F-Secure Responds To Criticism of .bank

Posted by kdawson on Sun May 20, 2007 12:38 PM
from the no-silver-bullets dept.
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."

Related Stories

IT: A Foolproof Way To End Bank Account Phishing? (436 comments)
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
  • Quite frankly, the only way to prevent phishing fraud is through user education.

    If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

    Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

    At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

    This just seems like it would be a big waste of money for all parties involved.
    • Impossible. (Score:5, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Sunday May 20 2007, @12:55PM (#19199321)
      Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

      Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

      A far better solution would be to go for the simpler approach.

      For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

      There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

      And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

      "The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
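A toy model of the out-of-band "press 1 to authorize" flow proposed in the comment above, including the failure mode the replies raise: if the call never completes, the transaction stays pending and the money stays put. This is an added example, not code from F-Secure, the article or any bank; the keypress codes, IP addresses and amounts are constructed.

```python
"""
Out-of-band transaction confirmation as proposed in the thread.
Added example; keypress codes, IP addresses and amounts are constructed.
"""
from dataclasses import dataclass

APPROVE, CANCEL, REPORT_FRAUD = "1", "2", "3"


@dataclass
class Txn:
    txn_id: int
    amount: float
    source_ip: str           # address the online request came from
    status: str = "pending"  # pending -> approved | cancelled | reported


class OutOfBandAuthorizer:
    """Holds initiated transactions until the customer answers on the phone channel."""

    def __init__(self):
        self.txns = {}
        self.flagged_ips = set()  # sources a customer has reported as fraudulent
        self._next_id = 1

    def initiate(self, amount: float, source_ip: str) -> int:
        txn = Txn(self._next_id, amount, source_ip)
        self._next_id += 1
        self.txns[txn.txn_id] = txn
        return txn.txn_id

    def prompt(self, txn_id: int) -> str:
        """Text the voice call reads out; prefixed with a warning when the
        originating address already has fraud reports against it."""
        txn = self.txns[txn_id]
        msg = (f"Press 1 to authorize the transaction in the amount of ${txn.amount:.2f}, "
               "press 2 to cancel or press 3 to report a fraudulent transaction.")
        if txn.source_ip in self.flagged_ips:
            msg = (f"The transaction for the amount ${txn.amount:.2f} is originating from "
                   "an address with a history of reports of fraudulent behaviour. " + msg)
        return msg

    def respond(self, txn_id: int, keypress) -> str:
        """Apply the customer's keypress. None models a busy line or no answer:
        nothing changes, so the transaction fails closed and stays pending."""
        txn = self.txns[txn_id]
        if txn.status != "pending":
            raise ValueError(f"transaction {txn_id} already decided: {txn.status}")
        if keypress == APPROVE:
            txn.status = "approved"
        elif keypress == CANCEL:
            txn.status = "cancelled"
        elif keypress == REPORT_FRAUD:
            txn.status = "reported"
            self.flagged_ips.add(txn.source_ip)  # the bank learns the bad source itself
        return txn.status

    def is_released(self, txn_id: int) -> bool:
        """Only an explicit '1' from the phone channel releases the money."""
        return self.txns[txn_id].status == "approved"
```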
      • Re: (Score:3, Insightful)

        But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).
        • So your transaction isn't released until you get off the phone line and take the call from the bank.

          This is a good thing. The system fails in such a manner that your money STAYS with you.

          This gets to the concept of not doing something if it cannot be secured and verified,
          vs.
          making it as easy as possible for the customer even if it makes it easier for criminals to steal the customer's money.

          • Re: (Score:3, Insightful)

            It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the ba
      • For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

        What I've wanted for years is for my bank to let me specify this for my Mastercard or my Debit card - you go out to dinner, pay with your card and the bank's system calls you and asks you to authorise the payment by pressing a key / entering a password PIN on

    • Or worse... if the security was compromised later, long after the user is accustomed to implicitly trusting the green bar, and their confidential data is given to someone who was not who they thought it was.

      You are right on the money on this issue. Education is the only real solution to the problem, and trying to impose a technological solution to what is ultimately a social problem only makes it that much harder to teach people how to avoid it later because they are that much more used to trusting suppo

    • You are missing the point. The idea is to make this one part of an overall strategy. Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people. Furthermore, user education has limited effectiveness and takes a long period of time. It is unlikely that we would be able to properly educate the majority of people if we had a decade.
      • Except that you are still going to need to educate at least that many people later (more actually, since the population is constantly growing) even *IF* they implement this solution. Delaying education only makes things worse.

        You are right that it would be expensive, but it would be orders of magnitude more effective than a technological solution like a trusted top level domain name that in the end accomplishes nothing more than being a placebo.

    • Re: (Score:3, Insightful)

      OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to educate them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

      My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones losing money or big
      • Re: (Score:3, Insightful)

        It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them en
  • What the ... ? (Score:5, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Sunday May 20 2007, @12:47PM (#19199269)

    Organized online criminals could afford to buy .bank domains for $50,000.

    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Who determines what "misleading domain names" means?

    And we are talking about criminals making MILLIONS of dollars a year.

    Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.
    • The $50,000 presumably isn't the only authentication mechanism. With a $50,000 registration fee it's possible to perform significant checks on the applicants.
      • Either very few will spend the money to get the domain name, in which case there won't be enough information out to know that .bank was 'safe' ... or was it .safe?

        Or lots of banks will spend the money and that will mean lots of different people will be performing the checks.

        Now, you DO realize that we are talking about "criminals", right? The people who already break the law. So things like bribery and extortion will not be forbidden.

        Just look at the drug trade.
        • Yes, look at the drug trade.

          Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

          Does ANYONE think that that would be a good idea? That it would reduce drug smuggling in any way?

          Or would you just laugh at the person naive enough to suggest it?
          • Fallacious logic. The .bank registrar isn't performing a background check on the individual registering the domain. Instead, it's ensuring that the name being registered will actually represent a major financial institution. It's the same case with other "exclusive" domains: I don't think the .gov or .mil registrar performs a background check on the actual person registering the domain, but rather ensures that army.mil truly represents the United States Army.

            Granted, there are many more financial instit
          • It's an entirely different situation, a domain would only work until they were reported, i.e. the first time someone was ripped off. Then the domain would have to close and the phishers would be out $50,000. They would have to be very sure of returning more than $50k which means most phishing would stop.
    • Pfft. (Score:5, Insightful)

      by way2trivial (601132) on Sunday May 20 2007, @01:43PM (#19199693) Homepage Journal
      I'm sorry... how hard is it for me to write software that changes your DNS setting...

      now how safe is the .bank my DNS server sends you to.....

  • "The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with."

    So, uh... build a white list of valid banks. How hard can that be? What are you going to do with that white list, eh? Block everything that isn't on it? This is clearly an idea they haven't thought through, and they felt a little defensive about it after the thrashing they received from Slashdot. Their defense could use help. Maybe a d

  • Will they assign not.a.bank as a redirect to paypal.com?
  • It wouldn't take much to munge up the /etc/hosts or 'doze LMHOSTS file to make a certain ".bank" name redirect to whatever you want...

    While admittedly it would take a compromise of the user's computer to do it, it still points out the one big, fat inherent weakness of a new TLD: The fact that sites aren't specifically identified by DNS name per se, but by a translation mechanism that points to the real site identifier (IP).

    ('course, the "safety toolbar" could then do a WHOIS check and such, but now we'r

  • He didn't address that point. You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

    Even worse, hackers can start poisoning the hosts on individual machines, which makes it even worse. It's already at a known address: %SystemRoot%\system32\drivers\etc. Once they start adding their own entries into the hosts file for Windows users, they are fucked. It will be so easy to point them wherever the hackers want.

    His suggestion solves NOTHING. In fact, it is extremely shortsi
    • Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

      That's why you need a SECOND CHANNEL to confirm the transaction.

      Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

      This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

      And the bank could quickly build
    • by Colin Smith (2679) on Sunday May 20 2007, @01:49PM (#19199753)
      It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

  • I know it's traditional for slashdotters to NOT RTFA but I'm still surprised how negative people are being about this clearly without having bothered to.

    Name ONE genuinely negative aspect of this to the individual consumer.
    I can't think of one but I'm not so egotistical as to think there might not be one, but there are certainly lots of positive aspects.

    You won't be paying for this, the banks will, why do you care.

    As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help prot
    • Re:I'm surprised (Score:5, Insightful)

      by denebian devil (944045) on Sunday May 20 2007, @01:21PM (#19199529)
      I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

      Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?
    • At the risk of sounding like a troll, one constant of the universe is that for _everything_ you'll get at least the following kinds of responses:

      1. things were working perfectly fine in the good old days, changing things and/or making me learn/do new stuff is _evil_. Someone ought to educate users instead, change the whole culture, whatever. (A.k.a., "back in my days we walked to school 2 miles through the snow, up hill both ways, and we _liked_ it" nostalgia.)

      2. It's a conspiracy and/or it will be bought a
  • I don't understand the purpose of having $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork but it will protect the small banks from expensive registration.

    As the article mentioned this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking asked for national ID
  • I see big business for North Korea selling the domain name "ba.nk".

    This in no way will "fix" the problem. It would however make sure that smaller banks can't get a look in which will help to enforce the monopoly of the large ones... and make a fuck of a lot of money for the people who get to pocket that 50k.

    What would be a far better resource would be a firefox plug-in which highlights the part of the name which is the website, so "itsyourbank.obviouslyphishing.co.uk" would highlight the relevant par
    • ba.nk wouldn't fool browser security updates/certs designed to be damn sure the domain stops at blah.bank and not blah.bank.com or anything as TFA implies.
  • You can usually gauge the strength of someone's position in a debate by how quickly they bring out the strawmen to knock down. The first two items in their "rebuttal" ("New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering." and "But .com works just fine!") are pretty transparent misrepresentations/exaggerations of the arguments made against their proposal.
  • What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?
  • Uhm...

    Uhm...

    My lawyer says my comment is NO COMMENT.
  • by niceone (992278) * on Sunday May 20 2007, @01:24PM (#19199557) Journal
    ...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.
  • by SuperBanana (662181) on Sunday May 20 2007, @01:28PM (#19199585)

    Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

    If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

    Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

  • by s7uar7 (746699) on Sunday May 20 2007, @01:46PM (#19199719) Homepage
    My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

    Is it any wonder people end up falling for phishing sites?
  • Won't do jack (Score:3, Informative)

    by Opportunist (166417) on Sunday May 20 2007, @01:48PM (#19199735)
    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The amount of people actually naive enough to follow instructions on a fraud mail is in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.
  • by KillerCow (213458) on Sunday May 20 2007, @01:58PM (#19199793)
    The "point-by-point" response did not address DNS poisoning or l/p obfuscation ( www.citi.bank/youraccount/index.html@fraud.org ).

    • Re:Sooo.... (Score:5, Informative)

      by setirw (854029) on Sunday May 20 2007, @12:53PM (#19199315) Homepage
      The plan is to create a very expensive TLD?

      Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

      The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
      • Re:Sooo.... (Score:4, Interesting)

        by Colin Smith (2679) on Sunday May 20 2007, @01:08PM (#19199423)

        The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
        Not a big problem. The browsers can help there. Those with half a brain will get it, those without are a lost cause anyway. You can't run the world on the basis that it has to be safe for the 5 Watt bulbs.

      • The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

        But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier to users, or at least to some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user tha

        • Re: (Score:3, Insightful)

          So the malware now targets the browser and changes the behavior for yourbank.com-html.129381E07271B84121G34121.omgpwn 3 d.com.br so that it looks legitimate.

          Education is the best line of defense against this type of attack. Too bad one of my credit cards (MNBA) insist on sending me HTML emails with "click here to service your account" to confuse matters (while my other banks tell me to never click a link in an email to do such a thing). The worst bit is they don't seem to care - when I questioned the practic
      • Re: (Score:3, Insightful)

        Expensive isn't necessarily an issue. While 50k seems unreasonable to me, a fee high enough for them to really check and actually do the verification in person would potentially be within the costs of doing business for larger banks. The problem is with smaller banks trying to compete, especially credit unions.

        The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help as well as the ability to keep people
      • I'm disappointed - Mikko's answers pretty much gloss over the real question, which is "Will it work?", ignoring all the technical arguments, and only answering the easy questions. Mikko does talk about how this won't fix the fact that people are stupid, but says it will make software able to work better. I don't see it - if your software lets you click on exAAmplebAAnk.com when you're trying to reach examplebank.com, it'll let you do that when you're trying to reach examplebank.bank, because it only knows what the link says and whether you clicked on it, not what you *thought* the link said.

        You're right about the "real.bank.example.com" problem, and there are lots of other approaches, like

        • http://real.bank@example.com/
        • real.bank.obfuscating-non-ASCII-characters
        • real.bank.3242134832143214.com
        • link text that doesn't match href like real.bank [example.com]
        • links that display an image of "real.bank"
        • Javascript/ActiveX/Flash attacks that do pretty much the same thing, displaying "real.bank" so it looks like a link but making it go to the attacker's site.
        And that doesn't even get into DNS poisoning or hosts-file attacks (though usually by the time an attacker can use hosts-file on you you're totally pwned.)

        There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"
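The checks a mail client or toolbar could apply to the link forms listed in the comment above (userinfo before "@", "bank" as a middle label, non-ASCII labels, link text naming a different host than the href), written as an added example that is not code from F-Secure or the article. The sample links are constructed, and the regular expression deciding that link text "looks like a host" is an assumption of this example.

```python
"""
Detect the link-obfuscation forms listed in the thread before showing a link.
Added example; sample links and the host-like text heuristic are constructed.
"""
import re
from urllib.parse import urlsplit

BANK_TLD = "bank"  # the proposed top-level domain from the story
# Assumption: link text shaped like "a.b" is naming a host and can be compared to the href.
_HOSTLIKE = re.compile(r"^[^\s/@]+\.[^\s/@.]+$")


def effective_host(url: str) -> str:
    """Host the browser actually connects to. Bare names (as the comment lists
    them) are treated as http URLs; userinfo, port and path are discarded."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # drops everything before '@' and after ':' or '/'
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def has_bank_tld(host: str) -> bool:
    """True only when 'bank' is the LAST label, the part a registry controls.
    chase.bank.omgphished.com has 'bank' in the middle and so fails this test."""
    labels = host.split(".")
    return len(labels) >= 2 and labels[-1] == BANK_TLD


def has_idn_label(host: str) -> bool:
    """Non-ASCII or punycode ('xn--') labels: the homograph form in the list."""
    return any(not lbl.isascii() or lbl.startswith("xn--") for lbl in host.split("."))


def classify_link(link_text: str, href: str) -> dict:
    """Return the real host, whether it is under .bank, and the tricks spotted."""
    host = effective_host(href)
    warnings = []
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    if "@" in netloc:
        warnings.append(f"userinfo '{netloc.split('@')[0]}' hides the real host")
    if has_idn_label(host):
        warnings.append("host contains a non-ASCII or punycode label")
    text = link_text.strip()
    if _HOSTLIKE.match(text) or "://" in text:
        text_host = effective_host(text)
        if text_host != host:
            warnings.append(f"link text names {text_host} but goes to {host}")
    return {"host": host, "bank_tld": has_bank_tld(host), "warnings": warnings}


# Constructed samples mirroring the forms listed in the comment.
SAMPLE_LINKS = [
    ("real.bank", "http://real.bank@example.com/"),
    ("real.bank", "real.bank.3242134832143214.com"),
    ("Chase.bank", "https://chase.bank.omgphished.com/login"),
    ("real.bank", "http://example.com/"),
    ("examplebank.bank", "https://examplebank.bank/"),
    ("examplebank.bank", "https://examplebаnk.bank/"),  # Cyrillic 'а' inside the host
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text!r:20} -> {classify_link(text, href)}")
```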

            • Re: (Score:3, Insightful)

              The point isn't to make it expensive, it's to improve security.

              To improve security, really? Unfortunately, a site having a .bank TLD does not convey any additional information to the user. Let's assume you are a bank customer and thus, a potential phishing victim. You will probably have at most a handful of banks that you do business with. All the addresses of all the online banking sites you ever interact with fit on a sticker that you can put below your screen. What exactly is the additional informat

          • Re: (Score:3, Insightful)

            Browsers with Whitelists? Nonsense - Mikko did wave his hand in that direction, but it's such a bogus concept that I'm surprised he even tried that. Blacklists, sure, you can do that, but the main point of a browser is to be able to look at anything on the Internet, so effectively *everything* is whitelisted unless it's blacklisted.

            I suppose you could build a separate browser that only looks at whitelisted sites and tell people to use it instead of their regular browser when they're doing banking - but if

      • Re:Sooo.... (Score:5, Interesting)

        by Znork (31774) on Sunday May 20 2007, @01:48PM (#19199729)
        "you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"

        Nah, they use real .gov domains instead.

        Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...

        The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.

        Further, F-Secure validating all sites under a domain doesn't need a new TLD, they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').

        Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.
    • by zappepcs (820751) on Sunday May 20 2007, @01:04PM (#19199385) Journal
      Exactly how does this protect a user if a worm maps www.citi.bank to an IP address for www.citi.bank.p0wned.com in their host table?

      It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted when in actuality it takes them to a fake site.

      There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.
    • by billstewart (78916) on Sunday May 20 2007, @01:45PM (#19199707) Journal
      Just because ICANN's been dragging their feet on setting up new TLDs because it wants to guarantee that it can make money off the process doesn't mean that we shouldn't have them or that the DNS system can't easily support them. It might dilute the brand value of ".com", which would annoy ICANN, but a few dozen or a few hundred more names wouldn't break anything useful. (A few thousand might, and a few million would, though.)