Security firm renews campaign for .bank domain

 

Gallery

By Simon Aughton

Posted on 22 May 2007 at 11:57

F-Secure has renewed its campaign for the introduction of a .bank Web domain that it believes could help to reduce instances of phishing data and identity theft.

The security company is seeking a sponsoring organisation that is willing to promote the domain as part of ICANN's recently announced public consultation on possible new top-level domains (TLDs).

As things stand there is nothing to prevent fraudsters registering a URL containing a bank's name - as F-Secure has noted before - and that is unlikely to change.

The company does not believe that a .bank domain would provide an instant fix for the widespread problem of phishing, but argues that if properly and rigorously controlled it could completely eliminate it in many instances. Not because users would suddenly wise-up and start carefully checking Web addresses, but because the issuing of .bank domains could be restricted, enabling browsers and security applications to better identify phishing sites, by providing a means of clearly identifying legitimate sites.

'There are no rogue sites on .gov domain names,' the Finnish company notes. 'Why? Because you can only get a .gov domain if you really are a US governmental organisation. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verifications steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.'

The TLD would also make it easier for security researchers to figure out which sites are not phishing sites.

'This really isn't as obvious as it sounds, as banks themselves use tons of different domains,' F-Secure explains. 'We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.'

The company rejects concerns that small banks and financial institutions could not afford to register a new domain.

'Small banks are not currently the ones losing the most money,' it notes. 'It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, etc. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank [though it is registered as such in Europe] but they certainly do get phished. They might want to have a secured TLD for account access.'

Scammers, on the other hand, would have to prove that they were a genuine financial institution before a domain is granted - even if they could afford the estimated $50,000 registration fee.

'And in the worst case, a rogue domain would be shut down quickly,' F-Secure says. 'The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.'