A Foolproof Way To End Bank Account Phishing? 436
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time."
We'll see about that. (Score:5, Insightful)
This idea is stupid (tld goldrush?) (Score:5, Insightful)
I'd expect to see a rush of tld registrations to Macedonia [wikipedia.org] (citybank.ba.mk) and Saint Kitts and Nevis [wikipedia.org] (citibank.ba.kn)
Even if you could train people to look at the URL properly, theres always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability [secunia.com].
Solution? (Score:2, Insightful)
Its a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
make it half a million a year and we're talking... (Score:4, Insightful)
Re:We'll see about that. (Score:2, Insightful)
http://somedomain.ru/ [somedomain.ru]
This wouldn't work (Score:5, Insightful)
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
As long as a signifigant portion of the population doesn't take even basic steps to protect themselves phishing will be a prevalent problem.
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
Exactly. For $50,000, I get a domain that people will "know" is phish-proof. A decent scammer can make tht back in a day if everyone "knows" its "the real bank" and lets their guard down ...
People who think this will work are also gonna love "security through obscurity."
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
Might want to tell that to people who register
Re:make it half a million a year and we're talking (Score:4, Insightful)
The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.
Re:We'll see about that. (Score:5, Insightful)
In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the url.
The scheme would still fall victim to urls like this:
http:Bad! Bad! Bad! (Score:4, Insightful)
If I'd be an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
Re:make it half a million a year and we're talking (Score:3, Insightful)
Those graphs said "(in thousands)"...
.bank is the wrong name (Score:5, Insightful)
This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.
First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans,
which are also not banks.
On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.
Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption
that the set "things crooks want to phish for" equals
the set "banks". Which is not reality.
A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".
Duh (Score:4, Insightful)
There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.
Quite simple really.
Re:We'll see about that. (Score:5, Insightful)
True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.
Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.
No additional security, added cost (Score:5, Insightful)
Re:We'll see about that. (Score:2, Insightful)
I think that if this solution were to be adopted as a standard, browser makers would follow and reflect the "secure" TLD on the main UI. Firefox and IE7 already to this to some extent (yellow URL bar for SSH enabled sites, green (I think) on IE). There could be a special UI state that indicates you're on a secure .bank site. This would help make this solution even more robust and harder to circumvent.
This is obviously not fool proof, and I don't think such a solution exists, as there will always be someone oblivious or stupid enough not to notice the blatant lack of security signs, or highly sophisticated attacks (window spoofing, for instance) that confuse even savvy users.
Wont Work (Score:3, Insightful)
People don't look at domain names now, nor do they check for https. What makes you think this will change things?
This is already a solvable problem. (Score:5, Insightful)
The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:
authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.
for an added bonus, keeps the users authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).
This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent fishing attacks, they'd develop a standard and not do any online banking without this device.
Could it still be hacked? Sure, but an attacker would have to compromise the users computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.
Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
Re:We'll see about that. (Score:5, Insightful)
Dear Customer,
We are in the process of moving to our new, more secure
Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.
Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.
Thanks again for your business,
OurBank./
Suckers usually use IE or AOL, not Firefox... (Score:5, Insightful)
And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.
Re:We'll see about that. (Score:3, Insightful)
We have certificates to solve DNS poisoning.
Re:We'll see about that. (Score:3, Insightful)
I like the idea of the one-time authentication RSA fobs better.
URL checking - similar to adblock (Score:5, Insightful)
Eg: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.
Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.
I still wonder why people don't use the Firefix [getfirefox.com] / Adblock [mozilla.org] / Filterset.G [mozilla.org] combination as a basic starting point.
It is good to see that there are some anti-phishing [mozilla.org] addons for Firefox now.
Re:citibank.bank.customers.spammer.com (Score:3, Insightful)
because... (Score:4, Insightful)
For the vast majority of users, a new TLD like
Re:.bank is the wrong name (Score:3, Insightful)
Re: having a special certificate class, there kind of already is - they're called Extended Validation certificates, from Verisign:
http://www.verisign.com/ssl/ssl-information-cente
Supposed to turn the address bar in IE 7 (and upcoming Firefox releases) green. Not that it will matter much, they're still only ~ $2K, easily within reach of even casual phishers.
Re:We'll see about that. (Score:3, Insightful)
Re:We'll see about that. (Score:5, Insightful)
How will this stop XSS (Score:3, Insightful)
Re:The simple way to end phishing. (Score:3, Insightful)
Re:The simple way to end phishing. (Score:3, Insightful)
That doesn't at all address the class of phishing scams that put up a fake copy of the site in question. Banks are usually the subject of such phishing attacks; throw up a copy of their site on a plausible-sounding URL, send out an email saying their account may have been compromised and they need to check, and when they enter their username and password you try the username and password at the real bank site, and make whatever transactions you want. That's the class that this TLD is aimed at preventing. Ideally I imagine the banks as a collective introducing it with public advertising campaigns to ensure the user looks for a .bank when they do their banking.
Is it perfect? Foolproof? Not by any means. But it'd be a good step.
Re:The simple way to end phishing. (Score:3, Insightful)
You take away the profitability, then you've taken away the whole incentive for phishing. Schemes like this TLD thing are not cutting into the profits. It's just a more advanced "ignore them and they'll go away" strategy. That won't work here, since it only takes (SWAG alert) 1 in 1000 people to actually fall for it in order for it to be profitable. Crapflooding them will make sure they never find that 1 in 1000 who is credulous enough to give personal information to someone with a somewhat credible looking website.
This whole TLD thing is more of the same old thinking, that we'll just make up more rules to prevent crime. We'll legislate morality. We'll make up unenforceable laws. Look where that's gotten us: check your spam folder if you have a yahoo or gmail account, and marvel at the sheer volume of scam spam. I maintain that in this case, the only effective way to fight these crooks is with some of their own medicine. Fight fire with fire.
You give too much credit (Score:2, Insightful)
"Please update your BankOfAmerica account at www.somerandomname.com"
and some people would do it.
Foolproof is a word only used by fools.
You're never going to get past the education issue whenever you add something that requires the user to notice that something is wrong. Your solution needs to completely invade the privacy of the user and double guess their intentions to 'protect' them and we all know how that will look. Even with this, some people would probably throw their password into a blank page with a text form on it that says "enter your information to update your account"
Re:We'll see about that. (Score:2, Insightful)
If this certificate had been invalid because of a DNS poisoning attack rather than an expired certificate, what do you think would have happened? Basically the same thing; 300-odd people would have handed their authentication details to the attackers and only one would have been suspicious enough to contact the bank.
So tell me again how well SSL certificates work?
my replacement for the DNS system .. (Score:3, Insightful)
The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on a root DNS servers. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig, it also requests the same info from bankofAmerica.com. BOI, using local copys of the same info sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.