
A Foolproof Way To End Bank Account Phishing?

kdawson posted more than 6 years ago | from the worth-a-try dept.

Security 436

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.'"


436 comments

We'll see about that. (5, Insightful)

brian.gunderson (1012885) | more than 6 years ago | (#19029705)

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

Re:We'll see about that. (5, Insightful)

sporkmonger (922923) | more than 6 years ago | (#19029925)

In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

The scheme would still fall victim to urls like this:

http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru

Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.

Re:We'll see about that. (1)

maxume (22995) | more than 6 years ago | (#19030273)

Post as extrans(preview worked)?

http://paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118@somedomain.ru

We'll see about HTTPS. (-1)

Anonymous Coward | more than 6 years ago | (#19029939)

"DNS poisoning is still just as problematic"

That's why there's still authentication.

Re:We'll see about that. (5, Interesting)

uberzip (959899) | more than 6 years ago | (#19029945)

My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.

Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest. Like I said, this is a simple example, some of my banksites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

Re:We'll see about that. (0)

hpavc (129350) | more than 6 years ago | (#19030079)

Look how well people got their WoW passwords stolen from simple spyware ads. Imagine how much banking evil goes on. This ends nothing; it causes more issues if anything. Makes money for Intuit/MSMoney, now they can push a new version that's a '.BANK' version.

Re:We'll see about that. (5, Insightful)

grcumb (781340) | more than 6 years ago | (#19030105)

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

Re:We'll see about that. (5, Insightful)

griffjon (14945) | more than 6 years ago | (#19030251)

I can see it now:

Dear Customer,

We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on valued bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

Thanks again for your business,

OurBank./

Re:We'll see about that. (2, Insightful)

jorgevillalobos (1044924) | more than 6 years ago | (#19030185)

An improvement? Maybe. Foolproof? No. DNS poisoning is still just as problematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

I think that if this solution were to be adopted as a standard, browser makers would follow and reflect the "secure" TLD on the main UI. Firefox and IE7 already do this to some extent (yellow URL bar for SSH enabled sites, green (I think) on IE). There could be a special UI state that indicates you're on a secure .bank site. This would help make this solution even more robust and harder to circumvent.

This is obviously not foolproof, and I don't think such a solution exists, as there will always be someone oblivious or stupid enough not to notice the blatant lack of security signs, or highly sophisticated attacks (window spoofing, for instance) that confuse even savvy users.

Re:We'll see about that. (1)

Anomolous Cowturd (190524) | more than 6 years ago | (#19030259)

DNS poisoning is a tough one. But how about something like this:

When you first get your bank login credentials, you "prime" your browser (via a special new browser feature) with the set of (domain, ip address range, site certificate, username, password) as provided by your bank. Store a hash of the password, not the password itself.

Then anytime you try to enter your credentials on any site, it checks to see if what you're submitting contains that username/password, and prevents submission if the site info doesn't match up. You could still game it with javascript form field trickery, but perhaps the extension could automatically refuse submission in such an event.

Firefox could support something like this before you could blink, opera too probably, and MS would be obliged to play catch-up. Then the banks could just strongly encourage people to use such a feature... then we wait and see what the phishers do next.

This idea is stupid (tld goldrush?) (4, Insightful)

Whiney Mac Fanboy (963289) | more than 6 years ago | (#19029717)

This idea is even stupider than people who fall for phishing attacks. Another TLD gold rush isn't going to solve anything because the problem is people's credulousness.

I'd expect to see a rush of tld registrations to Macedonia [wikipedia.org] (citybank.ba.mk) and Saint Kitts and Nevis [wikipedia.org] (citibank.ba.kn)

Even if you could train people to look at the URL properly, there's always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability [secunia.com].

Re:This idea is stupid (tld goldrush?) (1)

bishiraver (707931) | more than 6 years ago | (#19029875)

Neither of those would work, since your main domain name needs to be at least three characters.

Re:This idea is stupid (tld goldrush?) (3, Insightful)

OverlordQ (264228) | more than 6 years ago | (#19029907)

Neither of those would work, since your main domain name needs to be at least three characters.

Might want to tell that to people who register .co.uk domains.

Re:This idea is stupid (tld goldrush?) (1)

h2oliu (38090) | more than 6 years ago | (#19029963)

This is a little different as co.uk is a government determined domain, not an individually registerable domain.

Re:This idea is stupid (tld goldrush?) (2, Informative)

tomhudson (43916) | more than 6 years ago | (#19029961)

"Neither of those would work, since your main domain name needs to be at least three characters."

Nope. Look at gc.ca [gc.ca] as a counter-example. I'm sure there are others ...

Re:This idea is stupid (tld goldrush?) (1)

Mr Chund Man (1013539) | more than 6 years ago | (#19030009)

ti.com?
hw.ac.uk?
bu.edu?

Unless of course you know something about TLDs from Macedonia or St Kitts & Nevis that we don't...

Re:This idea is stupid (tld goldrush?) (3, Insightful)

gmack (197796) | more than 6 years ago | (#19029887)

Not even. Most of the phishing emails that reach my inbox don't even bother to make the URL look like the bank. They just redirect you and hope you don't bother to look at the URL at the top.

As long as a significant portion of the population doesn't take even basic steps to protect themselves, phishing will be a prevalent problem.

Re:This idea is stupid (tld goldrush?) (3, Insightful)

tomhudson (43916) | more than 6 years ago | (#19029899)

Exactly. For $50,000, I get a domain that people will "know" is phish-proof. A decent scammer can make that back in a day if everyone "knows" it's "the real bank" and lets their guard down ...

People who think this will work are also gonna love "security through obscurity."

Mod parent up! (1)

khasim (1285) | more than 6 years ago | (#19030205)

Spend $50K to get $500,000? Sure!

And if they time it right (end of month, beginning of month) they could easily make that much before it was shut down.

And how would it be shut down? Who would you complain to? Is there a potential for a DDoS attack against other .bank sites?

Come on people, don't just think how great your idea is. Spend some time thinking about how the bad guys would attack it.

#1. Just buy in. Who's going to validate you?

#2. Fake URLs. Exploit old browsers.

#3. DDoS against the other .bank sites so everyone is used to those sites being unavailable and going to .com sites instead.

#4. DNS compromises.

#5. Host file attacks. As long as you can get some crapware installed on their computers.

And I'm sure there are more ways out there. If you REALLY want to solve this, use two channel authorization. If you make any transactions online, the bank will call your phone and ask you to punch 1 for "okay" or 2 for "not okay" or 3 to report a fraudulent transaction.

Re:This idea is stupid (tld goldrush?) (0, Troll)

Lumpy (12016) | more than 6 years ago | (#19029913)

Not only that, but the guy is so stupid he does not realize that most phishing attacks don't go to "alike" website names but whatever they can hijack.

what is proposed is as dumb as falling for a nigerian scam.

Re:This idea is stupid (tld goldrush?) (1)

Raindance (680694) | more than 6 years ago | (#19029915)

Yeah- I would think that, by training people to trust certain TLDs, spoofing URLs with exploits or unicode or traffic hijacking would become much more effective.

A neat idea, but I'm sure phishers would love this.

Re:This idea is stupid (tld goldrush?) (1)

jamesh (87723) | more than 6 years ago | (#19030219)

Although I don't believe that the idea adds any actual security, things could be improved by building into browsers something that could detect if you were really on a bank domain, and have it display in an obvious way.

But still, the original idea is to increase trust and confidence, and there are so many possible ways around it that we'll end up with a false sense of security, which can be worse than no security...

dibs!!!!! (4, Funny)

Average_Joe_Sixpack (534373) | more than 6 years ago | (#19029721)

sperm.bank

Re:dibs!!!!! (5, Funny)

EmbeddedJanitor (597831) | more than 6 years ago | (#19029835)

Dear Sir/Madam I am interested in your services:

How do I make an online deposit?

Are there penalties for early withdrawal?

Re:dibs!!!!! (4, Funny)

Penguinshit (591885) | more than 6 years ago | (#19030165)

Are there penalties for early withdrawal?

Yes; no linked child accounts... although for some that is desirable.

Re:dibs!!!!! (3, Funny)

Anonymous Coward | more than 6 years ago | (#19029841)

sperm.bank

Deposits will require both the .bank tld and the .xxx tld

I don't even want to know about withdrawals...

Re:dibs!!!!! (0)

Anonymous Coward | more than 6 years ago | (#19029927)

I think your mom already reserved that one.

You just have to wrap the site and redirect parts (1)

WillAffleckUW (858324) | more than 6 years ago | (#19029737)

Most users don't actually check where their links go.

The top domain could even point to .bank, after it did its job of redirecting your account.

All it needs is your login and password.

Re:You just have to wrap the site and redirect par (1)

vrmlguy (120854) | more than 6 years ago | (#19029801)

That's a spurious complaint. All you have to do to fix it is only allow HTML forms to post to .bank URLs.

Re:You just have to wrap the site and redirect par (1)

WillAffleckUW (858324) | more than 6 years ago | (#19029969)

Well, I could have said we should move to IPv6 and new HTML and other forms, but that wasn't the root topic.

Regardless, even with forwarding such bank hijack attempts to the Secret Service at 419.fcd@usss.treas.gov - these are attempts to play on people's lack of technical knowledge and lack of forethought in replying to emails.

You can close as many doors as you want, but if you left the coal chute door open and the basement door unlocked, your house is not secure. Or in 22nd century terms, domain restrictions will only make it more obvious who the sloppy coders amongst the bank fraudsters are, but won't stop gullible consumers from being fleeced.

huh? (1)

Misanthrope (49269) | more than 6 years ago | (#19029743)

Can't phishers spoof the domain name anyways? Besides, I doubt the average phishing victim even looks twice at the address if it's at least a semi-official looking page.

Foolproof system (5, Funny)

Reason58 (775044) | more than 6 years ago | (#19029747)

"Foolproof systems do not take into account the ingenuity of fools."

Re:Foolproof system (5, Interesting)

bhmit1 (2270) | more than 6 years ago | (#19030109)

Foolproof systems do not take into account the ingenuity of fools.

You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, let's instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine whose account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
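The canary-credential scheme in the comment above, worked as detection logic over a few constructed login and transfer events (an added example, not code from the post or from any bank; the log format, the `canary-` usernames and the hypothetical "catch a phisher" link are all assumptions):

```python
"""Canary-credential triage over constructed login/transaction events."""
import re
from dataclasses import dataclass, field

# Constructed log lines: ISO time, source IP, event, key=value fields.
SAMPLE_LOG = """\
2007-05-07T09:58:40Z 198.51.100.7 login user=alice result=ok
2007-05-07T10:00:09Z 203.0.113.5 login user=canary-4f2a result=ok
2007-05-07T10:00:12Z 203.0.113.5 login user=bob result=ok
2007-05-07T10:00:15Z 203.0.113.5 transfer user=bob amount=900 dest=ACCT-TEST-1
2007-05-07T10:01:00Z 198.51.100.7 transfer user=alice amount=40 dest=ACCT-TEST-2
2007-05-07T10:02:30Z 203.0.113.5 login user=canary-9c1d result=ok
2007-05-07T10:03:00Z 203.0.113.5 transfer user=carol amount=1200 dest=ACCT-TEST-3
"""

# Usernames handed out through the hypothetical "catch a phisher" link; each is
# unique per request so a phisher cannot build a blocklist of them.
CANARY_USERS = {"canary-4f2a", "canary-9c1d"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+)(?P<fields>(?: \w+=\S+)*)$")


@dataclass
class Triage:
    tainted_ips: set = field(default_factory=set)       # sources that used a canary
    suspect_accounts: set = field(default_factory=set)  # real accounts seen from those sources
    held_transfers: list = field(default_factory=list)  # (user, amount, ip) frozen for review
    canary_hits: list = field(default_factory=list)     # (ts, ip, canary) for investigators


def parse_line(line):
    """Return (ts, ip, event, fields) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return m.group("ts"), m.group("ip"), m.group("event"), fields


def triage(log_text: str, canaries: set) -> Triage:
    """Single pass over events in time order.

    A canary login taints its source. Later activity from a tainted source on
    a real account marks that account as potentially compromised, and later
    transfers from it are held silently rather than rejected, so the phisher
    gets no feedback. The source IP is a weak key (it may be a proxy or a
    compromised host the phisher bounces through), so treat it as one signal,
    not as proof of who is behind the session.
    """
    t = Triage()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, event, fields = parsed
        user = fields.get("user", "")
        if event == "login" and user in canaries:
            t.tainted_ips.add(ip)
            t.canary_hits.append((ts, ip, user))
        elif ip in t.tainted_ips and user and user not in canaries:
            t.suspect_accounts.add(user)
            if event == "transfer":
                t.held_transfers.append((user, int(fields.get("amount", "0")), ip))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, CANARY_USERS)
    print("tainted sources:", sorted(result.tainted_ips))
    print("suspect accounts:", sorted(result.suspect_accounts))
    print("held transfers:", result.held_transfers)
```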

Re:Foolproof system (1)

seaturnip (1068078) | more than 6 years ago | (#19030275)

Okay, so your scheme gives you the IP address of some machine they've rooted and are proxying their connection through. How does that help you stop them again?

Re:Foolproof system (2, Informative)

ahg (134088) | more than 6 years ago | (#19030137)

Well... normally I don't split hairs, but the notable quote that I believe you are referring to was just posted today on Slashdot in its complete form:

"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools".

-- Douglas Adams (1952 - 2001), Mostly Harmless

Re:Foolproof system (2, Funny)

treeves (963993) | more than 6 years ago | (#19030191)

The quote in my sig was previously:

"There's no system foolproof enough to defeat a sufficiently great fool." -- Edward Teller

Cutting out the competition (4, Interesting)

Harmonious Botch (921977) | more than 6 years ago | (#19029749)

Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.

make it half a million a year and we're talking... (3, Insightful)

MarcoAtWork (28889) | more than 6 years ago | (#19029815)

what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

Re:make it half a million a year and we're talking (3, Insightful)

dgatwood (11270) | more than 6 years ago | (#19029921)

The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.

I demand a sum of... TEN MILLION DOLLARS! (1)

Gary W. Longsine (124661) | more than 6 years ago | (#19030257)

"I demand a sum of... ONE MILLION DOLLARS!"
-- Dr. Evil

"Why must I be surrounded by frickin' idiots?"
-- Dr. Evil

Re:make it half a million a year and we're talking (2, Informative)

EvanED (569694) | more than 6 years ago | (#19029923)

If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* small a sum for them...

Re:make it half a million a year and we're talking (2, Insightful)

EvanED (569694) | more than 6 years ago | (#19029937)

Oh wait, I'm an idiot. I take that back.

Those graphs said "(in thousands)"...

Re:make it half a million a year and we're talking (1)

Ajehals (947354) | more than 6 years ago | (#19030247)

OT - But thank you for bringing some happiness to my currently stressed out life, that post made me laugh. a lot.

Re:make it half a million a year and we're talking (1)

suv4x4 (956391) | more than 6 years ago | (#19030089)

what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

500 grand? Hell, make it 5 billion/year. Apparently since banks hold money, people think this is their money to spend on bullshit. Or maybe reputable banks are reputable because they invest their money wisely, and not because they bought something that normally costs $10 for $500000. Tough call.

I bet the first thing you'll do if you had a million dollars, would be sign up for a millionaires email [millionaires24.com] , wouldn't you, smart spender?

Check their features as well. They offer global access. Amazing.

Re:make it half a million a year and we're talking (0)

Anonymous Coward | more than 6 years ago | (#19030155)

what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it?

The one that doesn't have retards controlling it?

(institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

Right, but they get advertising with their advertising budgets. In your case they get basically their name on some made up elitist tld.

If you think a tld would stop phishing you've got a lot to read about the behavior of a typical phishing scam victim. Some of them won't even look at the domain and verify it, some will trust the .com more than .bank (hey, we know .com!), and many attacks will simply change vector so the domain doesn't even get into the picture.

Re:Cutting out the competition (1)

2Bits (167227) | more than 6 years ago | (#19030015)

Mod parent up please. This is what I was going to say.

The guy who proposed this is smoking crack. This does not solve any of the problems, and just puts artificial entry barriers on the industry to protect the current banks from any new competition. And while you are at it, why stop at 50K, why not 50 million instead? It's not like any bank can't put up with 50 million either.

Putting layers and layers of stupid "solutions" like that is not going to solve the problem.

I'm reminded of the phrase... (2, Interesting)

tekiegreg (674773) | more than 6 years ago | (#19029761)

"Build something that's idiot proof, and they'll build a better idiot..." Really, the same people who fall for attacks to begin with are the people who STILL would despite this .bank implementation. Call me pessimistic but I'm not entirely sure it would work... Good idea though, makes it plainly obvious for the rest of us people with more than 10 IQ points anyways...

Re:I'm reminded of the phrase... (1)

KokorHekkus (986906) | more than 6 years ago | (#19029931)

You are absolutely correct. Even now people are falling for phishing attempts with weirdly formed urls that look like

http://uuu.xxx.yyy.zzz:nnnn/http/app.nordea.se/sitemod/default/...index_php/index.php

I'm guessing because they actually don't have any major clue about how the web works and go "Hey, there's the url... uh.. some numbers ahead... bet that isn't anything important though". Of course the .bank would cut out some phishing but calling it foolproof is naive considering this example.

The example url is from a phishing mail targeting Nordea.se (one of the largest Swedish banks) that hit Swedish mail addresses early this year.

Re:I'm reminded of the phrase... (1)

WombatDeath (681651) | more than 6 years ago | (#19030007)

It may be worth a shot. Make it $500k and spend the revenue on teaching people to look in the bottom-left corner of their browser to check that '.bank' is at the end of the URL.

Better yet, make it $5m. Well, why not? It's a negligible amount of money to all but the tiniest banks, and vanishingly small when compared to the cost of phishing attacks. May not be much use to your local small-town bank, if such a thing still exists, but I doubt that they're going to be a major target of international fraudsters anyway.

Of course it's not fool-proof, but that doesn't mean that the idea is worthless.

Ha (0, Redundant)

EvanED (569694) | more than 6 years ago | (#19029765)

A Foolproof Way To End Bank Account Phishing?

Anyone who thinks this is underestimating the ingenuity of fools.

Ummmmm... (4, Funny)

TheDarkener (198348) | more than 6 years ago | (#19029775)

I just made thedarkener.bank on my own computer, using /etc/hosts. It points to my computer.

I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.

Re:Ummmmm... (5, Funny)

Score Whore (32328) | more than 6 years ago | (#19030077)

Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.

Re:Ummmmm... (1, Interesting)

The MAZZTer (911996) | more than 6 years ago | (#19030133)

Well, you seem to be forgetting that IT WILL ONLY WORK FOR YOUR COMPUTER. Domain name registrars exist to allow you to purchase a name for ALL COMPUTERS to recognize.

The only way your method could be used successfully for phishing is if the attacker can modify /etc/hosts or %SYSTEMROOT%\System32\drivers\etc\hosts. But if they can do that, it's already game over, so to speak, for the victim, because that implies the attacker has to have other levels of access through which they can probably do more damage than a simple phishing attack could do...

Solution? (2, Insightful)

g0dsp33d (849253) | more than 6 years ago | (#19029779)

This doesn't stop people from giving out account information over the phone, or link spoofing. How many people just click links and don't read them? "My email says it's from a bank, and some Prince wants to give me a buttload of money. Yey!".

It's a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.

I know it will never happen (2, Funny)

Frogbert (589961) | more than 6 years ago | (#19029791)

But god would it be good to gouge banks for $50k. It would feel so sweet.

Re:I know it will never happen (5, Funny)

Reason58 (775044) | more than 6 years ago | (#19029813)

But god would it be good to gouge banks for $50k. It would feel so sweet.

Until you realize it was your own money.

Re:I know it will never happen (1)

alvinrod (889928) | more than 6 years ago | (#19029865)

Don't worry, they'll just pass it on to Joe Consumer at some point.

It also disfavors smaller banks in small towns where $50,000 isn't quite the pocket change it is for larger banks with branches all across the country or world.

And as others have pointed out, it's still not going to keep everyone from being fooled. Scammers are just going to keep finding new and more interesting ways of fooling people.

citibank.bank.customers.spammer.com (2, Interesting)

Toe, The (545098) | more than 6 years ago | (#19029803)

I already see URLs like this:
citibank.com.customers.update.spammer.com

It wouldn't take any more effort to make:
citibank.bank.customers.update.spammer.com

Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
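Several comments in this thread describe the same two URL tricks (userinfo before `@`, and `.bank` buried as a subdomain) and two defensive ideas (a browser "primed" with a hash of the bank credential, and forms that may only post to `.bank`). This added example, not code from any poster or from F-Secure, shows how a browser-side check would separate them; the sample URLs, the `CredentialGuard` class and its salt are constructed for the example.

```python
"""Defender-side URL and credential checks for a hypothetical .bank TLD."""
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed sample URLs mirroring the two tricks raised in the thread.
USERINFO_TRICK = "http://paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118@somedomain.ru/login"
SUBDOMAIN_TRICK = "http://citibank.bank.customers.update.spammer.com/login"
GENUINE = "https://www.mybank.bank/login"


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    RFC 3986 puts everything before '@' in the authority into userinfo, so
    'paypal.bank:<token>' above is a username:password pair, not the host.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_bank_tld(host: str) -> bool:
    """True only when 'bank' is the *last* label, i.e. the real TLD.

    A 'bank' label buried inside a longer name (citibank.bank.customers...)
    is just a subdomain chosen by whoever registered spammer.com.
    """
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == "bank"


def explain(url: str) -> str:
    """Human-readable verdict, the kind of thing a browser plugin could surface."""
    host = effective_host(url)
    if is_bank_tld(host):
        return f"{host}: registered under .bank"
    return f"{host}: NOT a .bank domain"


class CredentialGuard:
    """Browser-side 'priming' guard in the spirit of the thread's proposal.

    At enrolment the user stores (bank host, username, password) once; only a
    salted SHA-256 digest of username:password is kept, never the password.
    On every form submission the guard refuses to release a primed credential
    to any host other than the primed one, and priming itself is limited to
    .bank hosts. A production version would use a slow KDF (scrypt/argon2)
    instead of plain SHA-256 so the stored digest resists offline guessing.
    """

    def __init__(self, salt: bytes = b"constructed-per-profile-salt"):
        self._salt = salt
        self._allowed_hosts: dict[str, set[str]] = {}

    def _digest(self, username: str, password: str) -> str:
        return sha256(self._salt + f"{username}:{password}".encode()).hexdigest()

    def prime(self, bank_host: str, username: str, password: str) -> None:
        host = bank_host.lower().rstrip(".")
        if not is_bank_tld(host):
            raise ValueError(f"refusing to prime non-.bank host {host!r}")
        self._allowed_hosts.setdefault(self._digest(username, password), set()).add(host)

    def allow_submission(self, form_action_url: str, username: str, password: str) -> bool:
        """Return True if the form may be submitted with these credentials."""
        allowed = self._allowed_hosts.get(self._digest(username, password))
        if allowed is None:
            return True  # not a primed banking credential; nothing to protect
        return effective_host(form_action_url) in allowed  # primed hosts are .bank


if __name__ == "__main__":
    for url in (USERINFO_TRICK, SUBDOMAIN_TRICK, GENUINE):
        print(explain(url))
    guard = CredentialGuard()
    guard.prime("www.mybank.bank", "alice", "correct horse battery staple")
    print(guard.allow_submission(GENUINE, "alice", "correct horse battery staple"))
    print(guard.allow_submission(USERINFO_TRICK, "alice", "correct horse battery staple"))
```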

Good idea! Not 100% Fool-proof! Repost! (1)

madsheep (984404) | more than 6 years ago | (#19029843)

1) Good idea!

Yes, I think it's a great idea. It is very akin to how you go to a .gov site and know it's official. People look for it and know what it means.

2) Not 100% Fool-proof!

Why? Well, it's not 100% fool-proof because people are morons. Some people will fall for anything. They'll see citibank.bank.bank-info.info and still fall for it. DNS poisoning will also do the trick. Modified hosts files will also do the trick. People are dumb, but this will still help!

3) Repost!!

Sort of.. we just had this mentioned on Slashdot the other day. See this article link http://it.slashdot.org/article.pl?sid=07/04/10/1239216 [slashdot.org]

If ICANN introduced a .safe domain (or .sure or .bank), which could only be used by registered financial institutions, it would allow security providers to create better software to protect the public, according to F-Secure. It would be similar to other top level domain names such as .uk and .gov.
A month ago?

Re:Good idea! Not 100% Fool-proof! Repost! (0)

Anonymous Coward | more than 6 years ago | (#19030139)

So you're saying it is 100% fool-proof but not 100% moron-proof? Which one are you?

Banks Only? (1)

That's Unpossible! (722232) | more than 6 years ago | (#19029867)

Great, this could help phishing attacks ... against banks.

Phishers will just move on to easier prey, such as all other institutions that handle lots of money or transactions (eBay, PayPal, etc).

This wouldn't work (4, Insightful)

j0nb0y (107699) | more than 6 years ago | (#19029881)

Phishing works because people don't pay attention to URLs. How would changing the URL help?

Won't stop my mom (1)

TheGuano (851573) | more than 6 years ago | (#19029889)

Who needs bankname.bank.phisher.com? Even if this new XTLA-TLD gets implemented, my mom and my grandma will still click on www.bankname.com.

It's the same as those image captchas BofA uses. It's a nice touch, but if one day you went to the site and it just asked you for a username/password, would you really think something was amiss?

Only nerds understand URLs (1)

eclectro (227083) | more than 6 years ago | (#19029909)

Beyond that, many credit unions would have a hard time swallowing/using the "bank" tld.

$50,000 is too pricey... (1)

Brad_sk (919670) | more than 6 years ago | (#19029919)

50K is too pricey for lot of legitimate foreign banks...It will only work for banks operating in countries like US, Japan, France and a few more...:(

CONFIDENTIAL (0, Offtopic)

fatduck (961824) | more than 6 years ago | (#19029933)

Dear Sir,
Good day and compliments. This letter will definitely come to you as a huge surprise, but I implore you to take the time to go through it carefully as the decision you make will go off a long way to determine the future and continued existence of the entire members of my family.

Please allow me to introduce myself. My name is Dr. (Mrs.) Mariam Abacha, the wife of the late head of state and commander in chief of the armed forces of the federal republic of Nigeria who died on the 8th of June 1998.

My ordeal started immediately after my husband's death on the morning of 8th June 1998, and the subsequent take over of government by the last administration. The present democratic government is determined to portray all the good work of my late husband in a bad light and have gone as far as confiscating all my late husband's assets, properties, freezing our accounts both within and outside Nigeria. As I am writing this letter to you, my son Mohammed Abacha is undergoing questioning with the government. All these measures taken by past/present government is just to gain international recognition.

I and the entire members of my family have been held incommunicado since the death of my husband, hence I seek your indulgence to assist us in securing these funds. We are not allowed to see or discuss with anybody. Few occasions I have tired traveling abroad through alternative means all failed.

It is in view of this I have mandated DR GALADIMA HASSAN, who has been assisting the family to run around on so many issues to act on behalf of the family concerning the substance of this letter. He has the full power of attorney to execute this transaction with you.

My late husband had/has Eighty Million USD ($80,000,000.00) specially preserved and well packed in trunk boxes of which only my husband and I knew about. It is packed in such a way to forestall just anybody having access to it. It is this sum that I seek your assistance to get out of Nigeria as soon as possible before the present civilian government finds out about it and confiscate it just like they have done to all our assets.

I implore you to please give consideration to my predicament and help a widow in need.

May Allah show you mercy as you do so?

Yours faithfully,

Dr (Mrs.) Mariam Abacha (M.O.N)

N/B: Please contact Dr Galadima Hassan on this e-mail address for further briefing and modalities.

Bad! Bad! Bad! (3, Insightful)

NeutronCowboy (896098) | more than 6 years ago | (#19029935)

Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, its basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: spammers don't want to spend $50k on one domain, and registering as a financial institution anywhere is difficult.

If I were an organized crime ring, I'd barely be able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!

Re:Bad! Bad! Bad! (0)

Anonymous Coward | more than 6 years ago | (#19030183)

If I were an organized crime ring, I'd barely be able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank.

Correct me if I'm wrong, but bank phishing works by convincing people that they're logging onto their own bank - the bank at which they are a customer and have an account number and password. Let's say you opened a personalcity.bank account with your $50K. How would you convince a person that they were a customer of your bank? What would you do with the account # they gave you? Unless you just wanted to get their Social Security Numbers, I don't see much point in registering your own bank domain.

A Foolproof Way To End Bank Account Phishing? (1)

Jimmy King (828214) | more than 6 years ago | (#19029951)

Sure, let me know when you figure out how to force people to pay attention and educate themselves.

Seriously, though, as I'm sure everyone here knows (but I enjoy preaching to the choir) this is useless. The problem isn't that people can't tell they're not at the actual bank website because it's hard; they can't tell because they don't fucking look and/or don't understand. If after clicking the link (which they shouldn't have clicked to start with) they are incapable of looking at the address bar and thinking to themselves "hey, that doesn't say http://www.wachovia.com/ like the e-mail said" then why would they look at it and think "hey, that doesn't say http://www.wachovia.bank/ like the e-mail said"?

My opinion? (0, Troll)

Cheezymadman (1083175) | more than 6 years ago | (#19029959)

If you fall for a phishing scam, you deserve it for being a fucktard and not paying attention to what you're doing.

Hardly worth the summary... (0)

Anonymous Coward | more than 6 years ago | (#19029965)

"I reckon I've solved the whole travelling at the speed of light problem! We just need to paint it blue." ...and that's about how much thought went into this.

Phishing works because people see a link for their bank that looks legit, they click on it and end up on a login page for their bank that looks legit. It doesn't matter where the real site is, nor does it matter where the dodgy site is.

The only thing that matters is that:
1. the email looks legit (forged header and some stolen corporate logos)
2. the link looks legit (just an image of the real link with a dodgy href)
3. the login page looks legit (i.e. cut and paste job from the real login page - including the ads)
username & password please!

How the f!@# is a new top level domain going to address any of these points?

m@tt

Back off the end user (0)

Anonymous Coward | more than 6 years ago | (#19030099)

BTW, to all slashdotters who are also taking the time to belt the stoopid user for falling for a phishing attack... wise up!

Why the f!#@ SHOULD my lovable grandma have to learn all about URLs, forged emails and the arseholes (more than likely with a technical bent) that prey on the vulnerable - just because her bank has forced her into the 21st century where you can get carjacked online?

The system is busted... not the user. If the internet is for everyone, then you cannot expect "everyone" to have an IT degree or care about one...

m@t

higher - much higher (1)

mgabrys_sf (951552) | more than 6 years ago | (#19029989)

50 thousand is a drop in the bucket for some crimes. Better to make it much higher and use the income to draft a process & org to regulate and oversee all of the applicants on a yearly or monthly basis from application to use. That way even address harvesters who score names from invalidated accounts can't sneak by. There's no way to automate such a system - you have to have some form of regulatory eyeballs - and that takes money.

But if you're charging enough for those eyeballs, that shouldn't be a problem. Getting all this approved by every financial regulatory system on the planet might be tricky though.

.bank is the wrong name (4, Insightful)

adrianmonk (890071) | more than 6 years ago | (#19030001)

This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.

First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.

On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.

Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.

A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is, certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".

Mod insightful (0)

Anonymous Coward | more than 6 years ago | (#19030065)

This is one of the best posts in the story, thank you.

Duh (3, Insightful)

Mwongozi (176765) | more than 6 years ago | (#19030017)

There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.

Quite simple really.

Uncomprehending banks' e-mails (2, Interesting)

wytcld (179112) | more than 6 years ago | (#19030271)

Do you have an online checking or savings account? Both INGdirect.com and HSBCdirect.com persistently send out plain-text e-mails to confirm just about every transaction - with no option to turn these off. I've written various people at both banks explaining why this is a really, really bad idea. They are uncomprehending. The confirmation e-mails don't give full account details, but give plenty of information for someone who manages to intercept them (or crack someone's Hotmail account) to use social engineering to find out the rest.

Mind you, these are two otherwise fine enough banks that I do business with them. But if I didn't control my mail server - and know and trust the admins running my ISP's routers - I'd be taking on a level of risk that borders on idiotic.

Foolproof? Hah! (1)

samuel4242 (630369) | more than 6 years ago | (#19030023)

Imagine that someone saw the domain bank.barclays-bank.offshore.com? Devoted slashdot readers may be able to parse it and recognize that it is only a subdomain of offshore.com but what about the fools? I would suggest that it's impossible for something like this to be foolproof by definition. Why? Anyone who could be fooled would be labeled a fool and thus easily fooled. And nothing can stop them from being separated from their money by phishing schemes like this.

Why not label it something like, "A nice plan to help smart people save some time thinking."

Why would this help? (0)

Anonymous Coward | more than 6 years ago | (#19030031)

I don't see how this would provide any improvement at all. The problem has nothing to do with the URL of the phishing site, because most of the people who fall for these scams don't know what to look for, and aren't savvy enough to spot a fake domain name. The phisher can still copy the bank's page source and re-create an identical page at some other domain (.ru, or whatever), and the customer will still type in their account details without so much as glancing at the address bar.

Anyone who knows what a .bank domain is, and would use that to protect themselves from phishing scams, would already know better than to click on a link inside an email to "verify their details".

A more effective solution would be for banks to phone every single one of their customers as soon as they register an account (just out of courtesy) and make it perfectly clear to them that under NO circumstances will the bank ever send them an email asking for their account details. Just one phone call whenever someone creates an account, and the problem would probably be reduced significantly. It's an education thing, and no security technology can ever prevent someone from throwing their money away if they aren't educated in how to spot a scam.

What a dumb idea. (1)

Rachel Lucid (964267) | more than 6 years ago | (#19030039)

What about SQL injections? Those just use the EXISTING domain, whatever it is, and append their bad code on it. Instant phish without even needing much sheep's clothing.

Re:What a dumb idea. (0)

Anonymous Coward | more than 6 years ago | (#19030261)

WTF? That's either a troll or the most confused objection I've ever seen. Not counting other Slashdot posts of course. SQL injection isn't phishing. They have nothing to do with each other. Zero. Zilch.

it's not like they use their own domains now... (5, Interesting)

jfruhlinger (470035) | more than 6 years ago | (#19030043)

To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.

To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?

No additional security, added cost (4, Insightful)

patio11 (857072) | more than 6 years ago | (#19030111)

Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. It's the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.

Not a problem (1)

Billly Gates (198444) | more than 6 years ago | (#19030149)

Just hack the hosts file to point bankofamerica.bank to your IP address. Phishing scheme done.

Also people are used to using .com for sites on the web. So Grandma will still type bankofamerika.com by accident and get the false site even without hacking the hosts file.

It's not a foolproof solution at all.
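Two of the objections in this thread (samuel4242's bank.barclays-bank.offshore.com and the bankofamerika.com typo above) are exactly what a defender-side URL filter should catch, and the interesting part is working out the registrable domain rather than eyeballing the string. The following is an added example written for this page, not code from any poster, bank or filter product. It finds the registrable domain with a longest-suffix match, flags "bank" used as a subdomain label rather than as the TLD, and flags labels that contain or nearly match a known bank name. The suffix list and the bank allow-list are small constructed stand-ins for the real Public Suffix List and a real allow-list.

```python
"""Added example: classify the host part of a URL the way a phishing filter
would. PUBLIC_SUFFIXES and KNOWN_BANK_DOMAINS are constructed for the demo."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes; a real filter loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "uk", "co.uk", "bank"}

# Constructed allow-list of registrable domains operated by real banks.
KNOWN_BANK_DOMAINS = {"barclays.bank", "bankofamerica.com", "wachovia.com"}


def registrable_domain(host):
    """Return (registrable_domain, public_suffix); the longest suffix match
    wins, so 'barclays.co.uk' yields ('barclays.co.uk', 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, suffix          # the host is a bare public suffix
            return ".".join(labels[i - 1:]), suffix
    return None, None                        # unknown suffix: cannot classify


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url):
    """Classify a URL as 'trusted', 'suspicious' or 'unknown', with reasons."""
    host = (urlsplit(url).hostname or "").lower()
    reg, suffix = registrable_domain(host)
    if reg is None:
        return "suspicious", ["host has no recognisable registrable domain"]
    if reg in KNOWN_BANK_DOMAINS:
        return "trusted", []
    reasons = []
    labels = host.split(".")
    # 'bank' anywhere except the final label is a subdomain, not a .bank TLD.
    if "bank" in labels[:-1]:
        reasons.append(f"'bank' is a subdomain label under {reg}, not the TLD")
    # A label that contains or nearly matches a known bank name, on a domain
    # the bank does not own, is the hallmark of a phishing host.
    bank_names = {d.split(".")[0] for d in KNOWN_BANK_DOMAINS}
    for label in labels:
        for name in bank_names:
            if name in label or 0 < edit_distance(label, name) <= 2:
                reasons.append(f"label {label!r} resembles bank name {name!r}")
    return ("suspicious", reasons) if reasons else ("unknown", reasons)


if __name__ == "__main__":
    for u in ("https://www.barclays.bank/login",
              "https://bank.barclays-bank.offshore.com/login",
              "http://bankofamerika.com/"):
        print(u, "->", analyze_url(u))
```

The allow-list check comes first on purpose: once the registrable domain is one the bank actually owns, the rest of the host is irrelevant, which is why the subdomain trick only works against readers who stop at the first label.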

Why not make 10 the highest instead of 11? (1)

Mr. Stinky (753712) | more than 6 years ago | (#19030181)

That's great but to quote Spinal Tap, "...but this one goes to eleven..." Making consumers aware of a .bank TLD is just about the same amount of education required as letting them know that their bank will never contact them via email; especially for passwords and private information.

Won't Work (2, Insightful)

Fujisawa Sensei (207127) | more than 6 years ago | (#19030187)

People don't look at domain names now, nor do they check for https. What makes you think this will change things?

With all due respect.... (1)

i_want_you_to_throw_ (559379) | more than 6 years ago | (#19030215)

And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 -- making it prohibitively expensive to most copycats. Banks would love this

We here at the Commerce Bank of Beverly Hills will not pay $50,000... Milburn Drysdale, President

This is already a solvable problem. (4, Insightful)

Vellmont (569020) | more than 6 years ago | (#19030225)

There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.

The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:

authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.

for an added bonus, keeps the user's authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).

This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent phishing attacks, they'd develop a standard and not do any online banking without this device.

Could it still be hacked? Sure, but an attacker would have to compromise the user's computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.

Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
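The four functions listed in the post above map onto a short mutual challenge-response exchange, and it is worth seeing why a phishing site fails it. What follows is an added toy model written for this page; it is not any bank's protocol and not the poster's code. The per-customer secret is created when the card is issued and never leaves the Card object (the bank keeps its own copy); the user is authenticated to the bank and the bank to the card with HMAC challenge-response, and each transaction is MACed over a fresh bank nonce so an altered or replayed order is rejected. Card ids, PINs and keys are constructed for the demo.

```python
"""Added example: mutual challenge-response between a 'magic card' and a bank.
All ids, PINs and keys are constructed; not a real banking protocol."""
import hashlib
import hmac
import secrets


def _field(p):
    """Length-prefix each field so 'ab'+'c' and 'a'+'bc' cannot collide."""
    b = p.hex().encode() if isinstance(p, bytes) else str(p).encode()
    return len(b).to_bytes(2, "big") + b


def _mac(secret, *parts):
    """HMAC-SHA256 over domain-separated fields. The purpose label ('user',
    'bank', 'txn') makes a proof for one step useless as proof for another."""
    return hmac.new(secret, b"".join(_field(p) for p in parts), hashlib.sha256).digest()


class Card:
    """The tamper-resistant token. No method ever returns the secret."""
    def __init__(self, card_id, secret, pin):
        self.card_id = card_id
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False

    def unlock(self, pin):
        self._unlocked = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def _prove(self, *parts):
        if not self._unlocked:
            raise PermissionError("card is locked; correct PIN required")
        return _mac(self._secret, self.card_id, *parts)

    def answer_user_challenge(self, bank_nonce):
        return self._prove("user", bank_nonce)

    def verify_bank(self, card_nonce, bank_proof):
        # A phishing site has no copy of the secret, so it cannot pass this.
        return isinstance(bank_proof, bytes) and hmac.compare_digest(
            self._prove("bank", card_nonce), bank_proof)

    def sign_transaction(self, bank_nonce, payee, amount):
        return self._prove("txn", bank_nonce, payee, amount)


class Bank:
    def __init__(self):
        self._secrets = {}                    # card_id -> shared secret

    def issue(self, card_id, pin):
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return Card(card_id, secret, pin)

    def revoke(self, card_id):                # lost card: invalidated like an ATM card
        self._secrets.pop(card_id, None)

    def challenge(self):
        return secrets.token_bytes(16)

    def _expected(self, card_id, *parts):
        secret = self._secrets.get(card_id)
        return None if secret is None else _mac(secret, card_id, *parts)

    def verify_user(self, card_id, nonce, proof):
        exp = self._expected(card_id, "user", nonce)
        return exp is not None and hmac.compare_digest(exp, proof)

    def prove_identity(self, card_id, card_nonce):
        return self._expected(card_id, "bank", card_nonce)

    def verify_transaction(self, card_id, nonce, payee, amount, proof):
        exp = self._expected(card_id, "txn", nonce, payee, amount)
        return exp is not None and hmac.compare_digest(exp, proof)


def fake_bank_responder(card_nonce):
    """All a phishing site can do when the card challenges it: guess."""
    return secrets.token_bytes(32)


def run_session(bank, card, pin, payee, amount, bank_responder=None):
    """Whole exchange. bank_responder substitutes another party's answer to
    the card's challenge; None means the card really talks to bank."""
    if not card.unlock(pin):
        return {"user_ok": False, "bank_ok": False, "txn_ok": False}
    n1 = bank.challenge()
    user_ok = bank.verify_user(card.card_id, n1, card.answer_user_challenge(n1))
    card_nonce = secrets.token_bytes(16)
    proof = (bank.prove_identity(card.card_id, card_nonce)
             if bank_responder is None else bank_responder(card_nonce))
    bank_ok = card.verify_bank(card_nonce, proof)
    txn_ok = False
    if user_ok and bank_ok:                  # card signs only for a proven bank
        n2 = bank.challenge()
        txn_ok = bank.verify_transaction(
            card.card_id, n2, payee, amount, card.sign_transaction(n2, payee, amount))
    return {"user_ok": user_ok, "bank_ok": bank_ok, "txn_ok": txn_ok}
```

Running run_session against the real Bank returns all three flags true; passing bank_responder=fake_bank_responder models a phishing site, which cannot answer the card's challenge, so the card never signs a transaction regardless of what the page looked like. Calling revoke on the bank side makes a lost card fail every step without touching the card itself, which is the "just like an ATM card" property above.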

Article apparently not foolproof (1)

psaunders (1069392) | more than 6 years ago | (#19030255)

F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine.
Hey, this story has nothing to do with F-1's Mika Hakkinen!