F-Secure Responds To Criticism of .bank

Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
  • by 9gezegen ( 824655 ) on Sunday May 20, 2007 @02:08PM (#19199415)
    I don't understand the purpose of having a $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require a little more paperwork, but it will protect the small banks from expensive registration.

    As the article mentioned, this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking at asked for a national ID number even though the bank officially announced that they would never ask for that information at their website. He further told me that the webpage looked a little different on his computer compared to his friend's PowerMac. I was skeptical since I thought if you type a name, you should get the correct IP of the bank. Note that I don't use Windows but I'm an expert on Linux. So for me, DNS hijacking meant that the DNS server the computer was talking to was giving the wrong IP. Anyway, I checked the IP of the bank on his computer and did a reverse IP lookup on the web. The first red flag was that the IP was mapped to a dynamic name; furthermore, the IP was different when I looked at it on the PowerMac. Luckily for him, Spyware Doctor was on the computer, so with little hope I ran it. It gave warnings on some entries in the hosts file. Apparently Windows also has some kind of /etc/hosts file. The attacker (probably using some Windows vulnerability) successfully added 20-30 bank names to the hosts file, all of which mapped to his machine. On his machine, he probably has copies of the entrance pages for each bank. Anyway, this kind of attack (which I understand is very common) will not be solved with the TLD .bank.
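
    A defender-side check for the hosts-file hijack described in the comment above, as an added example (not code from the post or from F-Secure): it parses hosts-file text, flags any banking hostname pinned to a non-loopback address, and counts how many names each address serves. The sample hosts lines and the 203.0.113.7 address are constructed; the watchlist reuses bank hostnames mentioned elsewhere on this page.

```python
import ipaddress

# Constructed sample hosts-file content (not from the original post); the
# 203.0.113.0/24 range is reserved for documentation, so it is never a real server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# the kind of entries the comment above describes
203.0.113.7     www.natwest.com
203.0.113.7     www.nwolb.com   nwolb.com
203.0.113.7     www.tescofinance.com
127.0.0.1       ads.example.invalid
"""

# Bank hostnames mentioned on this page; a genuine hosts file has no reason
# to pin any of them to a fixed address.
BANK_WATCHLIST = {
    "www.natwest.com", "www.nwolb.com", "nwolb.com",
    "www.tescofinance.com", "cardsonline-consumer.com",
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in fields[1:]:
            yield ip, name.lower()

def suspicious_entries(text, watchlist=BANK_WATCHLIST):
    """Return [(ip, hostname)] for watchlisted names pinned to a non-loopback IP."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if name in watchlist and not ip.is_loopback]

def names_per_ip(text):
    """Count distinct names per address; many bank names resolving to one
    address is exactly the pattern the comment above found."""
    counts = {}
    for ip, name in parse_hosts(text):
        counts.setdefault(str(ip), set()).add(name)
    return {ip: len(names) for ip, names in counts.items()}
```

Running suspicious_entries(SAMPLE_HOSTS) on the constructed input lists the four bank names pinned to 203.0.113.7.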
  • Re:Sooo.... (Score:4, Interesting)

    by Colin Smith ( 2679 ) on Sunday May 20, 2007 @02:08PM (#19199423)

    The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.
    Not a big problem. The browsers can help there. Those with half a brain will get it, those without are a lost cause anyway. You can't run the world on the basis that it has to be safe for the 5 Watt bulbs.

  • by CTho9305 ( 264265 ) on Sunday May 20, 2007 @02:12PM (#19199455) Homepage
    What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 20, 2007 @02:12PM (#19199457)
    Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

    That's why you need a SECOND CHANNEL to confirm the transaction.

    Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

    This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

    And the bank could quickly build up a list of known fraudulent addresses.
  • Re:Sooo.... (Score:3, Interesting)

    by jorgevillalobos ( 1044924 ) on Sunday May 20, 2007 @02:16PM (#19199489) Homepage

    The only problem I see with .bank is its ineffectiveness against one of the most common phishing URL formats, which uses the form of paypal.com.fakedomain.com. Chase.bank.omgphished.com would probably fool quite a few n00bs.

    But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier for users, or at least for some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.

    I think .bank would add an extra layer of online banking security, and that's a big plus IMO.

  • by SuperBanana ( 662181 ) on Sunday May 20, 2007 @02:28PM (#19199585)

    Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

    If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

    Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

  • Re:Sooo.... (Score:1, Interesting)

    by Anonymous Coward on Sunday May 20, 2007 @02:42PM (#19199673)
    Presumably, England's policy regulating .gov.uk registration is substantially different from the U.S.'s, where there do not exist any .gov sites that do not actually represent government agencies.
  • by s7uar7 ( 746699 ) on Sunday May 20, 2007 @02:46PM (#19199719) Homepage
    My current account is with NatWest, website www.natwest.com, whose online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

    Is it any wonder people end up falling for phishing sites?
  • Re:Sooo.... (Score:5, Interesting)

    by Znork ( 31774 ) on Sunday May 20, 2007 @02:48PM (#19199729)
    "you don't see criminals purporting to represent U.S. government agencies by using fake .gov domains"

    Nah, they use real .gov domains instead.

    Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would .bank deny registration to Offshore Islands Phishermens Bank? Just now I got a google ad advertising 140 Russian banks for sale...

    The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.

    Further, F-Secure validating all sites under a domain doesn't need a new TLD; they could just as well register .bank.us and verify everyone under that (and, hey, just validate US banks under it, just so we have a less wide definition of the word 'bank').

    Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers' actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extra-special validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extra-extra-special validated... etc.
  • by KillerCow ( 213458 ) on Sunday May 20, 2007 @02:58PM (#19199793)
    The "point-by-point" response did not address DNS poisoning or l/p obfuscation ( www.citi.bank/youraccount/index.html@fraud.org ).
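
    An added example (not code from any commenter or from F-Secure) of the link check several comments in this thread ask browsers and mail clients to perform: it resolves the host a URL really connects to, so that the userinfo trick (everything before an '@' in the authority is a username, not the host) and the subdomain trick (chase.bank.omgphished.com) are both exposed, and it accepts a host as a .bank host only when 'bank' is the rightmost label. The sample links are constructed; the 203.0.113.9 address is a documentation-range placeholder.

```python
from urllib.parse import urlsplit

def effective_host(url):
    """Return the host a browser would actually connect to for `url`.

    Anything before an '@' in the authority is userinfo, not the host, so
    http://www.citi.bank@fraud.org/ goes to fraud.org.  A scheme is added when
    missing so a bare 'host/path' string parses as a URL rather than a path.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # strips userinfo and port, lowercases
    return host.rstrip(".") if host else None

def is_under_bank_tld(host):
    """True only when the rightmost label is 'bank'; a '.bank' buried in the
    middle of chase.bank.omgphished.com does not count."""
    return host is not None and host.split(".")[-1] == "bank"

def classify(url):
    """Label a link the way a mail client or browser could on mouseover."""
    host = effective_host(url)
    if host is None:
        return "unparseable"
    if is_under_bank_tld(host):
        return f"{host}: .bank host"
    if ".bank" in host:
        return f"{host}: .bank appears inside a non-.bank host (likely phishing)"
    return f"{host}: not a .bank host"

# Constructed sample links (not from the original thread) covering the cases
# discussed: userinfo obfuscation, subdomain spoofing, a genuine .bank host,
# and a bare IP with the bank name pushed into the path.
SAMPLE_LINKS = [
    "http://www.citi.bank@fraud.org/youraccount/index.html",
    "Chase.bank.omgphished.com/login",
    "https://www.citi.bank/youraccount/",
    "http://203.0.113.9/www.natwest.com/",
]
```

Only the third sample link is reported as a .bank host; the first resolves to fraud.org and the second is flagged as .bank embedded inside another domain.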

  • by GigsVT ( 208848 ) on Sunday May 20, 2007 @07:10PM (#19202213) Journal
    Hah, even worse when companies farm out surveys to some random bulk mailing outfit, so you get an email that claims to be from the place that's actually from some bulk mailing service, sometimes even asking you to log in using your normal credentials on another site (less often with banks though).
