Slashback Security IT

F-Secure Responds To Criticism of .bank (203 comments)

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
  • Re:Sooo.... (Score:5, Informative)

    by setirw ( 854029 ) on Sunday May 20, 2007 @01:53PM (#19199315) Homepage
    The plan is to create a very expensive TLD?

    Not only expensive, but also exclusive. As with suffixes like .gov, the difficulty of registering .bank would be less about high cost and more about proof of legitimacy (it doesn't hurt that .bank is also expensive). It'd be very hard for a criminal to prove that he represents a major financial institution. After all, you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains. As long as .bank can truly be as exclusive as .gov or .mil, its level of security is by no means "false."

    The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
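The subdomain format described in the comment above can be told apart from a real .bank host by looking only at the rightmost labels of the parsed hostname. The following is an added example, not part of the original thread; the `TLD_LIKE` list and the "last two labels" approximation of the registrable domain are assumptions (production code should use the Public Suffix List).

```javascript
// Added example: classify a URL by the TLD that DNS will actually resolve,
// not by labels that merely appear somewhere in the hostname.
const RESTRICTED_TLD = "bank";                      // TLD proposed in the article
const TLD_LIKE = new Set(["com", "net", "org", RESTRICTED_TLD]); // constructed list

function hostLabels(urlString) {
  // The WHATWG URL parser lowercases the host; strip a trailing root dot.
  const host = new URL(urlString).hostname.replace(/\.$/, "");
  return host.split(".");
}

function classify(urlString) {
  let labels;
  try {
    labels = hostLabels(urlString);
  } catch {
    return { verdict: "invalid", registrable: null };
  }
  const tld = labels[labels.length - 1];
  // Assumption: registrable domain = last two labels (no Public Suffix List).
  const registrable = labels.slice(-2).join(".");
  if (labels.length >= 2 && tld === RESTRICTED_TLD) {
    return { verdict: "restricted-tld", registrable };
  }
  // Everything left of the registrable domain is chosen freely by its owner,
  // so a TLD-looking label there says nothing about who runs the site.
  const ownerChosen = labels.slice(0, -2);
  if (ownerChosen.some((label) => TLD_LIKE.has(label))) {
    return { verdict: "lookalike-subdomain", registrable };
  }
  return { verdict: "ordinary", registrable };
}

// Constructed sample URLs, taken from the formats named in the comment.
const samples = [
  "https://Chase.BANK./login",
  "https://chase.bank.omgphished.com/login",
  "https://paypal.com.fakedomain.com/",
  "https://www.example.org/",
];
for (const u of samples) {
  const r = classify(u);
  console.log(`${r.verdict.padEnd(20)} ${r.registrable}  <- ${u}`);
}
```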
  • Won't do jack (Score:3, Informative)

    by Opportunist ( 166417 ) on Sunday May 20, 2007 @02:48PM (#19199735)
    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem is trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The number of people actually naive enough to follow instructions in a fraud mail is in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.
  • by Colin Smith ( 2679 ) on Sunday May 20, 2007 @02:49PM (#19199753)
    It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.
