203 comments

More... (-1)

linolium (713219) | more than 6 years ago | (#19199247)

And next we'll have .store, .house, .tvshow, .website...

Re:More... (0)

bvankuik (203077) | more than 6 years ago | (#19199685)

I am not afraid of those, but what I don't get is: if .bank is created then why not .fiscal and .med(ical)? Are banks the most important thing in a man's life?

More TLDs are Just Fine (4, Insightful)

billstewart (78916) | more than 6 years ago | (#19199707)

Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)

Re:More... (1)

smallfries (601545) | more than 6 years ago | (#19199967)

Why would that be a bad thing?

The whole point of a hierarchical naming scheme was to spread the load around and remove a centralised point from the network. At the moment 99% of websites are .com and the extension has become meaningless. If URLs were actually split into domains that made sense it would be easier for people to remember web addresses...

Look who's talking (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#19199255)

It should be noted that this came from F-Secure, one of the absolute crappiest antivirus software setups that I have had to use (and I've used McAfee and Norton).

OMGWTFOTL (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19199257)


I love her so much that I knock her out. I have absolutely no idea what I'm doing. I feel so trapped and cornered that I'm losing my mind.
I run down the corridor as fast as my legs can take me, vomiting blood as I go.
After that, I don't remember anything of what happened.
I have no memory of it at all.
All I know is that when I come to, I find myself charging into a US Army base, buck naked, with a katana.
I cut down the first soldier I see, trembling with some indescribable emotion, yelling out every curse and swear word I know.
My consciousness fades again, and the next thing I know I've got two severed heads in one hand, and a katana dyed red with blood in the other.
I've been painted by several searchlights, and there's a bunch of U.S. soldiers with assault rifles, grenades, shotguns, machineguns, howitzers, and tanks surrounding my perimeter.
It's a perfect stage on which to die.
This scene reminds me of the famous words of the movie director, Orson Welles. ... ask not what you can do for your country. Ask what's for lunch.
Then I realize that if there were ever a pro wrestler who used drunkenness as his gimmick, then surely his finishing move would be a Drunkensteiner from the top rope.
And so I cry out:
"Behold! This is the spirit of the kamikaze!"
I lunge as I raise my katana over my head.
"Long live the Emperor!"
Innumerable bullets from a machine gun mow me down.
It's an oddly satisfying sensation. ...

How best to hand down Gorbachev's revelation to the future generations, dawg?
I don't care HOW historians feel, but I'll NEVER be forgettin' that moment when he got fired up by a 50-cent discount coupon!
Anyway, Osaka Bancho here, suckah. For a cornered Japanese man, maybe kamikaze IS the best option, eh, homes?
Good call, good call. That all-out attack, man, that was THE SHIT.
But, uh, dawg? Yer pretty weak if ya go berserk just from some girl confesin' to 'ya.

Sooo.... (0, Troll)

borizz (1023175) | more than 6 years ago | (#19199263)

The plan is to create a very expensive TLD?

What does that help? All it does is raise the barrier of entry for criminals and it provides a false feeling of security to average people (who will think: "Hey! It's .bank, so it's good!").

Re:Sooo.... (5, Informative)

setirw (854029) | more than 6 years ago | (#19199315)

The plan is to create a very expensive TLD?

Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

Re:Sooo.... (3, Interesting)

Colin Smith (2679) | more than 6 years ago | (#19199423)

The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

Not a big problem. The browsers can help there. Those with half a brain will get it, those without are a lost cause anyway. You can't run the world on the basis that it has to be safe for the 5 Watt bulbs.

Re:Sooo.... (3, Interesting)

jorgevillalobos (1044924) | more than 6 years ago | (#19199489)

The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier for users, or at least for some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.

I think .bank would add an extra layer of online banking security, and that's a big plus IMO.

Re:Sooo.... (2, Insightful)

hedwards (940851) | more than 6 years ago | (#19199547)

Expensive isn't necessarily an issue. While $50k seems unreasonable to me, a fee high enough for them to really check and actually do the verification in person would potentially be within the costs of doing business for larger banks. The problem is with smaller banks trying to compete, especially credit unions.

The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help as well as the ability to keep people from randomly registering with a .bank TLD, but if the DNS servers aren't able to necessarily guarantee that the browser really is where it should be and that there hasn't been any injections going on, it is just an expensive yacht club type of amenity.

When some banks are rumored to not even have the login page secured, it seems odd to think that this kind of security would fix that. The banks I use could get some benefit out of it. But probably the best thing would be to remember that online fraud and phishing is a lesser cause of fraud than are fraudulent checks by third party scam artists.

Mikko Doesn't Really Answer the "Will it Work" (5, Insightful)

billstewart (78916) | more than 6 years ago | (#19199587)

I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.


You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like

  • http://real.bank@example.com/
  • real.bank.obfuscating-non-ASCII-characters
  • real.bank.3242134832143214.com
  • link text that doesn't match href like real.bank [example.com]
  • links that display an image of "real.bank"
  • Javascript/ActiveX/Flash attacks that do pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)


There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"

Re:Sooo.... (1, Insightful)

scribblej (195445) | more than 6 years ago | (#19199619)

What about places that handle "money" and need to be secure but aren't banks?

Shopping carts, mall websites, payment gateways, -- anything with a payment form on the site... they are all attacked more than "banks" right now. It's easier to skim a lot of small insecure sites than hit one big well-protected one. I learned that from Neuromancer.

Re:Sooo.... (1)

TheRaven64 (641858) | more than 6 years ago | (#19199663)

After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains.
I used to know someone who had a .gov.uk domain. He didn't use it much; he got it set up for testing purposes when he was doing some contract work for a government agency and never got around to telling them that it was no longer needed. Apparently getting it set up in the first place only required one telephone call, and didn't involve any additional checks.

Re:Sooo.... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#19199673)

Presumably, England's policy regulating .gov.uk registration is substantially different from the U.S.'s, where there do not exist any .gov sites that do not actually represent government agencies.

Re:Sooo.... (4, Interesting)

Znork (31774) | more than 6 years ago | (#19199729)

"you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"

Nah, they use real .gov domains instead.

Seriously though, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...

The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.

Further, F-Secure validating all sites under a domain doesn't need a new TLD, they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').

Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.

Re:Sooo.... (1)

TubeSteak (669689) | more than 6 years ago | (#19199787)

Not only expensive, but also exclusive. As with suffixes like .gov, the difficultly of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive)... As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."
Proof of legitimacy & exclusivity...
TFA mentions State tlds like .bank.uk
So do only USA banks get to have a .bank url?

Or, can I setup a dummy bank in the Cayman Islands, pay $50K and have my own personal website @ TubeSteak.bank?

For whatever reason, the people at F-Secure (and you) don't seem to think that criminals capable of corrupting governments and laundering billions in [currency] per year will be able to setup (on paper) a legitimate looking bank.

I'd suggest that the bigger crime rings would benefit from a $50,000 registration fee, since it would squeeze all the small scammers out of the "looks legit" marketplace.

Re:Sooo.... (1)

mad_robot (960268) | more than 6 years ago | (#19199487)

When your site at www.paypal-user-login.bank gets rumbled and you have to switch to www.paypal-confirm-details.bank, it's going to cost you a lot of money. What do you reckon the useful lifetime of these phishing sites is? A few days perhaps? A couple of weeks at most? This is going to put a serious hole in your business model.

Of course you could always fall back on other techniques (e.g. www.paypal.bank.09F911029D74E35BD84156C5635688C0.phish.com). But the .bank TLD would at least be a start.

I'm still not convinced (4, Insightful)

j0nb0y (107699) | more than 6 years ago | (#19199267)

Quite frankly, the only way to prevent phishing fraud is through user education.

If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

This just seems like it would be a big waste of money for all parties involved.

Impossible. (4, Insightful)

khasim (1285) | more than 6 years ago | (#19199321)

Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

A far better solution would be to go for the simpler approach.

For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

Re:Impossible. (2, Insightful)

mark-t (151149) | more than 6 years ago | (#19199451)

But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).

Think about that. (1)

khasim (1285) | more than 6 years ago | (#19199499)

So your transaction isn't released until you get off the phone line and take the call from the bank.

This is a good thing. The system fails in such a manner that your money STAYS with you.

This gets to the concepts of not doing something if it cannot be secured and verified
vs
Making it as easy as possible for the customer even if it makes it easier for criminals to steal the customer's money.

Re:Think about that. (2, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#19199717)

It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the bank (an expensive international call) and persuade them that it was her, and they shouldn't cancel the only way she had of accessing her main account for the next few months...

The last but one time I visited the USA, I ordered some things from Amazon.com. If this plan had been implemented, I would have had to wait until I got home and then received the phone call. This would have been a bit late for me to receive the things sent to me in the USA...

Re:Think about that. (1)

drawfour (791912) | more than 6 years ago | (#19199903)

If you know you're going to be away from your registered phone number for a while, you can always pre-emptively call your bank/CC company and tell them. If such a verification program were in place, it should be easy to add things like this. Call from your registered phone to their number and give them a new number where you will be reachable, and for how long, where, etc...

My CC company (Wells Fargo Mastercard) likes to call me when they see charges that are different from my usual purchasing pattern. They get confirmation on the last 5 or so charges to make sure they aren't fraudulent. I wonder what would happen if their fraud detection kicked in and I wasn't available at that phone number. I assume that after a few days of not validating the charges, they would deny future charges to that card. They do have an international collect number that I can call if my card gets denied and I'm overseas, and an 800 number for inside the US.

Re:Impossible. (1)

pdbaby (609052) | more than 6 years ago | (#19199485)

For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

What I've wanted for years is for my bank to let me specify this for my Mastercard or my Debit card - you go out to dinner, pay with your card and the bank's system calls you and asks you to authorise the payment by pressing a key / entering a password PIN on the phone. How difficult can that be to implement? How much basic fraud would it prevent?

I wonder if it would reduce fraud enough that it's profitable for the bank to do it without charging the consumer for the privilege.

Re:Impossible. (1)

maxume (22995) | more than 6 years ago | (#19199855)

When fraud happens, the bank says 'Neener-neener' and makes the business eat the cost of the fraud. So they won't offer such a thing for free, without changing other stuff.

Re:I'm still not convinced (1)

mark-t (151149) | more than 6 years ago | (#19199433)

Or worse... if the security was compromised later, long after the user is accustomed to implicitly trusting the green bar, and their confidential data is given to someone who was not who they thought it was.

You are right on the money on this issue. Education is the only real solution to the problem, and trying to impose a technological solution to what is ultimately a social problem only makes it that much harder to teach people how to avoid it later because they are that much more used to trusting supposedly "secure" systems.

Re:I'm still not convinced (1)

pcgamez (40751) | more than 6 years ago | (#19199503)

You are missing the point. The idea is to make this one part of an overall strategy. Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people. Furthermore, user education has limited effectiveness and takes a long period of time. It is unlikely that we would be able to properly educate the majority of people if we had a decade.

Re:I'm still not convinced (1)

mark-t (151149) | more than 6 years ago | (#19199583)

Except that you are still going to need to educate at least that many people later (more actually, since the population is constantly growing) even *IF* they implement this solution. Delaying education only makes things worse.

You are right that it would be expensive, but it would be orders of magnitude more effective than a technological solution like a trusted top level domain name that in the end accomplishes nothing more than being a placebo.

Re:I'm still not convinced (1)

Khyber (864651) | more than 6 years ago | (#19199775)

"Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people."

Expensive? I can educate a couple billion people cheaply - make a text website that simply says "Keep your account secure - don't bank online, get off your lazy ass, and learn how to write checks and mail them." and point them to that site.

Problem solved.

Re:I'm still not convinced (2, Insightful)

allgood2 (226994) | more than 6 years ago | (#19199671)

OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to educate them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones losing money or big money' statement. If small banks and credit unions can't get access to the .bank domain, then as far as I can see, you're just switching the scammers and phishers from targeting large banks to targeting small banks and credit unions. It's a we don't care argument; which weakens the entire effort.

F-Secure mentions Finland, which has a very low rate of phishing due to the fact of its mail confirmations of address. My thoughts are if the .bank domain were to succeed it needs to include small banks and credit unions; which means there needs to be some sort of exception to the fees. Possibly a $10,000 domain name purchase combined with physical proof of credit union or small bank status, and a certain number of years in operation.

The proof of years in operation as an exchange for relief from cost seems like a small trade-off to me. I would assume most phishers wouldn't be willing to wait 3-5 years and still fork out $10-$15,000 just to engage in a scam. Plus most newly established credit unions and banks fail or succeed (however marginally), within similar time frames of the average business (3-5yrs). Obviously, the verification process would be key, but this would allow small banks and credit unions the same level of security as large banks.

Re:I'm still not convinced (1)

j0nb0y (107699) | more than 6 years ago | (#19199895)

Anti phishing education is actually quite simple right now.

What's the URL of your bank?

Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

All banks have to do is put this information on a nice one sheet insert, and put it in with the account statements that they mail out monthly anyway.

Re:I'm still not convinced (1)

dabraun (626287) | more than 6 years ago | (#19199989)

Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

Then you get companies like Citibank which insists on putting their online credit card access under "citicards.com". How about educating the banks themselves? Get it through their head that they need ONE site with ONE name which is their OFFICIAL name that their customers know.

Then build a setup where a given domain can be "locked down" to be https only, have browsers not even allow sites on this list to be accessed via http. Gobble up all reasonable variants (.com, .org, .net etc) by either having them all registered or blocking all but the official one.

Re:I'm still not convinced (1)

veganboyjosh (896761) | more than 6 years ago | (#19200087)

Cos you read those through and through? Granted, a one sheet thing would be more widely read than a whole folded small print booklet/pamphlet, most people I think just get the statement, and toss the rest.

Re:I'm still not convinced (2, Insightful)

mark-t (151149) | more than 6 years ago | (#19199939)

It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them enough exposure to it, and when something bogus comes along, they should be able to see it for what it is because it won't match up.

Re:I'm still not convinced (0, Troll)

Cheapy (809643) | more than 6 years ago | (#19200089)

How about this. We attach UZIs to every computer sold. If this URL isn't "green" and the user clicks on it, the UZI will shoot. A lot. And hopefully take out the user. The phishing scam didn't work and the stupid user is dead!

Darwin would love it!

What the ... ? (4, Insightful)

khasim (1285) | more than 6 years ago | (#19199269)

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

Who determines what "misleading domain names" means?

And we are talking about criminals making MILLIONS of dollars a year.

Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.

Re:What the ... ? (1)

Colin Smith (2679) | more than 6 years ago | (#19199327)

The $50,000 presumably isn't the only authentication mechanism. With a $50,000 registration fee it's possible to perform significant checks on the applicants.

It doesn't matter. (1)

khasim (1285) | more than 6 years ago | (#19199375)

Either very few will spend the money to get the domain name, in which case there won't be enough information out to know that .bank was 'safe' ... or was it .safe?

Or lots of banks will spend the money and that will mean lots of different people will be performing the checks.

Now, you DO realize that we are talking about "criminals", right? The people who already break the law. So things like bribery and extortion will not be forbidden.

Just look at the drug trade.

I should have gone with that one first. (1)

khasim (1285) | more than 6 years ago | (#19199411)

Yes, look at the drug trade.

Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

Does ANYONE think that that would be a good idea? That it would reduce drug smuggling in any way?

Or would you just laugh at the person naive enough to suggest it?

Re:I should have gone with that one first. (1)

setirw (854029) | more than 6 years ago | (#19199537)

Fallacious logic. The .bank registrar isn't performing a background check on the individual registering the domain. Instead, it's ensuring that the name being registered will actually represent a major financial institution. It's the same case with other "exclusive" domains: I don't think the .gov or .mil registrar performs a background check on the actual person registering the domain, but rather ensures that army.mil truly represents the United States Army.

Granted, there are many more financial institutions than government agencies, but it's possible to ensure that every .bank domain registered actually represents its respective financial institution. The criminal deterrent isn't the $50,000, but rather the difficulty of proving that the domain represents what it claims to. I don't think the average phisher with $50,000 has any remote chance of convincing a discriminating registrar that he actually represents J.P. Morgan Chase. Returning to your analogy, it's a lot easier for a drug runner with $50,000 to falsify his own personal background than to convince DEA agents that he represents a pharmaceutical that transports painkillers, since the latter presumably requires statements from executives in the pharmaceutical stating that the transportation is legitimate.

Re:I should have gone with that one first. (1)

EvanED (569694) | more than 6 years ago | (#19199553)

Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

It's more that the seal was put on by a theoretically trusted party and is virtually tamperproof. So it's not so much trusting that the person who put it on is lying, it's trusting that they were already checked out before and haven't changed the contents of their van.

And if the original party is *actually* trustworthy, then yes, I think it would be a decent idea.

And you verify that ... how? (1)

khasim (1285) | more than 6 years ago | (#19199645)

And if the original party is *actually* trustworthy, then yes, I think it would be a decent idea.

Ah, but if the people putting the seals on the trucks were "*actually* trustworthy" then they would be "a decent idea" with regards to drug smuggling.

Do you see the point?

SOMEONE has to approve the seal. A person. And people can be bought. You will NOT know if that person was "*actually* trustworthy" or not.

Particularly when that seal would mean that EVERYONE in the world KNEW that it was safe to use that site.

Re:I should have gone with that one first. (1)

Colin Smith (2679) | more than 6 years ago | (#19199615)

It's an entirely different situation, a domain would only work until they were reported, i.e. the first time someone was ripped off. Then the domain would have to close and the phishers would be out $50,000. They would have to be very sure of returning more than $50k which means most phishing would stop.

Re:I should have gone with that one first. (1)

vux984 (928602) | more than 6 years ago | (#19199701)

Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

Right, let's keep going with that, because your analogy is flawed, and this will fix it up:

Now suppose that seal had a serial number as part of its design, and it was displayed prominently. (because each domain name is different)

Next suppose that this seal was actually worn by the street pusher behind the 7-11 to avoid law enforcement harassment (you know, the guys who deal directly with the general public, because that's who these phish sites deal with).

Except he's not behind the 7-11 he's standing up front and center where EVERYONE can see him. (Phishers spam everybody not just suckers.)

All it takes is one guy to report that he's a drug dealer. And now he's an easy target for the cops because he's got a big seal on his car, and they've already done a background check on him so they know where he lives, who he associates with, etc, etc.

So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

Yes. (1)

khasim (1285) | more than 6 years ago | (#19199975)

So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

Sure. Why not?

Should it pose a problem, your criminal friends can spend their spare time reporting every other seal. The cops won't know the legitimate complaints from the fraudulent ones.

And all you need is enough time to turn that $50K investment into $5,000K.

This is not about establishing a permanent presence. This is about cashing out a LOT of money as QUICKLY as possible by exploiting the knowledge that since you have that seal, you are safe. You will be operating in BULK.

Eventually it will be closed down. And you will already have used the profits to purchase another one.

Re:What the ... ? (0)

Anonymous Coward | more than 6 years ago | (#19199481)

To get the domain you have to be a real bank in the US. Verifying such entities should be pretty simple. They are tightly regulated after all.

A misleading domain name is one that is easy to mistake for another one, or doesn't reflect the name of the bank to which the domain is registered. Conventional trademark law will probably cover 90% of the issues here.

Anybody can start a tax-haven bank (1)

billstewart (78916) | more than 6 years ago | (#19199643)

There are a number of countries that have extensive private banking systems, generally connected with tax-haven free trade environments. You want to start a bank in the Caribbean? It'll cost you more than starting a corporation, and you might need a local partner to sponsor you, but that's well within the range of anybody who's willing to fork over $50K for a bank domain name.


The harder part is getting a *useful* bank domain name - you're probably not going to get chase-manhattan-grand-cayman-branch.bank even if you can prove that you own the real Don Corleone Bank registered in Grand Cayman. (N.B. I don't remember if Grand Cayman lets you start banks easily, or only corporations these days - you can do your own research :-) But if you're creative, you'll find something.

Re:What the ... ? (1)

vux984 (928602) | more than 6 years ago | (#19199647)

Spending $50K to make $5,000K is a GREAT deal.

If that were true. Do you have any evidence to support the claim that one phishing site is likely to return 5000k?

How long does the average phishing site stay active before people figure it out, and it gets shutdown?
Phishers, from my understanding of it, plow through junk domains. I'm not even sure they go a full day before getting knocked offline, and probably only hours before they get added to the list of known phish sites and get blocked by 'anti-phish' software.

If criminals have to set up 500 50k sites to make $5,000k, well... that's not going to make anybody rich. They simply aren't going to do it. Even if they can bribe people to get the domains, they'll get blacklisted or delisted so quickly it just won't be worth the expense and hassle of setting them up.

Pfft. (4, Insightful)

way2trivial (601132) | more than 6 years ago | (#19199693)

I'm sorry... how hard is it for me to write software that changes your DNS setting...

now how safe is the .bank my DNS server sends you to.....

User's software... (1)

iknownuttin (1099999) | more than 6 years ago | (#19199291)

The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

Ok, so he's counting on every browser publisher to put in software that will all work the same and flawlessly? And he's counting on everyone (banks, software vendors, etc...) to come together with a standard that all will accept to make things more secure? And of course, the bank will just do this to save themselves money.

All of the losses that banks incur are just passed on to the consumer: the banks are not losing money. They really don't suffer any consequences that I've seen from these phishing problems. Or let me put it this way, exactly what will get the big mega banks on board for this? Because, if it were really a problem for them, they would have done something a long time ago. As it is, it's just a big pain in the ass for the victims and the victims only, banks just apologize "for the inconvenience" and move along - business as usual.

Re:User's software... (4, Insightful)

zappepcs (820751) | more than 6 years ago | (#19199385)

Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their hosts table?

It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when in actuality it takes them to a fake site.

There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.

Re:User's software... (1)

EvanED (569694) | more than 6 years ago | (#19199599)

Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their hosts table?

There are two levels of answers:

1.) They're aiming at protecting phishing, not all malicious activity. I email you [not you specifically, generic you] something that says "ur account wi11 expir3 n 3 days" and you click on the link and enter your information into the page that loads. There isn't any room in there for me to remap your hosts file.

2.) If I do have the access to remap your hosts file, there are easier ways to figure out what your password is than having it sent through my website. Like, install a keylogger and wait until you just go to your bank outright.

3.) Combined with SSL certificates, the browser could positively identify that you are talking to the computer that is *actually* at citi.bank. This is already done somewhat with .com domains, but with .bank you then get the added assurance (in theory) that citi.bank actually belongs to Citibank.

V1@gr@ (1)

Gary W. Longsine (124661) | more than 6 years ago | (#19199303)

"The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with."
So, uh... build a white list of valid banks. How hard can that be? What are you going to do with that white list, eh? Block everything that isn't on it? This is clearly an idea they haven't thought through, and they felt a little defensive about it after the thrashing they received from Slashdot. Their defense could use help. Maybe a dose of V1@gr@?

FUD Factory (-1, Troll)

Werrismys (764601) | more than 6 years ago | (#19199305)

F-Secure is a FUD Factory that creates terrible anti-whatever placebo products (along with some really working proxy products). Instead of fixing their consumer and workstation level products they just buy more search engines and slow the process down even more and eat even more winblowz system resources. Avoid.

...and if a trojan messes with hosts/LMHOSTS? (1)

Penguinisto (415985) | more than 6 years ago | (#19199367)

It wouldn't take much to munge up the /etc/hosts or 'doze LMHOSTS file to make a certain ".bank" name redirect to whatever you want...

While admittedly it would take a compromise of the user's computer to do it, it still points out the one big, fat inherent weakness of a new TLD: The fact that sites aren't specifically identified by DNS name per se, but by a translation mechanism that points to the real site identifier (IP).

('course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity... and where would that end?)

/P

Re:...and if a trojan messes with hosts/LMHOSTS? (0)

Anonymous Coward | more than 6 years ago | (#19199413)

But that's always a risk regardless of TLD. It's not an argument against .bank since it doesn't detract from the benefits of it.

And...? (1)

sid0 (1062444) | more than 6 years ago | (#19199477)

This risk is still there with current domains. In fact, it should be easier with the .bank TLD -- just make sure that there are *no* .bank entries in the hosts file.

As TFA has stated, this is not a silver bullet. It won't magically solve all the problems with phishing. However, this, along with user education, can ameliorate the situation. For example, a newbie can be told to make sure that the word "bank" appears before the first slash, and so on. Not perfect, but definitely better than the current system.

Count me in as a supporter.

Re:...and if a trojan messes with hosts/LMHOSTS? (2, Insightful)

EvanED (569694) | more than 6 years ago | (#19199617)

course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.

Or, you know, a check of the SSL certificate, which you'll need to do anyway.

It would still be an invalid domain (1)

Colin Smith (2679) | more than 6 years ago | (#19199669)

DNS can be authenticated. Without a valid .bank domain certificate it isn't a valid domain and the browser would be correct to mention such. The only way to get a .bank certificate would be to have a real .bank domain.

 

What about DNS poisoning? (1)

CPE1704TKS (995414) | more than 6 years ago | (#19199373)

He didn't address that point. You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

Even worse, hackers can start poisoning the hosts file on individual machines, which makes it even worse. It's already at a known address: %SystemRoot%\system32\drivers\etc. Once they start adding their own entries into the hosts file for Windows users, they are fucked. It will be so easy to point them wherever the hackers want.

His suggestion solves NOTHING. In fact, it is extremely shortsighted and amateurish for a so-called CTO of a security company, and makes me question how good his company is if the CTO can't even get this right.

Once you crack the workstation, it's over. (2, Interesting)

khasim (1285) | more than 6 years ago | (#19199457)

Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

That's why you need a SECOND CHANNEL to confirm the transaction.

Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

And the bank could quickly build up a list of known fraudulent addresses.

Re:What about DNS poisoning? (2, Insightful)

EvanED (569694) | more than 6 years ago | (#19199629)

You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

And then you go to that site... and the browser says "your SSL certificate's no good".

You would also need to compromise one of the SSL certificate authorities.

And how does that get round a domain cert? (3, Informative)

Colin Smith (2679) | more than 6 years ago | (#19199753)

It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

 

I'm surprised (1)

yakumo.unr (833476) | more than 6 years ago | (#19199405)

I know it's traditional for slashdotters to NOT RTFA but I'm still surprised how negative people are being about this, clearly without having bothered to.

Name ONE genuinely negative aspect of this to the individual consumer.
I can't think of one but I'm not so egotistical as to think there might not be one, but there are certainly lots of positive aspects.

You won't be paying for this, the banks will, so why do you care?

As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help protect your, and other people's, money for God's sake? Isn't that more important to you?

Reductions in fraud online would also limit banks' excuses for high fees to counter their losses.

And it's NOT just a very expensive TLD, it's one where the organisation in question would have to prove absolutely and legally that they are a fitting organization for the TLD, as TFA states as an example you just don't get fake .gov sites.
If someone did somehow sneak through they would be shut down very quickly and easily, compared to constantly re-locating .com .org .net sites.

Re:I'm surprised (4, Insightful)

denebian devil (944045) | more than 6 years ago | (#19199529)

I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

Re:I'm surprised (0)

Anonymous Coward | more than 6 years ago | (#19199689)

Agreed. And by the looks of it, there are a handful of users (*cough* khasim *cough*) here that seem to take this very personally. As though the .bank domain would somehow hurt them. I don't get it.

Fuck off (0)

Anonymous Coward | more than 6 years ago | (#19199865)

There are many people here who understand that a new TLD solves nothing. Don't be suckered by the snake-oil seller, they probably have some proprietary DNS product in the pipeline to fix a problem that they first need to create. Nobody with a clue about security is buying their bullshit!

Drop your veiled accusations and get a clue!

Re:I'm surprised (0)

Anonymous Coward | more than 6 years ago | (#19199781)

> Name ONE genuinely negative aspect of this to the individual consumer.

The consumer would grow to implicitly trust the .bank TLD. This could result in them being less alert when subject to DNS poisoning.

And so on...

> TFA states as an example you just don't get fake .gov sites.

echo "127.0.0.1 whitehouse.gov" >> /etc/hosts

You and F-Secure are too stupid to have a valid opinion on security.

Re:I'm surprised (0)

Anonymous Coward | more than 6 years ago | (#19199837)

Sorry, those are not arguments against a special TLD.
They are problems that exist now and a new TLD doesn't solve. But he explicitly says that he is not claiming a new TLD would solve all problems. Nothing solves all problems. That's not a reason against solving some of them.

Learn some logic before accusing others of being stupid.

Re:I'm surprised (0)

Anonymous Coward | more than 6 years ago | (#19199931)

> Sorry, those are not arguments against a special TLD.

No, they are arguments against abuse of the DNS.

> They are problems that exist now and a new TLD doesn't solve

Then what's the point? But no, users do not implicitly trust .com as they would .bank - that's the entire argument F-Secure are making.

> Learn some logic before accusing others of being stupid.

RTFA!

Re:I'm surprised (1)

Ilgaz (86384) | more than 6 years ago | (#19199947)

I have read/commented on first story and after reading this one and comments, I'd say everyone to check http://www.phishtank.com/ [phishtank.com] and enjoy that mess they are defending.

Re:I'm surprised (0)

Anonymous Coward | more than 6 years ago | (#19200037)

No one is defending phishing, they're just saying that due to the technical nature of DNS, the .bank TLD proposal is utter nonsense.

The security of the .bank TLD that doesn't yet exist would rely solely on EV SSL certs that do. Quoting TFA:

it would authenticate the domain as trusted by the name alone.
...and this is supposed to be a security company? Pffft!

What about DNS hijacking? (2, Interesting)

9gezegen (824655) | more than 6 years ago | (#19199415)

I don't understand the purpose of having a $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork but it will protect the small banks from expensive registration.

As the article mentioned, this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking at asked for his national ID number even though the bank officially announced that they would never ask for that information at their website. He further told me that the webpage looked a little different on his computer compared to his friend's PowerMac. I was skeptical since I thought if you type a name, you should get the correct IP of the bank. Note that I don't use Windows but I'm an expert on Linux. So for me, DNS hijacking meant that the DNS server the computer was talking to was giving the wrong IP. Anyway, I checked the IP of the bank on his computer and did a reverse IP lookup on the web. The first red flag was that the IP was mapped to a dynamic name; furthermore, the IP was different when I looked at it on the PowerMac. Luckily for him, Spyware Doctor was on the computer, so with little hope I ran it. It gave warnings on some entries in the hosts file. Apparently Windows also has some kind of /etc/hosts file. The attacker (probably using some Windows vulnerability) successfully added 20-30 bank names to the hosts file, all of which mapped to his machine. On his machine, he probably has copies of the entrance pages for each bank. Anyway, this kind of attack (which I understand is very common) will not be solved with the TLD .bank.
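
The hosts-file hijack described in the posts above (a worm or trojan adding www.citi.bank or a couple of dozen real bank hostnames to /etc/hosts or %SystemRoot%\system32\drivers\etc\hosts, all pointing at one attacker machine) is easy to check for locally, which is what the "just make sure there are no .bank entries in the hosts file" suggestion amounts to. The following is an added example, not code from the thread or from F-Secure. It parses a constructed hosts file embedded inline and flags three things: any name under the proposed .bank TLD (a legitimate bank would never need a static override), any name on a small bank watchlist (constructed here, the real list would be curated), and any non-loopback IP that several distinct hostnames have been pointed at, which is the fan-in pattern the Spyware Doctor finding showed. The TLD, the watchlist entries and the sample addresses (documentation ranges) are assumptions.

```python
"""Scan a hosts file for entries that override resolution of banking names.

Added example for the .bank discussion; not F-Secure's code and not a real
anti-phishing toolbar. The sample hosts content and the watchlist are
constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a normal Windows hosts file with a few injected lines.
# 192.0.2.0/24 is a documentation range, standing in for the attacker's box.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.citi.bank
192.0.2.10      www.examplebank.com  online.examplebank.com
192.0.2.10      www.natwest.com nwolb.com
10.0.0.5        intranet.corp.example
"""

# Assumption: ".bank" is the proposed TLD from the article.
PROTECTED_SUFFIXES = (".bank",)

# Constructed watchlist of real-bank hostnames mentioned in the thread.
WATCHLIST = {"www.natwest.com", "www.nwolb.com", "nwolb.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines.

    A hosts line is '<ip> <name> [<name> ...]' with optional '# comment'.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def scan_hosts(text, protected=PROTECTED_SUFFIXES, watchlist=WATCHLIST,
               fanin_threshold=3):
    """Return a list of (kind, ip, detail) findings for suspicious entries.

    kind is one of:
      'protected_tld' - a name under a TLD that should never be overridden
      'watchlist'     - a known bank hostname pinned to a static address
      'fan_in'        - one non-loopback IP serving >= fanin_threshold names
    """
    findings = []
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
        if name.endswith(protected):
            findings.append(("protected_tld", ip, name))
        elif name in watchlist:
            findings.append(("watchlist", ip, name))

    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; a stricter tool would flag it
        if addr.is_loopback:
            continue  # 127.0.0.1 / ::1 localhost lines are normal
        if len(names) >= fanin_threshold:
            findings.append(("fan_in", ip, ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in scan_hosts(SAMPLE_HOSTS):
        print(f"{kind:14} {ip:16} {detail}")
```

The scan only catches the hosts-file variant; a poisoned resolver or a browser-level hook, as other posters point out, leaves the file clean, so this is a cheap local check rather than a substitute for certificate validation.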

Re:What about DNS hijacking? (1)

someone300 (891284) | more than 6 years ago | (#19199665)

These seem to be the main issues here: Banks and other forms of attack such as DNS hijacking.

F-secure's comment on this not being an issue for small banks/credit unions doesn't make sense. I assume that if this .bank domain was approved, there'd be a mass marketing push for "Only use .bank addresses for online banking", and quite obviously this is going to make people wary of small banks and credit unions who are forced to do ebanking with .com addresses, and consequently make people less likely to use them. As you stated, this $50k registration seems to be pointless. The fact that small banks aren't losing money from phishing isn't the issue here, and then consider that a phisher isn't going to go through the trouble of setting up a fake .bank URL, they're going to look for the weaker targets, i.e. the banks still needing to use .com addresses.

Man in the middle attacks and DNS hijacks are still quite possible, at least until DNS is implemented securely, that is. As soon as these .bank domains are hijacked (there are plenty of ISP DNS servers vulnerable to poisoning still...), either the public will lose any added trust they had in these domains, or they're going to negatively impact security by giving a false sense of security. People will *still* need to look at security certificates for assurance of identity and that encryption is being used.

Obviously there needs to be some form of solution... they could implement an extension to security certificates that allows the certificate to be flagged as safe for financial transactions; with cooperation with web browsers, there could be some way of displaying this information to the user and possibly warning them if it detects them entering credit card data into a non-finance website. Maybe more effort just needs to be put into making people look for the padlock. That and DNS spoofing and Secure DNS needs more work...

Also, in my opinion, two stage logins and showing the user a personalised picture/theme or something that a phisher couldn't show them is a good idea.

hmmm (1)

joe 155 (937621) | more than 6 years ago | (#19199431)

I see big business for North Korea selling the domain name "ba.nk".

This in no way will "fix" the problem. It would however make sure that smaller banks can't get a look in which will help to enforce the monopoly of the large ones... and make a fuck of a lot of money for the people who get to pocket that 50k.

What would be a far better resource would be a Firefox plug-in which highlights the part of the name which is the website, so "itsyourbank.obviouslyphishing.co.uk" would highlight the relevant part for figuring out what the actual domain name is that is registered. I've heard someone mention this before but not really seen anything about it.

Re:hmmm (1)

yakumo.unr (833476) | more than 6 years ago | (#19199521)

ba.nk wouldn't fool browser security updates/certs designed to be damn sure the domain stops at blah.bank and not blah.bank.com or anything as TFA implies.

Straw men (1)

tverbeek (457094) | more than 6 years ago | (#19199437)

You can usually gauge the strength of someone's position in a debate by how quickly they bring out the strawmen to knock down. The first two items in their "rebuttal" ("New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering." and "But .com works just fine!") are pretty transparent misrepresentations/exaggerations of the arguments made against their proposal.

Re:Straw men (0)

Anonymous Coward | more than 6 years ago | (#19199899)

I find their suggestion very good, if not for the ultimate word in getting rid of phishing, but for perhaps other things.

They aim to:
    - make the TLD more exclusive (higher costs, "closed group" so to speak), and
    - make the TLD more accountable by demanding rigorous proof of identity of registrar

This would create a TLD where someone claiming to be the person/organisation X would indeed be such, or otherwise the TLD would not be registered to them in the first place.

I don't see why this is such a bad thing.

As for you, why didn't you list the actual points made against the proposal which they failed to address? A simplification or label to replace many pages full of text is not really a straw man.

What are the consequences when a bad guy gets in? (2, Interesting)

CTho9305 (264265) | more than 6 years ago | (#19199455)

What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?

There are no rogue sites on .gov domain names (1)

Chas (5144) | more than 6 years ago | (#19199491)

Uhm...

Uhm...

My lawyer says my comment is NO COMMENT.

Re:There are no rogue sites on .gov domain names (2, Funny)

setirw (854029) | more than 6 years ago | (#19199579)

There are no rogue sites on .gov domain names

I beg to differ. [whitehouse.gov]

Re:There are no rogue sites on .gov domain names (1)

Tatsh (893946) | more than 6 years ago | (#19199595)

Ugh that site looks like crap on my Firefox. I love how people still do not understand developing to W3C standards (even the government workers).

Re:There are no rogue sites on .gov domain names (1)

TheRaven64 (641858) | more than 6 years ago | (#19199843)

Haha! You slashdotted the White House!

Watch out for homeland security...

The real solution... (1)

Karganeth (1017580) | more than 6 years ago | (#19199513)

The real solution is to simply test the user's ability to spot a phishing attack before letting them use an online bank. For example, the test might consist of questions asking "is this the official website or a fake one?" with images etc. If they fail the test, they are not allowed. They must pass the test (this means taking the test however many times) to be given the authorization to use the online bank. And voila, problem solved.

One thing they don't address... (2, Insightful)

niceone (992278) | more than 6 years ago | (#19199557)

...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.

Re:One thing they don't address... (1)

AndrewM1 (648443) | more than 6 years ago | (#19200091)

It doesn't cost you the entire contents of your bank account if someone figures out your MySpace credentials.

It's simply a matter of going after the most important phishing first... At least, it should be. Neopets, for example, actually gets you to enter your username, then displays a page with some information about your account on it. Only then can you enter your password, after you've confirmed you're talking to the real Neopets homepage. One seriously has to wonder what's up when Neopets has better phishing prevention than your average bank...

and while we are at it (1)

crashelite (882844) | more than 6 years ago | (#19199571)

Why don't we also have a .phishing domain so that we could find out who is really stupid or not? Come on, most people that read /. are smarter than the average internet user and also know how stupid people really are. The number of times I have seen a person using Limewire or Kazaa and complaining that their network is slow or they have viruses is beyond reason. So would creating a new top level domain REALLY work? Would people still be idiots and go to bobsbank.com or bobsbank.bank, and would they look and make sure that it is their banking site in the URL, or would bobsbank.phishing show up and they would log in like they would normally? And also, where would this 50k go to? Why not just make an agreement that if it is a fraudulent site it would just be shut down and no refund of your 50K? But if they are phishing bank sites, would it really mean they are paying for it, or would they use some customer whose account they stole to pay for it? Oh well, the keylogger on the computer will just send the information out sooner or later...

What does this do to address URL display bugs? (2, Interesting)

SuperBanana (662181) | more than 6 years ago | (#19199585)

Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

Curtains != cloak (1)

Stumbles (602007) | more than 6 years ago | (#19199597)

Sounds to me like F-Secure wants to be the fox guarding the hen house. It also sounds like it is a half-assed solution. Why is it the proprietary world always chooses half-assed solutions? Oh wait, I know, so they can sell you some snake oil down the road.

.bullshit (2, Insightful)

Anonymous Coward | more than 6 years ago | (#19199655)

I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.

Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?

F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.

If a Nigerian or Russian bank can get hold... (1)

thewils (463314) | more than 6 years ago | (#19199711)

...of one of these domain names, then it really isn't going to be secure now, is it?

The Banks Don't Help Themselves (3, Interesting)

s7uar7 (746699) | more than 6 years ago | (#19199719)

My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

Is it any wonder people end up falling for phishing sites?

Won't do jack (2, Informative)

Opportunist (166417) | more than 6 years ago | (#19199735)

I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The number of people actually naive enough to follow instructions in a fraud mail is in decline. Every bank I know already informs its customers at least 10 times, and every time they log in, that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.

They missed the 2 biggest flaws... (2, Interesting)

KillerCow (213458) | more than 6 years ago | (#19199793)

The "point-by-point" response did not address DNS poisoning or l/p obfuscation ( www.citi.bank/youraccount/index.html@fraud.org ).
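
Several posts in this thread ask for the same client-side help: show the host the browser will really connect to (the "real URL on mouseover" point), highlight the registered part of the name (the suggested Firefox plug-in that would mark the domain in "itsyourbank.obviouslyphishing.co.uk"), and make sure a name stops at "blah.bank" rather than "blah.bank.com". The userinfo trick is the part worth seeing parsed: under RFC 3986 everything before "@" in the authority is a username, so "http://www.citi.bank@fraud.org/..." connects to fraud.org, while the string in the post above, with the "@" after the first slash, is just a path on www.citi.bank; the danger is clients that render it differently from how they resolve it. The following is an added example, not code from the thread or from any browser, and it uses a tiny constructed suffix table in place of the public suffix list; ".bank" is included on the assumption that the proposed TLD exists.

```python
"""Show the host a URL really connects to and mark its registrable domain.

Added example for the .bank thread; not from any browser or from F-Secure.
PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list and
includes the proposed ".bank" TLD as an assumption.
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "bank"}


def split_host(host):
    """Return (prefix_labels, registrable_domain, public_suffix).

    Uses the longest matching public suffix. Returns (None, None, suffix)
    when the host is a bare suffix and (None, None, None) when nothing
    matches (raw IP address or unknown TLD).
    """
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, None, suffix
            return labels[: i - 1], ".".join(labels[i - 1:]), suffix
    return None, None, None


def analyze(url):
    """Parse a URL the way a compliant client does and report what it saw.

    The returned dict carries the effective host, its registrable domain,
    the public suffix and a list of human-readable warnings.
    """
    if "://" not in url:
        url = "http://" + url  # scheme-less links as pasted in mail
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")  # drops user:pass@ and :port
    prefix, registrable, suffix = split_host(host)

    warnings = []
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    if registrable is None:
        warnings.append("no registrable domain (raw IP or unknown suffix)")
    elif "bank" in host and suffix != "bank":
        warnings.append("'bank' appears in the name but the site is not under .bank")
    return {"host": host, "registrable": registrable,
            "suffix": suffix, "warnings": warnings}


def highlight(url):
    """Return the effective host with the registrable domain in brackets,
    e.g. 'itsyourbank.[obviouslyphishing.co.uk]'."""
    info = analyze(url)
    host, registrable = info["host"], info["registrable"]
    if not registrable:
        return host
    return host[: -len(registrable)] + "[" + registrable + "]"


if __name__ == "__main__":
    for u in ("http://www.citi.bank@fraud.org/youraccount/index.html",
              "www.citi.bank/youraccount/index.html@fraud.org",
              "itsyourbank.obviouslyphishing.co.uk",
              "https://blah.bank.com/login",
              "http://192.0.2.10/login"):
        info = analyze(u)
        print(f"{highlight(u):45} {'; '.join(info['warnings']) or 'ok'}")
```

The highlight is what the proposed plug-in would display; the warnings are the checks a toolbar could run before the page loads. None of this verifies identity, which still comes from the certificate, but it removes the cases where the address bar and the connection disagree.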

Not Even News-Worthy (1)

bigdavesmith (928732) | more than 6 years ago | (#19199909)

Ok, if this were aol.com I could see how this might be a legit news story, but come on. I like to think we're a step above that. Real geeks don't even bother with DNS, and us 66.35.250.150ers have better things to do than waste our time with a noob story like this.

Hijacking (0)

Bellum Aeternus (891584) | more than 6 years ago | (#19199997)

.bank TLD has some merit. Unlike a lot of current online systems, this one could be well funded enough to actually use humans to decide if an institution is worthy of obtaining a domain with the .bank TLD. Which is a very un-Google way of doing this, so it's probably not cool, but when you have human intervention and those humans are naturally skeptical because it's their job to be so; you tend to get pretty good security. However, some have pointed out that by infecting the host file, hijackers could get around the .bank TLD. Agreed. Why not lock .bank and a few other 'secure' TLD's down to a specific A-block of IPs controlled by some international oversight body (heck, could be American national, but why exclude everybody else?).

Benefits: easy for neophytes to figure out, easy for machines to figure out, and difficult to falsify.