A Foolproof Way To End Bank Account Phishing?

tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.'"
  • by Harmonious Botch ( 921977 ) * on Monday May 07, 2007 @08:18PM (#19029749) Homepage Journal
    Banks will love this. It makes it even harder for small competitors to enter the market. In the long run that means higher fees for all of us. I'd rather put up with the phishing risk.
  • by tekiegreg ( 674773 ) * <tekieg1-slashdot@yahoo.com> on Monday May 07, 2007 @08:19PM (#19029761) Homepage Journal
    "Build something that's idiot proof, and they'll build a better idiot..." Really, the same people who fall for attacks to begin with are the people who STILL would despite this .bank implementation. Call me pessimistic but I'm not entirely sure it would work... Good idea though, makes it plainly obvious for the rest of us people with more than 10 IQ points anyways...
  • by Toe, The ( 545098 ) on Monday May 07, 2007 @08:22PM (#19029803)
    I already see URLs like this:
    citibank.com.customers.update.spammer.com

    It wouldn't take any more effort to make:
    citibank.bank.customers.update.spammer.com

    Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
  • Re:dibs!!!!! (Score:3, Interesting)

    by adrianmonk ( 890071 ) on Monday May 07, 2007 @08:27PM (#19029869)

    sperm.bank

    I have dibs on data.bank.

  • by uberzip ( 959899 ) on Monday May 07, 2007 @08:34PM (#19029945)
    My thoughts exactly. Currently, most phishing attacks my users have asked about have been for domains such as www.amazon.com.evildomain.com

    In the rare event that a user does look at the URL they see that first .com and don't bother with the rest of the address. I don't see how a .bank would help at all.

    Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the URL in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple URL such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the .com and try to make any sense of the rest? Like I said, this is a simple example; some of my bank sites have long strings of numbers after the .com, change the alias in the address from www to something else, etc.

  • by jfruhlinger ( 470035 ) on Monday May 07, 2007 @08:45PM (#19030043) Homepage
    To access account info for my AT&T Universal MasterCard, which is backed by Citibank, I need to go to a site in the accountonline.com domain.

    To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.

    To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.

    To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.

    Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?
  • Re:Foolproof system (Score:5, Interesting)

    by bhmit1 ( 2270 ) on Monday May 07, 2007 @08:51PM (#19030109) Homepage

    Foolproof systems do not take into account the ingenuity of fools.

    You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, let's instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red-flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine whose account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
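    The "catch a phisher" scheme above, written out as the detection logic a bank's login service could run. This is an added example, not code from the thread or from any bank: the canary account numbers, the login events and the RFC 5737 documentation addresses are all constructed, and the threshold of "a few" canary logins before a source is frozen is a parameter you would tune.

```javascript
// Added example (not from the Slashdot thread): canary-credential detection.
// Canary accounts are issued one per requester, so a phisher cannot compile a
// blocklist of them; when a source logs in with enough canaries it is frozen
// and later logins from it with real accounts are held rather than served.
const CANARY_ACCOUNTS = new Set(["7000100023", "7000100031"]); // constructed

function createPhisherDetector(threshold = 2) {
  const canaryHits = new Map(); // source address -> canary logins seen
  const frozen = new Set();     // sources whose real-account logins are held
  return {
    handleLogin({ account, source }) {
      if (CANARY_ACCOUNTS.has(account)) {
        const n = (canaryHits.get(source) || 0) + 1;
        canaryHits.set(source, n);
        if (n >= threshold) frozen.add(source);
        // Serve a decoy session so the source keeps talking to us (the
        // comment's point about keeping the phisher connected).
        return { action: "decoy", source, account };
      }
      if (frozen.has(source)) {
        // A real account from a source that used canaries: probably harvested
        // credentials. Hold silently until the account owner is contacted.
        return { action: "hold", source, account };
      }
      return { action: "allow", source, account };
    },
    frozenSources() {
      return [...frozen];
    },
  };
}

// Constructed login stream: one ordinary customer, one source replaying a
// mixture of canary and harvested credentials.
function runSample() {
  const events = [
    { account: "4411220001", source: "203.0.113.9" },  // ordinary customer
    { account: "7000100023", source: "198.51.100.7" }, // first canary
    { account: "4411220002", source: "198.51.100.7" }, // harvested, not yet frozen
    { account: "7000100031", source: "198.51.100.7" }, // second canary -> frozen
    { account: "4411220003", source: "198.51.100.7" }, // harvested, now held
    { account: "4411220004", source: "203.0.113.9" },  // ordinary customer again
  ];
  const detector = createPhisherDetector(2);
  const actions = events.map((e) => detector.handleLogin(e).action);
  return { actions, frozen: detector.frozenSources() };
}

console.log(runSample());
```

    With a threshold of 2 the third event (a real account used right after the first canary) is still allowed, which is the trade-off the threshold controls: a lower threshold freezes sooner but also on a single customer mistyping a canary they requested themselves.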
  • Re:Ummmmm... (Score:2, Interesting)

    by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Monday May 07, 2007 @08:53PM (#19030133) Homepage

    Well, you seem to be forgetting that IT WILL ONLY WORK FOR YOUR COMPUTER. Domain name registrars exist to allow you to purchase a name for ALL COMPUTERS to recognize.

    The only way your method could be used successfully for phishing is if the attacker can modify /etc/hosts or %SYSTEMROOT%\System32\drivers\etc\hosts. But if they can do that, it's already game over, so to speak, for the victim, because that implies the attacker has to have other levels of access through which they can probably do more damage than a simple phishing attack could do...

  • by wytcld ( 179112 ) on Monday May 07, 2007 @09:11PM (#19030271) Homepage
    Do you have an online checking or savings account? Both INGdirect.com and HSBCdirect.com persistently send out plain-text e-mails to confirm just about every transaction - with no option to turn these off. I've written various people at both banks explaining why this is a really, really bad idea. They are uncomprehending. The confirmation e-mails don't give full account details, but give plenty of information for someone who manages to intercept them (or crack someone's Hotmail account) to use social engineering to find out the rest.

    Mind you, these are two otherwise fine enough banks that I do business with them. But if I didn't control my mail server - and know and trust the admins running my ISP's routers - I'd be taking on a level of risk that borders on idiotic.
  • by codename.matrix ( 889422 ) on Monday May 07, 2007 @09:15PM (#19030309)
    AFAIK the limit of 3 letters was added after the TLDs were introduced, so there are still several 2-letter domains. There are even 1-letter domains such as x.com (which seems to redirect to PayPal) or z.com.
  • by Mr. Underbridge ( 666784 ) on Monday May 07, 2007 @09:17PM (#19030331)

    But for the average user even a relatively simple url such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com.

    Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.

  • by hobo sapiens ( 893427 ) on Monday May 07, 2007 @10:44PM (#19031249) Journal
    There's one way to end phishing. IE's anti-phishing service is a laugh. This TLD crap won't work. Here is how to end it:

    When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.

    Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.

    The only, and I mean only, reason these things proliferate is because it's profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.

    Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.

    It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?
  • Re:Not a problem (Score:4, Interesting)

    by SEMW ( 967629 ) on Monday May 07, 2007 @10:49PM (#19031303)

    Just hack the host file to point bankofamerica.bank to your IP Address. Phishing scheme done.
    If I've somehow obtained deep enough access to your box to edit your HOSTS file (i.e. admin/root privileges), why bother with phishing emails? I could just install a keylogger, wait for you to visit your bank in the normal course of business, and snag your details. Or just grab them from \My_Documents\misc\unimportantstuff\really_nothing here\FINANCIAL_PASSWORDS.txt. Much more reliable than mucking about with making mockup login pages.
  • by Kalriath ( 849904 ) on Monday May 07, 2007 @11:15PM (#19031509)
    I meant http://user:password@domain/ format. Damn you SlashCode.
  • by hobo sapiens ( 893427 ) on Tuesday May 08, 2007 @12:21AM (#19031987) Journal
    Have you ever tried messing with 419 scammers or phishing sites? It's quite fun. Try checking out 419eater.com or whatsthebloodypoint.com if you want to see for yourselves (didn't check those URLs before pressing submit, but that'll get you there).

    When you mess with 419 scammers, you get the added bonus of being creative. You get to play whatever role you want, you get to mess with someone's head, and you are on the moral higher ground because they are, after all, trying to steal your money!

    No way would I let a program do that for me!

    I guess the only concern I can think of with going to phishing sites is that they then have your IP. So don't do that if you don't have a firewall. Then again, rip your network cable out of the wall if you don't have a firewall.
  • by Bazar ( 778572 ) on Tuesday May 08, 2007 @12:26AM (#19032031)
    I think it's a good idea, well worth investigating, but it's not just another domain that they need; they'd need support of the browsers, as well as greater security and administration of the domain itself.

    In browsers that supported the .bank domain, they could do a series of checks, for example:
    • Checking the security certificates for the .bank domain, ensuring that the cert is authenticated by the .bank domain. Self-created certs would be unacceptable.
    • Creating a border or some other distinguishable feature to the rendering of the site, when in a .bank extension. For example, a half-inch security border around the screen (Yes, that's a bad idea since it could be mimicked by JavaScript, but you get the idea)
    • Enforcing strict security on owners of the sites, as well as extensive registration processes. Thus preventing cyber-squatters and phishing
    • Email clients that supported it could be designed to do security checks on emails claiming to come from .bank domains, and flag them as phishing attempts if they fail


    The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from Mozilla, Microsoft, and the others, it would help GREATLY; it's a step in the right direction at the very least.
  • by mrcaseyj ( 902945 ) on Tuesday May 08, 2007 @12:48AM (#19032153)
    An important feature of such a security device in order to make it truly secure, is a display. You can't trust anything that shows up on a normal computer screen. Your screen can say the money is going to amazon.com and it could really be going anywhere. The display needs to show how much the transaction is AND who it's going to. It should probably also say what is being bought or ordered in order to prevent bait and switch by online shops but that's probably not too important.

    In addition, the device needs buttons to signal the authorization and to enter a PIN. It doesn't necessarily need a full keypad. Four buttons might be enough. You can't trust people's computers not to capture their PINs if they type them in at their keyboards. If there's no authorization button then a trojan can make unrestricted transactions whenever the device is plugged in.

    Personal computers will probably never be very secure because they are made to do too many things. A small purpose built security device could have simple enough software that it may be able to achieve strong security.

    A small keychain-size device with maybe a two-line display and four buttons would be reasonably convenient and would probably only cost about $10 in large quantity. They would probably need to be shareable between banks though, because you're probably not going to want to carry very many if they're not thin like credit cards. Although there's a new credit card coming out with a display. A flexible display I guess. I see no reason they couldn't put some thin buttons on them.

  • by Anonymous Coward on Tuesday May 08, 2007 @01:36AM (#19032451)

    How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?

    http://www.wamu.com/personal/default.asp

    That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.
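    The address-bar idea above, and the look-alike hosts discussed earlier in the thread (citibank.bank.customers.update.spammer.com, www.amazon.com.evildomain.com, the http://user:password@domain/ form, and the period doing double duty in www.blah.com/wamu.bank), as an added example that is not code from the thread or from any browser. It isolates the registrable domain the way a browser has to before it can bold it, and lists what a user should notice. PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the real Public Suffix List, and the sample URLs are constructed from the thread's examples.

```javascript
// Added example, not code from the Slashdot thread or any browser: a
// "highlight the registrable domain" address-bar helper. PUBLIC_SUFFIXES is a
// constructed, tiny stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "bank"]);

// Return the registrable domain (public suffix plus one label), or null when
// the host is a bare suffix or uses a suffix this list does not know.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Try the longest suffix first, matching the Public Suffix List rule that
  // the longest matching rule wins (so "co.uk" beats "uk").
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return null;
}

// Parse a URL the way the address bar would, bracket the registrable domain
// (the plain-text equivalent of bold), and list what a user should notice.
function describeUrl(urlString) {
  let url;
  try {
    url = new URL(urlString); // WHATWG parser: lowercases host, splits userinfo
  } catch (e) {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  const host = url.hostname;
  const registrable = registrableDomain(host);
  const prefix = registrable ? host.slice(0, host.length - registrable.length) : "";
  const leftLabels = prefix ? prefix.slice(0, -1).split(".") : [];
  const warnings = [];
  if (url.username || url.password) {
    // "http://user:password@domain/": the bank-looking part is a username,
    // and the real host is what follows the "@".
    warnings.push(`credentials in URL: '${url.username}' is not the host`);
  }
  for (const label of leftLabels) {
    if (PUBLIC_SUFFIXES.has(label)) {
      // "citibank.bank.customers.update.spammer.com": a TLD-looking label
      // sitting inside the subdomain is the trick the comments describe.
      warnings.push(`TLD-looking label '.${label}' inside the subdomain of ${registrable}`);
    }
  }
  if (url.protocol !== "https:") warnings.push("not HTTPS");
  const highlighted = registrable ? `${prefix}[${registrable}]` : `[${host}]`;
  return {
    ok: true,
    registrable,
    display: `${url.protocol}//${highlighted}${url.pathname}`,
    warnings,
  };
}

// Constructed sample URLs drawn from the thread's examples.
const SAMPLE_URLS = [
  "http://citibank.bank.customers.update.spammer.com/login",
  "http://www.amazon.com.evildomain.com/",
  "http://www.citibank.bank@spammer.com/",
  "http://www.blah.com/wamu.bank",
  "https://www.wamu.com/personal/default.asp",
];

for (const u of SAMPLE_URLS) {
  const d = describeUrl(u);
  console.log(d.display, d.warnings.length ? "<-- " + d.warnings.join("; ") : "");
}
```

    The path after the host is never consulted when deciding what to bracket, which is exactly why www.blah.com/wamu.bank renders as www.[blah.com]/wamu.bank: the period in a path is a character, the period in a host is a delimiter, and only the host decides who you are talking to.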

  • by MikeyVB ( 787338 ) on Tuesday May 08, 2007 @03:22AM (#19033043)
    I used to think that was a good idea, until I realized the true power of stupid people.

    As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phishing e-mail she was sent so she could forward it to her bank and the police, since she had already deleted it.

    We managed to recover the phishing e-mail. It was a standard phishing e-mail; however, it was not sent to her from the phisher him/herself, but from a friend of hers!

    The subject had the FWD: tag at the beginning, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friend's comment.

    Don't underestimate the power of the stupid.
  • by Twylite ( 234238 ) <twylite AT crypt DOT co DOT za> on Tuesday May 08, 2007 @03:28AM (#19033063) Homepage
    Nice idea. See also the petname [wikipedia.org] extension [mozilla.org] for Firefox.

    It provides a coloured bar (yellow/green) for HTTPS connections in which a user-provided identifier is displayed. So you type in the secure site's URL the first time (https://my.bank.com/), then enter an identifier in the petname bar ("Online banking (Twylite)"). Every time you connect to the site in future the extension will pick up an exact match on the domain name and change the bar to green. Other untrusted SSL sites get yellow. Non-SSL sites are white.
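    The three-colour behaviour described above, as an added example that is not the petname extension's own code: a store bound to the exact hostname the user labelled, green only on an HTTPS exact match, yellow for any other HTTPS site, white for plain HTTP or anything unparseable. The host names and the label are constructed.

```javascript
// Added example (not the petname extension's code): the trust-indicator
// state the comment describes. Petnames are bound to the exact hostname of
// an HTTPS origin; nothing is inherited by parent or child domains.
function createPetnameStore() {
  return new Map(); // hostname -> label the user typed on first visit
}

function assignPetname(store, urlString, label) {
  const url = new URL(urlString);
  if (url.protocol !== "https:") {
    throw new Error("petnames are only bound to HTTPS origins");
  }
  store.set(url.hostname, label);
}

// Decide the bar colour and text for a page load.
function petnameBar(store, urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { color: "white", label: "" }; // not a site at all
  }
  if (url.protocol !== "https:") {
    return { color: "white", label: "" }; // non-SSL: no identity to assert
  }
  // Exact match only: my.bank.com.evil.example and login.my.bank.com must
  // not pick up the label the user gave to my.bank.com.
  const label = store.get(url.hostname);
  return label === undefined
    ? { color: "yellow", label: "" }   // untrusted SSL site
    : { color: "green", label };       // the site the user labelled
}

// Constructed walk-through: label the bank once, then revisit variants.
function runPetnameDemo() {
  const store = createPetnameStore();
  assignPetname(store, "https://my.bank.com/", "Online banking (Twylite)");
  return [
    "https://my.bank.com/login",
    "https://my.bank.com.evil.example/",
    "https://login.my.bank.com/",
    "http://my.bank.com/",
  ].map((u) => [u, petnameBar(store, u).color]);
}

console.log(runPetnameDemo());
```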

  • by Simon Donkers ( 950228 ) <info@NOSPaM.simondonkers.com> on Tuesday May 08, 2007 @03:58AM (#19033195) Homepage
    I'm guessing it would really help out if all browsers work together and take the following steps:
    - .bank domains must always use HTTPS with a trusted certificate
    - When visiting a .bank domain the browser contacts a trusted third party about the domain for more info and displays an information bar with 'You are now connecting to bank XYZ from ABC'. Place it clearly visible, away from the site content and make sure all browsers do this roughly the same way. Possibly change the toolbar background color everywhere from grey to yellow.

    If you combine these two steps with an information push to end users, we could finally get somewhere. Let Banks send out newsletters about security, let TV shows warn people, get the banks to buy some page sized advertisements together in all the papers to tell the story how they are really secure. If all major browsers work together on this as well as the banks and the media this could work out.

    Having a separate .bank domain helps browsers to detect that a page is from a bank to employ all the extra security features. Displaying the identity of the bank clearly and possibly making the .bank domain expensive would stop phishers from registering a domain. In time people will come to accept these secure pages and will find it strange that a phisher doesn't use them. It won't happen overnight but it can happen.
  • by MarkAyen ( 726688 ) on Tuesday May 08, 2007 @02:52PM (#19040609)
    Speaking as the former IT manager of a small community bank, I can say conclusively that banks would not love to pay $50,000 to register a domain. Certainly, the cost wouldn't affect the huge money center institutions, but $50,000 is a huge expense for a de novo. Especially when you consider that financial institutions register multiple domain names to avoid confusion. First State Bank might register the domains firststatebank.bank, firststate.bank and maybe even 1ststate.bank.

    And even after the bank has jumped through the hoops and paid the exorbitant registration fees, as others have pointed out, consumers who fall for phishing schemes tend to be less sophisticated Internet users and are probably not paying attention to the link they're clicking on anyways.
