Slashdot Mirror


A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.'"

16 of 436 comments

  1. We'll see about that. by brian.gunderson · · Score: 5, Insightful

    An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

    --
    Appended to the end of comments you post. 120 chars.

    1. Re:We'll see about that. by sporkmonger · · Score: 5, Insightful

      In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

      The scheme would still fall victim to urls like this:

      http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru

      Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.

    2. Re:We'll see about that. by uberzip · · Score: 5, Interesting

      My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

      In the rare event that a user does look at the url they see that first .com and don't bother with the rest of the address. I don't see how a .bank would help at all.

      Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest? Like I said, this is a simple example; some of my bank sites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

    3. Re:We'll see about that. by grcumb · · Score: 5, Insightful

      An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

      True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

      Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.

    4. Re:We'll see about that. by griffjon · · Score: 5, Insightful

      I can see it now:

      Dear Customer,

      We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on valued bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, that you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

      Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

      Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

      Thanks again for your business,

      OurBank./

      --
      Returned Peace Corps IT Volunteer

    5. Re:We'll see about that. by glittalogik · · Score: 5, Insightful

      Whilst I agree with your appraisal of the admins, how is the problem not piss-poor end-users? If certificates 'worked', the bank should have been flooded with calls, and no one should have logged in without confirming the situation over the phone.

    6. Re:We'll see about that. by Anonymous Coward · · Score: 5, Interesting

      How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

      http//www.wamu.com/personal/default.asp

      That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.

  2. Foolproof system by Reason58 · · Score: 5, Funny

    "Foolproof systems do not take into account the ingenuity of fools."

    1. Re:Foolproof system by bhmit1 · · Score: 5, Interesting

      Foolproof systems do not take into account the ingenuity of fools.

      You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, let's instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red-flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine whose account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.

  3. Re:I know it will never happen by Reason58 · · Score: 5, Funny

    But god would it be good to gouge banks for $50k. It would feel so sweet.

    Until you realize it was your own money.

  4. Re:dibs!!!!! by EmbeddedJanitor · · Score: 5, Funny

    Dear Sir/Madam I am interested in your services:

    How do I make an online deposit?

    Are there penalties for early withdrawal?

    --
    Engineering is the art of compromise.

  5. it's not like they use their own domains now... by jfruhlinger · · Score: 5, Interesting

    To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

    To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.

    To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

    To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

    Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?

  6. Re:Ummmmm... by Score+Whore · · Score: 5, Funny

    Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.

  7. URL checking - similar to adblock by Hyperhaplo · · Score: 5, Insightful

    How long until all browsers have a url checker built in with some simple basic rules applied?
    Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.

    Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.

    I still wonder why people don't use the Firefox / Adblock / Filterset.G combination as a basic starting point.

    It is good to see that there are some anti-phishing addons for Firefox now.

    --
    You have a sick, twisted mind. Please subscribe me to your newsletter.

  8. Re:How will this stop XSS by Bazar · · Score: 5, Interesting

    I think it's a good idea, well worth investigating, but it's not just another domain that they need; they'd need support of the browsers, as well as greater security and administration of the domain itself.

    In browsers that supported the .bank domain, they could do a series of checks, for example:
    • Checking the security certificates for the .bank domain, ensuring that the cert is authenticated by the .bank domain. Self-created certs would be unacceptable.
    • Creating a border or some other distinguishable feature to the rendering of the site, when in a .bank extension. For example, a half-inch security border around the screen (Yes, that's a bad idea since it could be mimicked by javascript, but you get the idea)
    • Enforcing strict security on owners of the sites, as well as extensive registration processes. Thus preventing cyber-squatters and phishing
    • Email clients that supported it could be designed to do security checks on emails claiming to come from .bank domains, and flag them as phishing attempts if they fail

    The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from mozilla, microsoft, and the others, it would help GREATLY; it's a step in the right direction at the very least.

    --
    To avoid criticism; Say nothing, Do nothing, Be nothing.
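
As an added example, not code from the thread, here is the kind of built-in link checker Hyperhaplo asks for and Bazar sketches, run against the URLs sporkmonger and uberzip posted; it also returns the host part the Anonymous Coward would have the browser highlight. It assumes the article's premise that the whole .bank TLD is reserved for banks, the function names are mine, the two-label "registrable domain" is a simplification (a real checker would consult the public suffix list), and the punycode check goes slightly beyond what the thread discusses.

```javascript
// Added example, not from the Slashdot thread: a link checker with the simple
// rules Hyperhaplo and Bazar describe, using only the WHATWG URL API that Node
// and browsers provide. Assumes ".bank" is reserved for banks (the article's
// proposal); function names and the two-label domain rule are assumptions.
const BANK_TLD = "bank";

// The part of the host a user should actually read (what the AC would have the
// browser highlight): the last two labels. Simplification; a real checker
// would consult the public suffix list.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function checkBankLink(raw) {
  let url;
  try { url = new URL(raw); } catch (e) {
    return { verdict: "unparseable", reasons: ["not a valid URL"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  const reasons = [];
  // sporkmonger's URL: "paypal.bank:<token>@somedomain.ru". Everything before
  // the "@" is userinfo, not the host, so the browser really connects to somedomain.ru.
  if (url.username || url.password) {
    reasons.push(`userinfo "${url.username}" sits in front of the real host ${host}`);
  }
  // uberzip / Hyperhaplo: a trusted-looking ".com" or ".bank" buried inside a
  // longer hostname, e.g. www.amazon.com.evildomain.com or www.mybank.bank.badurl.com
  const buried = labels.slice(0, -1).filter(l => l === "com" || l === BANK_TLD);
  if (buried.length) reasons.push(`"${buried[0]}" appears as a subdomain, not as the TLD`);
  // grcumb's hypothetical .bank plugin: a bank host must at least be served over TLS.
  if (tld === BANK_TLD && url.protocol !== "https:") reasons.push("bank host without https");
  // Beyond the thread: punycode labels (xn--) can hide look-alike characters.
  if (labels.some(l => l.startsWith("xn--"))) reasons.push("internationalized label, check spelling");
  return {
    verdict: reasons.length ? "suspicious" : "ok",
    host,
    registrable: registrableDomain(host),
    isBankTld: tld === BANK_TLD,
    reasons,
  };
}
```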

  9. Re:The simple way to end phishing. by MikeyVB · · Score: 5, Interesting

    I used to think that was a good idea, until I realized the true power of stupid people.

    As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phishing e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.

    We managed to recover the phishing e-mail. It was a standard phishing e-mail; however, it was not sent to her from the phisher him/herself, but from a friend of hers!

    The subject had the FWD: tag at the beginning, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friend's comment.

    Don't underestimate the power of the stupid.