F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."

I'm still not convinced

[j0nb0y]

Quite frankly, the only way to prevent phishing fraud is through user education.

If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

This just seems like it would be a big waste of money for all parties involved.

What the ... ?

[khasim]

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

Who determines what "misleading domain names" means?

And we are talking about criminals making MILLIONS of dollars a year.

Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.

Impossible.

[khasim]

Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

A far better solution would be to go for the simpler approach.

For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

Re:User's software...

[zappepcs]

Exactly how does this protect a user if a worm maps www.citi.bank to and IP address for www.citi.bank.p0wned.com in their host table?

It gives the user false a sense of security thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when it actuality it takes them to a fake site.

There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.

Re:I'm suprised

[denebian+devil]

I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

Mikko Doesn't Really Answer the "Will it Work"

[billstewart]

I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.

You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like

• http://real.bank@example.com/
• real.bank.obfuscating-non-ASCII-characters
• real.bank.3242134832143214.com
• link text that doesn't match href like real.bank
• links that display an image of "real.bank"
• Javascript/ActiveX/Flash attacks that does pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.

And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)

There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

Pfft.

[way2trivial]

I'm sorry... how hard is it for me to write software that changes your DNS setting...

now how safe is the .bank my DNS server sends you to.....

More TLDs are Just Fine

[billstewart]

Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)