Forgot your password?
typodupeerror
Security The Almighty Buck

A Foolproof Way To End Bank Account Phishing? 436

Posted by kdawson
from the worth-a-try dept.
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
This discussion has been archived. No new comments can be posted.

A Foolproof Way To End Bank Account Phishing?

Comments Filter:
  • by brian.gunderson (1012885) * on Monday May 07, 2007 @08:16PM (#19029705) Journal
    An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.
    • Re: (Score:2, Insightful)

      by sporkmonger (922923)
      Not just appended URLs, also urls like:

      http://somedomain.ru/ [somedomain.ru]
    • by sporkmonger (922923) on Monday May 07, 2007 @08:32PM (#19029925) Homepage

      In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.

      The scheme would still fall victim to urls like this:

      http: //paypal.bank:d7b0425f-a9b5-4dee-8e5d-ae97680e9118 @somedomain .ru Sadly, there doesn't seem to be a way to turn off Slashdot's autolinking. Ignore the spaces.
    • by uberzip (959899) on Monday May 07, 2007 @08:34PM (#19029945)
      My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

      In the rare event that a user does look at the url they see that first .com and don't bother with the rest of address. I don't see how a .bank would help at all.

      Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the url in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest. Like I said, this is a simple example, some of my banksites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

      • by Mr. Underbridge (666784) on Monday May 07, 2007 @09:17PM (#19030331)

        But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com.

        Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.

      • by Hyperhaplo (575219) on Monday May 07, 2007 @09:24PM (#19030413)
        How long until all browsers have a url checker built in with some simple basic rules applied?
        Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.

        Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.

        I still wonder why people don't use the Firefix [getfirefox.com] / Adblock [mozilla.org] / Filterset.G [mozilla.org] combination as a basic starting point.

        It is good to see that there are some anti-phishing [mozilla.org] addons for Firefox now.
      • by hobo sapiens (893427) on Monday May 07, 2007 @10:44PM (#19031249) Journal
        There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:

        When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.

        Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.

        The only, and I mean only, reason these things proliferate is because its profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.

        Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.

        It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?
        • Re: (Score:3, Insightful)

          by FutureDomain (1073116)

          When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.

          It would be even better if you had an automatic program that would do the work for you. It would submit bogus usernames and random passwords to drive the phishers crazy. I would call it "Dead Phish". Of course they could block any information from your IP if they figure out what you're doing, but the bogus information is still there for them to try unsuccessfully.

          • by hobo sapiens (893427) on Tuesday May 08, 2007 @12:21AM (#19031987) Journal
            Have you ever tried messing with 419 scammers or phishing sites? It's quite fun. Try checking out 419eater.com or whatsthebloodypoint.com if you want to see for yourselves (didn't check those URLs before pressing submit, but that'll get you there).

            When you mess with 419 scammers, you get the added bonus of being creative. You get to play whatever role you want, you get to mess with someone's head, and you are on the moral higher ground because they are, after all, trying to steal your money!

            No way would I let a program do that for me!

            I guess the only concern I can think of with going to phishing sites is that they then have your IP. So don't do that if you don't have a firewall. Then again, rip your network cable out of the wall if you don't have a firewall.
        • Re: (Score:3, Insightful)

          by syphoon (619506)

          That doesn't at all address the class of phishing scams that put up a fake copy of the site in question. Banks are usually the subject of such phishing attacks; throw up a copy of their site on a plausible-sounding URL, send out an email saying their account may have been compromised and they need to check, and when they enter their username and password you try the username and password at the real bank site, and make whatever transactions you want. That's the class that this TLD is aimed at preventing. Id

          • Re: (Score:3, Insightful)

            by hobo sapiens (893427)
            I see your point, but someone will come up with ways around this. Even if its just the classic user@domain spoof or if its something more legitimate looking. This is not a "root of the problem" solution.

            You take away the profitability, then you've taken away the whole incentive for phishing. Schemes like this TLD thing are not cutting into the profits. It's just a more advanced "ignore them and they'll go away" strategy. That won't work here, since it only takes (SWAG alert) 1 in 1000 people to actuall
        • by MikeyVB (787338) on Tuesday May 08, 2007 @03:22AM (#19033043)
          I used to think that was a good idea, until I under realized the true power of stupid people.

          As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phising e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.

          We managed to recover the phising e-mail. It was a standard phishing e-mail, however, it was not sent to her form the phisher him/herself, but from a friend of hers!

          The subject had the FWD: tag at the begining, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friends comment.

          Don't under estimate the power of the stupid.
        • Re: (Score:3, Informative)

          by Opportunist (166417)
          Well, that only defeats the most moronic scammers.

          You'd be surprised to what lengths they go today. Behind that "insert data here" script (which more and more often actually looks like the bank site), is a forwarder to the real bank. Of course only for the login-information. If it works, you get a "many thanks for your cooperation" (and I do actually believe that they're really thankful for your coop...) and your information gets logged. If you enter bogus crap, the bank will return a "no good" message and
      • by Anonymous Coward on Tuesday May 08, 2007 @01:36AM (#19032451)

        How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

        http//www.wamu.com/personal/default.asp

        That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.

        • by Twylite (234238) <twylite@crypt.co.TEAza minus caffeine> on Tuesday May 08, 2007 @03:28AM (#19033063) Homepage
          Nice idea. See also the petname [wikipedia.org] extension [mozilla.org] for Firefox.

          It provides a coloured bar (yellow/green) for HTTPS connections in which a user-provided identifier is displayed. So you type in the secure site's URL the first time (https://my.bank.com/), then enter an identifier in the petname bar ("Online banking (Twylite)"). Every time you connect to the site in future the extension will pick up an exact match on the domain name and change the bar to green. Other untrusted SSL sites get yellow. Non-SSL sites are white.

    • by grcumb (781340) on Monday May 07, 2007 @08:51PM (#19030105) Homepage Journal

      An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

      True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.

      Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.

      • by griffjon (14945) <GriffJon@ g m a i l .com> on Monday May 07, 2007 @09:08PM (#19030251) Homepage Journal
        I can see it now:

        Dear Customer,

        We are in the process of moving to our new, more secure .bank domain, as you have read about in the news. Further, you no doubt have read about the various scams and "phishing" attacks preying on value bank customers such as yourself. To avoid these problems, OurBank (tm) has come up with an innovative and secure system to avoid the problems with the transfer of domain names. Attached to this email is a program which will install itself on your computer. It uses some of the very same techniques that many advanced attackers use, but to defend your privacy! It will ensure that when you want to see either OurBank.COM and/or OurBank.BANK, that you'll get to the right location by setting this at your computer, so no mistakes can be made along the way from your computer to ours.

        Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.

        Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.

        Thanks again for your business,

        OurBank./
      • Re: (Score:3, Insightful)

        by marcosdumay (620877)

        We have certificates to solve DNS poisoning.

        • Re: (Score:3, Informative)

          by zcat_NZ (267672)
          You wish!!!

          A while back one of the New Zealand banks had their SSL certificate expire, so for an entire afternoon every customer who visited the login page would have got an 'invalid certificate' warning of some sort..

          300-odd customers logged in anyway. Only ONE was suspicious enough to contact the bank.

        • Re: (Score:3, Insightful)

          by mengel (13619)
          That's why the phisher's MyBank.exe installs a new certficate authority in your browser certificate store...
    • Re: (Score:2, Insightful)

      An improvement? Maybe. Foolproof? No. DNS poisoning is still just as prolematic, and appended URLs (i.e. www.mybank.bank.badurl.com) will still fool *some* people.

      I think that if this solution were to be adopted as a standard, browser makers would follow and reflect the "secure" TLD on the main UI. Firefox and IE7 already to this to some extent (yellow URL bar for SSH enabled sites, green (I think) on IE). There could be a special UI state that indicates you're on a secure .bank site. This would help make

    • Re: (Score:3, Insightful)

      by samkass (174571)
      Quick, someone register ba.kn! It's already in a nice Caribbean island. Or you could register "ba" in Bosnia/Herzegovina and fool people with URLs like bankofamerica.ba [bankofamerica.ba]nk. There is no "foolproof" method... you'll always be able to convince people to make a mistake.

      I like the idea of the one-time authentication RSA fobs better.
  • This idea is even stupidder than people who fall for phishing attacks. Another tld gold rush isn't going to solve anything because the problem is people's credulousness,

    I'd expect to see a rush of tld registrations to Macedonia [wikipedia.org] (citybank.ba.mk) and Saint Kitts and Nevis [wikipedia.org] (citibank.ba.kn)

    Even if you could train people to look at the URL properly, theres always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability [secunia.com].
    • Neither of those would work, since your main domain name needs to be at least three characters.
    • Not even. Most of the phishing emails that reach my inbox don't even bother to make the URL look like the bank. They just redirect you and hope you don't bother to look at the URL at the top.

      As long as a signifigant portion of the population doesn't take even basic steps to protect themselves phishing will be a prevalent problem.
    • Exactly. For $50,000, I get a domain that people will "know" is phish-proof. A decent scammer can make tht back in a day if everyone "knows" its "the real bank" and lets their guard down ...

      People who think this will work are also gonna love "security through obscurity."

      • Spend $50K to get $500,000? Sure!

        And if they time it right (end of month, beginning of month) they could easily make that much before it was shut down.

        And how would it be shut down? Who would you complain to? Is there a potential for a DDoS attack against other .bank sites?

        Come on people, don't just think how great your idea is. Spend some time thinking about how the bad guys would attack it.

        #1. Just buy in. Who's going to validate you?

        #2. Fake url's. Exploit old browsers.

        #3. DDoS against the other .bank si
    • by Raindance (680694) *
      Yeah- I would think that, by training people to trust certain TLDs, spoofing URLs with exploits or unicode or traffic hijacking would become much more effective.

      A neat idea, but I'm sure phishers would love this.
  • dibs!!!!! (Score:5, Funny)

    by Average_Joe_Sixpack (534373) on Monday May 07, 2007 @08:17PM (#19029721)
    sperm.bank
  • by Reason58 (775044) on Monday May 07, 2007 @08:18PM (#19029747)
    "Foolproof systems do not take into account the ingenuity of fools."
    • Re:Foolproof system (Score:5, Interesting)

      by bhmit1 (2270) on Monday May 07, 2007 @08:51PM (#19030109) Homepage

      Foolproof systems do not take into account the ingenuity of fools.

      You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, lets instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine who's account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
    • Re: (Score:3, Informative)

      by ahg (134088)
      Well... normally I don't split hairs, but the notable quote that I believe you are referring to was just posted today on Slashdot in its complete form:

      "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools".

      -- Douglas Adams (1952 - 2001), Mostly Harmless
    • Re: (Score:3, Funny)

      by treeves (963993)
      The quote in my sig was previously:

      "There's no system foolproof enough to defeat a sufficiently great fool." -- Edward Teller

  • by Harmonious Botch (921977) * on Monday May 07, 2007 @08:18PM (#19029749) Homepage Journal
    Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.
    • by MarcoAtWork (28889) on Monday May 07, 2007 @08:23PM (#19029815)
      what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)
      • by dgatwood (11270) on Monday May 07, 2007 @08:31PM (#19029921) Journal

        The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.

      • If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

        What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* a small a
        • Re: (Score:3, Insightful)

          by EvanED (569694)
          Oh wait, I'm an idiot. I take that back.

          Those graphs said "(in thousands)"...
      • what kind of financial institution couldn't afford to spend 50 grand to register a domain name? or even 50 grand a year to keep it? If it was me I'd make it 500 grand a year: this way only reputable institutions would sign up for this (institutions that realize that this is peanuts compared to the damage phishing can cause, not to mention that half a million these days seems to be pocket change compared to some banks' advertising budgets)

        500 grand? Hell, make it 5 billion/year. Apparently since banks hold m
    • by 2Bits (167227)
      Mod parent up please. This is what I was going to say.

      The guy who proposed this is smoking crack. This does not solve any of the problem, and just put artificial entry barriers to the industry to protect the current banks from any new competition. And while you are at it, why stop at 50K, why not 50 million instead? It's not like any bank can't put up with 50 million either.

      Putting layers and layers of stupid "solutions" like that is not going to solve the problem.

  • by tekiegreg (674773) * <tekieg1-slashdot@yahoo.com> on Monday May 07, 2007 @08:19PM (#19029761) Homepage Journal
    "Build something that's idiot proof, and they'll build a better idiot..." Really, the same people who fall for attacks to begin with are the people who STILL would despite this .bank implementation. Call me pessimistic but I'm not entirely sure it would work... Good idea though, makes it plainly obvious for the rest of us people with more than 10 IQ points anyways...
    • You are absolutely correct. Even now people are falling for phishing attempts with weirdly formed urls that look like

      http://uuu.xxx.yyy.zzz:nnnn/http/app.nordea.se/s itemod/default/...index_php/index.php

      I'm guessing because they actually don't have any major clue about how the web works and go "Hey, there's the url... uh.. some numbers ahead... bet that isn't anything important though". Of course the .bank would cut out some phising but calling it foolproof is naive considering this example.

      The example

  • Ummmmm... (Score:5, Funny)

    by TheDarkener (198348) on Monday May 07, 2007 @08:21PM (#19029775)
    I just made thedarkener.bank on my own computer, using /etc/hosts. It points to my computer.

    I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.
    • by Score Whore (32328) on Monday May 07, 2007 @08:48PM (#19030077)
      Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.
      • by roystgnr (4015) <.roystgnr. .at. .ticam.utexas.edu.> on Monday May 07, 2007 @10:49PM (#19031295) Homepage
        Now all you've got to do is fake up an email from your bank, send it to yourself. Then when you fall for the trick you'll have your username/account number and passwords. You are truly a l33t hax0r.

        That, or he'd have to hack into someone else's computer. I know that's impossible today, but a few pessimistic computer scientists suggest that one day Microsoft's crack team of programmers may make a mistake, allowing a malformed file or network connection to initiate the execution of malicious code on an innocent person's computer! Worse yet, some fear that the vigilance of today's sophisticated computer users may itself fail. It's unlikely that anyone would be foolish enough to run an executable file from an untrustworthy source without at least rigorously testing it in a "sandbox" environment, but rumor says that in a few underfunded public schools the computer security classes don't even teach kids how to set up a virtual machine!
    • Re: (Score:2, Interesting)

      by The MAZZTer (911996)

      Well, you seem to be forgetting that IT WILL ONLY WORK FOR YOUR COMPUTER. Domain name registrars exist to allow you to purchase a name for ALL COMPUTERS to recognize.

      The only way your method could be used successfully for phishing is if the attacker can modify /etc/hosts or %SYSTEMROOT%\System32\drivers\etc\hosts. But if they can do that, it's already game over, so to speak, for the victim, because that implies the attacker has to have other levels of access through which they can probably do more damag

  • Solution? (Score:2, Insightful)

    by g0dsp33d (849253)
    This doesn't stop people to giving out account information over the phone, or link spoofing. How many people just click links and don't read them. "My email says its from a bank, and some Prince wants to give me a buttload of money. Yey!".

    Its a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
  • by Frogbert (589961) <frogbert@@@gmail...com> on Monday May 07, 2007 @08:22PM (#19029791)
    But god would it be good to gouge banks for $50k. It would feel so sweet.
    • by Reason58 (775044) on Monday May 07, 2007 @08:23PM (#19029813)

      But god would it be good to gouge banks for $50k. It would feel so sweet.

      Until you realize it was your own money.

    • by alvinrod (889928)
      Don't worry, they'll just pass it on to Joe Consumer at some point.

      It's also disfavors smaller banks in small towns where $50,000 isn't quite the pocket change it is for larger banks with branches all across the country or world.

      And as others have pointed out, it's still not going to keep everyone from being fooled. Scammers are just going to keep finding new and more interesting ways of fooling people.
  • by Toe, The (545098) on Monday May 07, 2007 @08:22PM (#19029803)
    I already see URLs like this:
    citibank.com.customers.update.spammer.com

    It wouldn't take any more effort to make:
    citibank.bank.customers.update.spammer.com

    Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
  • 1) Good idea!

    Yes, I think it's a great idea. It is very akin to how you go to a .gov site and know it's official. People look for it and know what it means.

    2) Not 100% Fool-proof!

    Why? Well it's not 100% fool-proof because people are morons. Some people will fall for anything. They'll see citibank.bank.bank-info.info and still fall for it. DNS poisoining will also do the trick. Modified hosts files will also do the trick. People are dumb, but this will still help!

    3) Repost!!

    Sort of.. we j
  • Great, this could help phishing attacks ... against banks.

    Phishers will just move on to easier prey, such as all other institutions that handle lots of money or transactions (eBay, PayPal, etc).
  • This wouldn't work (Score:5, Insightful)

    by j0nb0y (107699) <jonboy300@@@yahoo...com> on Monday May 07, 2007 @08:27PM (#19029881) Homepage
    Phishing works because people don't pay attention to URLs. How would changing the URL help?
  • Who needs bankname.bank.phisher.com? Even if this new XTLA-TLD gets implemented, my mom and my grandma will still click on www.bankname.com.

    It's the same as those image captchas BofA uses. It's a nice touch, but if one day you went to the site and it just asked you for a username/password, would you really think something was amiss?

  • Bad! Bad! Bad! (Score:4, Insightful)

    by NeutronCowboy (896098) on Monday May 07, 2007 @08:33PM (#19029935)
    Even if we discount the problems we currently have with various DNS poisoning attacks, social engineering and just URL spam, it's basic premise is completely flawed. Why? Because the two assumptions it rests on are laughably easy to circumvent: spammers don't want to spend $50k on one domain, and registering as a financial institution anywhere is difficult.

    If I'd be an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
  • Sure, let me know when you figure out how to force people to pay attention and educate themselves.

    Seriously, though, as I'm sure everyone here knows (but I enjoy preaching to the choir) this is useless. The problem isn't that people can't tell they're not at the actual bank website because it's hard, they can't tell because they don't fucking look and/or don't understand. If after clicking the link (which they shouldn't have clicked to start with) they are incapable of looking at the address bar and think
  • by adrianmonk (890071) on Monday May 07, 2007 @08:40PM (#19030001)

    This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.

    First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.

    On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.

    Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.

    A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".

  • Duh (Score:4, Insightful)

    by Mwongozi (176765) <slashthree@david ... g ['lov' in gap]> on Monday May 07, 2007 @08:42PM (#19030017) Homepage

    There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.

    Quite simple really.

    • Do you have an online checking or savings account? Both INGdirect.com and HSBCdirect.com persistently send out plain-text e-mails to confirm just about every transaction - with no option to turn these off. I've written various people at both banks explaining why this is a really, really bad idea. They are uncomprehending. The confirmation e-mails don't give full account details, but give plenty of information for someone who manages to intercept them (or crack someone's Hotmail account) to use social engine
  • Imagine that someone saw the domain bank.barclays-bank.offshore.com? Devoted slashdot readers may be able to parse it and recognize that it is only a subdomain of offshore.com but what about the fools? I would suggest that it's impossible for something like this to be foolproof by definition. Why? Anyone who could be fooled would be labeled a fool and thus easily fooled. And nothing can stop them from being separated from their money by phishing schemes like this.

    Why not label it something like, " A ni
  • What about SQL injections? Those just use the EXISTING domain, whatever it is, and append their bad code on it. Instant phish without even needing much sheep's clothing.
  • by jfruhlinger (470035) on Monday May 07, 2007 @08:45PM (#19030043) Homepage
    To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

    To access account info for my wife's Fidelily Visa Card, I need to go to a site in the ibsnetaccess.com domain.

    To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

    To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

    Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?
  • by patio11 (857072) on Monday May 07, 2007 @08:51PM (#19030111)
    Banks spend incredible amounts of effort getting people to use their online properties, since they're the most cost effective way to service retail customers (i.e. natural persons as opposed to businesses, institutions, etc). No bank is going to sink their brand investment in citi.com or bankofamerica.com just to head off a wee bit of fraud. The only thing fraud is to a bank is a cost of doing business, nothing more -- they'll make a dispassionate calculation that fraud is less expensive than launching a new nationwide advertising/customer education campaign and pass on this idea. Its the same way that they've decided that it is more important to be able to receive a credit card decision in 15 seconds than it is to verify the identity of the person submitting the request -- fraud stings, losing potential customers to your easy-to-apply competitors stings more.
  • And they can pass the savings on to you!
  • Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done.

    Also people are used to using .com for sites on the web. So Grandma will still type bankofamerika.com by accident and get the false site even without hacking the host file.

    Its not a foolproof solution at all.
    • Re:Not a problem (Score:4, Interesting)

      by SEMW (967629) on Monday May 07, 2007 @10:49PM (#19031303)

      Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done.
      If I've somehow obtained deep enough access to your box to edit your HOSTS file (i.e. admin/root privileges), why bother with phishing emails? I could just install a keylogger, wait for you to visit your bank in the normal course of business, and snag your details. Or just grab them from \My_Documents\misc\unimportantstuff\really_nothing here\FINANCIAL_PASSWORDS.txt. Much more reliable than mucking about with making mockup login pages.
  • Wont Work (Score:3, Insightful)

    by Fujisawa Sensei (207127) on Monday May 07, 2007 @09:01PM (#19030187) Journal

    People don't look at domain names now, nor do they check for https. What makes you think this will change things?

  • And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 -- making it prohibitively expensive to most copycats. Banks would love this

    We here at the Commmerce Bank of Beverly Hills will not pay $50,000... Milburn Drysdale, President
  • by Vellmont (569020) on Monday May 07, 2007 @09:05PM (#19030225)
    There's no need for some dumb .bank tld for users to hope to verify authenticity of a bank site. All we need is something akin to an electronic ATM card.

    The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:

    authenticates the user to the bank (after you enter in a pin).
    authenticates the bank to the user.
    authenticates a secure connection to the bank has been established.
    authenticates each transaction.

    for an added bonus, keeps the users authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).

    This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent fishing attacks, they'd develop a standard and not do any online banking without this device.

    Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.

    Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
    • Re: (Score:3, Interesting)

      by mrcaseyj (902945)
      An important feature of such a security device in order to make it truly secure, is a display. You can't trust anything that shows up on a normal computer screen. Your screen can say the money is going to amazon.com and it could really be going anywhere. The display needs to show how much the transaction is AND who it's going to. It should probably also say what is being bought or ordered in order to prevent bait and switch by online shops but that's probably not too important.

      In addition, the device need

  • by csoto (220540) on Monday May 07, 2007 @09:27PM (#19030489)
    Keep all your money hidden in your mattress! No phish there!
  • because... (Score:4, Insightful)

    by xlsior (524145) on Monday May 07, 2007 @09:59PM (#19030829) Homepage
    ...None of us have ever seen alternate DNS-circumvention crapware layers like new.net running on Joe User's PC without their knowledge.

    For the vast majority of users, a new TLD like .bank will be nothing but a false sense of security.
  • by rs232 (849320) on Tuesday May 08, 2007 @12:29PM (#19038333)
    We need to move on from the current DNS system which basically maps character strings to IP addresses. There still is no validity to the Domain name or the IP address. For instance if I was going to hack a bank or do a stock fraud, I would buy an ISP and run it legitimately for a long time. Then on the day pollute the DNS record and redirect them to my fake phishing site. Where they would give me their bank statements or act on fake stock info.

    The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on a root DNS servers. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig, it also requests the same info from bankofAmerica.com. BOI, using local copys of the same info sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.

We want to create puppets that pull their own strings. - Ann Marion

Working...