A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."

We'll see about that.

[brian.gunderson]

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

Re:We'll see about that.

[sporkmonger]

In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

The scheme would still fall victim to urls like this:

http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.

Re:We'll see about that.

[uberzip]

My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.

Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest. Like I said, this is a simple example, some of my banksites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

Re:We'll see about that.

[grcumb]

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

Re:We'll see about that.

[griffjon]

I can see it now:

Dear Customer,

We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on value bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, that you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

Thanks again for your business,

OurBank./

Re:We'll see about that.

[Mr.+Underbridge]

But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com.

Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.

Re:We'll see about that.

[karnal]

chase.com does that on their front page. Browser gives the user NO indication that the form is secure, and to be honest - I usually place a bad account number and password combo to force the "https" page up. Try it. Put in 4/4 and hit log on, and it'll redirect you to the full secure page....

Don't know who thought that up.

Re:We'll see about that.

[smegged]

Thanks, now I don't have to bother typing this myself.

Re:We'll see about that.

[zcat_NZ]

You wish!!!

A while back one of the New Zealand banks had their SSL certificate expire, so for an entire afternoon every customer who visited the login page would have got an 'invalid certificate' warning of some sort..

300-odd customers logged in anyway. Only ONE was suspicious enough to contact the bank.

Re:We'll see about that.

[JimDaGeek]

Dear "OurBank", I use Mac OSX and Linux, your "ourBank.exe" did not work. Please send me either a .deb file or an .dmg. That should help me a lot.

Re:We'll see about that.

[glittalogik]

Whilst I agree with your appraisal of the admins, how is the problem not piss-poor end-users? If certificates 'worked', the bank should have been flooded with calls, and no one should have logged in without confirming the situation over the phone.

Re:We'll see about that.

How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

http//www.wamu.com/personal/default.asp

That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.

Re:We'll see about that.

[Twylite]

Nice idea. See also the petname extension for Firefox.

It provides a coloured bar (yellow/green) for HTTPS connections in which a user-provided identifier is displayed. So you type in the secure site's URL the first time (https://my.bank.com/), then enter an identifier in the petname bar ("Online banking (Twylite)"). Every time you connect to the site in future the extension will pick up an exact match on the domain name and change the bar to green. Other untrusted SSL sites get yellow. Non-SSL sites are white.

This idea is stupid (tld goldrush?)

[Whiney+Mac+Fanboy]

This idea is even stupidder than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness,

I'd expect to see a rush of tld registrations to Macedonia (citybank.ba.mk) and Saint Kitts and Nevis (citibank.ba.kn)

Even if you could train people to look at the URL properly, theres always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability.

Re:This idea is stupid (tld goldrush?)

[gmack]

Not even. Most of the phishing emails that reach my inbox don't even bother to make the URL look like the bank. They just redirect you and hope you don't bother to look at the URL at the top.

As long as a signifigant portion of the population doesn't take even basic steps to protect themselves phishing will be a prevalent problem.

Re:This idea is stupid (tld goldrush?)

[tomhudson]

Exactly. For $50,000, I get a domain that people will "know" is phish-proof. A decent scammer can make tht back in a day if everyone "knows" its "the real bank" and lets their guard down ...

People who think this will work are also gonna love "security through obscurity."

Re:This idea is stupid (tld goldrush?)

[OverlordQ]

Neither of those would work, since your main domain name needs to be at least three characters.

Might want to tell that to people who register .co.uk domains.

dibs!!!!!

[Average_Joe_Sixpack]

sperm.bank

Re:dibs!!!!!

[EmbeddedJanitor]

Dear Sir/Madam I am interested in your services:

How do I make an online deposit?

Are there penalties for early withdrawal?

Re:dibs!!!!!

sperm.bank

Deposits will require both the .bank tld and the .xxx tld

I don't even want to know about withdrawals...

Re:dibs!!!!!

[Penguinshit]

Are there penalties for early withdrawal?

Yes; no linked child accounts... although for some that is desirable.

Foolproof system

[Reason58]

"Foolproof systems do not take into account the ingenuity of fools."

Re:Foolproof system

[bhmit1]

Foolproof systems do not take into account the ingenuity of fools.

You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, lets instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine who's account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.

Cutting out the competition

[Harmonious+Botch]

Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.

Ummmmm...

[TheDarkener]

I just made thedarkener.bank on my own computer, using /etc/hosts. It points to my computer.

I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.

Re:Ummmmm...

[Score+Whore]

Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.

Re:Ummmmm...

[roystgnr]

Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.

That, or he'd have to hack into someone else's computer. I know that's impossible today, but a few pessimistic computer scientists suggest that one day Microsoft's crack team of programmers may make a mistake, allowing a malformed file or network connection to initiate the execution of malicious code on an innocent person's computer! Worse yet, some fear that the vigilance of today's sophisticated computer users may itself fail. It's unlikely that anyone would be foolish enough to run an executable file from an untrustworthy source without at least rigorously testing it in a "sandbox" environment, but rumor says that in a few underfunded public schools the computer security classes don't even teach kids how to set up a virtual machine!

Re:I know it will never happen

[Reason58]

But god would it be good to gouge banks for $50k. It would feel so sweet.

Until you realize it was your own money.

make it half a million a year and we're talking...

[MarcoAtWork]

what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

This wouldn't work

[j0nb0y]

Phishing works because people don't pay attention to URLs. How would changing the URL help?

Re:make it half a million a year and we're talking

[dgatwood]

The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.

Bad! Bad! Bad!

[NeutronCowboy]

Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, it's basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: spammers don't want to spend $50k on one domain, and registering as a financial institution anywhere is difficult.

If I'd be an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!

.bank is the wrong name

[adrianmonk]

This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.

First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.

On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.

Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.

A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".

Duh

[Mwongozi]

There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.

Quite simple really.

it's not like they use their own domains now...

[jfruhlinger]

To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

To access account info for my wife's Fidelily Visa Card, I need to go to a site in the ibsnetaccess.com domain.

To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?

No additional security, added cost

[patio11]

Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. Its the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.

This is already a solvable problem.

[Vellmont]

There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.

The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:

authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.

for an added bonus, keeps the users authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).

This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent fishing attacks, they'd develop a standard and not do any online banking without this device.

Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.

Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.

Suckers usually use IE or AOL, not Firefox...

[billstewart]

Unfortunately, the best customers for phishers usually aren't using Firefox - they're either using the browser that came with their PC, or else the one that came with their AOL account.

And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.

Re:Suckers usually use IE or AOL, not Firefox...

[Kalriath]

Don't know about Opera, but IE simply wont connect to any URLs in the http://domain/ format. Returns "Invalid Syntax Error". Microsoft just got sick of all the phishers and disabled it within WinInet about 3 years ago.

Re:Suckers usually use IE or AOL, not Firefox...

[Kalriath]

I meant http://user:password@domain/ format. Damn you SlashCode.

URL checking - similar to adblock

[Hyperhaplo]

How long until all browsers have a url checker built in with some simple basic rules applied?
Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.

Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.

I still wonder why people don't use the Firefix / Adblock / Filterset.G combination as a basic starting point.

It is good to see that there are some anti-phishing addons for Firefox now.

Re:URL checking - similar to adblock

[mrcaseyj]

How about this: the browser could highlight the domain in the URL. If you were browsing a page at www.amazon.com.evildomain.com, then evildomain.com would be highlighted. That would hopefully make it obvious that you're not at amazon.com.

Great idea. It wouldn't solve all the problems but it would help a little and it seems like it would be easy to program.

I was trying to tell my dad how to recognize what domain he was at, but I couldn't think of how to describe it while taking into account all the variations a phisher might use. Then I saw a regular expression designed to extract the domain name from a URL. It basically said to take the part just before the third slash. That seems pretty good to me and easy enough to explain to my dad. Can a scammer fake that? Another way in Firefox at least is that Firefox shows the domain on the status bar at the lower right.

Another problem I've run into lately is that a couple of institutions that I deal with have stopped using SSL encryption for the entire login page. They use regular http for most of the page and just have the username and password form submitted with https. The problem is that you see no padlock and there is no way to know that the page is really from the domain you see in the address bar. A man in the middle could have intercepted the page between you and the bank and removed the encryption from the login form and redirected your password to a bad guy. The entire page and everything on it needs to be encrypted with https or the page is insecure. Even Microsoft's Internet Explorer programmers say this is bad and tell the banks not to do it but the banks do it anyway. Read more about it at Microsoft's website.

http://blogs.msdn.com/ie/archive/2005/04/20/410240 .aspx

This is not just a possibility but it seems to me like a realistic attack. On most wired networks you don't have to worry too much about ISP employees doing a man in the middle attack on you, but if you're using wireless at a coffee shop you'd better watch out for the https in your address bar. A hacker might use something like airpwn

http://www.informit.com/guides/content.asp?g=secur ity&seqNum=158&rl=1

to do a man in the middle attack and to intercept your password. It looks like it would be pretty easy.

I read an easy way you can get an entirely encrypted login page even if they don't have one available. You start your login by giving a bogus username and password. The bank will usually come back with an entirely encrypted login page that says you entered the wrong password. Just check the domain and check for the s in https and then go ahead and enter the correct username and password.

because...

[xlsior]

...None of us have ever seen alternate DNS-circumvention crapware layers like new.net running on Joe User's PC without their knowledge.

For the vast majority of users, a new TLD like .bank will be nothing but a false sense of security.

The simple way to end phishing.

[hobo+sapiens]

There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:

When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.

Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.

The only, and I mean only, reason these things proliferate is because its profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.

Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.

It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?

Re:The simple way to end phishing.

[FutureDomain]

When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore. It would be even better if you had an automatic program that would do the work for you. It would submit bogus usernames and random passwords to drive the phishers crazy. I would call it "Dead Phish". Of course they could block any information from your IP if they figure out what you're doing, but the bogus information is still there for them to try unsuccessfully.

Re:The simple way to end phishing.

[hobo+sapiens]

Have you ever tried messing with 419 scammers or phishing sites? It's quite fun. Try checking out 419eater.com or whatsthebloodypoint.com if you want to see for yourselves (didn't check those URLs before pressing submit, but that'll get you there).

When you mess with 419 scammers, you get the added bonus of being creative. You get to play whatever role you want, you get to mess with someone's head, and you are on the moral higher ground because they are, after all, trying to steal your money!

No way would I let a program do that for me!

I guess the only concern I can think of with going to phishing sites is that they then have your IP. So don't do that if you don't have a firewall. Then again, rip your network cable out of the wall if you don't have a firewall.

Re:The simple way to end phishing.

[MikeyVB]

I used to think that was a good idea, until I under realized the true power of stupid people.

As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phising e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.

We managed to recover the phising e-mail. It was a standard phishing e-mail, however, it was not sent to her form the phisher him/herself, but from a friend of hers!

The subject had the FWD: tag at the begining, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friends comment.

Don't under estimate the power of the stupid.

Re:Not a problem

[SEMW]

Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done. If I've somehow obtained deep enough access to your box to edit your HOSTS file (i.e. admin/root privileges), why bother with phishing emails? I could just install a keylogger, wait for you to visit your bank in the normal course of business, and snag your details. Or just grab them from \My_Documents\misc\unimportantstuff\really_nothing here\FINANCIAL_PASSWORDS.txt. Much more reliable than mucking about with making mockup login pages.

Re:How will this stop XSS

[Bazar]

I think its a good idea, well worth investigating, but its not just another domain that they need, they'd need support of the browsers, as well as greater security and administration of the domain itself.

In browers that supported the .bank domain, they could do a series of checks for example

• Checking the security certificates for the .bank domain, ensuring that the cert is authenticated by the .bank domain. Self created certs would be unacceptable.
• Creating a border or some other distinguishable feature to the rendering of the site, when in a .bank extension. For example, a half inch security border around the screen (Yes, thats a bad idea since it could be mimicked by javascript, but you get the idea)
• Enforcing strict security on owners of the sites, as well as extenstive registration processes. Thus preventing cyber-squatters and phishing
• Email clients that supported it, could be designed to do a security checks from emails claiming to come from .bank domains, and flag them as phishing attempts if they fail

The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from mozilla, microsoft, and the others, it would help GREATLY, its a step in the right direction at the very least.

Re:How will this stop XSS

[alienw]

I don't think you get it. The problem is not the security of the .bank domain. The problem is getting people to recognize that the site they are visiting is not legitimate. Considering that it's already pretty obvious that a URL like http://wellsfargo.scammer.com/scam_me does not belong to a bank, I'd say the .bank extension won't help anything.