

F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."


  1. I'm still not convinced by j0nb0y · Score: 4, Insightful

    Quite frankly, the only way to prevent phishing fraud is through user education.

    If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

    Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

    At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

    This just seems like it would be a big waste of money for all parties involved.

    --
    If you had super powers, would you use them for good, or for awesome?
  2. What the ... ? by khasim · Score: 4, Insightful

    Organized online criminals could afford to buy .bank domains for $50,000.

    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Who determines what "misleading domain names" means?

    And we are talking about criminals making MILLIONS of dollars a year.

    Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.
  3. Re:Sooo.... by setirw · Score: 5, Informative

    The plan is to create a very expensive TLD?

    Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

    The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

    --
    This message printed on 100% post-consumer recycled electrons.
  4. Impossible. by khasim · Score: 4, Insightful

    Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

    Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

    A far better solution would be to go for the simpler approach.

    For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

    There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

    And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

    "The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

  5. Re:User's software... by zappepcs · Score: 4, Insightful

    Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their host table?

    It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted, when in actuality it takes them to a fake site.

    There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.

  6. Re:I'm surprised by denebian+devil · Score: 4, Insightful

    I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

    Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

  7. Mikko Doesn't Really Answer the "Will it Work" by billstewart · Score: 5, Insightful

    I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.


    You're right about the "real.bank.example.com" problem, and there are lots of other approaches, like

    • http://real.bank@example.com/
    • real.bank.obfuscating-non-ASCII-characters
    • real.bank.3242134832143214.com
    • link text that doesn't match href like real.bank
    • links that display an image of "real.bank"
    • Javascript/ActiveX/Flash attacks that do pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
    And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)


    There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
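A defender-side classifier for the URL shapes listed in this comment (userinfo before an `@`, non-ASCII labels, "bank" buried as a subdomain label, link text that does not match the href) and for setirw's paypal.com.fakedomain.com pattern above, as an added example; it is not code from F-Secure or from any poster in this thread. It assumes a hypothetical .bank TLD and runs over constructed sample URLs; the point it makes is the one Bill raises: only the last label of the host tells you anything, and the browser, not the user, is the place to check it.

```python
"""Classify URLs by where a ".bank" label actually sits in them.

Added example for this thread, not code from F-Secure or any poster.
The .bank TLD is treated as hypothetical; every sample URL is constructed.
"""
from urllib.parse import urlsplit

# Only the final label of a hostname is a TLD; the same word anywhere else
# is just a subdomain the registrant chose.
TRUSTED_TLD = "bank"
# Labels that look like a TLD or a real brand's domain when placed inside
# the subdomain part (paypal.com.fakedomain.com, chase.bank.omgphished.com).
DECOY_LABELS = {"bank", "com", "net", "org"}


def classify(url: str) -> str:
    """Return a short tag saying whether the URL really lands under .bank.

    Tags: bank-tld, userinfo-decoy, non-ascii-label, subdomain-decoy, not-bank.
    """
    parts = urlsplit(url)
    # urlsplit strips userinfo and port and lowercases the host for us.
    host = (parts.hostname or "").rstrip(".")
    # http://real.bank@example.com/ : "real.bank" is a username, not a host.
    if parts.username is not None:
        return "userinfo-decoy"
    labels = host.split(".")
    # Internationalised labels arrive either raw (non-ASCII) or as punycode
    # (xn--...); both need the user to read glyphs, so flag rather than trust.
    if any(label.startswith("xn--") or not label.isascii() for label in labels):
        return "non-ascii-label"
    if labels[-1] == TRUSTED_TLD:
        return "bank-tld"
    # A TLD-looking or brand-looking word inside the subdomain part.
    if DECOY_LABELS & set(labels[:-1]):
        return "subdomain-decoy"
    return "not-bank"


def link_text_mismatch(text: str, href: str) -> bool:
    """True when anchor text looks like a hostname but names a different host than href.

    Plain prose anchor text ("Click here") is not compared at all.
    """
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return False
    shown_url = candidate if "://" in candidate else "http://" + candidate
    shown_host = urlsplit(shown_url).hostname
    target_host = urlsplit(href).hostname
    return shown_host is not None and shown_host != target_host


# Constructed samples mirroring the shapes discussed in the thread.
SAMPLES = [
    "https://examplebank.bank/login",
    "http://real.bank@example.com/",
    "http://chase.bank.omgphished.com/",
    "http://paypal.com.fakedomain.com/",
    "http://exampleb\u0430nk.bank/",      # Cyrillic "a" in the second-level label
    "http://xn--80ak6aa92e.bank/",        # punycode form of an IDN label
    "https://example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):16s} {sample}")
    print(link_text_mismatch("real.bank", "http://attacker.example/"))
```

The classifier deliberately does not try to decide whether a host is "really a bank"; it only answers the question a browser can answer mechanically, which is whether the final label is the trusted TLD and whether anything in the URL is arranged to make a human read a different answer.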
  8. Pfft. by way2trivial · Score: 4, Insightful

    I'm sorry... how hard is it for me to write software that changes your DNS setting...

    now how safe is the .bank my DNS server sends you to.....

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  9. More TLDs are Just Fine by billstewart · Score: 4, Insightful

    Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  10. Re:Sooo.... by Znork · Score: 4, Interesting

    "you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"

    Nah, they use real .gov domains instead.

    Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...

    The very idea that security vendors would automatically trust anything just because it had a special domain or a special designation has me wondering how seriously they've tried to break their own idea.

    Further, F-Secure validating all sites under a domain doesn't need a new TLD; they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').

    Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.