F-Secure Responds To Criticism of .bank
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
I'm still not convinced (Score:5, Insightful)
If you're going to spend money on fixing this problem, I think the best place to put it is in user education.
Suppose
At this point, you *still* have to educate users about what this green bar means. So why not just skip this expensive
This just seems like it would be a big waste of money for all parties involved.
What the ... ? (Score:5, Insightful)
Who determines what "misleading domain names" means?
And we are talking about criminals making MILLIONS of dollars a year.
Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a
Impossible. (Score:5, Insightful)
Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.
A far better solution would be to go for the simpler approach.
For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).
And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.
"The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".
Re:User's software... (Score:5, Insightful)
It gives the user a false sense of security, thinking that typing www.citi.bank into their browser will take them to a secure site that has been vetted, when in actuality it takes them to a fake site.
There is simply no way to ensure that the Internet is safe for users unless you spend time and resources to educate those users in methods that they themselves can use to determine if they are talking to a scam site or not.
Re:Impossible. (Score:3, Insightful)
Re:I'm surprised (Score:5, Insightful)
Not every solution can solve every problem, but adding the
Re:Sooo.... (Score:3, Insightful)
The thing which concerns me is the question of how they would prevent DNS attacks aimed at redirecting traffic to those sites to a filter site. Certificates help as well as the ability to keep people from randomly registering with a
When some banks are rumored to not even have the login page secured, it seems odd to think that this kind of security would fix that. The banks I use could get some benefit out of it. But probably the best thing would be to remember that online fraud and phishing is a lesser cause of fraud than are fraudulent checks by third party scam artists.
One thing they don't address... (Score:3, Insightful)
Mikko Doesn't Really Answer the "Will it Work" (Score:5, Insightful)
You're right about the "real.bank.example.com" problem, and there are lots of other approaches,
like
There's another class of n00b phishing attacks that use the real.bank name as social engineering - "Dear subscriber, we're changing the name of our website to EXAMPLEBANK.BANK to improve security! Please verify your information on the old website, EXAAMPLEBAANK.com, to make sure your access continues to work!"
Re:...and if a trojan messes with hosts/LMHOSTS? (Score:2, Insightful)
Or, you know, a check of the SSL certificate, which you'll need to do anyway.
Re:Sooo.... (Score:2, Insightful)
Shopping carts, mall websites, payment gateways -- anything with a payment form on the site... they are all attacked more than "banks" right now. It's easier to skim a lot of small insecure sites than hit one big well-protected one. I learned that from Neuromancer.
Re:What about DNS poisoning? (Score:2, Insightful)
And then you go to that site... and the browser says "your SSL certificate's no good".
You would also need to compromise one of the SSL certificate authorities.
.bullshit (Score:2, Insightful)
Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a
F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.
Re:I'm still not convinced (Score:3, Insightful)
My biggest issue with the proposal is the cost, and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially since it ignores them with a 'they aren't the ones losing money or big money' statement. If small banks and credit unions can't get access to the
F-Secure mentions Finland, which has a very low rate of phishing due to the fact of its mail confirmations of address. My thoughts are if the
The proof of years in operation as an exchange for relief from cost seems like a small trade-off to me. I would assume most phishers wouldn't be willing to wait 3-5 years and still fork out $10-$15,000 just to engage in a scam. Plus most newly established credit unions and banks fail or succeed (however marginally) within similar time frames to the average business (3-5 yrs). Obviously, the verification process would be key, but this would allow small banks and credit unions the same level of security as large banks.
Pfft. (Score:5, Insightful)
now how safe is the
More TLDs are Just Fine (Score:5, Insightful)
Re:Think about that. (Score:3, Insightful)
The last but one time I visited the USA, I ordered some things from Amazon.com. If this plan had been implemented, I would have had to wait until I got home and then received the phone call. This would have been a bit late for me to receive the things sent to me in the USA...
Re:I'm still not convinced (Score:3, Insightful)
Re:Sooo.... (Score:2, Insightful)
Re:Pfft. (Score:2, Insightful)
Wait, you need to actually install that software on my computer? Then how is it different from any other piece of malware that could possibly be installed on my computer? If a computer isn't secure then you shouldn't be using it for online banking in the first place.
Re:Sooo.... (Score:3, Insightful)
Education is the best line of defense against this type of attack. Too bad one of my credit cards (MNBA) insists on sending me HTML emails with "click here to service your account" to confuse matters (while my other banks tell me to never click a link in an email to do such a thing). The worst bit is they don't seem to care - when I questioned the practice 18 months ago I got nowhere
Re:Mikko Doesn't Really Answer the "Will it Work" (Score:3, Insightful)
To improve security, really? Unfortunately, a site having a .bank TLD does not convey any additional information to the user. Let's assume you are a bank customer and thus, a potential phishing victim. You will probably have at most a handful of banks that you do business with. All the addresses of all the online banking sites you ever interact with fit on a sticker that you can put below your screen. What exactly is the additional information you would get from all the addresses ending in .bank?
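Two points raised in this thread can be turned into a concrete customer-side check: the "real.bank.example.com" trick (a label called "bank" that is not the TLD), the lookalike-name trick (EXAAMPLEBAANK.com posing as EXAMPLEBANK.BANK), and the observation above that a customer's real banking addresses fit on a sticker under the screen. The code below is an added example, not from the thread or from F-Secure; the trusted hosts and the URLs are constructed, and the "brand" comparison uses the second-level label only, which is an assumption that does not cover multi-part public suffixes such as co.uk.

```python
"""Classify a banking URL the way a cautious customer should read it."""
from urllib.parse import urlsplit

# Constructed whitelist: the handful of banking hosts this user actually uses
# (the "sticker under the screen"). Not real bank hostnames.
TRUSTED_HOSTS = {"examplebank.bank", "online.examplebank.com"}


def hostname(url: str) -> str:
    """Lower-case host part of a URL; bare hostnames are accepted too.
    urlsplit drops any user@ prefix, so https://examplebank.bank@evil.example
    is correctly read as evil.example."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def under_bank_tld(host: str) -> bool:
    """True only if the final label is 'bank'; 'bank' elsewhere does not count."""
    return host.split(".")[-1] == "bank"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss spellings of a trusted brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED_HOSTS, max_edits: int = 2) -> str:
    """Return 'trusted', 'subdomain-trick', 'lookalike' or 'unknown'."""
    host = hostname(url)
    if host in trusted:                 # exact match against the sticker wins
        return "trusted"
    labels = host.split(".")
    if "bank" in labels[:-1]:           # e.g. real.bank.example.com
        return "subdomain-trick"
    if len(labels) < 2:
        return "unknown"
    brand = labels[-2]                  # assumption: second-level label is the brand
    for t in trusted:
        # same or nearly the same brand, but not a host on the sticker
        if levenshtein(brand, t.split(".")[-2]) <= max_edits:
            return "lookalike"
    return "unknown"
```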
Re:Mikko Doesn't Really Answer the "Will it Work" (Score:3, Insightful)
I suppose you could build a separate browser that only looks at whitelisted sites and tell people to use it instead of their regular browser when they're doing banking - but if that became at all popular, phishers would start sending out their own special browsers or (more realistically, given the size) emails about the special browser-update download you need to install to use your bank safely, and they wouldn't even need to target it to a specific bank - they could send the mail "from" Microsoft or The Federal Banking Regulatory Agency or whatever, and gullible people would install it. That kind of attack does suffer from diminishing returns - the world will never run out of gullible people, but the gullible people can run out of money