How Banks Could Help Minimize Phishing

One of the fastest growing and biggest problems in the security world today is phishing. Criminals who yearn to take advantage of the trend are swarming like mosquitoes on a warm and muggy summer evening--and they need to be swatted out of existence, fast.

Today it's easy for a crook to set up a Web site with nearly any domain name they want. They take advantage of the situation by registering domains very similar to legitimate commercial domains. Banks and their customers are the biggest targets. In fact, data from the Anti-Phishing Working Group shows that since May 2006, 20,000 new phishing scams have been reported every month. The data also shows that the overwhelming majority of those scams targeted customers of various financial institutions.

Phishing scams fool so many people that a mega-million-dollar antiphishing industry has popped up to produce products and services to help protect people. The tools provide decent proactive defense, but they aren't foolproof, and many people don't use them.

Is there another way to help protect the public against the bank phishing plague? Recently, F-Secure's Mikko Hypponen wrote a brief article for "Foreign Policy" magazine (at the URL below) that proposes an idea that's so obvious I find it really difficult to figure out why no one has acted on it before.

The idea was originally sent to him by a reader of F-Secure's blog back in October 2006 (see the URL below). The idea is simple: The Internet Corporation for Assigned Names and Numbers (ICANN) could establish a new top-level domain (TLD) called something like .bank and allow only legitimate, verified financial institutions to register a name in that level.

Hypponen expands on the idea by suggesting that as an added precaution against scammers--who would undoubtedly attempt to falsify information in an effort to register a name in that TLD--banks and other financial institutions could be charged a hefty fee for new registrations. Hypponen suggests something like $50,000 per domain.

I think that other requirements centered around verification of credentials could be put in place too; these could be kept secret from the public so that scammers aren't sure exactly what they are.

If a .bank TLD were available and had enough publicity, people would quickly become aware that their financial institutions should be using this TLD and could avoid bank Web sites that didn't use it. This would help put a serious damper on phishing scams.
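Two of the points above translate directly into checks a defender can run on a URL before a user trusts it: whether the host really sits under the .bank TLD (and not merely contains "bank" somewhere in its name), and whether the host is a look-alike of a legitimate bank domain of the kind the article says phishers register. The code below is an added example written for this page, not code from the article, F-Secure or any bank; `KNOWN_BANK_DOMAINS`, `is_under_bank_tld` and `lookalike_of` are names chosen here, and the bank domains in the allow-list are constructed.

```python
"""Defensive URL checks motivated by the .bank proposal.

Added example for this page; domain names below are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate bank domains.  Assumption: in practice
# this would be supplied by the banks or by the .bank registry itself.
KNOWN_BANK_DOMAINS = ["examplebank.com", "firstdemo.bank"]


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL (trailing dot removed), or '' if none.

    urlsplit().hostname discards userinfo, so a spoofing URL such as
    'https://examplebank.com@evil.example/' yields 'evil.example', not the
    bank name placed before the '@'.
    """
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_under_bank_tld(url: str) -> bool:
    """True only if the host's final label is 'bank'.

    'examplebank.bank.evil.com' contains 'bank' as a label but is a .com
    domain; looking only at the last label catches that trick.
    """
    labels = hostname_of(url).split(".")
    return len(labels) >= 2 and labels[-1] == "bank"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'examplebank' for 'login.examplebank.com'.

    Assumes single-label TLDs; multi-label public suffixes (co.uk, ...)
    are out of scope for this example.
    """
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def lookalike_of(url: str, known=KNOWN_BANK_DOMAINS, max_distance: int = 2):
    """Return the known bank domain this URL's host imitates, or None.

    The real domain and its subdomains are never flagged.  Anything else is
    a look-alike if the bank's label appears anywhere in the host
    (e.g. 'examplebank.com.evil.net') or if its own registrable label is
    within max_distance edits of the bank's label (e.g. 'exanplebank.com').
    """
    host = hostname_of(url)
    if not host:
        return None
    for legit in known:
        if host == legit or host.endswith("." + legit):
            return None  # genuine site or one of its subdomains
    for legit in known:
        legit_label = registrable_label(legit)
        if legit_label in host:
            return legit
        if edit_distance(registrable_label(host), legit_label) <= max_distance:
            return legit
    return None
```

A browser extension or mail gateway would combine the two: a link that claims to be a bank but is neither under .bank nor on the allow-list, and that `lookalike_of` ties to a known bank, is the case worth warning the user about. The edit-distance threshold is deliberately small; short labels produce false positives quickly as it grows.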

Of course, a .bank TLD wouldn't stop phishing entirely. Several techniques could still be used to fool or take advantage of unsuspecting bank customers; for example, DNS poisoning, man-in-the-middle attacks, cross-site scripting, browser-based URL spoofing, and Trojan horses and keyloggers. So security tools and user education would still be important. Nevertheless, a new TLD would help.

As for creating the TLD, if I understand correctly, it's not up to ICANN to start the process. Instead, some independent entity must request its creation. So, for example, banks (and other financial institutions) could unite in that effort, establish an entity that would handle domain name registration requests (and the related services), and formally petition ICANN to create the new TLD. ICANN would then review the proposal and decide whether to proceed with delegating the new TLD to the DNS root zone.

I hope this happens. It seems like an idea whose time has come and an easy way for banks to help secure their customer interactions.
