A Foolproof Way To End Bank Account Phishing?
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (e.g. www.mybank.bank.badurl.com) will still fool *some* people.
This idea is even stupider than people who fall for phishing attacks. Another TLD gold rush isn't going to solve anything because the problem is people's credulousness.
I'd expect to see a rush of TLD registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn).
Even if you could train people to look at the URL properly, there's always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability.
There are shills on slashdot. Apparently, I'm one of them.
sperm.bank
"Foolproof systems do not take into account the ingenuity of fools."
Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.
"Build something that's idiot proof, and they'll build a better idiot..." Really, the same people who fall for attacks to begin with are the people who STILL would despite this .bank implementation. Call me pessimistic but I'm not entirely sure it would work...
Good idea though, makes it plainly obvious for the rest of us people with more than 10 IQ points anyways...
...in bed
I just made thedarkener.bank on my own computer, using /etc/hosts. It points to my computer.
I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.
It is pitch black. You are likely to be eaten by a grue.
This doesn't stop people from giving out account information over the phone, or link spoofing. How many people just click links and don't read them? "My email says it's from a bank, and some Prince wants to give me a buttload of money. Yey!"
It's a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
lol: You see no door there!
But god would it be good to gouge banks for $50k. It would feel so sweet.
I already see URLs like this:
citibank.com.customers.update.spammer.com
It wouldn't take any more effort to make:
citibank.bank.customers.update.spammer.com
Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
What kind of financial institution couldn't afford to spend 50 grand to register a domain name? Or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets).
-- the cake is a lie
Phishing works because people don't pay attention to URLs. How would changing the URL help?
If you had super powers, would you use them for good, or for awesome?
The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.
Check out my sci-fi/humor trilogy at PatriotsBooks.
If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* small a sum for them...
Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, its basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: that spammers don't want to spend $50k on one domain, and that registering as a financial institution anywhere is difficult.
If I were an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
Those who can, do. Those who can't, sue.
Oh wait, I'm an idiot. I take that back.
Those graphs said "(in thousands)"...
This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.
First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.
On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.
Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.
A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is, certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".
There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.
Quite simple really.
To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.
To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.
To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.
To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.
Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?
Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. It's the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.
Help poke pirates in the eyepatch, arr.
People don't look at domain names now, nor do they check for https. What makes you think this will change things?
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.
The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:
authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.
for an added bonus, keeps the user's authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).
This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent phishing attacks, they'd develop a standard and not do any online banking without this device.
Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.
Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
AccountKiller
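The mutual challenge-response the post above sketches, as an added example that is not part of the original thread and not any bank's code. It assumes a per-card secret shared with the bank's back end (an HSM in practice) and uses HMAC-SHA256 as the primitive; a real card would use a public-key scheme. The card ID, PIN and transaction strings are constructed fixtures. Note what each of the post's bullets maps to: `unlock` (PIN), `verify_bank` (bank to user), `verify_card` (user to bank), `sign_txn` / `verify_txn` (per transaction), and the secret never leaving the `Card` object.

```python
# Added example: PIN-protected card doing mutual challenge-response with a bank.
# Hypothetical design, HMAC in place of the public-key scheme a real card would use.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts, so 'ab'+'c' never collides with 'a'+'bc'."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Card:
    """The token: holds the secret, unlocks on PIN, authenticates in both directions."""

    def __init__(self, card_id: str, secret: bytes, pin: str):
        self.card_id = card_id
        self._secret = secret                       # never leaves the card
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self._nonce = b""
        self._session: Optional[bytes] = None
        self._counter = 0

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def start(self) -> Tuple[str, bytes]:
        if not self._unlocked:
            raise PermissionError("PIN required")
        self._nonce = secrets.token_bytes(16)       # fresh per session: no replay
        return self.card_id, self._nonce

    def verify_bank(self, bank_nonce: bytes, bank_proof: bytes) -> Optional[bytes]:
        """Bank -> user. Returns the card's own proof, or None when the 'bank'
        cannot show it knows this card's secret (i.e. it is a phishing site)."""
        if not hmac.compare_digest(mac(self._secret, b"bank", self._nonce, bank_nonce), bank_proof):
            self._session = None
            return None
        self._session = mac(self._secret, b"session", self._nonce, bank_nonce)
        return mac(self._secret, b"card", self._nonce, bank_nonce)

    def sign_txn(self, txn: bytes) -> Tuple[int, bytes]:
        """Per-transaction authentication, bound to this session and a counter."""
        if self._session is None:
            raise PermissionError("no authenticated session")
        self._counter += 1
        return self._counter, mac(self._session, b"txn", self._counter.to_bytes(4, "big"), txn)


class Bank:
    def __init__(self, card_secrets: Dict[str, bytes]):
        self._keys = dict(card_secrets)             # card_id -> secret, in an HSM for real
        self._sessions: Dict[str, dict] = {}

    def respond(self, card_id: str, card_nonce: bytes) -> Tuple[bytes, bytes]:
        bank_nonce = secrets.token_bytes(16)
        self._sessions[card_id] = {"cn": card_nonce, "bn": bank_nonce, "last": 0}
        return bank_nonce, mac(self._keys[card_id], b"bank", card_nonce, bank_nonce)

    def verify_card(self, card_id: str, card_proof: bytes) -> bool:
        s, secret = self._sessions[card_id], self._keys[card_id]
        if not hmac.compare_digest(mac(secret, b"card", s["cn"], s["bn"]), card_proof):
            return False
        s["key"] = mac(secret, b"session", s["cn"], s["bn"])
        return True

    def verify_txn(self, card_id: str, counter: int, txn: bytes, tag: bytes) -> bool:
        s = self._sessions[card_id]
        if "key" not in s or counter <= s["last"]:  # unauthenticated, or a replay
            return False
        if not hmac.compare_digest(mac(s["key"], b"txn", counter.to_bytes(4, "big"), txn), tag):
            return False
        s["last"] = counter
        return True


class PhishingSite(Bank):
    """Looks like the bank to the user but holds no card secrets: it can only guess."""

    def __init__(self):
        super().__init__({})

    def respond(self, card_id: str, card_nonce: bytes) -> Tuple[bytes, bytes]:
        return secrets.token_bytes(16), secrets.token_bytes(32)


def run_session(card: Card, bank: Bank, pin: str, txn: bytes = b"pay 100.00 to ACME") -> Tuple[bool, bool, bool]:
    """Full exchange. Returns (bank proven to user, user proven to bank, txn accepted)."""
    if not card.unlock(pin):
        return (False, False, False)
    card_id, card_nonce = card.start()
    bank_nonce, bank_proof = bank.respond(card_id, card_nonce)
    card_proof = card.verify_bank(bank_nonce, bank_proof)
    if card_proof is None:
        return (False, False, False)
    if not bank.verify_card(card_id, card_proof):
        return (True, False, False)
    counter, tag = card.sign_txn(txn)
    return (True, True, bank.verify_txn(card_id, counter, txn, tag))


def make_pair(card_id: str = "card-0001", pin: str = "4321") -> Tuple[Card, Bank]:
    """Constructed fixture: one issued card and the bank that knows its secret."""
    secret = secrets.token_bytes(32)
    return Card(card_id, secret, pin), Bank({card_id: secret})


if __name__ == "__main__":
    card, bank = make_pair()
    print("real bank, right PIN:", run_session(card, bank, "4321"))
    print("real bank, wrong PIN:", run_session(card, bank, "0000"))
    print("phishing site:       ", run_session(card, PhishingSite(), "4321"))
```

The point the post makes about "compromise the user's computer AND have the card inserted" shows up in the code: a phishing page never gets past `verify_bank`, and a recorded `sign_txn` tag is useless later because the counter and session key move on. What the example does not cover is malware on the PC changing the transaction text between the user's screen and `sign_txn`, which is why real tokens show the amount on their own display.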
Do you have an online checking or savings account? Both INGdirect.com and HSBCdirect.com persistently send out plain-text e-mails to confirm just about every transaction - with no option to turn these off. I've written various people at both banks explaining why this is a really, really bad idea. They are uncomprehending. The confirmation e-mails don't give full account details, but give plenty of information for someone who manages to intercept them (or crack someone's Hotmail account) to use social engineering to find out the rest.
Mind you, these are two otherwise fine enough banks that I do business with them. But if I didn't control my mail server - and know and trust the admins running my ISP's routers - I'd be taking on a level of risk that borders on idiotic.
"with their freedom lost all virtue lose" - Milton
And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.
Bill Stewart
How long until all browsers have a url checker built in with some simple basic rules applied?
E.g.: if the address contains ".bank.com" and there is a "." after the com, then alert the user / disable javascript / etc.
Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.
I still wonder why people don't use the Firefox / Adblock / Filterset.G combination as a basic starting point.
It is good to see that there are some anti-phishing addons for Firefox now.
You have a sick, twisted mind. Please subscribe me to your newsletter.
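The "dot after the com" rule above, and the `citibank.bank.customers.update.spammer.com` pattern posted earlier in the thread, both come down to one question: which part of the hostname did a registrar actually sell, and what sits to the left of it? The following is an added example for this thread, not code from the original page or from any browser. The suffix table is a constructed stand-in for the Public Suffix List, and the `.bank` entry assumes the proposed TLD exists; all URLs are constructed.

```python
# Added example: locate the registrable ("owner") domain in a hostname and flag
# suffix-looking labels to its left, the shape of the URLs quoted in this thread.
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "mk", "kn", "bank"}
# Labels that only make sense as (part of) a public suffix; one of these further
# left is the tell in "citibank.com.customers.update.spammer.com".
SUFFIX_LABELS = {s.split(".")[-1] for s in PUBLIC_SUFFIXES}


def registrable_domain(host: str) -> str:
    """Return the longest matching public suffix plus one label: the part of
    HOST that was registered. Everything left of it is named by the owner."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):               # i == 0 is the longest candidate
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])               # unknown suffix: last two labels


def lookalike_warning(url: str) -> Optional[str]:
    """Return a warning if URL is shaped like a phishing link, else None."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return "no hostname in URL (missing scheme?)"
    if parts.username is not None:
        # http://www.citibank.com@spammer.com/ -> the browser connects to spammer.com
        return f"suspicious: userinfo {parts.username!r} in front of real host {host!r}"
    owner = registrable_domain(host)
    sub_labels = host.lower().rstrip(".").split(".")[:-len(owner.split("."))]
    hits = [label for label in sub_labels if label in SUFFIX_LABELS]
    if hits:
        return f"suspicious: {hits} appear left of the owner domain {owner!r}"
    return None


if __name__ == "__main__":
    for u in ("https://citibank.bank/",
              "http://citibank.bank.customers.update.spammer.com/login",
              "http://www.mybank.bank.badurl.com/",
              "http://citybank.ba.mk/",
              "http://www.citibank.com@spammer.com/"):
        print(f"{u:58} owner={registrable_domain(urlsplit(u).hostname)!r:22} {lookalike_warning(u)}")
```

Two things worth noticing when running it. `citybank.ba.mk` passes the label check, because the brand name is an ordinary subdomain of `ba.mk` and nothing to its right looks like a suffix; only the owner-domain column reveals it, which is why a checker has to show the user the owner domain rather than just raise an alarm on keywords. And the `@` form is caught by parsing rather than by string matching, which is the only reliable way to do it.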
Keep all your money hidden in your mattress! No phish there!
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
...None of us have ever seen alternate DNS-circumvention crapware layers like new.net running on Joe User's PC without their knowledge.
For the vast majority of users, a new TLD like .bank will be nothing but a false sense of security.
There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:
When you get a phishing e-mail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.
Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.
The only, and I mean only, reason these things proliferate is because it's profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.
Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.
It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?
blah blah blah
What's purple and commutes? An Abelian grape.
The title says it all. A new top level domain won't stop this. Yes, there are browser extensions and features that can help detect such things or stop them, but again, how does a new domain play into all of this?
Everyone here is trying too hard. You could send a mail out saying
"Please update your BankOfAmerica account at www.somerandomname.com"
and some people would do it.
Foolproof is a word only used by fools.
You're never going to get past the education issue whenever you add something that requires the user to notice that something is wrong. Your solution needs to completely invade the privacy of the user and double guess their intentions to 'protect' them and we all know how that will look. Even with this, some people would probably throw their password into a blank page with a text form on it that says "enter your information to update your account"
A researcher at SecureWorks has posted a detailed rebuttal to F-Secure's .bank proposal. Go check it out! .TLDs: Panacea for Security?
We need to move on from the current DNS system, which basically maps character strings to IP addresses. There still is no validity to the domain name or the IP address. For instance, if I was going to hack a bank or do a stock fraud, I would buy an ISP and run it legitimately for a long time. Then on the day, pollute the DNS record and redirect them to my fake phishing site, where they would give me their bank statements or act on fake stock info.
The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on the root DNS servers. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig; it also requests the same info from bankofAmerica.com. BOI, using local copies of the same info, sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.
Speaking as the former IT manager of a small community bank, I can say conclusively that banks would not love to pay $50,000 to register a domain. Certainly, the cost wouldn't affect the huge money center institutions, but $50,000 is a huge expense for a de novo. Especially when you consider that financial institutions register multiple domain names to avoid confusion. First State Bank might register the domains firststatebank.bank, firststate.bank and maybe even 1ststate.bank.
And even after the bank has jumped through the hoops and paid the exorbitant registration fees, as others have pointed out, consumers who fall for phishing schemes tend to be less sophisticated Internet users and are probably not paying attention to the link they're clicking on anyways.