F-Secure Responds To Criticism of .bank 203
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
What about DNS hijacking? (Score:2, Interesting)
As the article mentioned this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking asked for national ID number even though the bank officially announced that they would never ask that information at their website. He further told me that the webpage looked little different on his computer compared to his friend's powermac. I was skeptical since I thought if you type a name, you should get the correct IP of the bank. Note that I don't use windows but I'm an expert on linux. So for me, DNS hijacking meant that the DNS server the computer talking was giving the wrong IP. Anyway, I checked the ip of the bank in his computer and did a reverse ip lookup on the web. The first red flag was that the IP was mapped to a dynamic name, further more IP was different when I looked at it on powermac. Luckily for him, spyware doctor was on the computer, so with little hope I run it. It gave warnings on some entries in hosts file. Apparently windows also have some kind of
Re:Sooo.... (Score:4, Interesting)
What are the consequences when a bad guy gets in? (Score:3, Interesting)
Once you crack the workstation, it's over. (Score:3, Interesting)
That's why you need a SECOND CHANNEL to confirm the transaction.
Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.
This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.
And the bank could quickly build up a list of known fraudulent addresses.
Re:Sooo.... (Score:3, Interesting)
But we can trust that if this becomes a standard, browser makers will take advantage of it to make life easier to users, or at least to some users. Just like Firefox turns the URL bar yellow for SSL sites, and IE7 turns it green (I think), there could be some UI cue telling the user that he's visiting a real .bank website. Whether users will pay attention to this and realize that the lack of this cue means potential trouble, well, that's a different story.
I think .bank would add an extra layer of online banking security, and that's a big plus IMO.
What does this do to address URL display bugs? (Score:3, Interesting)
Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.
If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.
Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")
Re:Sooo.... (Score:1, Interesting)
The Banks Don't Help Themselves (Score:4, Interesting)
Is it any wonder people end up falling for phishing site?
Re:Sooo.... (Score:5, Interesting)
Nah, they use real
Seriously tho, when it comes to banks they're even harder than governments to tell apart the good guys from the bad guys. Banking regulations are not at all the same over the world, and I suspect it might not be that hard for serious phishers to get a 'real' bank registered in some less regulated country. And would
The very idea that security vendors would automatically trust anything just because it had special domain or a special designation has me wondering how seriously they've tried to break their own idea.
Further, F-Secure validating all sites under a domain doesnt need a new TLD, they could just as well register
Of course, the trouble with both certificates and validated domains is essentially that you get more profit the less you validate and the more customers you accept. Which means it's not in the providers actual financial interest to do what they say they do. Which is why we have Verisign and co suggesting brand-spanking-new extraspecial validated certificates. Which they have all the incentive to turn into crap and then come up with yet another, extraextraspecial validated... etc.
They missed the 2 biggest flaws... (Score:3, Interesting)
Re:The Banks Don't Help Themselves (Score:2, Interesting)