
F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
  • by j0nb0y ( 107699 ) <jonboy300NO@SPAMyahoo.com> on Sunday May 20, 2007 @01:47PM (#19199267) Homepage
    Quite frankly, the only way to prevent phishing fraud is through user education.

    If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

    Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

    At this point, you *still* have to educate users about what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

    This just seems like it would be a big waste of money for all parties involved.
    • Impossible. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 20, 2007 @01:55PM (#19199321)
      Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

      Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

      A far better solution would be to go for the simpler approach.

      For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

      There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

      And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

      "The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
      • Re: (Score:3, Insightful)

        by mark-t ( 151149 )
        But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).
        • So your transaction isn't released until you get off the phone line and take the call from the bank.

          This is a good thing. The system fails in such a manner that your money STAYS with you.

          This gets to the concepts of not doing something if it cannot be secured and verified
          vs
          Making it as easy as possible for the customer even if it makes it easier for criminals to steal the customer's money.

          • Re: (Score:3, Insightful)

            by TheRaven64 ( 641858 )
            It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the ba
            • If you know you're going to be away from your registered phone number for a while, you can always pre-emptively call your bank/CC company and tell them. If such a verification program were in place, it should be easy to add things like this. Call from your registered phone to their number and give them a new number where you will be reachable, and for how long, where, etc...

              My CC company (Wells Fargo Mastercard) likes to call me when they see charges that are different from my usual purchasing pattern.
      • by pdbaby ( 609052 )

        For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

        What I've wanted for years is for my bank to let me specify this for my Mastercard or my Debit card - you go out to dinner, pay with your card and the bank's system calls you and asks you to authorise the payment by pressing a key / entering a password PIN on

    • by mark-t ( 151149 )
      Or worse... if the security was compromised later, long after the user is accustomed to implicitly trusting the green bar, and their confidential data is given to someone who was not who they thought it was.

      You are right on the money on this issue. Education is the only real solution to the problem, and trying to impose a technological solution to what is ultimately a social problem only makes it that much harder to teach people how to avoid it later because they are that much more used to trusting suppo

    • by pcgamez ( 40751 ) *
      You are missing the point. The idea is to make this one part of an overall strategy. Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people. Furthermore, user education has limited effectiveness and takes a long period of time. It is unlikely that we would be able to properly educate the majority of people if we had a decade.
      • by mark-t ( 151149 )
        Except that you are still going to need to educate at least that many people later (more actually, since the population is constantly growing) even *IF* they implement this solution. Delaying education only makes things worse.

        You are right that it would expensive, but it would be orders of magnitude more effective than a technological solution like a trusted top level domain name that in the end accomplishes nothing more than being a placebo.

      • by Khyber ( 864651 )
        "Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people."

        Expensive? I can educate a couple billion people cheaply - make a text website that simply says "Keep your account secure - don't bank online, get off your lazy ass, and learn how to write checks and mail them." and point them to that site.

        Problem solved.
    • Re: (Score:3, Insightful)

      by allgood2 ( 226994 )
      OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to educate them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

      My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones losing money or big
      • by j0nb0y ( 107699 )
        Anti phishing education is actually quite simple right now.

        What's the URL of your bank?

        Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

        All banks have to do is put this information on a nice one sheet insert, and put it in with the account statements that they mail out monthly anyway.
        • by dabraun ( 626287 )

          Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

          Then you get companies like citibank which insists on putting their online credit card access under "citicards.com". How about educating the banks themselves? Get it through their head that they need ONE site with ONE name which is their OFFICIAL name that their customers know.

          Then build a

          • Not just Citibank, what about fairly large institutions like Associated Bank or Household Bank. Household Bank is fine when you're banking, but to look up my credit card data, I have to go to HSBC or hsbccreditcard.com. I need a crib sheet just to keep up with the variations of names related to my credit card; and that doesn't even count when a bank decides it needs to distinguish urls for business or personal accounts, checking and savings, etc., etc. Most banks have a litany of urls associated with them. I
      • Re: (Score:3, Insightful)

        by mark-t ( 151149 )
        It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them en
  • What the ... ? (Score:5, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 20, 2007 @01:47PM (#19199269)

    Organized online criminals could afford to buy .bank domains for $50,000.

    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Who determines what "misleading domain names" means?

    And we are talking about criminals making MILLIONS of dollars a year.

    Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.
    • The $50,000 presumably isn't the only authentication mechanism. With a $50,000 registration fee it's possible to perform significant checks on the applicants.
      • Either very few will spend the money to get the domain name, in which case there won't be enough information out to know that .bank was 'safe' ... or was it .safe?

        Or lots of banks will spend the money and that will mean lots of different people will be performing the checks.

        Now, you DO realize that we are talking about "criminals", right? The people who already break the law. So things like bribery and extortion will not be forbidden.

        Just look at the drug trade.
        • Yes, look at the drug trade.

          Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

          Does ANYONE think that that would be a good idea? That it would reduce drug smuggling in any way?

          Or would you just laugh at the person naive enough to suggest it?
          • by setirw ( 854029 )
            Fallacious logic. The .bank registrar isn't performing a background check on the individual registering the domain. Instead, it's ensuring that the name being registered will actually represent a major financial institution. It's the same case with other "exclusive" domains: I don't think the .gov or .mil registrar performs a background check on the actual person registering the domain, but rather ensures that army.mil truly represents the United States Army.

            Granted, there are many more financial instit
          • It's an entirely different situation, a domain would only work until they were reported, i.e. the first time someone was ripped off. Then the domain would have to close and the phishers would be out $50,000. They would have to be very sure of returning more than $50k which means most phishing would stop.
          • by vux984 ( 928602 )
            Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

            Right, let's keep going with that, because your analogy is flawed, and this will fix it up:

            Now suppose that seal had a serial number as part of its design, and it was displayed prominently. (because each domain name is different)

            Next suppose that
            • by khasim ( 1285 )

              So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

              Sure. Why not?

              Should it pose a problem, your criminal friends can spend their spare time reporting every other seal. The cops won't know the legitimate complaints from the fraudulent ones.

              And all you need is enough time to turn that $50K investment into $5,000K.

              This is not about establishing a permanent presence. This is about cashing out a LOT of money as QUICKLY as possible by exploiting the

    • There are a number of countries that have extensive private banking systems, generally connected with tax-haven free trade environments. You want to start a bank in the Caribbean? It'll cost you more than starting a corporation, and you might need a local partner to sponsor you, but that's well within the range of anybody who's willing to fork over $50K for a bank domain name.

      The harder part is getting a *useful* bank domain name - you're probably not going to get chase-manhattan-grand-cayman-branch.bank

    • by vux984 ( 928602 )
      Spending $50K to make $5,000K is a GREAT deal.

      If that were true. Do you have any evidence to support the claim that one phishing site is likely to return 5000k?

      How long does the average phishing site stay active before people figure it out, and it gets shutdown?
      Phishers, from my understanding of it, plow through junk domains, I'm not even sure they go a full day before getting knocked offline, and probably only hours before they get added to the list of known phish sites and get blocked by 'anti-phish' so
    • Pfft. (Score:5, Insightful)

      by way2trivial ( 601132 ) on Sunday May 20, 2007 @02:43PM (#19199693) Homepage Journal
      I'm sorry... how hard is it for me to write software that changes your DNS setting...

      now how safe is the .bank my DNS server sends you to.....

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Okay, change my DNS settings then.

        Wait, you need to actually install that software on my computer? Then how is it different from any other piece of malware that could possibly be installed on my computer? If a computer isn't secure then you shouldn't be using it for online banking in the first place.
        • The GP isn't insightful, it's an obvious commentary that has nothing to do with the problem at hand. The parent is right, if your computer is already compromised you're well past the phishing stage.
    • And we are talking about criminals making MILLIONS of dollars a year.

      They might stop immediately as they notice that selling .bank domains yields much higher profits.

  • "The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with."

    So, uh... build a white list of valid banks. How hard can that be? What are you going to do with that white list, eh? Block everything that isn't on it? This is clearly an idea they haven't thought through, and they felt a little defensive about it after the thrashing they received from Slashdot. Their defense could use help. Maybe a d

  • Will they assign not.a.bank as a redirect to paypal.com?
  • It wouldn't take much to munge up the /etc/hosts or 'doze LMHOSTS file to make a certain ".bank" name redirect to whatever you want...

    While admittedly it would take a compromise of the user's computer to do it, it still points out the one big, fat inherent weakness of a new TLD: The fact that sites aren't specifically identified by DNS name per se, but by a translation mechanism that points to the real site identifier (IP).

    ('course, the "safety toolbar" could then do a WHOIS check and such, but now we'r

    • Re: (Score:2, Insightful)

      by EvanED ( 569694 )
      course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.

      Or, you know, a check of the SSL certificate, which you'll need to do anyway.
    • DNS can be authenticated. Without a valid .bank domain certificate it isn't a valid domain and the browser would be correct to mention such. The only way to get a .bank certificate would be to have a real .bank domain.

  • He didn't address that point. You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

    Even worse, hackers can start poisoning the hosts on individual machines, which makes it even worse. It's already at a known address: %SystemRoot%\system32\drivers\etc. Once they start adding their own entries into the hosts file for Windows users, they are fucked. It will be so easy to point them wherever the hackers want.

    His suggestion solves NOTHING. In fact, it is extremely shortsi
    • Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

      That's why you need a SECOND CHANNEL to confirm the transaction.

      Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

      This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

      And the bank could quickly build
      • by jonwil ( 467024 )
        The best idea I have seen is the idea of a little calculator type device that you plug the transaction details (amount and account number) into and get a hash back that you feed to the bank. That way, unless the hacker is able to steal the number inside the little calculator, they can't steal any money. Solves phishing, hosts file attacks, trojan horses, keyloggers and rootkits.
    • Re: (Score:2, Insightful)

      by EvanED ( 569694 )
      You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

      And then you go to that site... and the browser says "your SSL certificate's no good".

      You would also need to compromise one of the SSL certificate authorities.
    • by Colin Smith ( 2679 ) on Sunday May 20, 2007 @02:49PM (#19199753)
      It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

  • I know it's traditional for slashdotters to NOT RTFA but I'm still surprised how negative people are being about this clearly without having bothered to.

    Name ONE genuinely negative aspect of this to the individual consumer.
    I can't think of one but I'm not so egotistical as to think there might not be one, but there are certainly lots of positive aspects.

    You won't be paying for this, the banks will, why do you care.

    As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help prot
    • Re:I'm surprised (Score:5, Insightful)

      by denebian devil ( 944045 ) on Sunday May 20, 2007 @02:21PM (#19199529)
      I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

      Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?
      • I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

        They are trying to be polite. For those who fail to understand the point, let me express it this way: The entire .bank proposal is utter bullshit. The real problem of phishing and related attacks (namely pharming and Trojans) is pretty simple: doing business over a compromised channel. We do hav

    • by Ilgaz ( 86384 ) *
      I have read/commented on the first story and after reading this one and the comments, I'd tell everyone to check http://www.phishtank.com/ [phishtank.com] and enjoy that mess they are defending.
    • At the risk of sounding like a troll, one constant of the universe is that for _everything_ you'll get at least the following kinds of responses:

      1. things were working perfectly fine in the good old days, changing things and/or making me learn/do new stuff is _evil_. Someone ought to educate users instead, change the whole culture, whatever. (A.k.a., "back in my days we walked to school 2 miles through the snow, up hill both ways, and we _liked_ it" nostalgia.)

      2. It's a conspiracy and/or it will be bought a
  • I don't understand the purpose of having a $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork but it will protect the small banks from expensive registration.

    As the article mentioned this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking asked for national ID
    • These seem to be the main issues here: Banks and other forms of attack such as DNS hijacking.

      F-secure's comment on this not being an issue for small banks/credit unions doesn't make sense. I assume that if this .bank domain was approved, there'd be a mass marketing push for "Only use .bank addresses for online banking", and quite obviously this is going to make people wary of small banks and credit unions who are forced to do ebanking with .com addresses, and consequently make people less likely to use them
    • My guess is that the $50K would be because running a TLD takes resources, and since .bank would be a very exclusive one, the cash to run it would have to come out of somewhere. If it cost $10 a year then the cash for funding it would have to come from somewhere else, but the $50K are probably enough to cover the infrastructure and personnel.

  • I see big business for North Korea selling the domain name "ba.nk".

    This in no way will "fix" the problem. It would however make sure that smaller banks can't get a look in which will help to enforce the monopoly of the large ones... and make a fuck of a lot of money for the people who get to pocket that 50k.

    What would be a far better resource would be a firefox plug-in which highlights the part of the name which is the website, so "itsyourbank.obviouslyphishing.co.uk" would highlight the relevant par
    • ba.nk wouldn't fool browser security updates/certs designed to be damn sure the domain stops at blah.bank and not blah.bank.com or anything as TFA implies.
  • You can usually gauge the strength of someone's position in a debate by how quickly they bring out the strawmen to knock down. The first two items in their "rebuttal" ("New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering." and "But .com works just fine!") are pretty transparent misrepresentations/exaggerations of the arguments made against their proposal.
  • by CTho9305 ( 264265 ) on Sunday May 20, 2007 @02:12PM (#19199455) Homepage
    What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?
  • Uhm...

    Uhm...

    My lawyer says my comment is NO COMMENT.
  • by niceone ( 992278 ) * on Sunday May 20, 2007 @02:24PM (#19199557) Journal
    ...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.
  • by SuperBanana ( 662181 ) on Sunday May 20, 2007 @02:28PM (#19199585)

    Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

    If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

    Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

  • .bullshit (Score:2, Insightful)

    by Anonymous Coward
    I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.

    Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?

    F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.
  • ...of one of these domain names, then it really isn't going to be secure now, is it?
    • by villoks ( 27306 )
      It really doesn't matter as long as the domain names are not confusable with the real bank names. Or would you enter your Citybank PIN code into a website whose address is www.royalscambankofnigeria.bank? In addition, with a 50k registration fee there's enough resources to make very extensive checks to root out the obvious misleading domains - right?
  • by s7uar7 ( 746699 ) on Sunday May 20, 2007 @02:46PM (#19199719) Homepage
    My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

    Is it any wonder people end up falling for phishing sites?
    • Re: (Score:2, Interesting)

      by GigsVT ( 208848 )
      Hah, even worse when companies farm out surveys to some random bulk mailing outfit, so you get an email that claims to be from the place that's actually from some bulk mailing service, sometimes even asking you to log in using your normal credentials on another site (less often with banks though).

  • Won't do jack (Score:3, Informative)

    by Opportunist ( 166417 ) on Sunday May 20, 2007 @02:48PM (#19199735)
    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The number of people actually naive enough to follow instructions in a fraud mail is in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.
  • by KillerCow ( 213458 ) on Sunday May 20, 2007 @02:58PM (#19199793)
    The "point-by-point" response did not address DNS poisoning or l/p obfuscation ( www.citi.bank/youraccount/index.html@fraud.org ).
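Added example (written for this page, not from the thread, F-Secure or any browser vendor) serving two points raised above: the plug-in idea of highlighting only the part of a host name that identifies the site, and the l/p obfuscation trick just mentioned. It uses the standard WHATWG URL parser, which ends the authority at the first '/', so the form quoted above yields host www.citi.bank while `http://www.citi.bank@fraud.org/...` yields host fraud.org with `www.citi.bank` as a username; the function names are hypothetical and the suffix list is a constructed subset of the Public Suffix List.

```javascript
// Added example: display a link the way the proposed plug-in would, with the
// registrable domain bracketed, and flag the credentials-in-URL (l/p
// obfuscation) trick and bare-IP links. Relies on the global URL class
// (WHATWG parser, present in Node and browsers). Function names are
// hypothetical; MULTI_LABEL_SUFFIXES is a constructed subset of the Public
// Suffix List, which a real extension would load in full.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "ac.uk", "com.au", "co.jp"]);

// The part of the host a registrar actually handed out, e.g.
// "obviouslyphishing.co.uk" for "itsyourbank.obviouslyphishing.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  if (labels.length < 2) return host.toLowerCase();
  const suffixLabels = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-suffixLabels).join(".");
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// What a link really points to, plus warnings suitable for a status-bar display.
function analyzeLink(urlString) {
  const u = new URL(urlString);
  const host = u.hostname; // the host the browser will actually connect to
  const ip = isIpLiteral(host);
  const registrable = ip ? host : registrableDomain(host);
  const prefix = host.slice(0, host.length - registrable.length);
  const warnings = [];
  if (u.username !== "" || u.password !== "") {
    // Text before '@' in the authority is login info, not the site; some older
    // clients rendered it as if it were the host, which is the trick above.
    warnings.push(`credentials in URL: connects to ${host}, not ${u.username}`);
  }
  if (ip) warnings.push("bare IP address instead of a host name");
  if (u.protocol !== "https:") warnings.push("not https");
  return { host, registrable, display: `${prefix}[${registrable}]`, warnings };
}

// j0nb0y's check above, done in software: does the link land on the bank's
// own registrable domain, with no login info smuggled into the URL?
function matchesBank(urlString, bankRegistrableDomain) {
  const a = analyzeLink(urlString);
  const noCredentials = a.warnings.every((w) => !w.startsWith("credentials"));
  return noCredentials && a.registrable === bankRegistrableDomain.toLowerCase();
}
```

For "itsyourbank.obviouslyphishing.co.uk" the display is `itsyourbank.[obviouslyphishing.co.uk]`, which is what the plug-in described above would put in front of the user.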

  • I still wonder, why are the email messages from ebay/paypal/banks/etc not PGP signed?
    If these companies used trusted public keys, which you download from their website or receive when you sign up..
    Any phishing mail would be immediately visible as a scam, and easily deleted. Upstream filters could easily do this too.
  • Even in the financial services industry, there's disagreement over what a "bank" is. Consider

    • PayPal. [paypal.com] Probably ought to be regulated as a bank, but is not.
    • Western Union [westernunion.com], a regulated money transfer service.
    • ETrade [etrade.com] Etrade is a brokerage house, but owns a bank on the side. Both operate under the "etrade.com" domain.
    • Bank of America [bankofamerica.com] is a major bank which owns a brokerage house on the side, the reverse of ETrade.
    • L. F Rothschild. [lfrothschild.com] Once one of the old-line banking houses of Europe, after about three merg
    • by cdrguru ( 88047 )
      All of them, if they register and are found to be legitimate.

      If you have a business that has nothing to do with banking or money and want a .bank domain, you should be able to get one - if you register and pass their requirements. This is why the article makes specific reference to .bank not being the ideal TLD but just one possibility. The idea is that you have a TLD that means the business that registered it has passed a bunch of requirements for being legitimate. Something that your friendly bunch of
  • Dave G. covered this on our blog [matasano.com] last month. There's backstory to this.

    As Mikko acknowledges, the real purpose of ".bank" is not to make it easier for end-users to recognize fake sites. A new TLD does almost nothing to ameliorate that problem; end-users don't know what TLDs are, or what the slash character in a URL means. And before you yelp that end-users should learn that stuff, ask yourself: do you understand how the NANP phone number scheme works, or what the 3-digit exchange number in the middle of yo

  • Maybe it's Bank of America...

    Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate. They may be able to match the main webpage, but they won't be able to match the background and color since only the real website has this information.

    It's easy to train users: Just tell them that all the bank's pages will display their background and color and no others.
    • Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate.

      It's pretty simple, actually. All the phishing site has to do is to fetch the color and picture from the real bank site, pretending to be the user.

    • by jonwil ( 467024 )
      How is that solution resistant to man-in-the-middle attacks?
      Picture this:
      Phisher copies main page. Unsuspecting user logs into fake bank page. Fake bank page passes username and password on to real bank page. User is now on real bank site only fake bank page now has their username and password.
  • We still have 50 million or more computers out there running Win 98SE, and how many have not upgraded to IE7 yet? (hell, I even still have a Win95 machine here! And a DOS 3.3 one, neither of which is used much, but there).

    (I raise my hand for 4 computers for IE7 alone, as corporate has outlawed that yet on machines that connect to that network).

    Yet you expect all 300 million users out there to immediately update their browsers?

    Foolish foolish thinking on your part.
  • Corrupt ICANN and the authorities have always known the answer for authenticating registered trademarks e.g. barclays.bank.uk.reg

    So user could enter this URL directly or barclays.co.uk could be redirected to this as certificate of authentication.

    Obviously, this would work for all other trademarks in other goods or service (called classification) e.g. apple.computer.us.reg

    Please visit http://wipo.org.uk/ [wipo.org.uk] - not connected with the crooks at UN's WIPO.org ;)
  • Uh...they obviously aren't in the financial services industry. Phishing is happening at EVERY level of the spectrum. From the $50 million credit union, to the trillion dollar international conglomerate. They ALL face it. I can see a system of subsidizing for smaller organizations, but I'm just not buying that Citibank will pay to fund the domain of Iowa State Community Credit Union.
  • Is PayPal a "bank"? No, it's an unregulated global internet banking monopoly, but it's not a "bank" (or it would be regulated as one). Should it get a PayPal.bank domain for people to trust?

    What if it did? Should some competing Internet (or real world) payment system that's not regulated as a bank get a .bank domain? If it's not regulated as a bank, why should anyone trust it? Because it's got a .bank domain?

    This whole thing is stupid. Real banks are trusted because they are insured, by the FDIC, FSLIC and/
