F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."

I'm still not convinced

[j0nb0y]

Quite frankly, the only way to prevent phishing fraud is through user education.

If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

This just seems like it would be a big waste of money for all parties involved.

Re:I'm still not convinced

[allgood2]

OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to education them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones loosing money or big money' statement. If small banks and credit unions can't get access to the .bank domain, then as far as I can see, your just switching the scammers and phishers from targeting large banks to targeting small banks and credit union. It's a we don't care argument; which weakens the entire effort.

F-Secure mentions Finland, which has a very low rate of phishing due to the fact of its mail confirmations of address. My thoughts are if the .bank domain were to succeed it needs to include small banks and credit unions; which means there needs to be some sort of exception to the fees. Possible a $10,000 domain name purchased combined with physical proof credit union or small bank status, and a certain number of years in operation.

The proof of years in operation as an exchange for relief from cost; seems like a small trade-off for me. I would assume, most phishers' wouldn't be willing to wait 3-5 years and still fork out $10-$15,000 just to engage in a scam. Plus most newly established credit unions and banks fail or succeed (however marginally), within similar time frames of the average business (3-5yrs). Obviously, the verification process would be key, but this would allow small banks and credit unions the same level of security as large banks.

Re:I'm still not convinced

[mark-t]

It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them enough exposure to it, and when something bogus comes along, they should be able to see it for what it is because it won't match up.

What the ... ?

[khasim]

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

Who determines what "misleading domain names" means?

And we are talking about criminals making MILLIONS of dollars a year.

Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.

Impossible.

[khasim]

Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

A far better solution would be to go for the simpler approach.

For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

Re:Impossible.

[mark-t]

But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).

Re:User's software...

[zappepcs]

Exactly how does this protect a user if a worm maps www.citi.bank to and IP address for www.citi.bank.p0wned.com in their host table?

It gives the user false a sense of security thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when it actuality it takes them to a fake site.

There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.

Re:I'm suprised

[denebian+devil]

I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

Re:Sooo....

[hedwards]

Expensive isn't necessarily an issue. While 50k seems unreasonable to me. A fee high enough for them to really check and actually do the verification in person would potentially be within the costs of doing business for larger banks. The problem is with smaller banks trying to compete, especially credit unions.

The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help as well as the ability to keep people from randomly registering with a .bank TLD, but if the DNS servers aren't able to necessarily guarantee that the browser really is where it should be and that there hasn't been any injections going on, it is just an expensive yacht club type of amenity.

When some banks are rumored to not even have the login page secured, it seems odd to think that this kind of security would fix that. The banks I use could get some benefit out of it. But probably the best thing would be to remember that online fraud and phishing is a lesser cause of fraud than are fraudulent checks by third party scam artists.

One thing they don't address...

[niceone]

...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.

Mikko Doesn't Really Answer the "Will it Work"

[billstewart]

I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.

You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like

• http://real.bank@example.com/
• real.bank.obfuscating-non-ASCII-characters
• real.bank.3242134832143214.com
• link text that doesn't match href like real.bank
• links that display an image of "real.bank"
• Javascript/ActiveX/Flash attacks that does pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.

And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)

There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

Re:Mikko Doesn't Really Answer the "Will it Work"

[Sven+Tuerpe]

The point isn't to make it expensive, it's to improve security.

To improve security, really? Unfortunately, a site having a .bank TLD does not convey any additional information to the user. Let's assume you are a bank customer and thus, a potential phishing victim. You will probably have at most a handful of banks that you do business with. All the addresses of all the online banking sites you ever interact with fit on a sticker that you can put below your screen. What exactly is the additional information you would get from all the addresses ending in .bank?

Re:Mikko Doesn't Really Answer the "Will it Work"

[billstewart]

Browsers with Whitelists? Nonsense - Mikko did wave his hand in that direction, but it's such a bogus concept that I'm surprised he even tried that. Blacklists, sure, you can do that, but the main point of a browser is to be able to look at anything on the Internet, so effectively *everything* is whitelisted unless it's blacklisted.

I suppose you could build a separate browser that only looks at whitelisted sites and tell people to use it instead of their regular browser when they're doing banking - but if that became at all popular, phishers would start sending out their own special browsers or (more realistically, given the size) emails about the special browser-update download you need to install to use your bank safely, and they wouldn't even need to target it to a specific bank - they could send the mail "from" Microsoft or The Federal Banking Regulatory Agency or whatever, and gullible people would install it. That kind of attack does suffer from diminishing returns - the world will never run out of gullible people, but the gullible people can run out of money :-)

Re:...and if a trojan messes with hosts/LMHOSTS?

[EvanED]

course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.

Or, you know, a check of the SSL certificate, which you'll need to do anyway.

Re:Sooo....

[scribblej]

What about places that handle "money" and need to be secure but aren't banks?

Shopping carts, mall websites, payment gateways, -- anything with a payment form on the site... they are all attacked more than "banks" right now. It's easier to skim a lot of small insecure sites than hit one big well-protected one. I learned that from Neuromancer.

Re:What about DNS poisoning?

[EvanED]

You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

And then you go to that site... and the browser says "your SSL certificate's no good".

You would also need to compromise one of the SSL certificate authorities.

.bullshit

I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.

Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?

F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.

Pfft.

[way2trivial]

I'm sorry... how hard is it for me to write software that changes your DNS setting...

now how safe is the .bank my DNS server sends you to.....

Re:Pfft.

Okay, change my DNS settings then.

Wait, you need to actually install that software on my computer? Then how is it different from any other piece of malware that could possibly be installed on my computer? If a computer isn't secure then you shouldn't be using it for online banking in the first place.

More TLDs are Just Fine

[billstewart]

Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)

Re:Think about that.

[TheRaven64]

It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the bank (an expensive international call) and persuade them that it was her, and they shouldn't cancel the only way she had of accessing her main account for the next few months...

The last but one time I visited the USA, I ordered some things from Amazon.com. If this plan had been implemented, I would have had to wait until I got home and then received the phone call. This would have been a bit late for me to receive the things sent to me in the USA...

Re:Sooo....

[MrWarMage]

In case you have never done tech support over the phone, you should know that you've got a 50/50 chance of the user being able to locate the "Address Bar" no matter how clearly you explain its location. Lots of users simply clicky-clicky and just don't pay attention to the target at any point. Moreover, in all the flavors of windows of which I'm aware (which I'm afraid you must still consider as a viable design constraint), the Listbox control does not allow extended properties (color, bold, background) for only a portion of a text string (typically the Caption). Your options are color, font, B-I-U, and that's it.

Re:Sooo....

[leenks]

So the malware now targets the browser and changes the behavior for yourbank.com-html.129381E07271B84121G34121.omgpwn3 d.com.br so that it looks legitimate.

Education is the best line of defense against this type of attack. Too bad one of my credit cards (MNBA) insist on sending me HTML emails with "click here to service your account" to confuse matters (while my other banks tell me to never click a link in an email to do such a thing). The worst bit is they don't seem to care - when I questioned the practice 18 months ago I got nowhere :(