F-Secure Responds To Criticism of .bank
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
Quite frankly, the only way to prevent phishing fraud is through user education.
Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.
At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?
If you're going to spend money on fixing this problem, I think the best place to put it is in user education.
This just seems like it would be a big waste of money for all parties involved.
Who determines what "misleading domain names" means?
The plan is to create a very expensive TLD?
And we are talking about criminals making MILLIONS of dollars a year.
Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a
Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."
The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.
Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.
A far better solution would be to go for the simpler approach.
For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).
And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.
"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their hosts table?
It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted, when in actuality it takes them to a fake site.
There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.
I don't understand the purpose of having a $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork, but it will protect the small banks from expensive registration.
As the article mentioned, this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking at asked for his national ID number even though the bank had officially announced that they would never ask for that information at their website. He further told me that the webpage looked a little different on his computer compared to his friend's PowerMac. I was skeptical, since I thought if you type a name, you should get the correct IP of the bank. Note that I don't use Windows, but I'm an expert on Linux. So for me, DNS hijacking meant that the DNS server the computer was talking to was giving the wrong IP. Anyway, I checked the IP of the bank on his computer and did a reverse IP lookup on the web. The first red flag was that the IP mapped to a dynamic name; furthermore, the IP was different when I looked at it on the PowerMac. Luckily for him, Spyware Doctor was on the computer, so with little hope I ran it. It gave warnings on some entries in the hosts file. Apparently Windows also has some kind of /etc/hosts file. The attacker (probably using some Windows vulnerability) successfully added 20-30 bank names to the hosts file, all of which mapped to his machine. On his machine, he probably has copies of the entrance pages for each bank. Anyway, this kind of attack (which I understand is very common) will not be solved with the TLD .bank.
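The hosts-file hijack described in this post (and asked about in the www.citi.bank.p0wned.com post above) can be checked for mechanically. What follows is an added example written for this page, not code from any poster or from F-Secure: it parses hosts-file text (the same format Windows uses in C:\Windows\System32\drivers\etc\hosts and Unix in /etc/hosts), skips the legitimate loopback entries, and flags any public bank name pinned to a non-local address. The sample hosts content, the monitored domain list and the "known-good" addresses are constructed (RFC 5737 documentation ranges); a real check would take the known-good answers from a resolver on a clean machine, which is left out so the example runs offline.

```python
import ipaddress

# Names that legitimately live in every hosts file and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Comments start at '#', blank lines are skipped, and one address may
    carry several names on the same line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; a real tool would log the line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def hijacked_entries(text, monitored=(), expected=None):
    """Return (name, ip, reason) for entries that pin public names to non-local IPs.

    monitored: domain suffixes to care about (empty = every public name).
    expected:  {hostname: {known-good ip, ...}} from an out-of-band lookup,
               or None to skip the comparison."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        watched = any(name == d or name.endswith("." + d) for d in monitored)
        if monitored and not watched:
            continue
        reason = "public name pinned to %s" % ip
        if expected and name in expected and str(ip) not in expected[name]:
            reason += " (expected one of %s)" % ", ".join(sorted(expected[name]))
        findings.append((name, str(ip), reason))
    return findings


# Constructed sample, not a real capture. Addresses are RFC 5737 test ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.   <- typical header line, ignored
127.0.0.1       localhost
::1             localhost ip6-localhost
255.255.255.255 broadcasthost
# lines an attacker appended: two bank names, one attacker machine
203.0.113.7     www.citi.bank citi.bank
203.0.113.7     www.example-bank.com
"""

# Constructed "known-good" answer, as if taken from a resolver on a clean box.
EXPECTED = {"www.citi.bank": {"198.51.100.20"}}

if __name__ == "__main__":
    for name, ip, why in hijacked_entries(SAMPLE_HOSTS,
                                          monitored=("citi.bank", "example-bank.com"),
                                          expected=EXPECTED):
        print("%-24s %-14s %s" % (name, ip, why))
```

Only entries that are both non-local and (if a watch list is given) under a monitored domain are reported, so a developer's own `127.0.0.1 dev.local` stays quiet while `203.0.113.7 www.citi.bank` does not.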
What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?
Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.
That's why you need a SECOND CHANNEL to confirm the transaction.
Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.
This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.
And the bank could quickly build up a list of known fraudulent addresses.
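The second-channel scheme sketched in the two posts above (the phone call with press 1/2/3, plus the list of source addresses that accumulate fraud reports) can be modelled in a few lines. This is an added example for this page, not the posters' design or any bank's system; the phone line is an in-memory list of prompts, and the account identifiers, phone number and IP addresses are constructed. The detail worth seeing is that the read-back is built from what the server received, so it names the destination account the server saw. With that, a trojan that rewrites the destination in the browser is exposed when the customer hears an account they never entered; a prompt that reads back only the amount, as in the post, is exactly what would let the re-routing through.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Transfer:
    """A transfer as the bank's server received it (constructed fields)."""
    amount: int          # whole dollars
    to_account: str
    origin_ip: str
    state: str = "pending"


class Bank:
    def __init__(self):
        self.pending = {}   # challenge id -> Transfer
        self.bad_ips = {}   # origin ip -> number of 'press 3' reports
        self.calls = []     # (phone number dialled, challenge id, prompt spoken)

    def initiate(self, phone_on_file, amount, to_account, origin_ip):
        """Online channel: store the request exactly as received and dial the
        number ON FILE (not one supplied in the request) with those details."""
        cid = secrets.token_hex(4)
        self.pending[cid] = Transfer(amount, to_account, origin_ip)
        warning = ""
        if self.bad_ips.get(origin_ip):
            warning = ("The transaction for the amount $%d is originating from an address "
                       "with a history of reports of fraudulent behaviour. " % amount)
        prompt = warning + ("Press 1 to authorize the transaction of $%d to account %s, "
                            "press 2 to cancel or press 3 to report a fraudulent transaction."
                            % (amount, to_account))
        self.calls.append((phone_on_file, cid, prompt))
        return cid

    def keypress(self, cid, key):
        """Phone channel: the customer's answer. A challenge is single-use, and
        '3' adds the originating address to the fraud list."""
        t = self.pending[cid]
        if t.state != "pending":
            raise ValueError("challenge %s already answered" % cid)
        t.state = {"1": "authorized", "2": "cancelled", "3": "reported"}[key]
        if key == "3":
            self.bad_ips[t.origin_ip] = self.bad_ips.get(t.origin_ip, 0) + 1
        return t.state


def customer_answers(prompt, intended_amount, intended_account):
    """An attentive customer: press 1 only if the read-back matches what they typed."""
    if ("$%d to account %s" % (intended_amount, intended_account)) in prompt:
        return "1"
    return "3"


def demo():
    bank = Bank()
    phone = "+1-555-0100"                      # constructed number on file
    # Customer intends $500 to ACC-A; malware on the PC rewrites it to ACC-B
    # before the request leaves the browser. The server only ever sees ACC-B.
    cid = bank.initiate(phone, 500, "ACC-B", origin_ip="203.0.113.9")
    _, _, prompt = bank.calls[-1]
    first = bank.keypress(cid, customer_answers(prompt, 500, "ACC-A"))
    # The next request from the same source now carries the warning prefix.
    bank.initiate(phone, 20, "ACC-A", origin_ip="203.0.113.9")
    warned = bank.calls[-1][2].startswith("The transaction for the amount")
    # A clean request from elsewhere, read back correctly, goes through.
    cid2 = bank.initiate(phone, 20, "ACC-A", origin_ip="198.51.100.4")
    second = bank.keypress(cid2, customer_answers(bank.calls[-1][2], 20, "ACC-A"))
    return first, warned, second


if __name__ == "__main__":
    print(demo())   # ('reported', True, 'authorized')
```

The two properties doing the work are that the prompt is generated server-side from the stored transfer and that the number dialled comes from the account record, so nothing the compromised PC sends can change what the customer hears.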
But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier for users, or at least for some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.
I think .bank would add an extra layer of online banking security, and that's a big plus IMO.
I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."
Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?
Expensive isn't necessarily an issue. While 50k seems unreasonable to me, a fee high enough for them to really check and actually do the verification in person would potentially be within the costs of doing business for larger banks. The problem is with smaller banks trying to compete, especially credit unions.
The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help, as well as the ability to keep people from randomly registering with a .bank TLD, but if the DNS servers aren't able to guarantee that the browser really is where it should be and that there haven't been any injections going on, it is just an expensive yacht club type of amenity.
When some banks are rumored to not even have the login page secured, it seems odd to think that this kind of security would fix that. The banks I use could get some benefit out of it. But probably the best thing would be to remember that online fraud and phishing is a lesser cause of fraud than are fraudulent checks by third party scam artists.
...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.
There are no rogue sites on .gov domain names
I beg to differ.
Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.
If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.
Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")
You're right about the "real.bank.example.com" problem, and there are lots of other approaches, like:
- http://real.bank@example.com/
- real.bank.obfuscating-non-ASCII-characters
- real.bank.3242134832143214.com
- link text that doesn't match href like real.bank
- links that display an image of "real.bank"
- Javascript/ActiveX/Flash attacks that do pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)
There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"
Bill Stewart
Of course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.
Or, you know, a check of the SSL certificate, which you'll need to do anyway.
You can poison DNS servers so that it will set the .bank addresses to other DNS servers.
And then you go to that site... and the browser says "your SSL certificate's no good".
You would also need to compromise one of the SSL certificate authorities.
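What "your SSL certificate's no good" actually checks, as an added example for this page (not code from the poster): a toy certificate is reduced to its SAN dNSNames and its issuer, and the two tests a browser runs after DNS, or a poisoned hosts file, has sent it somewhere are (a) was the certificate issued by a CA in the trust store, and (b) does one of the names match the host the user typed, under the RFC 6125 wildcard rules. Host names and CA names are constructed. The scenarios cover the poisoned-DNS case from this thread and also show the one thing that does get through: a certificate for www.citi.bank issued by a CA the browser already trusts, which is the CA compromise the last line of the post refers to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 leaf: its SAN dNSNames and the CA that signed it.
    Signature checking itself is assumed done; only naming and trust are modelled."""
    san: tuple
    issuer: str


def name_matches(pattern, host):
    """RFC 6125 dNSName matching: case-insensitive exact match, or a '*' that is
    the whole leftmost label and stands for exactly one label. A wildcard
    directly under a TLD ('*.bank') is refused, as public CAs refuse to issue it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_tls(host, cert, trusted_issuers):
    """Return (ok, reason) the way a browser decides after connecting to
    whatever address name resolution handed it."""
    if cert.issuer not in trusted_issuers:
        return False, "issuer %r is not in the trust store" % cert.issuer
    if not any(name_matches(n, host) for n in cert.san):
        return False, "certificate names %s, not %s" % (", ".join(cert.san), host)
    return True, "ok"


def scenarios():
    """User typed www.citi.bank; each case is a different server the
    (possibly poisoned) resolver delivered the browser to. Constructed data."""
    trusted = {"Example Trusted CA"}
    typed = "www.citi.bank"
    return {
        # poisoned DNS -> attacker's own host, with a perfectly valid cert for it
        "attacker's own cert": check_tls(typed, Cert(("www.citi.bank.p0wned.example",),
                                                    "Example Trusted CA"), trusted),
        # attacker self-signs a cert that does carry the right name
        "self-signed for right name": check_tls(typed, Cert(("www.citi.bank",),
                                                            "Attacker CA"), trusted),
        # the real bank
        "legitimate": check_tls(typed, Cert(("citi.bank", "*.citi.bank"),
                                            "Example Trusted CA"), trusted),
        # what a compromised/mis-issuing trusted CA buys the attacker
        "mis-issued by trusted CA": check_tls(typed, Cert(("www.citi.bank",),
                                                          "Example Trusted CA"), trusted),
    }


if __name__ == "__main__":
    for label, (ok, why) in scenarios().items():
        print("%-28s %s  %s" % (label, "PASS" if ok else "FAIL", why))
```

The first two cases are what the posts above describe: redirecting the name is not enough, because the attacker cannot present a trusted certificate for the name the user typed. The last case is the residual risk, and it is independent of which TLD the bank sits under.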
I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.
Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?
F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.
I'm sorry... how hard is it for me to write software that changes your DNS setting... now how safe is the .bank my DNS server sends you to.....
Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)
Bill Stewart
The last but one time I visited the USA, I ordered some things from Amazon.com. If this plan had been implemented, I would have had to wait until I got home and then received the phone call. This would have been a bit late for me to receive the things sent to me in the USA...
My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.
Is it any wonder people end up falling for phishing sites?
"you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"
Nah, they use real .gov domains instead.
Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...
The very idea that security vendors would automatically trust anything just because it had a special domain or a special designation has me wondering how seriously they've tried to break their own idea.
Further, F-Secure validating all sites under a domain doesn't need a new TLD, they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').
Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.
I think I used the same subject line for the original suggestion, so I'll use it again: all the "explanations" and answers don't even touch the actual problem at hand.
The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The number of people actually naive enough to follow instructions in a fraud mail is in decline. Every bank I know already informs its customers at least 10 times, and every time they log in, that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.
It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.
The "point-by-point" response did not address DNS poisoning or l/p obfuscation ( www.citi.bank/youraccount/index.html@fraud.org ).
In case you have never done tech support over the phone, you should know that you've got a 50/50 chance of the user being able to locate the "Address Bar" no matter how clearly you explain its location. Lots of users simply clicky-clicky and just don't pay attention to the target at any point. Moreover, in all the flavors of windows of which I'm aware (which I'm afraid you must still consider as a viable design constraint), the Listbox control does not allow extended properties (color, bold, background) for only a portion of a text string (typically the Caption). Your options are color, font, B-I-U, and that's it.
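Bill Stewart's list of URL tricks above and the l/p obfuscation example in this post are all ways of making the string "bank" appear where a user looks while the browser connects somewhere else. The following added example (written for this page, not by any poster) does what a mail client or toolbar would have to do: resolve the host the browser will actually use with urllib.parse, which applies RFC 3986 (userinfo before '@' is discarded, the authority ends at the first '/'), and report every reason a link is not a plain .bank link. One caveat the code makes visible: with a '/' before the '@', as in www.citi.bank/youraccount/index.html@fraud.org, the '@' is already in the path and a compliant browser goes to www.citi.bank; the trick only works when the '@' precedes any slash, e.g. http://www.citi.bank:youraccount@fraud.org. Treating .bank as the vetted suffix, and every URL here, is an assumption for the example.

```python
import re
from urllib.parse import urlsplit

TRUSTED_TLD = "bank"   # assumption: the suffix the scheme would treat as vetted


def real_host(url):
    """Hostname the browser connects to for this link.

    urlsplit() applies RFC 3986: 'user:pass@' before the host is userinfo and is
    dropped, the authority ends at the first '/', '?' or '#'. The result is
    lower-cased with any trailing dot removed. A bare 'host/path' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def suspicious(url, link_text=None):
    """Return the reasons a link does not land on a plain <name>.bank host.
    An empty list means the href really goes to the .bank TLD."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = real_host(url)
    if not host:
        return ["no host in URL"]
    labels = host.split(".")
    tld = labels[-1]
    reasons = []
    if parts.username is not None:                       # http://real.bank@example.com/
        reasons.append("userinfo '%s@' hides the real host %s" % (parts.username, host))
    if not host.isascii():                               # homograph / IDN lookalike
        reasons.append("non-ASCII characters in host")
    if any(l.startswith("xn--") for l in labels):        # already punycoded IDN
        reasons.append("punycode label in host")
    if re.fullmatch(r"\d+|(\d{1,3}\.){3}\d{1,3}", host):  # http://3232235777/ etc.
        reasons.append("host is an IP literal, not a name")
    if tld != TRUSTED_TLD:
        if TRUSTED_TLD in labels[:-1]:                   # real.bank.3242134832143214.com
            reasons.append("'%s' is only a subdomain label; the registered domain is %s"
                           % (TRUSTED_TLD, ".".join(labels[-2:])))
        else:
            reasons.append("TLD is .%s, not .%s" % (tld, TRUSTED_TLD))
    if link_text:                                        # anchor text vs. href mismatch
        shown = real_host(link_text.strip())
        if "." in shown and shown != host:
            reasons.append("link text shows %s but href goes to %s" % (shown, host))
    return reasons


# Constructed links, covering the tricks listed in the thread.
SAMPLE_LINKS = [
    ("https://www.citi.bank/login", None),
    ("http://real.bank@example.com/", None),
    ("http://www.citi.bank:youraccount@fraud.org", None),
    ("http://www.citi.bank/youraccount/index.html@fraud.org", None),  # '@' in path
    ("http://real.bank.3242134832143214.com/", None),
    ("http://real.bank.\u0435xample.com/", None),                      # Cyrillic 'е'
    ("http://3232235777/", None),
    ("http://phisher.example/", "real.bank"),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        print(href, "->", real_host(href))
        for why in suspicious(href, text):
            print("    !", why)
```

The fourth sample is the one from this post: because the slash comes first, `real_host` returns www.citi.bank and the link is clean as far as the browser is concerned. Rendering anchor text as-is and showing `real_host(href)` on hover is the mail-client fix the earlier post asks for.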
So the malware now targets the browser and changes the behavior for yourbank.com-html.129381E07271B84121G34121.omgpwn3d.com.br so that it looks legitimate.
:(
Education is the best line of defense against this type of attack. Too bad one of my credit cards (MNBA) insists on sending me HTML emails with "click here to service your account" to confuse matters (while my other banks tell me to never click a link in an email to do such a thing). The worst bit is they don't seem to care - when I questioned the practice 18 months ago I got nowhere.
At the risk of sounding like a troll, one constant of the universe is that for _everything_ you'll get at least the following kinds of responses:
1. things were working perfectly fine in the good old days, changing things and/or making me learn/do new stuff is _evil_. Someone ought to educate users instead, change the whole culture, whatever. (A.k.a., "back in my days we walked to school 2 miles through the snow, up hill both ways, and we _liked_ it" nostalgia.)
2. It's a conspiracy and/or it will be bought and killed by the conspiracy (A.k.a., paranoia.)
3. (If something physical needs to be built) Not in my back yard!!!
4. Yeah, but it's not 100% perfect and foolproof, therefore it's 100% rubbish (A.k.a., Obsessive-Compulsive Personality Disorder.)
I should qualify it though that being aware of the attacks still possible and planning around them is just the right state of mind for security. Yes, nothing is 100% perfect, so you still need to be on your toes. But claiming that something is useless crap because some convoluted scenario still isn't covered, well, that's already OCPD.
But, anyway, seriously. You could come up with a cheap cure for cancer, and you'd get a bunch of responses along the lines of:
1. "Things were perfectly fine in my days, we don't need no stinking cure for cancer. Just educate the lusers to stop smoking and eat their veggies, and everything will be just fine."
2. "It's not a cure for cancer, it's a big pharma conspiracy to make you take those pills for some other nefarious purpose!" or "The big pharma conspiracy will kill it! They make their money by treating for years, not by curing! They'll never allow an actual cure!"
3. "You're not building that factory in _my_ town! Why, my property value could go down if a factory is visible from the back yard!"
4. "Yeah, but it only cures 95% of the kinds of cancer. Plus, it still doesn't cure diabetes, AIDS and the bird flu! Plus, what do you do if a user is dumb enough to not go to the doctor until they die, or to go to some witch-doctor instead? Therefore it's 100% crap, and we shouldn't waste our time with it."
Number 4 just seems to be especially popular on Slashdot. What else is new?