Slashdot Mirror


F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."

203 comments

  1. Sooo.... by borizz · · Score: 0, Troll

    The plan is to create a very expensive TLD?

    What does that help? All it does is raise the barrier of entry for criminals and it provides a false feeling of security to average people (who will think: "Hey! It's .bank, so it's good!").

    1. Re:Sooo.... by setirw · · Score: 5, Informative

      The plan is to create a very expensive TLD?

      Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

      The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

      --
      This message printed on 100% post-consumer recycled electrons.
    2. Re:Sooo.... by Colin+Smith · · Score: 3, Interesting

      The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

      Not a big problem. The browsers can help there. Those with half a brain will get it, those without are a lost cause anyway. You can't run the world on the basis that it has to be safe for the 5 Watt bulbs.

      --
      Deleted
    3. Re:Sooo.... by mad_robot · · Score: 1

      When your site at www.paypal-user-login.bank gets rumbled and you have to switch to www.paypal-confirm-details.bank, it's going to cost you a lot of money. What do you reckon the useful lifetime of these phishing sites is? A few days perhaps? A couple of weeks at most? This is going to put a serious hole in your business model.

      Of course you could always fall back on other techniques (e.g. www.paypal.bank.09F911029D74E35BD84156C5635688C0.phish.com). But the .bank TLD would at least be a start.

      --
      U1NCaVpYUWdlVzkxSUhkcGMyZ2dlVzkx SUdoaFpHNG5kQ0JpYjNSb1pYSmxaQT09
    4. Re:Sooo.... by jorgevillalobos · · Score: 3, Interesting

      The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

      But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier for users, or at least for some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.

      I think .bank would add an extra layer of online banking security, and that's a big plus IMO.

    5. Re:Sooo.... by hedwards · · Score: 2, Insightful

      Expensive isn't necessarily an issue. While 50k seems unreasonable to me, a fee high enough for them to really check and actually do the verification in person would potentially be within the costs of doing business for larger banks. The problem is with smaller banks trying to compete, especially credit unions.

      The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help as well as the ability to keep people from randomly registering with a .bank TLD, but if the DNS servers aren't able to necessarily guarantee that the browser really is where it should be and that there hasn't been any injections going on, it is just an expensive yacht club type of amenity.

      When some banks are rumored to not even have the login page secured, it seems odd to think that this kind of security would fix that. The banks I use could get some benefit out of it. But probably the best thing would be to remember that online fraud and phishing is a lesser cause of fraud than are fraudulent checks by third party scam artists.

    6. Re:Sooo.... by scribblej · · Score: 1, Insightful

      What about places that handle "money" and need to be secure but aren't banks?

      Shopping carts, mall websites, payment gateways, -- anything with a payment form on the site... they are all attacked more than "banks" right now. It's easier to skim a lot of small insecure sites than hit one big well-protected one. I learned that from Neuromancer.

    7. Re:Sooo.... by TheRaven64 · · Score: 1

      After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains.

      I used to know someone who had a .gov.uk domain. He didn't use it much; he got it set up for testing purposes when he was doing some contract work for a government agency and never got around to telling them that it was no longer needed. Apparently getting it set up in the first place only required one telephone call, and didn't involve any additional checks.

      --
      I am TheRaven on Soylent News
    8. Re:Sooo.... by Anonymous Coward · · Score: 1, Interesting

      Presumably, England's policy regulating .gov.uk registration is substantially different from the U.S.'s, where there do not exist any .gov sites that do not actually represent government agencies.

    9. Re:Sooo.... by Znork · · Score: 4, Interesting

      "you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"

      Nah, they use real .gov domains instead.

      Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...

      The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.

      Further, F-Secure validating all sites under a domain doesn't need a new TLD, they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').

      Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.

    10. Re:Sooo.... by TubeSteak · · Score: 1

      Not only expensive, but also exclusive. As with suffixes like .gov, the difficultly of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive)... As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."
      Proof of legitimacy & exclusivity...
      TFA mentions State tlds like .bank.uk
      So do only USA banks get to have a .bank url?

      Or, can I setup a dummy bank in the Cayman Islands, pay $50K and have my own personal website @ TubeSteak.bank?

      For whatever reason, the people at F-Secure (and you) don't seem to think that criminals capable of corrupting governments and laundering billions in [currency] per year will be able to setup (on paper) a legitimate looking bank.

      I'd suggest that the bigger crime rings would benefit from a $50,000 registration fee, since it would squeeze all the small scammers out of the "looks legit" marketplace.
      --
      [Fuck Beta]
      o0t!
    11. Re:Sooo.... by CommunistHamster · · Score: 1

      Why don't we highlight the TLD in the url?
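Added example, not from any post in the thread: the address-bar logic that setirw's chase.bank.omgphished.com, mad_robot's long-hex-label URL and CommunistHamster's "highlight the TLD" suggestion all call for. It splits a URL into the part the registrant actually owns and the decoration to its left, and flags the tricks the thread lists: a TLD-looking label such as .com or .bank sitting left of the real domain, a bank name hidden in the userinfo part (https://chase.bank@evil.example/), long opaque hex labels, bare IP addresses and punycode. The two-label rule for the registrable domain plus the tiny MULTI_LABEL_SUFFIXES table is a stand-in for the Public Suffix List; the hostnames in the code are the thread's own examples or hypothetical .example names.

```python
"""Added example (not from the thread): split a URL the way an address bar
would have to in order to show which part is the registrable domain and
which part is decoration a phisher controls.

Assumption: the registrable domain is the last two labels, except for a
tiny hand-written stand-in for the Public Suffix List; real code should use
the full list (e.g. the tldextract package).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: a stand-in for the Public Suffix List, enough for this thread.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "com.br", "com.au"}
# Labels that read like a TLD but sit left of the real registrable domain.
DECOY_TLD_LABELS = {"com", "net", "org", "gov", "bank"}
HEX_BLOB = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def registrable_domain(host):
    """Return the part of the hostname that the registrant actually owns."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url):
    """Pick apart one URL and return the signals an address-bar UI would need."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    labels = host.split(".") if host and not is_ip else []
    reg = registrable_domain(host) if labels else host
    prefix = labels[: len(labels) - len(reg.split("."))] if labels else []
    tld = labels[-1] if labels else ""
    return {
        "host": host,
        "is_ip": is_ip,
        "registrable": reg,
        "prefix_labels": prefix,
        "tld": tld,
        # only true when .bank is the real top-level label
        "real_bank_tld": tld == "bank",
        # "paypal.com.fakedomain.com" -> ["com"], "chase.bank.omgphished.com" -> ["bank"]
        "decoy_labels": [l for l in prefix if l in DECOY_TLD_LABELS],
        # "https://chase.bank@evil.example/" hides the real host behind userinfo
        "userinfo_decoy": parts.username is not None,
        # long hex junk used to push the real domain out of view
        "opaque_label": any(HEX_BLOB.match(l) for l in labels),
        "punycode": any(l.startswith("xn--") for l in labels),
    }


def highlight(url):
    """Render the host with the registrable domain in brackets,
    e.g. 'chase.bank.[omgphished.com]'."""
    c = classify(url)
    if c["is_ip"] or not c["host"]:
        return c["host"]
    head = ".".join(c["prefix_labels"])
    return (head + "." if head else "") + "[" + c["registrable"] + "]"


def verdict(url):
    """'bank' only says the host really is under .bank; whether the registrant
    is a bank is the registry's job, which is the thread's whole argument."""
    c = classify(url)
    if (c["is_ip"] or c["userinfo_decoy"] or c["decoy_labels"]
            or c["opaque_label"] or c["punycode"]):
        return "suspicious"
    return "bank" if c["real_bank_tld"] else "ordinary"


if __name__ == "__main__":
    for u in ("https://chase.bank.omgphished.com/login",
              "https://www.paypal-user-login.bank/",
              "https://www.paypal.bank.09F911029D74E35BD84156C5635688C0.phish.com/",
              "https://www.chase.bank@evil.example/"):
        print(f"{verdict(u):10s} {highlight(u)}")
```

Note what the "bank" verdict does and does not say: www.paypal-user-login.bank is classified as a genuine .bank host, which is exactly mad_robot's scenario, so the registry's vetting, not the parser, is what has to keep that name out of a phisher's hands. The punycode flag is deliberately blunt; a browser applies a display policy rather than treating every IDN as hostile.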

    12. Re:Sooo.... by Anonymous Coward · · Score: 0

      Did the two of you (parent and GP) not read TFA at all? both of your points (high cost and URL format of .bank) were specifically addressed in the blog posting...

    13. Re:Sooo.... by Anonymous Coward · · Score: 0

      The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

      The real problem is that this only solves the problem for the big guys. The "small players" will not only find themselves targeted more than ever, but their own customers won't trust their sites because they're not ".safe" or ".bank" or whatever.
    14. Re:Sooo.... by MrWarMage · · Score: 2, Insightful

      In case you have never done tech support over the phone, you should know that you've got a 50/50 chance of the user being able to locate the "Address Bar" no matter how clearly you explain its location. Lots of users simply clicky-clicky and just don't pay attention to the target at any point. Moreover, in all the flavors of windows of which I'm aware (which I'm afraid you must still consider as a viable design constraint), the Listbox control does not allow extended properties (color, bold, background) for only a portion of a text string (typically the Caption). Your options are color, font, B-I-U, and that's it.

    15. Re:Sooo.... by turly · · Score: 1, Troll

      You can't run the world on the basis that it has to be safe for the 5 Watt bulbs.
      Hmm, I thought the US was being run by a 5 Watt bulb.

      Joke! Honest!

      --
      IX CCXLIX XVII II CLVII CXVI CCXXVII XCI CCXVI LXV LXXXVI CXCVII XCIX LXXXVI CXXXVI CXCII
    16. Re:Sooo.... by leenks · · Score: 2, Insightful

      So the malware now targets the browser and changes the behavior for yourbank.com-html.129381E07271B84121G34121.omgpwn3d.com.br so that it looks legitimate.

      Education is the best line of defense against this type of attack. Too bad one of my credit cards (MNBA) insists on sending me HTML emails with "click here to service your account" to confuse matters (while my other banks tell me to never click a link in an email to do such a thing). The worst bit is they don't seem to care - when I questioned the practice 18 months ago I got nowhere :(

    17. Re:Sooo.... by theArtificial · · Score: 0

      The term "Address Bar" tends to be a term that throws the non technical crowd off. I've found that referring to it as the "Http Bar" tends to get better results. This still doesn't help if they enter things into toolbars though :/

      --
      Man blir trött av att gå och göra ingenting.
    18. Re:Sooo.... by Heembo · · Score: 1

      How would a .bank TLD stop phishing attacks in any way without browser-specific support? This does not seem to be a very revolutionary or even helpful idea to me at all.

      --
      Horns are really just a broken halo.
    19. Re:Sooo.... by kuleiana · · Score: 1

      Oh, Jim, you misunderestimated ole George Bush again. Just tell the dev teams to integrate it into the next incremental version of Firefox, Safari and MSIE and life will be good - just make sure you hire real software engineers and not ones that use "advanced, unmaintainable techniques".

      --
      Thinkingman.com New Media
  2. I'm still not convinced by j0nb0y · · Score: 4, Insightful

    Quite frankly, the only way to prevent phishing fraud is through user education.

    If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

    Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

    At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

    This just seems like it would be a big waste of money for all parties involved.

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:I'm still not convinced by mark-t · · Score: 1

      Or worse... if the security was compromised later, long after the user is accustomed to implicitly trusting the green bar, and their confidential data is given to someone who was not who they thought it was.

      You are right on the money on this issue. Education is the only real solution to the problem, and trying to impose a technological solution to what is ultimately a social problem only makes it that much harder to teach people how to avoid it later because they are that much more used to trusting supposedly "secure" systems.

    2. Re:I'm still not convinced by pcgamez · · Score: 1

      You are missing the point. The idea is to make this one part of an overall strategy. Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people. Furthermore, user education has limited effectiveness and takes a long period of time. It is unlikely that we would be able to properly educate the majority of people if we had a decade.

    3. Re:I'm still not convinced by mark-t · · Score: 1

      Except that you are still going to need to educate at least that many people later (more actually, since the population is constantly growing) even *IF* they implement this solution. Delaying education only makes things worse.

      You are right that it would be expensive, but it would be orders of magnitude more effective than a technological solution like a trusted top level domain name that in the end accomplishes nothing more than being a placebo.

    4. Re:I'm still not convinced by allgood2 · · Score: 2, Insightful

      OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to educate them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

      My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones losing money or big money' statement. If small banks and credit unions can't get access to the .bank domain, then as far as I can see, you're just switching the scammers and phishers from targeting large banks to targeting small banks and credit unions. It's a we don't care argument; which weakens the entire effort.

      F-Secure mentions Finland, which has a very low rate of phishing due to the fact of its mail confirmations of address. My thoughts are if the .bank domain were to succeed it needs to include small banks and credit unions; which means there needs to be some sort of exception to the fees. Possibly a $10,000 domain name purchased combined with physical proof of credit union or small bank status, and a certain number of years in operation.

      The proof of years in operation as an exchange for relief from cost; seems like a small trade-off for me. I would assume most phishers wouldn't be willing to wait 3-5 years and still fork out $10-$15,000 just to engage in a scam. Plus most newly established credit unions and banks fail or succeed (however marginally), within similar time frames of the average business (3-5yrs). Obviously, the verification process would be key, but this would allow small banks and credit unions the same level of security as large banks.

    5. Re:I'm still not convinced by Khyber · · Score: 1

      "Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people."

      Expensive? I can educate a couple billion people cheaply - make a text website that simply says "Keep your account secure - don't bank online, get off your lazy ass, and learn how to write checks and mail them." and point them to that site.

      Problem solved.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:I'm still not convinced by j0nb0y · · Score: 1

      Anti phishing education is actually quite simple right now.

      What's the URL of your bank?

      Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

      All banks have to do is put this information on a nice one sheet insert, and put it in with the account statements that they mail out monthly anyway.

      --
      If you had super powers, would you use them for good, or for awesome?
    7. Re:I'm still not convinced by mark-t · · Score: 2, Insightful

      It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them enough exposure to it, and when something bogus comes along, they should be able to see it for what it is because it won't match up.

    8. Re:I'm still not convinced by dabraun · · Score: 1

      Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

      Then you get companies like citibank which insists on putting their online credit card access under "citicards.com". How about educating the banks themselves? Get it through their head that they need ONE site with ONE name which is their OFFICIAL name that their customers know.

      Then build a setup where a given domain can be "locked down" to be https only, have browsers not even allow sites on this list to be accessed via http. Gobble up all reasonable variants (.com, .org, .net etc) by either having them all registered or blocking all but the official one.
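Added example, not from dabraun's post or any other: the "locked down to https only" list described above, written as the mechanism browsers later standardized for exactly this, HTTP Strict Transport Security (RFC 6797) with a built-in preload list. A preloaded host ships with the browser and covers its subdomains; other hosts opt in with a Strict-Transport-Security header, which is only honoured on an HTTPS response (otherwise an on-path attacker could plant policy over plain HTTP). Once a host is known, an http:// navigation is rewritten to https:// before any request leaves the machine, which is the standardized form of "not even allow ... via http". All hostnames ending in .example are hypothetical.

```python
"""Added example (not from the thread): an HTTPS lock-down list of the kind
dabraun describes, written as HTTP Strict Transport Security (RFC 6797)
plus a built-in preload list. Hostnames ending in .example are hypothetical.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, preload=()):
        # Preloaded hosts ship with the browser, never expire and always
        # cover subdomains, like the real preload list.
        self.preload = {h.lower() for h in preload}
        # host -> (expires_at, include_subdomains), learned from headers
        self.dynamic = {}

    def observe(self, host, header, secure, now=None):
        """Record a Strict-Transport-Security header. Returns True if acted on."""
        if not secure:
            # Only trusted on an HTTPS response; honouring it over plain HTTP
            # would let an on-path attacker plant or clear policy.
            return False
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                   # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)   # site asked to be forgotten
            return True
        self.dynamic[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent that covers subdomains, is locked down."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue                   # stale entry, ignore it
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url, now=None):
        """Return (url_to_fetch, upgraded). http:// to a known host becomes
        https:// before any request leaves the machine."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host, now):
            return url, False
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)), True


if __name__ == "__main__":
    store = HstsStore(preload=["citibank.example"])
    store.observe("onlinebank.example", "max-age=31536000; includeSubDomains", secure=True)
    for u in ("http://www.citibank.example/login", "http://secure.onlinebank.example/",
              "http://unrelated.example/"):
        print(u, "->", store.navigate(u))
```

The first visit to a non-preloaded host is still over plain HTTP, which is why the preload list exists; dabraun's "gobble up all reasonable variants" is the registration-side half of the same idea and is not something a browser can do for the bank.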
    9. Re:I'm still not convinced by veganboyjosh · · Score: 1

      Cos you read those through and through? Granted, a one sheet thing would be more widely read than a whole folded small print booklet/pamphlet, most people I think just get the statement, and toss the rest.

    10. Re:I'm still not convinced by Cheapy · · Score: 0, Troll

      How about this. We attach UZIs to every computer sold. If this URL isn't "green" and the user clicks on it, the UZI will shoot. A lot. And hopefully take out the user. The phishing scam didn't work and the stupid user is dead!

      Darwin would love it!

      --
      Would you kindly mod me +1 insightful?
    11. Re:I'm still not convinced by TwilightXaos · · Score: 1

      Worse. I don't even read the mailed statement. I view my statements online, on my bank's website. It seems kinda foolish for them to put this info there doesn't it?

    12. Re:I'm still not convinced by allgood2 · · Score: 1

      Not just Citibank, what about fairly large institutions like Associated Bank or Household Bank. Household Bank is fine when you're banking, but to look up my credit card data, I have to go to HSBC or hsbccreditcard.com. I need a crib sheet just to keep up with the variations of names related to my credit card; and that doesn't even count when a bank decides it needs to distinguish urls for business or personal accounts, checking and savings, etc., etc. Most banks have a litany of urls associated with them. I have more than three bookmarks for my primary bank, each highlighting a different service I use frequently, that they've created separate login pages for. I could start from the front page, but then I have to go ten clicks in before, I get to what I need. It's easier to just bookmark, business account, personal account, credit card, and main page.

      If banks would keep everything to one simple url, then yeah, phishing training would be darn easy; but it's not that easy right now; and what makes it worse, is some services aren't even managed by the bank. I'm the queen of research, and if I get annoyed at how long it takes to verify if a url is actually associated with my bank, has my bank been purchased/merged/ or otherwise renamed, etc., etc. Then I'm not expecting the average user to catch up quickly.

    13. Re:I'm still not convinced by Workaphobia · · Score: 1

      I recently got two unsolicited and unprofessional emails, supposedly from my bank (HSBC), that seemed very suspicious. They asked me to log in with my existing username and password for a new service, and mentioned that inaction on my part would lead to no further contact on the matter. They made that sound friendly yet threatening enough to induce me to actually consider visiting whatever service they were describing. All the images and hyperlinks were from a different domain (hsbcusa.com) than their well-known and advertised one (hsbc.com), and although the first website frequently linked to the main one, there were no return links to indicate to me that both were legit. To top it off, words like "free" were capitalized and highlighted, and the subject line contained "Urgent action needed on your account".

      I'm guessing it was legit because the domain hsbcusa.com was registered with reasonable whois information (as far as I can judge) and I kind of doubt a phisher would care to mask his tracks from someone who'd actually investigate that. But if it is, then that demonstrates that it's more difficult than it should be to tell the difference between fraudulent and real messages, even for an educated user (unless I'm a moron - here's crossing my fingers that I'm not).

      --
      Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
    14. Re:I'm still not convinced by TheSciBoy · · Score: 1

      It bothers me that people think this is a big waste of money. It will be a very cheap thing to do. Consider the amounts the banks are losing now. I'm thinking that even a small dropoff in that amount would easily pay for something so trivial as a new top level domain.

      Adding a dialogue that is shown once you first step into a .bank domain that informs you that "you are now entering a safe .bank site, that is why the address bar is green" which is never shown again would educate most people who read dialogues. Not all people do, of course, but the people that don't will have to look out for themselves.

      Also, DNS poisoning requires trojans and stuff, now we're talking a whole other level of problem. Once a computer has been compromised that way, there are a thousand ways to obtain vital phishable information about a user.

      I would say, my bank uses one of the few fairly safe systems. When logging in, you use a small device that generates pseudo-random-numbers. A challenge-response for logging on, for adding new receiving bank-accounts and for transferring money and you would have to be duped more than once (and the actual bank account number for the receiving account AND the amount of money being transferred would have to be used or an incorrect response would be generated).

      It's not foolproof, but it's very good in my opinion and as safe as you can get I think. Now they have even added a 9 at the beginning of all the logon random numbers so that a phishing site can't use it to generate "acceptable" amounts for transfer. At least I would react if someone tried to transfer an eight-digit amount of money from my account and the first digit being a 9. :)

      --
      Badgers, we don't need no stinking badgers! - UHF
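Added example, not from TheSciBoy's post: a simulation of the token scheme described above, with HMAC-SHA256 over a per-token shared key standing in for whatever vendor algorithm the real device uses. The properties it shows are the ones the post relies on: the response is bound to a purpose (login vs. transfer) and, for a transfer, to the destination account and the amount, and login challenges carry a leading 9 so a phisher cannot pass a transfer amount off as a login challenge. The account numbers, amounts and the fixed key in the test are constructed.

```python
"""Added example (not from the thread): a challenge-response token of the kind
TheSciBoy describes, simulated with HMAC-SHA256 and a shared per-token key.
The real devices use a vendor-specific algorithm; the properties shown are
the same: the response is bound to a purpose (login vs transfer) and, for a
transfer, to the destination account and amount, and login challenges carry
a leading 9 so they can never double as a transfer amount.
"""
import hashlib
import hmac
import secrets

DIGITS = 8


def _truncate(mac, digits=DIGITS):
    """HOTP-style dynamic truncation of a MAC to a fixed number of digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def token_response(key, purpose, fields):
    """What the handheld token shows after the user keys in the fields.
    `purpose` is a domain separator so a login response and a transfer
    response never coincide even if the digits typed were the same."""
    message = "|".join([purpose, *fields]).encode()
    return _truncate(hmac.new(key, message, hashlib.sha256).digest())


def new_login_challenge():
    """Bank side: an 8-digit challenge that always starts with 9, so it can
    never look like an amount the user would be asked to key in for a transfer."""
    return "9" + "".join(str(secrets.randbelow(10)) for _ in range(DIGITS - 1))


def verify_login(key, challenge, response):
    """Bank side: the challenge must be one of ours (leading 9) and the
    response must match; compare_digest avoids a timing side channel."""
    expected = token_response(key, "login", [challenge])
    return challenge.startswith("9") and hmac.compare_digest(expected, response)


def verify_transfer(key, dest_account, amount_cents, response):
    """Bank side: a response is only good for this account and this amount."""
    expected = token_response(key, "transfer", [dest_account, str(amount_cents)])
    return hmac.compare_digest(expected, response)


def phisher_replays_login(key):
    """A fake site harvests a genuine login challenge/response pair and tries
    to spend it as a transfer authorisation. Returns True if the bank accepts."""
    challenge = new_login_challenge()
    stolen = token_response(key, "login", [challenge])
    return verify_transfer(key, "12345678", 100000, stolen)  # attacker's account, constructed


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # provisioned into one token at issue time
    c = new_login_challenge()
    print("login challenge", c, "accepted:", verify_login(key, c, token_response(key, "login", [c])))
    r = token_response(key, "transfer", ["12345678", "100000"])
    print("transfer to 12345678 for 100000:", verify_transfer(key, "12345678", 100000, r))
    print("same response, amount 900000:", verify_transfer(key, "12345678", 900000, r))
    print("replayed login response as transfer:", phisher_replays_login(key))
```

What this does not cover is the post's "duped more than once" residue: a phisher can still talk the user into keying a real destination account and amount into transfer mode under some pretext, which is why the device asks for those fields explicitly and why the user reading them is part of the protocol.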
  3. What the ... ? by khasim · · Score: 4, Insightful

    Organized online criminals could afford to buy .bank domains for $50,000.

    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Who determines what "misleading domain names" means?

    And we are talking about criminals making MILLIONS of dollars a year.

    Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.
    1. Re:What the ... ? by Colin+Smith · · Score: 1

      The $50,000 presumably isn't the only authentication mechanism. With a $50,000 registration fee it's possible to perform significant checks on the applicants.

      --
      Deleted
    2. Re:What the ... ? by Anonymous Coward · · Score: 0

      To get the domain you have to be a real bank in the US. Verifying such entities should be pretty simple. They are tightly regulated after all.

      A misleading domain name is one that is easy to mistake for another one, or doesn't reflect the name of the bank to which the domain is registered. Conventional trademark law will probably cover 90% of the issues here.

    3. Re:What the ... ? by vux984 · · Score: 1

      Spending $50K to make $5,000K is a GREAT deal.

      If that were true. Do you have any evidence to support the claim that one phishing site is likely to return 5000k?

      How long does the average phishing site stay active before people figure it out, and it gets shutdown?
      Phishers, from my understanding of it, plow through junk domains, I'm not even sure they go a full day before getting knocked offline, and probably only hours before they get added to the list of known phish sites and get blocked by 'anti-phish' software.

      If criminals have to set up 500 50k sites to make $5,000k, well... that's not going to make anybody rich. They simply aren't going to do it. Even if they can bribe people to get the domains they'll get blacklisted or delisted so quickly it just won't be worth the expense and hassle of setting them up.

    4. Re:What the ... ? by Anonymous Coward · · Score: 0

      When did insightful come to mean "lacking imagination"? For $50,000 a domain it should be very simple to exclude "misleading domain names" and to verify who is using the domain names.

      A criminal making $5000K a year who managed to game the system would have to keep their domain operational for 4 days just to make $5K profit excluding all other costs. If they are correct about how difficult it will be to register such a domain and how quickly a rogue one would be removed, the steep price tag basically guarantees the criminals will not even attempt it.

    5. Re:What the ... ? by Sven+Tuerpe · · Score: 1

      And we are talking about criminals making MILLIONS of dollars a year.

      They might stop immediately as they notice that selling .bank domains yields much higher profits.

      --
      http://erichsieht.wordpress.com/category/english/
    6. Re:What the ... ? by OdinOdin_ · · Score: 1

      Banks are a highly regulated industry.

      Each country's government would be able to draw up a list of valid banks within their country; the procedure for getting your application for a .bank verified as being legitimate would require a large amount of red tape with the financial services authority (FSA) or equivalent body within your territory being involved and appointed to vet the applications (who would be paid to vet applications and financially punished for allowing a bogus application through the checking process).

      Maybe each country should have a 2 letter country code like .uk.bank and .us.bank. to allow for name clashes.

  4. User's software... by iknownuttin · · Score: 1

    The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

    Ok, so he's counting on every browser publisher to put in software that will all work the same and flawlessly? And he's counting on everyone (banks, software vendors, etc...) to come together with a standard that all will accept to make things more secure? And of course, the bank will just do this to save themselves money.

    All of the losses that banks incur are just passed on to the consumer: the banks are not losing money. They really don't suffer any consequences that I've seen from these phishing problems. Or let me put it this way, exactly what will get the big mega banks on board for this? Because, if it were really a problem for them, they would have done something a long time ago. As it is, it's just a big pain in the ass for the victims and the victims only, banks just apologize "for the inconvenience" and move along - business as usual.

    --
    I prefer Flambe as apposed flamebait.
    1. Re:User's software... by zappepcs · · Score: 4, Insightful

      Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their host table?

      It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when in actuality it takes them to a fake site.

      There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.
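Added example, not from zappepcs's post: a hosts-file audit that looks for the exact tampering described above, a bank hostname pinned to an attacker's address so the browser never consults DNS and whatever vetting .bank provides is bypassed. It also catches the common companion trick of pointing localhost off-box. The file content is constructed, the bank names are the thread's hypothetical www.citi.bank and citi.bank, and the addresses are from documentation and private ranges.

```python
"""Added example (not from the thread): audit a hosts file for the kind of
entry zappepcs describes, a bank hostname pinned to an attacker's address so
the browser never asks DNS at all. SAMPLE below is constructed; the bank
names are the hypothetical ones used in the thread.
"""
import ipaddress
import sys

# Assumption: names the operator cares about; in practice the customer's
# banks plus anything under a protected TLD.
BANK_WATCHLIST = {"www.citi.bank", "citi.bank"}
PROTECTED_TLDS = {"bank"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, one per alias."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address; skip junk
        for name in fields[1:]:
            yield n, ip, name.lower().rstrip(".")


def audit_hosts(text, watchlist=BANK_WATCHLIST):
    """Return (line_no, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for n, ip, name in parse_hosts(text):
        tld = name.rsplit(".", 1)[-1]
        if name in watchlist or tld in PROTECTED_TLDS:
            findings.append((n, name, str(ip),
                             "bank hostname resolved locally; DNS and .bank vetting bypassed"))
        elif name in ("localhost", "localhost.localdomain") and not ip.is_loopback:
            findings.append((n, name, str(ip), "localhost pointed off-box"))
    return findings


# Constructed sample; 198.51.100.0/24 is a documentation range, 10.0.0.0/8 is private.
SAMPLE = """\
# constructed hosts file, not taken from any real machine
127.0.0.1      localhost
::1            localhost
198.51.100.7   www.citi.bank citi.bank   # planted by the hypothetical worm
10.0.0.5       localhost
"""

if __name__ == "__main__":
    # Pass a real path (e.g. /etc/hosts) as the first argument to audit it.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE
    for n, name, ip, reason in audit_hosts(text):
        print(f"line {n}: {name} -> {ip}: {reason}")
```

A clean hosts file has no bank names in it at all, which is what makes this check cheap. It is also worth keeping in mind that the redirect on its own does not hand the attacker a valid certificate for citi.bank, which is the point EvanED makes below; the worm has to go after the browser as well to hide that.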

    2. Re:User's software... by EvanED · · Score: 1

      Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their host table?

      There are two levels of answers:

      1.) They're aiming at protecting against phishing, not all malicious activity. I email you [not you specifically, generic you] something that says "ur account wi11 expir3 n 3 days" and you click on the link and enter your information into the page that loads. There isn't any room in there for me to remap your hosts file.

      2.) If I do have the access to remap your hosts file, there are easier ways to figure out what your password is than having it sent through my website. Like, install a keylogger and wait 'till you just go to your bank outright.

      3.) Combined with SSL certificates, the browser could positively identify that you are talking to the computer that is *actually* at citi.bank. This is already done somewhat with .com domains, but .bank you then get the added assurance (in theory) that citi.bank actually belongs to citibank.

    3. Re:User's software... by hkmwbz · · Score: 1

      Not every browser, just the major ones. And Apple, Opera, Mozilla and Microsoft are already talking together about anti-phishing measures.

      --
      Clever signature text goes here.
    4. Re:User's software... by Anonymous Coward · · Score: 0

      I doubt any bank's website would be hackable with keyloggers. For my banks, for the first one, all a keylogger would get is the status of my account, but the attacker wouldn't be able to make any transactions or even get detailed information. For the other he wouldn't even get in.

    5. Re:User's software... by Anonymous Coward · · Score: 0

      I doubt any bank's website would be hackable with keyloggers. For my banks, for the first one, all a keylogger would get is the status of my account, but the attacker wouldn't be able to make any transactions or even get detailed information. For the other he wouldn't even get in.

      If he has software running on your machine he's already in!

  5. V1@gr@ by Gary+W.+Longsine · · Score: 1

    "The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with."
    So, uh... build a white list of valid banks. How hard can that be? What are you going to do with that white list, eh? Block everything that isn't on it? This is clearly an idea they haven't thought through, and they felt a little defensive about it after the thrashing they received from Slashdot. Their defense could use help. Maybe a dose of V1@gr@?
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  6. Impossible. by khasim · · Score: 4, Insightful

    Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

    Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

    A far better solution would be to go for the simpler approach.

    For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

    There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

    And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

    "The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

    1. Re:Impossible. by mark-t · · Score: 2, Insightful

      But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).

    2. Re:Impossible. by pdbaby · · Score: 1

      For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

      What I've wanted for years is for my bank to let me specify this for my Mastercard or my debit card - you go out to dinner, pay with your card and the bank's system calls you and asks you to authorise the payment by pressing a key / entering a password or PIN on the phone. How difficult can that be to implement? How much basic fraud would it prevent?

      I wonder if it would reduce fraud enough that it's profitable for the bank to do it without charging the consumer for the privilege.

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
    3. Re:Impossible. by maxume · · Score: 1

      When fraud happens, the bank says 'Neener-neener' and makes the business eat the cost of the fraud. So they won't offer such a thing for free, without changing other stuff.

      --
      Nerd rage is the funniest rage.
    4. Re:Impossible. by Anonymous Coward · · Score: 0

      WTF? I don't have a phone. And I certainly don't want to be phoned. Most certainly not by a corporation I despise and only have out of necessity: a bank.

    5. Re:Impossible. by Anonymous Coward · · Score: 0

      300 million? - let's analyse that number. 300 million people do not have bank accounts. Even fewer than those who have bank accounts use online banking or even own computers. So your 300 million number is complete and absolute bunk.

      Another flawed part of your argument is the phone. Phones fail, phones' batteries get low, phones get lost, phones are expensive - honestly if I have to approve every transaction out of band you will guarantee that I will stop using the card. In addition - the real money is not charging my dinner to someone else's credit card - it's online transfers or buying a major ticket item that can be turned into cash (flat-screen TV).

    6. Re:Impossible. by grrrl · · Score: 1

      National Bank and Commonwealth Bank (and probably others) in Australia have an SMS feature where they SMS a code to your mobile and you have to enter that to authorise the transaction. It is voluntary (for me it's not worth the hassle) but it's a good option to have.

    7. Re:Impossible. by OdinOdin_ · · Score: 1

      LOL and just how many calls do you think you'd get to make for 300 million? How many transactions per year would be authorized in this way?

      I'm not knocking the process, that idea has been around for a while, that the bank account holder uses a separate channel to authorize each financial transaction than the channel the transaction was taken on. This can involve using the online banking itself to authorize, a land line or probably better a mobile/SMS/WAP service or a one-time usable authentication password/PIN.

      The operational costs for .bank would be far lower in the long run. The cost of educating for the most part is not that much, in bank leaflets, leaflets dropped into the postal statement, notice information during the login process, word of mouth. Sure it's possible to go to a marketing company and spend 300 million on it, but that's unnecessary.

      I'm pretty sure the bank doesn't actually lose any money through fraudulent transactions. The credit card industry is able to recover the money, interest and claim charge backs, and at the end of the day fraud actually makes money.

  7. Hmmm by Realistic_Dragon · · Score: 1

    Will they assign not.a.bank as a redirect to paypal.com?

    --
    Beep beep.
    1. Re:hmmm by yakumo.unr · · Score: 1

      ba.nk wouldn't fool browser security updates/certs designed to be damn sure the domain stops at blah.bank and not blah.bank.com or anything as TFA implies.

    2. Re:hmmm by Anonymous Coward · · Score: 0

      Too bad North Korea doesn't have ".nk", huh? They've got ".kp".

    3. Re:hmmm by Anonymous Coward · · Score: 0

      But it would fool users

      There are many people who will see what looks like ".bank" in their address bar and think "oh that's safe" even though their browser isn't telling them so... unless the browser were required to display "this is NOT a bank" on every other url, but that would get a bit silly.

  8. ...and if a trojan messes with hosts/LMHOSTS? by Penguinisto · · Score: 1

    It wouldn't take much to munge up the /etc/hosts or 'doze LMHOSTS file to make a certain ".bank" name redirect to whatever you want...

    While admittedly it would take a compromise of the user's computer to do it, it still points out the one big, fat inherent weakness of a new TLD: The fact that sites aren't specifically identified by DNS name per se, but by a translation mechanism that points to the real site identifier (IP).

    ('course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity... and where would that end?)

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:...and if a trojan messes with hosts/LMHOSTS? by Anonymous Coward · · Score: 0

      But that's always a risk regardless of TLD. It's not an argument against .bank since it doesn't detract from the benefits of it.

    2. Re:...and if a trojan messes with hosts/LMHOSTS? by EvanED · · Score: 2, Insightful

      course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.

      Or, you know, a check of the SSL certificate, which you'll need to do anyway.

    3. Re:...and if a trojan messes with hosts/LMHOSTS? by Anonymous Coward · · Score: 0

      What benefits? That users can be taught to trust .bank is the claimed 'benefit'.

    4. Re:...and if a trojan messes with hosts/LMHOSTS? by Anonymous Coward · · Score: 0

      > Or, you know, a check of the SSL certificate, which you'll need to do anyway.

      In which case .bank is a little pointless isn't it?

    5. Re:...and if a trojan messes with hosts/LMHOSTS? by EvanED · · Score: 1

      That depends how carefully you check. If you just look for a yellow bar, then no, it isn't pointless.

      If I'm a phisher, I can register phish.com, get an SSL cert for phish.com, and serve pages from phish.com and turn the address bar yellow.

      There are two parts to this authorization:
      1) Am I talking to www.whatever.bank
      2) Is www.whatever.bank my bank?

      SSL mostly solves the first problem, .bank solves the second.

  9. What about DNS poisoning? by CPE1704TKS · · Score: 1

    He didn't address that point. You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

    Even worse, hackers can start poisoning the hosts on individual machines, which makes it even worse. It's already at a known address: %SystemRoot%\system32\drivers\etc. Once they start adding their own entries into the hosts file for Windows users, they are fucked. It will be so easy to point them wherever the hackers want.

    His suggestion solves NOTHING. In fact, it is extremely shortsighted and amateurish for a so-called CTO of a security company, and makes me question how good his company is if the CTO can't even get this right.

    1. Re:What about DNS poisoning? by EvanED · · Score: 2, Insightful

      You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

      And then you go to that site... and the browser says "your SSL certificate's no good".

      You would also need to compromise one of the SSL certificate authorities.

    2. Re:What about DNS poisoning? by azrider · · Score: 1

      We seem to be missing one important part: Who gets the $50K for doing the certification, and how do we know we can trust them? Surely, F-Secure would love to be the one providing this necessary service (naturally, they would do this free since this is for the consumer

      --
      And ye shall know the truth, and the truth shall make you free.
      John 8:32 (King James Version)
    3. Re:What about DNS poisoning? by CPE1704TKS · · Score: 1

      Wrong. How often do you actually check for https being used? When you go to gmail.com or yahoo.com, yes, it uses https to exchange login information, but the URL in the top bar is always http://./

      Thus, they don't even need to use an SSL cert they can just use regular http, and no one will ever tell the difference.

    4. Re:What about DNS poisoning? by EvanED · · Score: 1

      This isn't in the proposal, but you could require .bank domains to use https even if there isn't any sensitive data. (Or make it a standard for the browser to complain loudly if this convention isn't followed.)

      For a CS person I'm relatively lax about security stuff (I find the division between security and convenience closer to the convenience of other people), but I do glance for the yellow bar when I go to banking sites (or other places where I actually care about security).

    5. Re:What about DNS poisoning? by Anonymous Coward · · Score: 0

      You need to read how the internet works. If you get re-directed to a bogus site the cert fails (since this is still an https transaction).

  10. It doesn't matter. by khasim · · Score: 1

    Either very few will spend the money to get the domain name, in which case there won't be enough information out to know that .bank was 'safe' ... or was it .safe?

    Or lots of banks will spend the money and that will mean lots of different people will be performing the checks.

    Now, you DO realize that we are talking about "criminals", right? The people who already break the law. So things like bribery and extortion will not be forbidden.

    Just look at the drug trade.

  11. I'm suprised by yakumo.unr · · Score: 1

    I know it's traditional for slashdotters to NOT RTFA but I'm still surprised how negative people are being about this clearly without having bothered to.

    Name ONE genuinely negative aspect of this to the individual consumer.
    I can't think of one but I'm not so egotistical as to think there might not be one, but there are certainly lots of positive aspects.

    You won't be paying for this, the banks will, why do you care?

    As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help protect your, and other people's, money for god's sake, isn't that more important to you?

    Reductions in fraud on-line would also limit banks' excuses for high fees to counter their losses.

    And it's NOT just a very expensive TLD, it's one where the organisation in question would have to prove absolutely and legally that they are a fitting organization for the TLD, as TFA states as an example you just don't get fake .gov sites.
    If someone did somehow sneak through they would be shut down very quickly and easily, compared to constantly re-locating .com .org .net sites.

    1. Re:I'm suprised by denebian+devil · · Score: 4, Insightful

      I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

      Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

    2. Re:I'm suprised by Anonymous Coward · · Score: 0

      Agreed. And by the looks of it, there are a handful of users (*cough* khasim *cough*) here that seem to take this very personally. As though the .bank domain would somehow hurt them. I don't get it.

    3. Re:I'm suprised by Anonymous Coward · · Score: 0

      > Name ONE genuinely negative aspect of this to the individual consumer.

      The consumer would grow to implicitly trust the .bank TLD. This could result in them being less alert when subject to DNS poisoning.

      And so on...

      > TFA states as an example you just don't get fake .gov sites.

      echo "127.0.0.1 whitehouse.gov" >> /etc/hosts

      You and F-Secure are too stupid to have a valid opinion on security.

    4. Re:I'm suprised by Anonymous Coward · · Score: 0

      Sorry, those are not arguments against a special TLD.
      They are problems that exist now and a new TLD doesn't solve. But he explicitly says that he is not claiming a new TLD would solve all problems. Nothing solves all problems. That's not a reason against solving some of them.

      Learn some logic before accusing others of being stupid.

    5. Re:I'm suprised by Anonymous Coward · · Score: 0

      > Sorry, those are not arguments against a special TLD.

      No, they are arguments against abuse of the DNS.

      > They are problems that exist now and a new TLD doesn't solve

      Then what's the point? But no, users do not implicitly trust .com as they would .bank - that's the entire argument F-Secure are making.

      > Learn some logic before accusing others of being stupid.

      RTFA!

    6. Re:I'm suprised by Ilgaz · · Score: 1

      I have read/commented on the first story and after reading this one and the comments, I'd say everyone should check http://www.phishtank.com/ and enjoy that mess they are defending.

    7. Re:I'm suprised by Anonymous Coward · · Score: 0

      No one is defending phishing, they're just saying that due to the technical nature of DNS, the .bank TLD proposal is utter nonsense.

      The security of the .bank TLD that doesn't yet exist would rely solely on EV SSL certs that do. Quoting TFA:

      it would authenticate the domain as trusted by the name alone.

      ...and this is supposed to be a security company? Pffft!

    8. Re:I'm suprised by yakumo.unr · · Score: 1

      Oh come on now, if your local system's compromised you're totally screwed whatever.

      That's like arguing for not bothering with locks on vaults/tills because bank staff with enough security clearance could pocket wads of cash on the sly if they're careful enough anyway.

      Just because there are insurmountable flaws, doesn't mean you shouldn't do everything you possibly can to cover the others to help limit the damage as best you can.

    9. Re:I'm suprised by Anonymous Coward · · Score: 0

      It's not just the local system that can be subject to DNS poisoning - for example any network running DHCP is vulnerable. The required security comes from a certificate authority, the TLD adds nothing. If users can't even detect when they're not on a SSL site when we now have multiple visual indicators in the browser UI, what added security would a TLD add?

      F-Secure make entirely specious arguments to support their position.

    10. Re:I'm suprised by bitserf · · Score: 1

      Yeah, seriously. Most of these negative folks want the system to be foolproof even if your system is spyware-laden, has a keylogger installed, and compromised/patched files of everything important on the system.

      Newsflash: If the system is compromised, you have bigger problems. The flaws of .bank are orthogonal. Even if .bank didn't have problems at all in that case, you'd still be fucked.

      I don't see any alternatives being proposed. Guess our little misanthropes just wanted to bitch about something, not actually contribute to working towards improving things.

    11. Re:I'm suprised by Sven+Tuerpe · · Score: 1

      I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

      They are trying to be polite. For those who fail to understand the point, let me express it this way: The entire .bank proposal is utter bullshit. The real problem of phishing and related attacks (namely pharming and Trojans) is pretty simple: doing business over a compromised channel. We do have security mechanisms such as SSL that in theory protect the channel, but they fail as they ultimately rely on the user. And today we know that the average user is unable to reliably detect compromised channels even if provided with security indicators. So how exactly would a .bank TLD solve this problem or any part thereof?

      --
      http://erichsieht.wordpress.com/category/english/
    12. Re:I'm suprised by Sam+Ritchie · · Score: 1

      As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help protect your, and other peoples money...

      This annoyed me when I read TFA - you can't use the proliferation of similarly idiotic TLDs as a valid argument for another idiotic TLD. How does the fact that ICANN has caved to special interest groups in the past make an argument for better security?

      Name ONE genuinely negative aspect of this to the individual consumer.

      Probably the US-centrism. I'm struggling to find an aspect that couldn't be done better via an international body maintaining an anti-phishing whitelist of domains/IPs. I'm fairly sure suitable international banking associations already exist.

      --
      This sig is false.
    13. Re:I'm suprised by Anonymous Coward · · Score: 0

      Newsflash: You don't have a clue about DNS or network administration. Why not STFU and listen to what those who do are telling you about the pointless stupidity that is this .bank proposal.

  12. I should have gone with that one first. by khasim · · Score: 1

    Yes, look at the drug trade.

    Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

    Does ANYONE think that that would be a good idea? That it would reduce drug smuggling in any way?

    Or would you just laugh at the person naive enough to suggest it?

    1. Re:I should have gone with that one first. by setirw · · Score: 1

      Fallacious logic. The .bank registrar isn't performing a background check on the individual registering the domain. Instead, it's ensuring that the name being registered will actually represent a major financial institution. It's the same case with other "exclusive" domains: I don't think the .gov or .mil registrar performs a background check on the actual person registering the domain, but rather ensures that army.mil truly represents the United States Army.

      Granted, there are many more financial institutions than government agencies, but it's possible to ensure that every .bank domain registered actually represents its respective financial institution. The criminal deterrent isn't the $50,000, but rather the difficulty of proving that the domain represents what it claims to. I don't think the average phisher with $50,000 has any remote chance of convincing a discriminating registrar that he actually represents J.P. Morgan Chase. Returning to your analogy, it's a lot easier for a drug runner with $50,000 to falsify his own personal background than to convince DEA agents that he represents a pharmaceutical that transports painkillers, since the latter presumably requires statements from executives in the pharmaceutical stating that the transportation is legitimate.

      --
      This message printed on 100% post-consumer recycled electrons.
    2. Re:I should have gone with that one first. by EvanED · · Score: 1

      Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

      It's more that the seal was put on by a theoretically trusted party and is virtually tamperproof. So it's not so much trusting that the person who put it on is lying, it's trusting that they were already checked out before and haven't changed the contents of their van.

      And if the original party is *actually* trustworthy, then yes, I think it would be a decent idea.

    3. Re:I should have gone with that one first. by Colin+Smith · · Score: 1

      It's an entirely different situation, a domain would only work until they were reported, i.e. the first time someone was ripped off. Then the domain would have to close and the phishers would be out $50,000. They would have to be very sure of returning more than $50k which means most phishing would stop.

      --
      Deleted
    4. Re:I should have gone with that one first. by vux984 · · Score: 1

      Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

      Right, let's keep going with that, because your analogy is flawed, and this will fix it up:

      Now suppose that seal had a serial number as part of its design, and it was displayed prominently. (because each domain name is different)

      Next suppose that this seal was actually worn by the street pusher behind the 7-11 to avoid law enforcement harassment (you know the guys who deal directly with the general public - because that's who these phish sites deal with).

      Except he's not behind the 7-11 he's standing up front and center where EVERYONE can see him. (Phishers spam everybody not just suckers.)

      All it takes is one guy to report that he's a drug dealer. And now he's an easy target for the cops because he's got a big seal on his car, and they've already done a background check on him so they know where he lives, who he associates with, etc, etc.

      So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

    5. Re:I should have gone with that one first. by Sam+Ritchie · · Score: 1

      I can just see banks worldwide falling all over themselves to hand their online trustworthiness over to a US organisation that promises to delete their domain the first time someone complains about it (or gets a court order requiring its deletion, or the US government decides that country doesn't deserve to bank online any more, etc).

      --
      This sig is false.
  13. What about DNS hijacking? by 9gezegen · · Score: 2, Interesting

    I don't understand the purpose of having $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork but it will protect the small banks from expensive registration.

    As the article mentioned this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking at asked for a national ID number even though the bank officially announced that they would never ask for that information at their website. He further told me that the webpage looked a little different on his computer compared to his friend's PowerMac. I was skeptical since I thought if you type a name, you should get the correct IP of the bank. Note that I don't use Windows but I'm an expert on Linux. So for me, DNS hijacking meant that the DNS server the computer was talking to was giving the wrong IP. Anyway, I checked the IP of the bank on his computer and did a reverse IP lookup on the web. The first red flag was that the IP was mapped to a dynamic name; furthermore the IP was different when I looked at it on the PowerMac. Luckily for him, Spyware Doctor was on the computer, so with little hope I ran it. It gave warnings on some entries in the hosts file. Apparently Windows also has some kind of /etc/hosts file. The attacker (probably using some Windows vulnerability) successfully added 20-30 bank names to the hosts file, all of which mapped to his machine. On his machine, he probably has copies of the entrance pages for each bank. Anyway, this kind of attack (which I understand is very common) will not be solved with TLD .bank.

    1. Re:What about DNS hijacking? by someone300 · · Score: 1

      These seem to be the main issues here: Banks and other forms of attack such as DNS hijacking.

      F-Secure's comment on this not being an issue for small banks/credit unions doesn't make sense. I assume that if this .bank domain was approved, there'd be a mass marketing push for "Only use .bank addresses for online banking", and quite obviously this is going to make people wary of small banks and credit unions who are forced to do ebanking with .com addresses, and consequently make people less likely to use them. As you stated, this $50k registration seems to be pointless. The fact that small banks aren't losing money from phishing isn't the issue here, and then consider that a phisher isn't going to go through the trouble of setting up a fake .bank URL, they're going to look for the weaker targets, i.e. the banks still needing to use .com addresses.

      Man in the middle attacks and DNS hijacks are still quite possible, at least until DNS is implemented securely, that is. As soon as these .bank domains are hijacked (there are plenty of ISP DNS servers vulnerable to poisoning still...), either the public will lose any added trust they had in these domains, or they're going to negatively impact security by giving a false sense of security. People will *still* need to look at security certificates for assurance of identity and that encryption is being used.

      Obviously there needs to be some form of solution... they could implement an extension to security certificates that allows the certificate to be flagged as safe for financial transactions; with cooperation with web browsers, there could be some way of displaying this information to the user and possibly warning them if it detects them entering credit card data into a non-finance website. Maybe more effort just needs to be put into making people look for the padlock. That and DNS spoofing and Secure DNS needs more work...

      Also, in my opinion, two stage logins and showing the user a personalised picture/theme or something that a phisher couldn't show them is a good idea.

    2. Re:What about DNS hijacking? by DaleGlass · · Score: 1

      My guess is that the $50K would be because running a TLD takes resources, and since .bank would be a very exclusive one, the cash to run it would have to come out of somewhere. If it cost $10 a year then the cash for funding it would have to come from somewhere else, but the $50K are probably enough to cover the infrastructure and personnel.

  14. hmmm by joe+155 · · Score: 1

    I see big business for North Korea selling the domain name "ba.nk".

    This in no way will "fix" the problem. It would however make sure that smaller banks can't get a look in which will help to enforce the monopoly of the large ones... and make a fuck of a lot of money for the people who get to pocket that 50k.

    What would be a far better resource would be a firefox plug-in which highlights the part of the name which is the website, so "itsyourbank.obviouslyphishing.co.uk" would highlight the relevant part for figuring out what the actual domain name is that is registered. I've heard someone mention this before but not really seen anything about it

    --
    *''I can't believe it's not a hyperlink.''
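
The "highlight the registered part of the name" plug-in idea above, as an added example that is not code from the thread or from any browser vendor. It isolates the registrable domain (public suffix plus one label) so that a lookalike such as chase.bank.omgphished.com is shown as a .com site; the public-suffix table is a small constructed subset of the real Public Suffix List.

```javascript
// Added example, not from the Slashdot thread: split a hostname the way a
// "which part is the registered domain?" plug-in would. The suffix table is
// a constructed subset; a real extension would load the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set([
  'com', 'net', 'org', 'gov', 'mil', 'bank',
  'uk', 'co.uk', 'org.uk', 'ac.uk',
  'au', 'com.au',
]);

// Accept a bare hostname or a full URL; normalise case and a trailing dot.
function hostnameOf(input) {
  const host = input.includes('://') ? new URL(input).hostname : input;
  return host.toLowerCase().replace(/\.$/, '');
}

// Split a hostname into subdomain / registrable domain / public suffix.
// The registrable domain is the longest matching public suffix plus one
// more label: that label is the only part a registrar actually handed out.
function splitHostname(input) {
  const labels = hostnameOf(input).split('.');
  if (labels.length < 2 || labels.some((l) => l === '')) {
    throw new Error(`not a fully qualified hostname: ${input}`);
  }
  let suffixLen = 1; // an unknown suffix defaults to the last label
  for (let n = labels.length - 1; n >= 1; n--) {
    if (PUBLIC_SUFFIXES.has(labels.slice(-n).join('.'))) {
      suffixLen = n;
      break;
    }
  }
  const cut = labels.length - suffixLen - 1;
  return {
    subdomain: labels.slice(0, cut).join('.'),
    registrable: labels.slice(cut).join('.'),
    suffix: labels.slice(-suffixLen).join('.'),
    // Only the last label decides the TLD: "chase.bank.omgphished.com" is .com.
    isDotBank: labels[labels.length - 1] === 'bank',
  };
}

// Render the address the way the plug-in would show it: the registrable
// domain is bracketed; everything to its left is a subdomain the registrant
// chose and can make look like anything.
function highlight(input) {
  const { subdomain, registrable } = splitHostname(input);
  return (subdomain ? subdomain + '.' : '') + '[' + registrable + ']';
}

// Walk the addresses discussed in the thread (constructed inputs).
function demo() {
  return [
    'itsyourbank.obviouslyphishing.co.uk',
    'https://chase.bank.omgphished.com/login',
    'www.citi.bank',
    'ba.nk',
  ].map((h) => ({ input: h, shown: highlight(h), isDotBank: splitHostname(h).isDotBank }));
}
```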
  15. Straw men by tverbeek · · Score: 1

    You can usually gauge the strength of someone's position in a debate by how quickly they bring out the strawmen to knock down. The first two items in their "rebuttal" ("New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering." and "But .com works just fine!") are pretty transparent misrepresentations/exaggerations of the arguments made against their proposal.

    --
    http://alternatives.rzero.com/
    1. Re:Straw men by Anonymous Coward · · Score: 0

      I find their suggestion very good, if not for the ultimate word in getting rid of phishing, but for perhaps other things.

      They aim to:
          - make the TLD more exclusive (higher costs, "closed group" so to speak), and
          - make the TLD more accountable by demanding rigorous proof of identity of registrar

      This would create a TLD where someone claiming to be the person/organisation X would indeed be such, or otherwise the TLD would not be registered to them in the first place.

      I don't see why this is such a bad thing.

      As for you, why didn't you list the actual points made against the proposal which they failed to address? A simplification or label to replace many pages full of text is not really a straw man.

    2. Re:Straw men by tverbeek · · Score: 1

      A simplification or label to replace many pages full of text is not really a straw man.

      It is when you phrase it to make the opposing viewpoint sound particularly idiotic.

      --
      http://alternatives.rzero.com/
  16. What are the consequences when a bad guy gets in? by CTho9305 · · Score: 2, Interesting

    What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?

  17. Once you crack the workstation, it's over. by khasim · · Score: 2, Interesting

    Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

    That's why you need a SECOND CHANNEL to confirm the transaction.

    Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

    This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

    And the bank could quickly build up a list of known fraudulent addresses.

    1. Re:Once you crack the workstation, it's over. by jonwil · · Score: 1

      The best idea I have seen is the idea of a little calculator type device that you plug the transaction details (amount and account number) into and get a hash back that you feed to the bank. That way, unless the hacker is able to steal the number inside the little calculator, they can't steal any money. Solves phishing, hosts file attacks, trojan horses, keyloggers and rootkits.
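      What the "little calculator" amounts to is a transaction authentication code: a short MAC computed offline over the fields the user keyed in, which the bank recomputes over the transaction it actually received. The block below is an added example of that check, not code from the post or from any bank's device. It assumes a symmetric secret provisioned into the device and known to the bank (DEVICE_SECRET, a made-up value), a bank-issued challenge typed into the device so each code is single-use, and an HOTP-style truncation to eight digits so the code is short enough to read off a display; the demo shows a honest transfer verifying and a man-in-the-browser rewrite of the payee failing.

```python
import hmac
import hashlib
import secrets

# Hypothetical shared secret provisioned into the customer's device and held by
# the bank (an assumption of this example; real devices have their own key
# management, and the value here is made up).
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def canonical_message(amount_cents: int, account: str, challenge: str) -> bytes:
    """Fixed encoding of the fields the user keys into the device.

    Each field is length-prefixed so "amount=1|account=23" and
    "amount=12|account=3" cannot collide; spaces in the account are dropped
    because users type them inconsistently.
    """
    parts = [str(amount_cents), account.replace(" ", ""), challenge]
    return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


def device_code(secret: bytes, amount_cents: int, account: str,
                challenge: str, digits: int = 8) -> str:
    """What the offline device displays: a decimal truncation of an HMAC."""
    mac = hmac.new(secret, canonical_message(amount_cents, account, challenge),
                   hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): 31 bits taken at an
    # offset chosen by the last nibble, reduced to the wanted digit count.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def bank_issue_challenge() -> str:
    """Nonce the bank shows next to the pending transaction; the user types it into the device."""
    return secrets.token_hex(4)


def bank_verify(secret: bytes, amount_cents: int, account: str,
                challenge: str, code: str) -> bool:
    """Recompute the code over the transaction the bank actually received.

    A trojan that rewrites the payee or the amount in the browser changes the
    message the bank hashes, so the code the user read off the device (which
    covers what the user typed in) no longer matches.
    """
    expected = device_code(secret, amount_cents, account, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    """(honest transfer verifies, tampered payee verifies) -> (True, False)."""
    challenge = "a1b2c3d4"  # fixed here so the example is deterministic
    code = device_code(DEVICE_SECRET, 50_000, "12 345 678", challenge)
    honest = bank_verify(DEVICE_SECRET, 50_000, "12345678", challenge, code)
    # Malware swaps the payee after the user has computed the code.
    tampered = bank_verify(DEVICE_SECRET, 50_000, "99999999", challenge, code)
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

      The point the post makes survives the truncation: the attacker on the workstation sees the code but cannot produce one for a different payee without the secret inside the device, and the challenge stops a captured code from being replayed later.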

    2. Re:Once you crack the workstation, it's over. by finkployd · · Score: 1

      Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

      Making online banking useless unless you are at home.

      Not to mention, every banking website I have ever used allows you to change your phone number there.

  18. And...? by sid0 · · Score: 1

    This risk is still there with current domains. In fact, it should be easier with the .bank TLD -- just make sure that there are *no* .bank entries in the hosts file.

    As TFA has stated, this is not a silver bullet. It won't magically solve all the problems with phishing. However, this, along with user education, can ameliorate the situation. For example, a newbie can be told to make sure that the word "bank" appears before the first slash, and so on. Not perfect, but definitely better than the current system.

    Count me in as a supporter.
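    The "no .bank entries in the hosts file" rule is easy to turn into a check. Below is an added example of that check, not code from the post: it parses a constructed hosts file (the sample lines are made up, including the two planted overrides) and reports any entry that pins a name under a watched suffix, or a watched bank domain, to an address. Such an entry has no reason to exist except to override DNS.

```python
import ipaddress
import re

# Constructed sample of a hosts file with two planted overrides; not taken
# from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver  fileserver.corp.example
203.0.113.77    www.examplebank.bank
203.0.113.77    online.examplebank.com   # added by "security update"
"""

# A hosts entry is "<ip> <name> [<name>...]" with an optional "# comment".
_LINE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>.*)$")


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address: skip rather than guess
        for name in m.group("names").split():
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def suspicious_entries(text: str, watch_suffixes=(".bank",), watch_domains=()) -> list:
    """Flag hosts entries for names under a watched suffix or a watched domain.

    watch_suffixes covers the post's rule (any .bank name at all);
    watch_domains lets a bank's existing .com names be watched the same way.
    """
    findings = []
    for ip, name in parse_hosts(text):
        hit_suffix = any(name.endswith(s) for s in watch_suffixes)
        hit_domain = any(name == d or name.endswith("." + d) for d in watch_domains)
        if hit_suffix or hit_domain:
            findings.append({"ip": str(ip), "name": name,
                             "reason": "watched suffix" if hit_suffix else "watched domain"})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS, watch_domains=("examplebank.com",)):
        print(f)
```

    Run against the sample, the check reports the two planted lines and nothing else. A trojan that hooks the browser instead of editing the hosts file will not show up here, which is the limit of this kind of check.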

  19. There are no rogue sites on .gov domain names by Chas · · Score: 1

    Uhm...

    Uhm...

    My lawyer says my comment is NO COMMENT.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:There are no rogue sites on .gov domain names by setirw · · Score: 2, Funny

      There are no rogue sites on .gov domain names

      I beg to differ.

      --
      This message printed on 100% post-consumer recycled electrons.
    2. Re:There are no rogue sites on .gov domain names by Tatsh · · Score: 1

      Ugh that site looks like crap on my Firefox. I love how people still do not understand developing to W3C standards (even the government workers).

    3. Re:There are no rogue sites on .gov domain names by TheRaven64 · · Score: 1
      Haha! You slahsdotted the White House!

      Watch out for homeland security...

      --
      I am TheRaven on Soylent News
    4. Re:There are no rogue sites on .gov domain names by serialdogma · · Score: 1

      It works alright for me in Seamonkey 1.1.1 on linux, maybe you have disabled something that messes it up. That being said the design is awful, though not quite as bad as http://www.parliament.uk/.

    5. Re:There are no rogue sites on .gov domain names by AlmostEarthling · · Score: 1

      Maybe not strictly rogue, but if you like you can find a distribution of Moria here instead.

      F.

  20. Think about that. by khasim · · Score: 1

    So your transaction isn't released until you get off the phone line and take the call from the bank.

    This is a good thing. The system fails in such a manner that your money STAYS with you.

    This gets to the concepts of not doing something if it cannot be secured and verified
    vs
    Making it as easy as possible for the customer even if it makes it easier for criminals to steal the customer's money.

    1. Re:Think about that. by TheRaven64 · · Score: 2, Insightful
      It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the bank (an expensive international call) and persuade them that it was her, and they shouldn't cancel the only way she had of accessing her main account for the next few months...

      The last but one time I visited the USA, I ordered some things from Amazon.com. If this plan had been implemented, I would have had to wait until I got home and then received the phone call. This would have been a bit late for me to receive the things sent to me in the USA...

      --
      I am TheRaven on Soylent News
    2. Re:Think about that. by drawfour · · Score: 1

      If you know you're going to be away from your registered phone number for a while, you can always pre-emptively call your bank/CC company and tell them. If such a verification program were in place, it should be easy to add things like this. Call from your registered phone to their number and give them a new number where you will be reachable, and for how long, where, etc...

      My CC company (Wells Fargo Mastercard) likes to call me when they see charges that are different from my usual purchasing pattern. They get confirmation on the last 5 or so charges to make sure they aren't fraudulent. I wonder what would happen if their fraud detection kicked in and I wasn't available at that phone number. I assume that after a few days of not validating the charges, they would deny future charges to that card. They do have an international collect number that I can call if my card gets denied and I'm overseas, and an 800 number for inside the US.

  21. The real solution... by Karganeth · · Score: 1

    The real solution is to simply test the user's ability to spot a phishing attack before letting them use an online bank. For example, the test might consist of questions asking "is this the official website or a fake one?" with images etc. If they fail the test, they are not allowed. They must pass the test (this means taking the test however many times) to be given the authorization to use the online bank. And voila, problem solved.

  22. One thing they don't address... by niceone · · Score: 2, Insightful

    ...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.

    1. Re:One thing they don't address... by AndrewM1 · · Score: 1

      It doesn't cost you the entire contents of your bank account if someone figures out your MySpace credentials.

      It's simply a matter of going after the most important phishing first... At least, it should be. Neopets, for example, actually gets you to enter your username, then displays a page with some information about your account on it. Only then can you enter your password, after you've confirmed you're talking to the real Neopets homepage. One seriously has to wonder what's up when Neopets has better phishing prevention than your average bank...

    2. Re:One thing they don't address... by Lord_Sintra · · Score: 1

      You'd be amazed at the number of people who use the same email/password combination for stuff like that and their Paypal account....

    3. Re:One thing they don't address... by wellingtonsteve · · Score: 1

      HAHA You'd have to be really stupid to do that!!. Oh.. Wait a minute..

      /me changes Paypal password

  23. and while we are at it by crashelite · · Score: 1

    why don't we also have a .phishing domain so that way we could find out who is really stupid or not. come on, most people that read /. are smarter than the average internet user and also know how stupid people really are. the # of times i have seen a person using limewire or kazaa and complaining that their network is slow or they have viruses is beyond reason. so would creating a new top level domain REALLY work, would people still be idiots and go to bobsbank.com or bobsbank.bank and would they look and make sure that it is their banking site in the URL or would bobsbank.phishing show up and they would login like they would normally... and also where would this 50k go to? why not just make an agreement that if it is a fraudulent site it would just be shut down and no refund of your 50K... but if they are phishing bank sites would it really mean they are paying for it or would they use some customer whose account they stole to pay for it. oh well the keylogger on the computer will just send the information out sooner or later...

    --
    (yes i know i suck at spelling, feel free to correct my grammar and/or spelling, i don't care, i'm still not going to change
  24. What does this do to address URL display bugs? by SuperBanana · · Score: 2, Interesting

    Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

    If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

    Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

  25. Mikko Doesn't Really Answer the "Will it Work" by billstewart · · Score: 5, Insightful
    I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.


    You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
    like

    • http://real.bank@example.com/
    • real.bank.obfuscating-non-ASCII-characters
    • real.bank.3242134832143214.com
    • link text that doesn't match href like real.bank
    • links that display an image of "real.bank"
    • Javascript/ActiveX/Flash attacks that do pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
    And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)


    There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
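    Two comments above describe the same piece of machinery from different sides: the proposed plug-in that highlights the registered part of "itsyourbank.obviouslyphishing.co.uk", and this list of ways a link can say "real.bank" while going somewhere else. The block below is an added example that serves both; it is not code from either post, from F-Secure, or from any browser. It assumes a small stand-in for the Public Suffix List (PUBLIC_SUFFIXES, a hard-coded subset; a real tool loads the full list from publicsuffix.org) and a short list of brand words (BRAND_WORDS) to look for in the throwaway part of a hostname. registrable_domain is the part the plug-in would highlight; analyze_link takes the text a user sees and the href it actually carries and names the tricks from the list that apply: userinfo before @, non-ASCII or punycode labels, a bare IP, a brand word left of the registered domain, and anchor text naming a different domain than the href.

```python
import ipaddress
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: suffixes under which unrelated parties
# can register names. This subset is an assumption of the example.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "bank"}

# Words that, appearing left of the registered domain, suggest impersonation.
BRAND_WORDS = ("bank", "secure", "login")


def registrable_domain(host: str) -> str:
    """The part of a hostname someone actually registered: longest public suffix plus one label.

    itsyourbank.obviouslyphishing.co.uk -> obviouslyphishing.co.uk
    real.bank.example.com               -> example.com
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 is the longest candidate suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: best effort


def highlight(host: str) -> str:
    """What the proposed plug-in would render: the registered part in brackets."""
    reg = registrable_domain(host)
    return host[: len(host) - len(reg)] + "[" + reg + "]"


def _host_in_text(text: str) -> str:
    """Hostname named by link text, or '' if the text is not a URL or hostname."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlsplit(text if "://" in text else "//" + text).hostname or ""


def analyze_link(link_text: str, href: str) -> dict:
    """Where a link really goes, and which of the listed tricks it relies on."""
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    tricks = []
    if parts.username is not None:
        tricks.append("userinfo")  # http://real.bank@example.com/
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        tricks.append("idn")  # non-ASCII characters or punycode labels
    try:
        ipaddress.ip_address(host)
        reg = host  # an address has no registered name to judge
        tricks.append("ip-literal")
    except ValueError:
        reg = registrable_domain(host) if host else ""
    # Labels left of the registered domain are free for the registrant to invent.
    sub_labels = host.split(".")[: -len(reg.split("."))] if reg and "ip-literal" not in tricks else []
    if any(w in lbl for lbl in sub_labels for w in BRAND_WORDS):
        tricks.append("brand-in-subdomain")  # real.bank.example.com
    text_host = _host_in_text(link_text)
    if text_host and registrable_domain(text_host) != reg:
        tricks.append("text-href-mismatch")  # text says one domain, href another
    return {"host": host, "registrable": reg, "tricks": tricks}


if __name__ == "__main__":
    print(highlight("itsyourbank.obviouslyphishing.co.uk"))
    print(analyze_link("real.bank", "http://real.bank@example.com/"))
    print(analyze_link("examplebank.bank", "http://real.bank.3242134832143214.com/login"))
```

    The output is only as good as the suffix list behind it, which is exactly why browsers ship the real Public Suffix List: with "bank" in that list, "real.bank.example.com" highlights as example.com, and a genuine examplebank.bank highlights whole. None of this helps with the social-engineering mail in the last paragraph, which names the real site and links to a fake one that the user then types in by hand.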
    1. Re:Mikko Doesn't Really Answer the "Will it Work" by hkmwbz · · Score: 1

      He does answer it, by pointing to browsers working with whitelists. This would of course require the cooperation of browser vendors, but they seem as eager as everyone else to combat phishing. Microsoft, Opera, Mozilla and Apple even sat down together to agree on how to do stuff.

      --
      Clever signature text goes here.
    2. Re:Mikko Doesn't Really Answer the "Will it Work" by Sven+Tuerpe · · Score: 1

      I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions.

      Of course it will work, if you take it for what it really is: a cleverly designed domain registrar business model. As a business model, it is surprisingly similar to how phishing works. Approach many for little money, break even on a very small number of respondents. At a price of ... how much? 50,000? per domain it is safe to assume that your first 5 vict^H^H^H^Hcustomers will cover all the operational cost you will ever have.

      --
      http://erichsieht.wordpress.com/category/english/
    3. Re:Mikko Doesn't Really Answer the "Will it Work" by jacksonj04 · · Score: 1

      The point isn't to make it expensive, it's to improve security. Financial institutions generally can do things like cough up $50,000, with a $5,000 per annum renewal charge, probably including an SSL cert. Petty phishing gangs can't, and even if they could then they would have to prove they were a registered financial institution.

      --
      How many people can read hex if only you and dead people can read hex?
    4. Re:Mikko Doesn't Really Answer the "Will it Work" by Sven+Tuerpe · · Score: 2, Insightful

      The point isn't to make it expensive, it's to improve security.

      To improve security, really? Unfortunately, a site having a .bank TLD does not convey any additional information to the user. Let's assume you are a bank customer and thus, a potential phishing victim. You will probably have at most a handful of banks that you do business with. All the addresses of all the online banking sites you ever interact with fit on a sticker that you can put below your screen. What exactly is the additional information you would get from all the addresses ending in .bank?

      --
      http://erichsieht.wordpress.com/category/english/
    5. Re:Mikko Doesn't Really Answer the "Will it Work" by billstewart · · Score: 2, Insightful
      Browsers with Whitelists? Nonsense - Mikko did wave his hand in that direction, but it's such a bogus concept that I'm surprised he even tried that. Blacklists, sure, you can do that, but the main point of a browser is to be able to look at anything on the Internet, so effectively *everything* is whitelisted unless it's blacklisted.


      I suppose you could build a separate browser that only looks at whitelisted sites and tell people to use it instead of their regular browser when they're doing banking - but if that became at all popular, phishers would start sending out their own special browsers or (more realistically, given the size) emails about the special browser-update download you need to install to use your bank safely, and they wouldn't even need to target it to a specific bank - they could send the mail "from" Microsoft or The Federal Banking Regulatory Agency or whatever, and gullible people would install it. That kind of attack does suffer from diminishing returns - the world will never run out of gullible people, but the gullible people can run out of money :-)

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    6. Re:Mikko Doesn't Really Answer the "Will it Work" by hkmwbz · · Score: 1

      No one said that you can't look at everything. The whitelist would be one which would let the browser verify on behalf of the user that the site is valid. The user could still browse sites not in the whitelist, but the browser wouldn't show those sites to be real bank sites.

      --
      Clever signature text goes here.
    7. Re:Mikko Doesn't Really Answer the "Will it Work" by jacksonj04 · · Score: 1

      Because a .bank domain *must* belong to a financial institution, and enables the browser to prompt the user about this. Eventually the user will know something is wrong when they *aren't* told that they're viewing a bank's site.

      --
      How many people can read hex if only you and dead people can read hex?
  26. Cutains !=cloak by Stumbles · · Score: 1

    Sounds like to me F-Secure wants to be the fox guarding the hen house. It also sounds like it is a half-assed solution. Why is it the proprietary world always chooses half-assed solutions? Oh wait, I know, so they can sell you some snake oil down the road.

    --
    My karma is not a Chameleon.
  27. Anybody can start a tax-haven bank by billstewart · · Score: 1
    There are a number of countries that have extensive private banking systems, generally connected with tax-haven free trade environments. You want to start a bank in the Caribbean? It'll cost you more than starting a corporation, and you might need a local partner to sponsor you, but that's well within the range of anybody who's willing to fork over $50K for a bank domain name.


    The harder part is getting a *useful* bank domain name - you're probably not going to get chase-manhattan-grand-cayman-branch.bank even if you can prove that you own the real Don Corleone Bank registered in Grand Cayman. (N.B. I don't remember if Grand Cayman lets you start banks easily, or only corporations these days - you can do your own research :-) But if you're creative, you'll find something.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  28. And you verify that ... how? by khasim · · Score: 1

    And if the original party is *actually* trustworthy, then yes, I think it would be a decent idea.

    Ah, but if the people putting the seals on the trucks were "*actually* trustworthy" then they would be "a decent idea" with regards to drug smuggling.

    Do you see the point?

    SOMEONE has to approve the seal. A person. And people can be bought. You will NOT know if that person was "*actually* trustworthy" or not.

    Particularly when that seal would mean that EVERYONE in the world KNEW that it was safe to use that site.
  29. .bullshit by Anonymous Coward · · Score: 2, Insightful

    I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.

    Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?

    F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.

  30. Re:More... by Opportunist · · Score: 1

    As soon as we get .loo I'm outta here!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  31. It would still be an invalid domain by Colin+Smith · · Score: 1

    DNS can be authenticated. Without a valid .bank domain certificate it isn't a valid domain and the browser would be correct to mention such. The only way to get a .bank certificate would be to have a real .bank domain.

    --
    Deleted
    1. Re:It would still be an invalid domain by Anonymous Coward · · Score: 0

      Or for the attacker to both poison DNS and install their own CA on the users machine. .bank provides zero tangible benefits over existing SSL certs.

  32. Re:More... by bvankuik · · Score: 0

    I am not afraid of those but what I don't get is: if .bank is created then why not .fiscal and .med(ical)? Are banks the most important thing in a man's life?

  33. Pfft. by way2trivial · · Score: 4, Insightful

    I'm sorry... how hard is it for me to write software that changes your DNS setting...

    now how safe is the .bank my DNS server sends you to.....

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:Pfft. by Anonymous Coward · · Score: 2, Insightful

      Okay, change my DNS settings then.

      Wait, you need to actually install that software on my computer? Then how is it different from any other piece of malware that could possibly be installed on my computer? If a computer isn't secure then you shouldn't be using it for online banking in the first place.

    2. Re:Pfft. by Anonymous Coward · · Score: 0

      No, you just need to attack the DNS cache of your ISP. Or how about a BGP attack to redirect everyone in a certain area? Given that it is possible to shut down (shatter) the internet using BGP attacks, why not use it for fraud instead?

    3. Re:Pfft. by OdinOdin_ · · Score: 1

      LOL there is already in existence a solution to this problem. Signed DNS as a prerequisite to using .bank participation could be made mandatory. Then all we need is checking in the client application (much like the forward DNS vs reverse DNS checks, and Certificate Revocation List checks that are made for SSL certificates by browsers independently of what the site claims).

      How hard would it be to write software that modifies a system DLL to pervert those checks, who knows as Microsoft, they are touting Vista as a secure system at this time!

  34. More TLDs are Just Fine by billstewart · · Score: 4, Insightful

    Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  35. If a Nigerian or Russian bank can get hold... by thewils · · Score: 1

    ...of one of these domain names, then it really isn't going to be secure now, is it?

    --
    Once I was a four stone apology. Now I am two separate gorillas.
    1. Re:If a Nigerian or Russian bank can get hold... by villoks · · Score: 1

      It really doesn't matter as long as the domain names are not confusable with the real bank names. Or would you enter your Citibank PIN code into a website whose address is www.royalscambankofnigeria.bank? In addition, with a 50k registration fee there's enough resources to make very extensive checks to root out the obvious misleading domains - right?

    2. Re:If a Nigerian or Russian bank can get hold... by Anonymous Coward · · Score: 0

      I think this would still be a problem if, as the article suggests, security software and browser toolbars put *.bank in a "white list". Then www.royalscambankofnigeria.bank (whose website has been designed to look like Citibank's) is whitelisted and your browser says it's been verified as a safe site.

  36. The Banks Don't Help Themselves by s7uar7 · · Score: 3, Interesting

    My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

    Is it any wonder people end up falling for phishing sites?

    1. Re:The Banks Don't Help Themselves by GigsVT · · Score: 2, Interesting

      Hah, even worse when companies farm out surveys to some random bulk mailing outfit, so you get an email that claims to be from the place that's actually from some bulk mailing service, sometimes even asking you to log in using your normal credentials on another site (less often with banks though).

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  37. Won't do jack by Opportunist · · Score: 2, Informative

    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The number of people actually naive enough to follow instructions in a fraud mail is in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  38. And how does that get round a domain cert? by Colin+Smith · · Score: 3, Informative

    It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

    --
    Deleted
    1. Re:And how does that get round a domain cert? by KillerCow · · Score: 1

      ...because the kind of people that this is proposed to protect always make sure that SSL is enabled.

  39. They missed the 2 biggest flaws... by KillerCow · · Score: 2, Interesting

    The "point-by-point" response did not address DNS poisoning or l/p obsfucation ( www.citi.bank/youraccount/index.html@fraud.org ).

    1. Re:They missed the 2 biggest flaws... by bluephone · · Score: 1

      user@domain.org doesn't work in IE anymore, and Firefox prompts you with a big honking warning.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  40. Fuck off by Anonymous Coward · · Score: 0

    There are many people here who understand that a new TLD solves nothing. Don't be suckered by the snake-oil seller, they probably have some proprietary DNS product in the pipeline to fix a problem that they first need to create. Nobody with a clue about security is buying their bullshit!

    Drop your veiled accusations and get a clue!

  41. Not Even News-Worthy by bigdavesmith · · Score: 1

    Ok, if this were aol.com I could see how this might be a legit news story, but come on. I like to think we're a step above that. Real geeks don't even bother with DNS, and us 66.35.250.150ers have better things to do than waste our time with a noob story like this.

  42. Re:More... by smallfries · · Score: 1

    Why would that be a bad thing?

    The whole point of a hierarchical naming scheme was to spread the load around and remove a centralised point from the network. At the moment 99% of websites are .com and the extension has become meaningless. If URLs were actually split into domains that made sense it would be easier for people to remember web addresses...

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  43. Yes. by khasim · · Score: 1

    So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

    Sure. Why not?

    Should it pose a problem, your criminal friends can spend their spare time reporting every other seal. The cops won't know the legitimate complaints from the fraudulent ones.

    And all you need is enough time to turn that $50K investment into $5,000K.

    This is not about establishing a permanent presence. This is about cashing out a LOT of money as QUICKLY as possible by exploiting the knowledge that since you have that seal, you are safe. You will be operating in BULK.

    Eventually it will be closed down. And you will already have used the profits to purchase another one.
    1. Re:Yes. by vux984 · · Score: 1

      Should it pose a problem, your criminal friends can spend their spare time reporting every other seal. The cops won't know the legitimate complaints from the fraudulent ones.

      In some cases yes. In most cases no.

      And all you need is enough time to turn that $50K investment into $5,000K.

      And you aren't going to get it.

      This is about cashing out a LOT of money as QUICKLY as possible by exploiting the knowledge that since you have that seal, you are safe. You will be operating in BULK.

      Precisely... each domain makes a small chunk of cash, if that. Each domain costs tens of thousands. "Operating in bulk" just magnifies your losses. Additionally, the application process is designed to be expensive, and thorough... it's not an online form at bulk-domains.com that you fill out anonymously. Operating in bulk will likely get you noticed. You can't just lose yourself amongst all the people buying up bulk ad landing domains and speculating on bulk domain blocks from dictionary words.

      A few hundred domains, maybe a couple thousand tops, will be legit. You can't hide several hundred disposable domains a day in an environment like that.

      Eventually it will be closed down. And you will already have used the profits to purchase another one.

      Not even close.

  44. Hijacking by Bellum+Aeternus · · Score: 0

    .bank TLD has some merit. Unlike a lot of current online systems, this one could be well funded enough to actually use humans to decide if an institution is worthy of obtaining a domain with the .bank TLD. Which is a very un-Google way of doing this, so it's probably not cool, but when you have human intervention and those humans are naturally skeptical because it's their job to be so, you tend to get pretty good security. However, some have pointed out that by infecting the hosts file, hijackers could get around the .bank TLD. Agreed. Why not lock .bank and a few other 'secure' TLDs down to a specific A-block of IPs controlled by some international oversight body (heck, could be American national, but why exclude everybody else?).

    Benefits: easy for neophytes to figure out, easy for machines to figure out, and difficult to falsify.

    --
    - I voted for Nintendo and against Bush
  45. Rehehehelly by Joebert · · Score: 1

    Today, anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?

    Why yes, yes we do, apparently, we also need a replacement for .com suitable to shop on as well.
    What are we supposed to do, go online to do our banking & that's it ?
    If the internet is soo insecure that banks can not do business, why should anyone do business online ?


    Security software and browser toolbars would essentially have a "white list" to work with.

    Along with malware writers.
    A defence that can be used against you is no defence at all.


    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Until Christmas comes along.


    We already have a TLD for airlines (try www.nw.aero) and museums (try the.british.museum). Isn't it a bit odd we don't have one for banks? Although they are the ones that get attacked all the time?

    That's a very good point.


    Would it work?
    Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.

    How can the answer be "yes", when there would "probably" be no rogue sites ?
    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  46. It increases costs by fmobus · · Score: 1

    As most companies end up buying .com, .org, .net, .biz, etc. just to keep their businesses safe against squatting, I can't see any good reason for multiple TLDs other than pouring more and more money into registrars' pockets. If you think the US situation is bad already, I should inform you my country (Brazil) has (hold your breath) 55 (last time I counted) distinct SLDs!

    The country that got it right in my book was Germany. There's only .de as TLD and it is enough.

    1. Re:It increases costs by fmobus · · Score: 1

      Oh, additional link. It shows the number of domains registered per second level domain.

    2. Re:It increases costs by Anonymous Coward · · Score: 0

      Actually, the more second-level (and top-level, for that matter) domains there are, the better.
      Once there are hundreds or thousands of top-level domains for all kinds of businesses, services, commodities etc., it will become very impractical to just register one's name in every possible domain. This will save everyone money, and will reduce confusion.

      As it is now, domains like .eu have been able to attract attention only because companies did not want to miss the boat and wanted to register their name, that they already had registered under one or more country tlds and .com, under .eu as well. That is utterly useless except for generating income for the registries.
      With enough domains, this will not be a problem anymore.

      I don't know why you refer to Germany. There are few countries (like Brazil and the UK) that have second-level domains, but the majority does not have them.
      E.g. here in .nl we had second-level domains for personal domain names, because top-level domains could only be registered by companies. However, it was a failure and they are deprecated.

  47. PGP... by Bert64 · · Score: 1

    I still wonder, why are the email messages from ebay/paypal/banks/etc not PGP signed?
    If these companies used trusted public keys, which you download from their website or receive when you sign up..
    Any phishing mail would be immediately visible as a scam, and easily deleted. Upstream filters could easily do this too.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
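
    The check this post asks for, as an added example that is neither the poster's code nor any bank's: Go's standard library has no OpenPGP, so a raw Ed25519 signature carried in a hypothetical X-Bank-Signature header stands in for the PGP signature. The bank's public key is assumed to be the one the customer downloaded at signup and pinned, and the messages are constructed. The filter accepts only mail whose body verifies under that key; a copy with the link rewritten, or with no signature at all, is rejected, which is exactly what lets an upstream filter drop phishing mail that claims to come from the bank.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical header carrying a detached base64 signature over the body.
const sigHeader = "X-Bank-Signature: "

// signMail prepends the signature header to a message; raw Ed25519 stands in
// for OpenPGP here, which Go's standard library does not provide.
func signMail(priv ed25519.PrivateKey, headers, body string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
	return sigHeader + sig + "\r\n" + headers + "\r\n\r\n" + body
}

// verifyMail is the upstream filter: true only if the body carries a valid
// signature under the pinned bank key; unsigned or altered mail is rejected.
func verifyMail(pub ed25519.PublicKey, raw string) bool {
	parts := strings.SplitN(raw, "\r\n\r\n", 2)
	if len(parts) != 2 {
		return false
	}
	headers, body := parts[0], parts[1]
	for _, h := range strings.Split(headers, "\r\n") {
		if !strings.HasPrefix(h, sigHeader) {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, sigHeader))
		if err != nil || len(sig) != ed25519.SignatureSize {
			return false
		}
		return ed25519.Verify(pub, []byte(body), sig)
	}
	return false // no signature header at all
}

// scenario runs three constructed cases against one pinned key: a genuine
// statement notice, the same notice with its link rewritten, and an unsigned
// copy. It returns the filter's verdict for each.
func scenario() (genuine, tampered, unsigned bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub = key fetched at signup
	if err != nil {
		panic(err)
	}
	headers := "From: alerts@examplebank.example\r\nSubject: Your statement is ready"
	body := "View it at https://examplebank.example/statements\r\n"
	signed := signMail(priv, headers, body)
	phish := strings.Replace(signed, "examplebank.example/statements",
		"examplebank.example.evil.example/login", 1)
	return verifyMail(pub, signed), verifyMail(pub, phish),
		verifyMail(pub, headers+"\r\n\r\n"+body)
}

func main() {
	g, t, u := scenario()
	fmt.Printf("genuine=%v tampered=%v unsigned=%v\n", g, t, u)
}
```

    Only the body is signed here; a production scheme would also bind the From and Subject headers into the signed data, otherwise a forwarded genuine body could be wrapped in forged headers.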
  48. Re:More... by Anonymous Coward · · Score: 0

    No, banks are not the most important things in life, but they are the most phished out.

  49. What's a bank? by Animats · · Score: 1

    Even in the financial services industry, there's disagreement over what a "bank" is. Consider

    • PayPal. Probably ought to be regulated as a bank, but is not.
    • Western Union, a regulated money transfer service.
    • ETrade. Etrade is a brokerage house, but owns a bank on the side. Both operate under the "etrade.com" domain.
    • Bank of America is a major bank which owns a brokerage house on the side, the reverse of ETrade.
    • L. F Rothschild. Once one of the old-line banking houses of Europe, after about three mergers and breakups, they do offer financial services to the public, but they're not regulated as a bank.
    • UBS Financial Services. In the US, they're a brokerage house, but in Switzerland, they're the Union Bank of Switzerland.
    • Provident Credit Union. A credit union performs the basic functions of a bank; it takes deposits and makes loans. But it's not a bank.
    • Provident Funding, which sells mortgages, but doesn't take deposits. They're the tenth biggest lender in the US, but not a bank.
    • Mellon Financial Corporation. They own banks, but are not, themselves, a bank.
    • Stanbic Bank of Nigeria. Are they real?

    OK, who gets to be in ".bank"?

    1. Re:What's a bank? by Arevazi · · Score: 1

      Paypal just got a banking licence in Luxembourg for its European operation (once you've got one licence in a member state, you can operate in all the countries of the European Union, through so-called "Freedom of Service" regulations).

    2. Re:What's a bank? by cdrguru · · Score: 1

      All of them, if they register and are found to be legitimate.

      If you have a business that has nothing to do with banking or money and want a .bank domain, you should be able to get one - if you register and pass their requirements. This is why the article makes specific reference to .bank not being the ideal TLD but just one possibility. The idea is that you have a TLD that means the business that registered it has passed a bunch of requirements for being legitimate. Something that your friendly bunch of dropouts in Russia couldn't manage whereas today they can indeed register a .com domain. And, because of lax registrars, they can register ebay-inc.com or bannkofamerica.com and try to fool people.

      Or perhaps you think registering bannkofamerica.com is a free speech right and anyone should be able to register it? And if the general public is too dumb to notice the difference they deserve to lose some money?

    3. Re:What's a bank? by jhol13 · · Score: 1

      I think the parent's point is that there cannot be universal rules for "passing their requirements".

      Unless, of course, "they" are not accountable (i.e. cannot be sued). Which, of course, just paves the way for bribery, mistreatment, injustice, nepotism, etc.

  50. The Real Reason F-Secure Is Pushing This by tqbf · · Score: 1

    Dave G. covered this on our blog last month. There's backstory to this.

    As Mikko acknowledges, the real purpose of ".bank" is not to make it easier for end-users to recognize fake sites. A new TLD does almost nothing to ameliorate that problem; end-users don't know what TLDs are, or what the slash character in a URL means. And before you yelp that end-users should learn that stuff, ask yourself: do you understand how the NANP phone number scheme works, or what the 3-digit exchange number in the middle of your phone number means? But you can use your phone just fine, can't you?

    The purpose of ".bank" is to make it easier for security software to patrol for fake bank sites. A great idea! Why didn't somebody think of it before? Because they did: most of the mainstream AV vendors will also sell you something that will spot fake bank sites. They do it by building and tracking whitelists of valid banking sites. If that sounds like a lot of work, it's because it is.

    F-Secure would like the rest of the world to do that work for them. If all the banks lived under ".bank", they could issue a ".bank-detector" plugin that would flag illicit bank sites. This may not be a horrible idea; open-source projects could do the same thing easily too. But, as everyone who tracks this stuff is pointing out, the banks aren't going to comply: they already process transactions using a myriad of random-sounding unidentifiable domain names, which drastically complicates whitelisting.

    1. Re:The Real Reason F-Secure Is Pushing This by Anonymous Coward · · Score: 0

      So the security vendors are going to hardcode IPs or hook the system resolver and implement a secondary secured lookup for .bank domains? Yeah perhaps some genius will patent it, or have they already?

      Nobody wants security vendors more involved in infrastructure, they profit from insecurity and that simply isn't appropriate.

  51. I like Citibank's idea by qazwart · · Score: 1

    Maybe it's Bank of America...

    Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate. They may be able to match the main webpage, but they won't be able to match the background and color since only the real website has this information.

    It's easy to train users: just tell them that all the bank's pages will display their background and color and no others. And it becomes obvious to the user if they visit a phishing site. It's not just a web address they may not notice, or a little icon on the status line, but the whole webpage looks completely different.

    That will probably work much better than any new domain name to stop phishing. I'm surprised more banks and other institutions don't do the same thing.

    1. Re:I like Citibank's idea by Sven+Tuerpe · · Score: 1

      Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate.

      It's pretty simple, actually. All the phishing site has to do is to fetch the color and picture from the real bank site, pretending to be the user.

      --
      http://erichsieht.wordpress.com/category/english/
    2. Re:I like Citibank's idea by jonwil · · Score: 1

      How is that solution resistant to man-in-the-middle attacks?
      Picture this:
      Phisher copies main page. Unsuspecting user logs into fake bank page. Fake bank page passes username and password on to real bank page. User is now on real bank site only fake bank page now has their username and password.

  52. how stupid are they? by Mycroft_514 · · Score: 1

    We still have 50 million or more computers out there running Win 98SE, and how many have not upgraded to IE7 yet? (Hell, I even still have a Win95 machine here! And a DOS 3.3 one, neither of which is used much, but there.)

    (I raise my hand for 4 computers for IE7 alone, as corporate has outlawed that yet on machines that connect to that network).

    Yet you expect all 300 million users out there to immediately update their browsers?

    Foolish foolish thinking on your part.

  53. barclays.bank.uk.reg by Garry+Anderson · · Score: 1

    Corrupt ICANN and the authorities have always known the answer for authenticating registered trademarks e.g. barclays.bank.uk.reg

    So user could enter this URL directly or barclays.co.uk could be redirected to this as certificate of authentication.

    Obviously, this would work for all other trademarks in other goods or service (called classification) e.g. apple.computer.us.reg

    Please visit http://wipo.org.uk/ - not connected with the crooks at UN's WIPO.org ;)

  54. URL standard by rserranop · · Score: 1

    I think that the people that created the URL were wrong, completely wrong, and that creates most of the problems of phishing. It's unnatural the way that you type your URL: thinking of the way a person looks at a URL, you see names separated by dots ".", so you think www is in altavista and it ends in com for no reason..... That's the first thing I thought when I wanted to browse the web the first time; then, after studying what DNS is etc., I realized that it was the opposite, so in com you have altavista, which has a www. And that's the education that we could give to people, or.... simply make it more natural, and put the name in a way that most people recognize immediately because it's natural to browse: com.google.www, in the same way as Book 3 Chapter 5 Paragraph 7...... ohhhh wait.... Americans invented the URL, they also write the date as Month Day Year... OK forget it, Americans will keep writing stupid conventions even when they cost them millions of dollars.... like the imperial system..... 1 mile equals 5280 feet.... anyway, keep talking.....

    1. Re:URL standard by Actually,+I+do+RTFA · · Score: 1

      Ironic that you would use date as an argument because the European version is Day-Month-Year, which follows the same specific to general path as URLs. In fact, this pattern is repeated quite often...

      • FirstName LastName (in Western Countries, at least)
      • Titles (Vice then President)
      • East Germany instead of Germany East

      I would go on, but my point is that both methods are used quite often. So it was an arbitrary choice. Someone apparently decided that Specific to General was for URLs.

      --
      Your ad here. Ask me how!
  55. .bank needs certification - SSL does it too by Anonymous Coward · · Score: 0

    "Security software and browser toolbars would essentially have a "white list" to work with."

    That's what SSL is meant for. .bank registrations would require some sort of standardized, official certification. The same applies to SSL certs... and there already *IS* some sort of a whitelist for them in IE and firefox.

  56. MOD PARENT UP by DarkJC · · Score: 1

    The GP isn't insightful, it's an obvious commentary that has nothing to do with the problem at hand. The parent is right, if your computer is already compromised you're well past the phishing stage.

    1. Re:MOD PARENT UP by Anonymous Coward · · Score: 0

      DNS is not secure, nobody has to attack your computer to compromise DNS, it's a simplification so that those without any real network knowledge get it.

      The security of .bank relies on SSL, that's the correct solution. Still, if your machine is compromised the attacker can install his own certificate authority. That's far more difficult than attacking a user's DNS.

  57. Only Big Banks are losing money? by eunos94 · · Score: 1

    Uh...they obviously aren't in the financial services industry. Phishing is happening at EVERY level of the spectrum. From the $50 million credit union, to the trillion dollar international conglomerate. They ALL face it. I can see a system of subsidizing for smaller organizations, but I'm just not buying that Citibank will pay to fund the domain of Iowa State Community Credit Union.

    1. Re:Only Big Banks are losing money? by Anonymous Coward · · Score: 0
  58. PayPal.bank? by Doc+Ruby · · Score: 1

    Is PayPal a "bank"? No, it's an unregulated global internet banking monopoly, but it's not a "bank" (or it would be regulated as one). Should it get a PayPal.bank domain for people to trust?

    What if it did? Should some competing Internet (or real world) payment system that's not regulated as a bank get a .bank domain? If it's not regulated as a bank, why should anyone trust it? Because it's got a .bank domain?

    This whole thing is stupid. Real banks are trusted because they are insured, by the FDIC, FSLIC and/or other (e.g. international) insurance that ensures your transactions won't get stolen. By outsiders or by the bank itself. What would really help would be if the global banking insurance industry certified banks, then signed their SSL security keys. Then browsers could indicate which signer has signed the HTML fragment, showing the insurer's logo.

    Anything else is just more voodoo economics. Which might work - until it doesn't, when it undermines the entire basis of the banking economy, for good and bad banks alike.

    --
    make install -not war

    1. Re:PayPal.bank? by adrianmonk · · Score: 1

      Hmm, I was going to say that you're right, because I recall having heard a news story where regulators stepped in several years ago and basically claimed that PayPal was too bank-like to get away with not calling itself a bank (and therefore not having to follow the rules that banks do).

      Then I just googled some, and it turns out that you're right.

    2. Re:PayPal.bank? by Sven+Tuerpe · · Score: 1

      Is PayPal a "bank"?

      Paypal is about to become one, at least in Europe:

      --
      http://erichsieht.wordpress.com/category/english/
  59. What's a bank? What's a legitimate business? by Animats · · Score: 1

    I posted "What's a bank?" previously, with some examples of ambiguous cases. If the criteria for some ".bank" domain are broadened to financial service businesses generally, it's even worse. That pulls in mortgage brokers, which range from major firms like Provident to the "Lenders compete from your business" spammer. Then there are the "offshore" operators, the "High Yield Investment Program" people, hedge funds of varying degrees of legitimacy, and armies of "affiliates" and "resellers". Expecting domain registrars, who have a terrible reputation as verification services, to sort this out is asking too much.

    We've been struggling with this issue for SiteTruth, where we try to rate businesses for "legitimacy". Simply trying to associate the name and address of a legitimate business with a web site is enough to filter out a huge number of marginal web businesses. But it's not a solid protection against more determined fraud operations. We check against third-party sources for identity verification, which helps. We give the highest rating only to sites for which we have some source of third-party confirmation (a valid SSL cert with a name and address, a BBBOnline seal, etc.)

    The Online Better Business Bureau is probably the best verification service right now. Their seal of approval actually means something. (But click on it to check that the BBB site says the seal is valid. We check that automatically with SiteTruth, and there are definitely sites out there using the BBBonline graphic that aren't entitled to do so.)

    The PhishTank people have a user-reported list of "phishing sites", but it's always behind. Worse, it's by URL, not domain, so sites that generate a new URL for each spam escape that check.

    There have been several previous attempts at "identify your business as legitimate by paying us money". This ".bank" scheme falls into that category. Before that, "High Assurance" certificates were touted as a similar scheme. There are several companies selling "seals of approval"; there's "ValidatedSite.com", the "International Bureau of Certified Website Merchants", "Guardian ECommerce", and the "International Chamber of E-Commerce". Most of the certificate authorities have some kind of seal program, too. This ".bank" thing is the same idea, at a higher price point.

  60. three negatives by Joseph_Daniel_Zukige · · Score: 1

    I can think of immediately, mentioned already, false security (but we have that anyway) and the problem of managing the domain (but without the domain, there is nothing to manage).

    Actually, as someone has pointed out about the hosts file, almost every negative mentioned is really the exposure of one way of managing the problem. Exposure of an API may or may not be a bad thing.

    The only real negative I can think of is that it makes it that much easier for governments to monitor financial activity on the net. I have to think about this a bit longer to see how much is lost on that front.

  61. not on a general purpose browser, not on MSWxxx by Joseph_Daniel_Zukige · · Score: 1

    I'm pretty sure the .bank tld would be an overall plus (for international banks), and .financial.us or .kin-yuu.jp and the like for local banks, but before we should start with that, we should start with some other essentials.

    One, banks have to quit letting people log in from general purpose browsers. Not MSIE, not Firefox, not Safari, not the standard Opera. Not even Lynx.

    Banks and other institutions performing financial transactions must start providing their own dedicated browsers. Look up the bank's current interest rate and operating hours on the web, sure, but use a different port and a custom browser that only connects to that bank's URL, never looks in the hosts file, and dials (well, e-mails) the cops if the certificate's wrong.

    Even your typical on-line store should have its catalog and even its grocery cart under, say, .com, but no way to pass a credit card number over http on port 80 with MSIE (et al.).

    Of course, to really get around key-logging trojans and the like, you should have a completely separate box to transmit the credit card number and such. Anyone want to front me some bread to develop an electronic wallet that plugs into ethernet?

    joudanzuki

  62. brainfart, not bank's url, bank's IP by Joseph_Daniel_Zukige · · Score: 1

    Forgot about that one. A dedicated browser really doesn't have to do dns lookup, and shouldn't.

    Not to save lookups, of course. Actually, there should probably be a double watchdog mechanism, where as many as three separate watchdog servers are monitoring the machines the users log into, and the dedicated browser would query the watchdogs concurrently with logging into the account server: exchange certificates, get a one-time pad token from the account server, confirm the token with the watchdog, or some such.

    joudanzuki

  63. the most fundamental issue is not addressed by drDugan · · Score: 1


    He did not address my concerns, posted here:
    http://it.slashdot.org/comments.pl?sid=233869&cid=19031685

    here they are again:

    So who gets to say what is a bank? Do I get to start a bank for my wooden nickel collection? What about the Albanians, or the Panamanians? What about Linden Labs, do they get to have a bank? What about a sperm bank? What about Liberty Dollars backed with Silver - do people who trade in them get to start a bank? Do the Americans, who basically control the Internet now get to say who can be a bank or not? Beyond the obvious, socially accepted, current definitions of a major "bank" you quickly fall into a grey quagmire of people fighting over what different people are allowed to do with a "bank", and what people are allowed to do in general with resources and money. That fight is not the place for TLDs.

    Top-level domains should either be very open (any 3 or 4 letter character might be nice), or they should be generic, as they are now. Tying a TLD to the function or responsibility of a domain that owns it will inevitably lead to systematic thought control.

    1. Re:the most fundamental issue is not addressed by vuffi_raa · · Score: 1

      I want sperm.bank and blood.bank

  64. idea still asinine; already a better solution by adrianmonk · · Score: 1

    This whole .bank idea is still asinine, and there's already a better solution.

    Abusing the DNS system to solve a specific non-technical problem is stupid. It's stupid because it's a piss-poor design from a technical perspective to solve an application-level problem by mucking with the very foundations of the Internet. It's stupid from a practical perspective because .bank doesn't cover credit unions, savings and loans, mortgage lenders, stock brokers, investment companies (a/k/a mutual funds), or insurance companies (through whom you can buy cash value insurance policies that earn interest). And, it's stupid from a functional perspective because it won't work (DNS spoofing, etc.).

    Now, here's something that will work and will provide the same benefits that this DNS stuff would, without the stupid $50,000 registration fee requirement: certificate signing authorities. SSL/TLS certificates are already signed by people with root certificates. The root certificates offer various levels of verification, but as of now, browser user interfaces just show whether a certificate is signed by an authority or not. However, there is no reason they must be limited in this way. The state agencies that are in charge of issuing licenses to banks (and credit unions, and so on) could also sign banks' SSL certificates. And someone else could sign the state agencies' SSL certificates to create an umbrella that all financial institutions can fall under. Then a browser can display an icon (maybe a green dollar sign) indicating "such and such organization vouches for the fact that this web page is in fact a bank", or some statement along those lines.

    This delivers everything that .bank is offering, and it doesn't require setting up a new registrar. Plus it's DNS-spoof-proof and more flexible. (I live in Texas, so if whatever department in the State of Texas that issues licenses wants to, they can say, "Hey, this is the web site of a company we've issued a license to.")
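
    The chain this post proposes, worked through as an added example (not the poster's code, and not any real CA or agency): a hypothetical umbrella root signs a hypothetical state licensing agency's CA certificate, which signs the bank's server certificate, and the browser-side check requires both that the chain lead back to the umbrella root and that the certificate's subject alternative name equal the host name the user typed. The second half is what answers the DNS-poisoning and hosts-file objections raised in comments 56.1 and 67: a phishing server reached through a spoofed lookup can only present a certificate that fails one of those two tests, as the self-signed imposter and the look-alike host name show. Host names and organisation names are constructed; everything uses Go's standard crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate: CAs get the cert-signing key usage, leaves get TLS server auth
// plus a SAN equal to cn; validity is one day around now.
func certTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with the parent's key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain issues the hypothetical umbrella root, a state licensing agency
// intermediate signed by it, and the bank's leaf signed by the agency.
func buildChain(host string) (root, agency, bank *x509.Certificate) {
	rootKey, agencyKey, bankKey := newKey(), newKey(), newKey()
	rootTmpl := certTemplate(1, "Financial Umbrella Root (hypothetical)", true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	agencyTmpl := certTemplate(2, "State Banking Licensing Agency (hypothetical)", true)
	agency = issue(agencyTmpl, root, &agencyKey.PublicKey, rootKey)
	bank = issue(certTemplate(3, host, false), agency, &bankKey.PublicKey, agencyKey)
	return root, agency, bank
}

// imposterCert: a self-signed certificate for the same host name, all that a
// server reached via a spoofed DNS answer or hosts-file entry can present.
func imposterCert(host string) *x509.Certificate {
	k := newKey()
	t := certTemplate(99, host, false)
	return issue(t, t, &k.PublicKey, k)
}

// isLicensedBank is the browser-side check before showing the "green dollar
// sign": the leaf must chain to the umbrella root through the agency AND its
// SAN must match the host the user typed.
func isLicensedBank(root, agency, leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(agency)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	const host = "examplebank.example"
	root, agency, bank := buildChain(host)
	fmt.Println("licensed bank:", isLicensedBank(root, agency, bank, host))
	fmt.Println("self-signed imposter:", isLicensedBank(root, agency, imposterCert(host), host))
	fmt.Println("look-alike host:", isLicensedBank(root, agency, bank, "examp1ebank.example"))
}
```

    The umbrella root is a separate trust anchor from the browser's ordinary CA bundle, so a certificate from a commercial CA still gets the normal padlock but not the "licensed bank" indicator; only a licensing agency the umbrella has signed can confer that.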

  65. but .. but ... I am using win98SE without IE7! by freaker_TuC · · Score: 1

    I am using Win98 without IE upgrade ... I'm using Firefox you insensitive clod!

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  66. The problem is OCPD by Moraelin · · Score: 2

    At the risk of sounding like a troll, one constant of the universe is that for _everything_ you'll get at least the following kinds of responses:

    1. things were working perfectly fine in the good old days, changing things and/or making me learn/do new stuff is _evil_. Someone ought to educate users instead, change the whole culture, whatever. (A.k.a., "back in my days we walked to school 2 miles through the snow, up hill both ways, and we _liked_ it" nostalgia.)

    2. It's a conspiracy and/or it will be bought and killed by the conspiracy (A.k.a., paranoia.)

    3. (If something physical needs to be built) Not in my back yard!!!

    4. Yeah, but it's not 100% perfect and foolproof, therefore it's 100% rubbish (A.k.a., Obsessive-Compulsive Personality Disorder.)

    I should qualify it though that being aware of the attacks still possible and planning around them is just the right state of mind for security. Yes, nothing is 100% perfect, so you still need to be on your toes. But claiming that something is useless crap because some convoluted scenario still isn't covered, well, that's already OCPD.

    But, anyway, seriously. You could come up with a cheap cure for cancer, and you'd get a bunch of responses along the lines of:

    1. "Things were perfectly fine in my days, we don't need no stinking cure for cancer. Just educate the lusers to stop smoking and eat their veggies, and everything will be just fine."

    2. "It's not a cure for cancer, it's a big pharma conspiracy to make you take those pills for some other nefarious purpose!" or "The big pharma conspiracy will kill it! They make their money by treating for years, not by curing! They'll never allow an actual cure!"

    3. "You're not building that factory in _my_ town! Why, my property value could go down if a factory is visible from the back yard!"

    4. "Yeah, but it only cures 95% of the kinds of cancer. Plus, it still doesn't cure diabetes, AIDS and the bird flu! Plus, what do you do if a user is dumb enough to not go to the doctor until they die, or to go to some witch-doctor instead? Therefore it's 100% crap, and we shouldn't waste our time with it."

    Number 4 just seems to be especially popular on Slashdot. What else is new?

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:The problem is OCPD by Anonymous Coward · · Score: 0

      Saying anybody who points out the complete lack of technical merit in the .bank proposal has OCPD is low. It's insulting to those speaking out and those who have to live with OCPD. Then you go on to completely mischaracterize the debate by deliberately using an emotionally charged analogy in cancer. Way to go dickhead!

      List any positives to this proposal that haven't already been negated by its opponents... whoops there are none!

    2. Re:The problem is OCPD by Moraelin · · Score: 1

      It's insulting to those speaking out and those who have to live with OCPD[...]Way to go dickhead!


      I'm sorry to rain on your parade, "dickhead", but OCPD _can_ be cured. It's not some genetic incurable condition, it's just a dysfunctional attitude and set of axioms to base one's judgment on. (Just as a reminder: OCPD is not OCD. OCD is lining up pencils as some compulsive ritual. OCPD is lining up pencils because it's the Right Thing, and everyone else is an idiot for settling for a less perfect solution.)

      And, at least in some cases, it's a fuck-up of education: idiot parents demanding that their kids do everything _perfectly_ and finding flaws in _everything_ raise idiot kids who just can't realize when a solution _is_ good enough.

      So if you "have to live with OCPD", then do us all a favour already and go join a fucking support group. We've all had it up to _here_ with idiots solving the wrong problem and being obnoxious about it, just because of their fucked-up ideals of perfection.

      Because, yes, invariably the "100% uncompromising solutions" that OCPD cases come up with are solving the wrong problem entirely. Real Life problems are usually not boolean yes/no problems with 1 variable, but min-max problems in a space of a dozen variables and two dozen constraints. In a real life problem you usually can't pick one variable, say, X, and max it to 100%, because that would cause the Y and Z variables to move out of the desired solution space.

      Enter OCPD "uncompromising" "perfectionists" coming up with a crap solution that maxes X to 100% and proclaims that Y and Z are idiocies that only clueless lusers would care about. In his mind that's the perfect solution because it maximizes the arbitrary criterion of perfection he chose, but for everyone else it's a crap solution or not a solution at all.

      So, again, for anyone "who have to live with OCPD": join a support group already. You're not the shining beacon of perfection in a flawed world, you're the guy with a personality disorder. That's it. You may have my compassion for whatever dysfunctional parents molded you that way, but if you choose to "live with OCPD", that's where my compassion ends. It _can_ be cured, and if you choose to annoy everyone around you instead of getting cured, that's already past compassion.

      --
      A polar bear is a cartesian bear after a coordinate transform.
  67. Point by Point... except the one he can't answer by Anonymous Coward · · Score: 0

    No mention of the points raised by many people about DNS poisoning... or even a simple hack of the hosts file.

    I'm all for protection of consumers but "false" protection is even worse. People using a site because the domain ends with .bank, thinking it is safe, will be in for a surprise. Place it into .bank and it will be easier for phishers to target, IMO.

    It seems ill thought out and they are now trying to rebut the criticism but fail to address most people's major concern.

    I would be more interested if they had mentioned anti-dns-spoof protection.

  68. How about... by taff^2 · · Score: 0
    --
    Karma: Bad. (As in Good?)