Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Slashback Security IT

F-Secure Responds To Criticism of .bank 203

Posted by kdawson from the no-silver-bullets dept.
Crimson Fire writes "F-Secure recently offered a solution to the problem of bank-account phishing, and the discussion here of a .bank TLD generated some criticism. In their latest blog entry F-Secure has responded point-by-point."
This discussion has been archived. No new comments can be posted.

F-Secure Responds To Criticism of .bank More

F-Secure Responds To Criticism of .bank

Comments Filter:

  • I'm still not convinced (Score:5, Insightful)

    by j0nb0y ( 107699 ) <jonboy300@ya[ ].com ['hoo' in gap]> on Sunday May 20, 2007 @12:47PM (#19199267) Homepage
    Quite frankly, the only way to prevent phishing fraud is through user education.

    If you're going to spend money on fixing this problem, I think the best place to put it is in user education.

    Suppose .bank goes through. Browsers implement a feature that when a user is at a legitimate SSL protected .bank site, the URL bar turns green.

    At this point, you *still* have to educate users of what this green bar means. So why not just skip this expensive .bank/browser implementation, and go straight for the user education, which you will have to do anyway if you truly want to prevent phishing scams?

    This just seems like it would be a big waste of money for all parties involved.

    • Impossible. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 20, 2007 @12:55PM (#19199321)
      Just about everyone has a bank account. That means educating a mere 300 MILLION people in the US alone.

      Even if you spend just $1 on educating each person, there has got to be a better way to secure online transactions for $300 MILLION.

      A far better solution would be to go for the simpler approach.

      For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

      There, that solves the problem for all people with online banking who also have a phone (say about 99.9% of them).

      And the best thing is that the bank will then have records of what IP addresses are originating the fraudulent transactions and be able to flag those on its own.

      "The transaction for the amount $X is originating from an address with a history of reports of fraudulent behaviour. Press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

      • Re: (Score:3, Insightful)

        by mark-t ( 151149 )
        But that wouldn't work that well for people who connect to the internet via dialup, and while they are trying to perform this action, their phone line is busy (or gets auto-forwarded to voice mail).
        • So your transaction isn't released until you get off the phone line and take the call from the bank.

          This is a good thing. The system fails in such a manner that your money STAYS with you.

          This gets to the concepts of not doing something if it cannot be secured and verified
          vs
          Making it as easy as possible for the customer even it it makes it easier to criminals to steal the customer's money.

          • Re: (Score:3, Insightful)

            by TheRaven64 ( 641858 )
            It also doesn't work for people who spend any time away from their registered telephone. I dated a girl from the USA for a while, and her credit card company had a similar policy. They called her registered address to confirm that her card, being used in the UK, was not being used fraudulently. Unfortunately, being in the UK, she wasn't near the telephone at her registered address. Fortunately, the bank wrote to her at her parents' address just before cancelling the card, and she was able to call the ba
            • If you know you're going to be away from your registered phone number for a while, you can always pre-emptively call your bank/CC company and tell them. If such a verification program were in place, it should be easy to add things like this. Call from your registered phone to their number and give them a new number where you will be reachable, and for how long, where, etc...

              My CC company (Wells Fargo Mastercard) likes to call me when they see charges that are different from my usual purchasing pattern.

      • Re: (Score:2)

        by pdbaby ( 609052 )

        For every transaction you initiate online, the bank will call the phone number that they have on record for you and ask you to "press 1 to authorize the transaction in the amount of $X, press 2 to cancel or press 3 to report a fraudulent transaction".

        What I've wanted for years is for my bank to let me specify this for my Mastercard or my Debit card - you go out to dinner, pay with your card and the bank's system calls you and asks you to authorise the payment by pressing a key / entering a password PIN on

    • Re: (Score:2)

      by mark-t ( 151149 )
      Or worse... if the security was compromised later, long after the user is accustomed to implicitly trusting the green bar, and their confidential data is given to someone who was not who they thought it was.

      You are right on the money on this issue. Education is the only real solution to the problem, and trying to impose a technological solution to what is ultimately a social problem only makes it that much harder to teach people how to avoid it later because they are that much more used to trusting suppo

    • Re: (Score:2)

      by pcgamez ( 40751 ) *
      You are missing the point. The idea is to make this one part of an overall strategy. Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people. Furthermore, user education has limited effectiveness and takes a long period of time. It is unlikely that we would be able to properly educate the majority of people if we had a decade.

      • Re: (Score:2)

        by mark-t ( 151149 )
        Except that you are still going to need to educate at least that many people later (more actually, since the population is constantly growing) even *IF* they implement this solution. Delaying education only makes things worse.

        You are right that it would expensive, but it would be orders of magnitude more effective than a technological solution like a trusted top level domain name that in the end accomplishes nothing more than being a placebo.

      • Re: (Score:2)

        by Khyber ( 864651 )
        "Sure, it is expensive, but it is nowhere near as expensive as say educating a couple billion people."

        Expensive? I can educate a couple bilion people cheaply - make a text website that simply says "Keep your account secure - don't bank online, get off your lazy ass, and learn how to write checks and mail them." and point them to that site.

        Problem solved.

    • Re: (Score:3, Insightful)

      by allgood2 ( 226994 )
      OK, well I can see a massive difference. It's far easier to train a user to recognize a combo of .bank and a green bar as legitimate, than it is to education them on all the various phishing options, and then having to keep them up to date, since new ones are added all the time.

      My biggest issue with the proposal is the cost; and not that it shouldn't charge big banks $50,000 but that it ignores small banks and credit unions. Especially, since it ignores them with a 'they aren't the ones loosing money or big

      • Re: (Score:2)

        by j0nb0y ( 107699 )
        Anti phishing education is actually quite simple right now.

        What's the URL of your bank?

        Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

        All banks have to do is put this information on a nice one sheet insert, and put it in with the account statements that they mail out monthly anyway.

        • Re: (Score:2)

          by dabraun ( 626287 )

          Before you type in your login/bank information, check to make sure that the URL in the URL toolbar is the URL of your bank. If it isn't, then this is most likely a phishing scam, and you shouldn't enter any information.

          Then you get companies like citibank which insists on putting their online credit card access under "citicards.com". How about educating the banks themselves? Get it through their head that they need ONE site with ONE name which is their OFFICIAL name that their customers know.

          Then build a

          • Not just Citibank, what about fairly large institutions like Associated Bank or Household Bank. Household Bank is fine when your banking, but to look up my credit card data, I have to go to HSBC or hsbccreditcard.com. I need a crib sheet just to keep up with the variations of names related to my credit card; and that doesn't even count when a bank decides it needs to distinguish urls for business or personal accounts, checking and savings, etc., etc. Most banks have a litany of urls associated with them. I

      • Re: (Score:3, Insightful)

        by mark-t ( 151149 )
        It's worthwhile to note that bank tellers recognize counterfeits not because they necessarily know what characteristics that particular counterfeit has, but because they handle the real thing all the time, they know what the real thing is supposed to look like, and when something doesn't match what they know, they realize it's a fake. This enables them to even recognize counterfeit bills they may have never seen before. So the idea is that you train people what to look for in the real thing, give them en

  • What the ... ? (Score:5, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday May 20, 2007 @12:47PM (#19199269)

    Organized online criminals could afford to buy .bank domains for $50,000.

    Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

    Who determines what "misleading domain names" means?

    And we are talking about criminals making MILLIONS of dollars a year.

    Spending $50K to make $5,000K is a GREAT deal. After all, EVERYONE knows that if it's a .bank address it's completely safe.
    • The $50,000 presumably isn't the only authentication mechanism. With a $50,000 registration fee it's possible to perform significant checks on the applicants.
      • Either very few will spend the money to get the domain name, in which case there won't be enough information out to know that .bank was 'safe' ... or was it .safe?

        Or lots of banks will spend the money and that will mean lots of different people will be performing the checks.

        Now, you DO realize that we are talking about "criminals", right? The people who already break the law. So things like bribery and extortion will not be forbidden.

        Just look at the drug trade.
        • Yes, look at the drug trade.

          Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

          Does ANYONE think that that would be a good idea? That it would reduce drug smuggling in any way?

          Or would you just laugh at the person naive enough to suggest it?

          • Re: (Score:2)

            by setirw ( 854029 )
            Fallacious logic. The .bank registrar isn't performing a background check on the individual registering the domain. Instead, it's ensuring that the name being registered will actually represent a major financial institution. It's the same case with other "exclusive" domains: I don't think the .gov or .mil registrar performs a background check on the actual person registering the domain, but rather ensures that army.mil truly represents the United States Army.

            Granted, there are many more financial instit
          • It's an entirely different situation, a domain would only work until they were reported, i.e. the first time someone was ripped off. Then the domain would have to close and the phishers would be out $50,000. They would have to be very sure of returning more than $50k which means most phishing would stop.
             

          • Re: (Score:2)

            by vux984 ( 928602 )
            Suppose there was a seal that you could only buy for $50,000 and a background check. But having that seal on your vehicle (no matter what size) meant that your shipment would NEVER be checked by law enforcement. No matter what borders you crossed. No matter what time.

            Right lets keep going with that, because your analagy is flawed, and this will fix it up:

            Now suppose that seal had a serial number as part of its design, and it was displayed prominently. (because each domain name is different)

            Next suppose that

            • Yes. (Score:2)

              by khasim ( 1285 )

              So would you spend $50k on the seal, knowing that anyone who sees you standing on the street with it can report you?

              Sure. Why not?

              Should it pose a problem, your criminal friends can spend their spare time reporting every other seal. The cops won't know the legitimate complaints from the fraudulent ones.

              And all you need is enough time to turn that $50K investment into $5,000K.

              This is not about establishing a permanent presence. This is about cashing out a LOT of money as QUICKLY as possible by exploiting the

    • There are a number of countries that have extensive private banking systems, generally connected with tax-haven free trade environments. You want to start a bank in the Caribbean? It'll cost you more than starting a corporation, and you might need a local partner to sponsor you, but that's well within the range of anybody who's willing to fork over $50K for a bank domain name.

      The harder part is getting a *useful* bank domain name - you're probably not going to get chase-manhattan-grand-cayman-branch.bank

    • Re: (Score:2)

      by vux984 ( 928602 )
      Spending $50K to make $5,000K is a GREAT deal.

      If that were true. Do you have any evidence to support the claim that one phishing site is likely to return 5000k?

      How long does the average phishing site stay active before people figure it out, and it gets shutdown?
      Phishers, from my understanding of it, plow through junk domains, I'm not even sure they go a full day before getting knocked offline, and probably only hours before they a get added to the list of known phish sites and get blocked by 'anti-phish' so

    • Pfft. (Score:5, Insightful)

      by way2trivial ( 601132 ) on Sunday May 20, 2007 @01:43PM (#19199693) Homepage Journal
      I'm sorry... how hard is it for me to write software that changes your DNS setting...

      now how safe is the .bank my DNS server sends you to.....

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Okay, change my DNS settings then.

        Wait, you need to actually install that software on my computer? Then how is it different from any other piece of malware that could possibly be installed on my computer? If a computer isn't secure then you shouldn't be using it for online banking in the first place.
        • The GP isn't insightful, it's an obvious commentary that has nothing to do with the problem at hand. The parent is right, if your computer is already compromised you're well past the phishing stage.

    • And we are talking about criminals making MILLIONS of dollars a year.

      They might stop immediately as they notice that selling .bank domains yields much higher profits.

  • "The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with."

    So, uh... build a white list of valid banks. How hard can that be? What are you going to do with that while list, eh? Block everything that isn't on it? This is clearly an idea they haven't throught through, and they felt a little defensive about it after the thrashing they received from Slashdot. Their defense could use help. Maybe a d

  • Will they assign not.a.bank as a redirect to paypal.com?
  • It wouldn't take much to munge up the /etc/hosts or 'doze LMHOSTS file to make a certain ".bank" name redirect to whatever you want...

    While admittedly it would take a compromise of the user's computer to do it, it still points out the one big, fat inherent weakness of a new TLD: The fact that sites aren't specifically identified by DNS name per se, but by a translation mechanism that points to the real site identifier (IP).

    ('course, the "safety toolbar" could then do a WHOIS check and such, but now we'r

    • Re: (Score:2, Insightful)

      by EvanED ( 569694 )
      course, the "safety toolbar" could then do a WHOIS check and such, but now we're just adding layers of complexity.

      Or, you know, a check of the SSL certificate, which you'll need to do anyway.
    • DNS can be authenticated. Without a valid .bank domain certificate it isn't a valid domain and the browser would be correct to mention such. The only way to get a .bank certificate would be to have a real .bank domain.

       
  • He didn't address that point. You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

    Even worse, hackers can start poisoning the hosts on individual machines, which makes it even worse. It's already at a known address: %SystemRoot%\system32\drivers\etc. Once they start adding their own entries into the hosts file for Windows users, they are fucked. It will be so easy to point them whereever the hackers want.

    His suggestion solves NOTHING. In fact, it is extremely shortsi
    • Once you have control of their workstation, there's really nothing you can do ONLINE that can be safe.

      That's why you need a SECOND CHANNEL to confirm the transaction.

      Which is why the bank should be calling your phone number and asking you to press "1" to authorize the transaction.

      This won't stop them from re-routing your transactions. If you're trying to send $500 from your bank account, they can re-route it to their account. But they couldn't make any DIFFERENT transactions.

      And the bank could quickly build

      • Re: (Score:2)

        by jonwil ( 467024 )
        The best idea I have seen is the idea of a little calculator type device that you plug the transaction details (amount and account number into) and get a hash back that you feed to the bank. That way, unless the hacker is able to steal the number inside the little calculator, they can't steal any money. Solves phishing, hosts file attacks, trojan horses, keyloggers and rootkits.

    • Re: (Score:2, Insightful)

      by EvanED ( 569694 )
      You can poison DNS servers so that it will set the .bank addresses to other DNS servers.

      And then you go to that site... and the browser says "your SSL certificate's no good".

      You would also need to compromise one of the SSL certificate authorities.

    • And how does that get round a domain cert? (Score:4, Informative)

      by Colin Smith ( 2679 ) on Sunday May 20, 2007 @01:49PM (#19199753)
      It doesn't. Any random IP address added would have to have a valid .bank domain certificate. The hackers would have to compromise the OS and browser to bypass this, not just the hosts file. Certainly possible, but an order of magnitude harder.

       
  • I know its traditional for slashdotters to NOT RTFA but I'm still surprised how negative people are being about this clearly without having bothered to.

    Name ONE genuinely negative aspect of this to the individual consumer.
    I can't think of one but I'm not so egotistical as to think there might not be one, but there are certainly lots of positive aspects.

    You won't be paying for this, the banks will, why do you care.

    As TFA states there are .aero for aviation, and .museum, so why not .bank to actually help prot

    • Re:I'm suprised (Score:5, Insightful)

      by denebian devil ( 944045 ) on Sunday May 20, 2007 @01:21PM (#19199529)
      I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

      Not every solution can solve every problem, but adding the .bank TLD does solve at least some problems. So why not implement it, and come up with other solutions for the problems that it doesn't solve?

      • I'm also confused by the overwhelmingly negative reaction. Most of the complaints about this .bank suggestion fall under the category of "It doesn't solve problem X, therefore it's a worthless security measure."

        They are trying to be polite. For those who fail to understand the point, let me express it this way: The entire .bank proposal is utter bullshit. The real problem of phsihing and related attacks (namely pharming and Trojans) is pretty simple: doing business over a compromised channel. We do hav

    • Re: (Score:2)

      by Ilgaz ( 86384 ) *
      I have read/commented on first story and after reading this one and comments, I'd say everyone to check http://www.phishtank.com/ [phishtank.com] and enjoy that mess they are defending.
    • At the risk of sounding like a troll, one constant of the universe is that for _everything_ you'll get at least the following kinds of responses:

      1. things were working perfectly fine in the good old days, changing things and/or making me learn/do new stuff is _evil_. Someone ought to educate users instead, change the whole culture, whatever. (A.k.a., "back in my days we walked to school 2 miles through the snow, up hill both ways, and we _liked_ it" nostalgia.)

      2. It's a conspiracy and/or it will be bought a
  • I don't understand the purpose of having $50,000 registration. The banks are officially recognized by their states. Wouldn't it be sufficient to get an approval from the state? I understand this may require little more paperwork but it will protect the small banks from expansive registration.

    As the article mentioned this is not a silver bullet. For example, this won't solve DNS hijacking. Recently, I have observed such an attack. The victim told me that the bank site he was looking asked for national ID
    • These seem to be the main issues here: Banks and other forms of attack such as DNS hijacking.

      F-secure's comment on this not being an issue for small banks/credit unions doesn't make sense. I assume that if this .bank domain was approved, there'd be a mass marketing push for "Only use .bank addresses for online banking", and quite obviously this is going to make people wary of small banks and credit unions who are forced to do ebanking with .com addresses, and consequently make people less likely to use them
    • My guess is that the $50K would be because running a TLD takes resources, and since .bank would be a very exclusive one, the cash to run it would have to come out of somewhere. If it cost $10 a year then the cash for funding it would have to come from somewhere else, but the $50K are probably enough to cover the infrastructure and personnel.

  • I see big business for North Korea selling the domain name "ba.nk".

    This in no way will "fix" the problem. It would however make sure that smaller banks can't get a look in which will help to enforce the monopoly of the large ones... and make a fuck of a lot of money for the people who get to pocket that 50k.

    What would be a far better resource would be a firefox plug-in which highlights the part of the name which is the website, so "itsyourbank.obviouslyphishing.co.uk" would highlight the relevant par
    • ba.nk wouldn't fool browser security updates/certs designed to be damn sure the domain stops at blah.bank and not blah.bank.com or anything as TFA implies.
  • You can usually gauge the strength of someone's position in a debate by how quickly they bring out the strawmen to knock down. The first two items in their "rebuttal" ("New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering." and "But .com works just fine!") are pretty transparent misrepresentations/exaggerations of the arguments made against their proposal.

  • What are the consequences when a bad guy gets in? (Score:3, Interesting)

    by CTho9305 ( 264265 ) on Sunday May 20, 2007 @01:12PM (#19199455) Homepage
    What are the consequences if somebody malicious does manage to register a misleading .bank domain name? What happens if a .bank or .safe site is hacked? Will they reimburse fraud victims and provide credit monitoring services, or just say, "oops"?
  • Uhm...

    Uhm...

    My lawyer says my comment is NO COMMENT.

  • One thing they don't address... (Score:3, Insightful)

    by niceone ( 992278 ) * on Sunday May 20, 2007 @01:24PM (#19199557) Journal
    ...is phishing sites that are not banks. Just look at all the phishing of myspace passwords for an example. This is bound to increase in the future as more of our lives move online. So, people need to be able to recognise phishing in many more cases than .bank will handle.

  • What does this do to address URL display bugs? (Score:3, Interesting)

    by SuperBanana ( 662181 ) on Sunday May 20, 2007 @01:28PM (#19199585)

    Nothing in this addresses links that show up in email clients or browsers as say, www.yourbankyouknowandlove.com instead of where they really take you- an IP address of some random server run by the phisher.

    If email clients were fixed to show the REAL url on mouseover, people wouldn't click the links in the first place. If browsers (well, mostly IE) were fixed such that you couldn't obfuscate the *real* URL, people would realize quickly what was going on.

    Working with a lot of office people, they're all sharp enough to pick up on stuff like this pretty quickly (we use all macs, so we have neither problem- Safari and Apple Mail aren't "spoofed.")

  • .bullshit (Score:2, Insightful)

    by Anonymous Coward
    I think that F-Secure might be more interested in .savingFace than anything else. .bank is a stupid idea proposed by someone who has no understanding of DNS.

    Who will be liable when the crime gangs start poisoning DNS and consumers enter details into what they believe is a .bank domain? Will F-Secure be liable for coming up with such a stupid idea?

    F-Secure are a laughing stock, this is a PR exercise that fails to address any of the real points.
  • ...of one of these domain names, then it really isn't going to be secure now, is it?

    • Re: (Score:2)

      by villoks ( 27306 )
      It really doesn't matter as long as the the domain names are not confusing with the real bank names. Or would you enter your pincode to Citybank to website, which address is www.royalscambankofnigeria.bank? In addition, with 50k registration fee there's enough resources to make very extensive checks to root out the obvious misleading domains - right?

  • The Banks Don't Help Themselves (Score:4, Interesting)

    by s7uar7 ( 746699 ) on Sunday May 20, 2007 @01:46PM (#19199719) Homepage
    My current account is with NatWest, website www.natwest.com, who's online banking is on www.nwolb.com. My main credit card is with Tesco (www.tesco.com). Their financial site is www.tescofinance.com and their online banking site is cardsonline-consumer.com.

    Is it any wonder people end up falling for phishing site?

    • Re: (Score:2, Interesting)

      by GigsVT ( 208848 )
      Hah, even worse when companies farm out surveys to some random bulk mailing outfit, so you get an email that claims to be from the place that's actually from some bulk mailing service, sometimes even asking you to log in using your normally credentials on another site (less often with banks though).

  • Won't do jack (Score:3, Informative)

    by Opportunist ( 166417 ) on Sunday May 20, 2007 @01:48PM (#19199735)
    I think I used the same subject line for the original suggestion, I use it again: All the "explanations" and answers don't even touch the actual problem at hand.

    The far bigger problem are trojans that hijack the system to siphon login data from the user, either using browser plugins or hooks into the system. No .bank or .whatever TLD will solve this. The amount of people actually naive enough to follow instructions on a fraud mail are in decline. Every bank I know already informs its customers at least 10 times and every time they log in that they will NEVER EVER contact them via email and ask for login data. Almost all data currently stolen is grabbed when users log in to the real bank site and do their online business.

  • They missed the 2 biggest flaws... (Score:3, Interesting)

    by KillerCow ( 213458 ) on Sunday May 20, 2007 @01:58PM (#19199793)
    The "point-by-point" response did not address DNS poisoning or l/p obsfucation ( www.citi.bank/youraccount/index.html@fraud.org ).

  • I still wonder, why are the email messages from ebay/paypal/banks/etc not PGP signed?
    If these companies used trusted public keys, which you download from their website or receive when you sign up..
    Any phishing mail would be immediately visible as a scam, and easily deleted. Upstream filters could easily do this too.

  • Even in the financial services industry, there's disagreement over what a "bank" is. Consider

    • PayPal. [paypal.com] Probably ought to be regulated as a bank, but is not.
    • Western Union [westernunion.com], a regulated money transfer service.
    • ETrade [etrade.com] Etrade is a brokerage house, but owns a bank on the side. Both operate under the "etrade.com" domain.
    • Bank of America [bankofamerica.com] is a major bank which owns a brokerage house on the side, the reverse of ETrade.
    • L. F Rothschild. [lfrothschild.com] Once one of the old-line banking houses of Europe, after about three merg

    • Re: (Score:2)

      by cdrguru ( 88047 )
      All of them, if they register and are found to be legitimate.

      If you have a business that has nothing to do with banking or money and want a .bank domain, you should be able to get one - if you register and pass their requirements. This is why the article makes specific reference to .bank not being the ideal TLD but just one possibility. The idea is that you have a TLD that means the business that registered it has passed a bunch of requirements for being legitimate. Something that your friendly bunch of

  • Dave G. covered this on our blog [matasano.com] last month. There's backstory to this.

    As Mikko acknowledges, the real purpose of ".bank" is not to make it easier for end-users to recognize fake sites. A new TLD does almost nothing to ameliorate that problem; end-users don't know what TLDs are, or what the slash character in a URL means. And before you yelp that end-users should learn that stuff, ask yourself: do you understand how the NANP phone number scheme works, or what the 3-digit exchange number in the middle of yo

  • Maybe it's Bank of America...

    Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate. They may be able to match the main webpage, but they won't be able to match the background and color since only the real website has this information.

    It's easy to train users: Just tell them that all the bank's pages will display their background and color and no others.

    • Anyway, they let you choose a color and background pattern (or even your own picture). When you visit their website, it displays that picture and color. This is extremely difficult for phishing sites to emulate.

      It's pretty simple, actually. All the phishing site has to do is to fetch the color and picture from the real bank site, pretending to be the user.

    • Re: (Score:2)

      by jonwil ( 467024 )
      How is that solution resistant to man-in-the-middle attacks?
      Picture this:
      Phisher copies main page. Unsuspecting user logs into fake bank page. Fake bank page passes username and password on to real bank page. User is now on real bank site only fake bank page now has their username and password.
  • We still have 50 million or more computers out there running Win 98SE, and how many have not upgraded to IE7 yet? (hell, I even still have a Win95 machine here! And a DOS 3.3 one, niether of which is used much, but there).

    (I raise my hand for 4 computers for IE7 alone, as corporate has outlawed that yet on machines that connect to that network).

    Yet you expect all 300 million users out there to immediately update their browsers?

    Foolish foolish thinking on your part.
  • Corrupt ICANN and the authorities have always known the answer for authenticating registered trademarks e.g. barclays.bank.uk.reg

    So user could enter this URL directly or barclays.co.uk could be redirected to this as certificate of authentication.

    Obviously, this would work for all other trademarks in other goods or service (called classification) e.g. apple.computer.us.reg

    Please visit http://wipo.org.uk/ [wipo.org.uk] - not connected with the crooks at UN's WIPO.org ;)
  • Uh...they obviously aren't in the financial services industry. Phishing is happening at EVERY level of the spectrum. From the $50 million credit union, to the trillion dollare international conglomerate. They ALL face it. I can see a system of subsidizing for smaller organizations, but I'm just not buying that Citibank will pay to fund the domain of Iowa State Community Credit Union.
  • Is PayPal a "bank"? No, it's an unregulated global internet banking monopoly, but it's not a "bank" (or it would be regulated as one). Should it get a PayPal.bank domain for people to trust?

    What if it did? Should some competing Internet (or real world) payment system that's not regulated as a bank get a .bank domain? If it's not regulated as a bank, why should anyone trust it? Because it's got a .bank domain?

    This whole thing is stupid. Real banks are trusted because they are insured, by the FDIC, FSLIC and/

Slashdot Top Deals

Avoid strange women and temporary variables.

Close