by javascript, but you get the idea)
    • Enforcing strict security on owners of the sites, as well as extenstive registration processes. Thus preventing cyber-squatters and phishing
    • Email clients that supported it, could be designed to do a security checks from emails claiming to come from .bank domains, and flag them as phishing attempts if they fail


    The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from mozilla, microsoft, and the others, it would help GREATLY, its a step in the right direction at the very least.
    --
    To avoid criticism; Say nothing, Do nothing, Be nothing.
  5. Re:We'll see about that. by Anonymous Coward · · Score: 5, Interesting

    How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

    http//www.wamu.com/personal/default.asp

    That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.

  6. Re:The simple way to end phishing. by MikeyVB · · Score: 5, Interesting

    I used to think that was a good idea, until I under realized the true power of stupid people.

    As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phising e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.

    We managed to recover the phising e-mail. It was a standard phishing e-mail, however, it was not sent to her form the phisher him/herself, but from a friend of hers!

    The subject had the FWD: tag at the begining, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friends comment.

    Don't under estimate the power of the stupid.