Computing in the real world
SEARCH FOR: IN: Advanced Search
Guest  Level 00    Register Log in

News 

[PSUs]
Tuesday 22nd May 2007
Security firm renews campaign for .bank domain 1:45PM, Tuesday 22nd May 2007
F-Secure has renewed its campaign for the introduction of a .bank Web domain that it believes could help to reduce instances of phishing data and identity theft.

The security company is seeking a sponsoring organisation that is willing to promote the domain as part of ICANN's recently announced public consultation on possible new top-level domains (TLDs).

As things stand there is nothing to prevent fraudsters registering a URL containing a bank's name - as F-Secure has noted before - and that is unlikely to change.

The company does not believe that a .bank domain would provide an instant fix for the widespread problem of phishing, but argues that if properly and rigorously controlled it could completely eliminate it in many instances. Not because users would suddenly wise-up and start carefully checking Web addresses, but because the issuing of .bank domains could be restricted, enabling browsers and security applications to better identify phishing sites, by providing a means of clearly identifying legitimate sites.

'There are no rogue sites on .gov domain names,' the Finnish company notes. 'Why? Because you can only get a .gov domain if you really are a US governmental

 
 
ADVERTISEMENT
organisation. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verifications steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.'

The TLD would also make it easier for security researchers to figure out which sites are not phishing sites.

'This really isn't as obvious as it sounds, as banks themselves use tons of different domains,' F-Secure explains. 'We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.'

The company rejects concerns that small banks and financial institutions could not afford to register a new domain.

'Small banks are not currently the ones losing the most money,' it notes. 'It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, etc. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank [though it is registered as such in Europe] but they certainly do get phished. They might want to have a secured TLD for account access.'

Scammers, on the other hand, would have to prove that they were a genuine financial institution before a domain is granted - even if they could afford the estimated $50,000 registration fee.

'And in the worst case, a rogue domain would be shut down quickly,' F-Secure says. 'The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.'
Simon Aughton

Submit to: Digg  |  Slashdot  |  Del.icio.us  |  Technorati

Related News


Back to top
Compare Broadband
Broadband?
Compare 50+ packages
Enter your postcode below:
Powered by:
Top 10 Broadband
Bookstore Top 5
› See more News
› See more Hot topics

Columns

Prolog:

Tim Danton puts his safety at risk by standing between the internet bullies and Microsoft. › See full Opinion
› See more Columns
›  See more Research Papers