Slashdot Mirror

← Back to Stories (view on slashdot.org)

F-Secure Responds To Criticism of .bank

Posted by kdawson on from the no-silver-bullets dept.

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."

3 of 203 comments (clear)

  1. Re:Sooo.... by setirw · · Score: 5, Informative

    The plan is to create a very expensive TLD?

    Not only expensive, but also exclusive. As with suffixes like .gov, the difficultly of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

    The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

    --
    This message printed on 100% post-consumer recycled electrons.
  2. Won't do jack by Opportunist · · Score: 2, Informative

    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem are trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The amount of people actually naive enough to follow instructions on a fraud mail are in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. And how does that get round a domain cert? by Colin+Smith · · Score: 3, Informative

    It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

    --
    Deleted