Slashdot Mirror
F-Secure Responds To Criticism of .bank
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
Quite frankly, the only way to prevent phishing fraud is through user education.
.bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.
.bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?
If you're going to spend money on fixing this problem, I think the best place to put it is in user education.
Suppose
At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive
This just seems like it would be a big waste of money for all parties involved.
If you had super powers, would you use them for good, or for awesome?
Who determines what "misleading domain names" means?
And we are talking about criminals making MILLIONS of dollars a year.
Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a
The plan is to create a very expensive TLD?
.gov, the difficultly of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."
.bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
Not only expensive, but also exclusive. As with suffixes like
The only problem I see with
This message printed on 100% post-consumer recycled electrons.
Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.
Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.
A far better solution would be to go for the simpler approach.
For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).
And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.
"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
Exactly how does this protect a user if a worm maps www.citi.bank to and IP address for www.citi.bank.p0wned.com in their host table?
It gives the user false a sense of security thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when it actuality it takes them to a fake site.
There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.
Support NYCountryLawyer RIAA vs People
Deleted
But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier to users, or at least to some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.
I think .bank would add an extra layer of online banking security, and that's a big plus IMO.
I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."
.bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?
Not every solution can solve every problem, but adding the
You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like
- http://real.bank@example.com/
- real.bank.obfuscating-non-ASCII-characters
- real.bank.3242134832143214.com
- link text that doesn't match href like real.bank
- links that display an image of "real.bank"
- Javascript/ActiveX/Flash attacks that does pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm sorry... how hard is it for me to write software that changes your DNS setting...
.bank my DNS server sends you to.....
now how safe is the
every day http://en.wikipedia.org/wiki/Special:Random
Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
My current account is with NatWest, website www.natwest.com, who's online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.
Is it any wonder people end up falling for phishing site?
"you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"
.gov domains instead.
.bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...
.bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').
Nah, they use real
Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would
The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.
Further, F-Secure validating all sites under a domain doesnt need a new TLD, they could just as well register
Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.
It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.
Deleted