A Foolproof Way To End Bank Account Phishing?
tcd004 writes "F-Secure's Mikko Hypponen proposes an elegant solution to the problem of bank account phishing in the latest Foreign Policy magazine. Hypponen thinks banks should have exclusive use of a new top-level domain: .bank. 'Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn't be just a few dollars: it could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.'"
We'll see about that. (Score:5, Insightful)
Re: (Score:2, Insightful)
http://somedomain.ru/ [somedomain.ru]
Re:We'll see about that. (Score:5, Insightful)
In retrospect, I should have previewed the previous comment. Didn't expect Slashdot to munge the URL.
The scheme would still fall victim to URLs like this:
http:
Suckers usually use IE or AOL, not Firefox... (Score:5, Insightful)
And if they're using the one that came with their PC, they may very well have several extra toolbars to "help" them use the Internet, though that can be a problem for phishers because other crackers may get the bank account info before they do.
Re:Suckers usually use IE or AOL, not Firefox... (Score:5, Informative)
Re:Suckers usually use IE or AOL, not Firefox... (Score:5, Interesting)
How will this stop XSS (Score:3, Insightful)
Re:How will this stop XSS (Score:5, Interesting)
In browsers that supported the
The results wouldn't make sites on that domain entirely secure, but with just a LITTLE community backing from Mozilla, Microsoft, and the others, it would help GREATLY; it's a step in the right direction at the very least.
Re:How will this stop XSS (Score:5, Informative)
Re:We'll see about that. (Score:5, Interesting)
In the rare event that a user does look at the URL they see that first
Now, perhaps if bank sites didn't do immediate redirects when you visited them and kept the URL in the address bar simple, then that may help. That way, if a user sees anything other than www.bank.com it should raise suspicion. But for the average user even a relatively simple URL such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com. So why should they look past the
Re:We'll see about that. (Score:4, Interesting)
But for the average user even a relatively simple URL such as http://www.wamu.com/personal/default.asp [wamu.com] will cause their eyes to glaze over when all they typed in was www.wamu.com.
Yup. And worse yet, that sort of thing allows the baddies to do something like www.blah blah/wamu.bank. So the ambiguousness of the period in the URL - used for both file and domain delimiters - will further obfuscate things.
URL checking - similar to adblock (Score:5, Insightful)
E.g.: If the address contains ".bank.com" and there is a "." after the com then alert the user / disable javascript / etc.
Yes, I do know that for a lot of people having technology that calls attention to these kinds of problems just causes them to not worry about it. There are, however, too many people who just don't have a clue, are not capable or don't care. I've taught many of them to be careful.
I still wonder why people don't use the Firefox [getfirefox.com] / Adblock [mozilla.org] / Filterset.G [mozilla.org] combination as a basic starting point.
It is good to see that there are some anti-phishing [mozilla.org] addons for Firefox now.
Re:URL checking - similar to adblock (Score:5, Informative)
I was trying to tell my dad how to recognize what domain he was at, but I couldn't think of how to describe it while taking into account all the variations a phisher might use. Then I saw a regular expression designed to extract the domain name from a URL. It basically said to take the part just before the third slash. That seems pretty good to me and easy enough to explain to my dad. Can a scammer fake that? Another way in Firefox at least is that Firefox shows the domain on the status bar at the lower right.
Another problem I've run into lately is that a couple of institutions that I deal with have stopped using SSL encryption for the entire login page. They use regular http for most of the page and just have the username and password form submitted with https. The problem is that you see no padlock and there is no way to know that the page is really from the domain you see in the address bar. A man in the middle could have intercepted the page between you and the bank and removed the encryption from the login form and redirected your password to a bad guy. The entire page and everything on it needs to be encrypted with https or the page is insecure. Even Microsoft's Internet Explorer programmers say this is bad and tell the banks not to do it but the banks do it anyway. Read more about it at Microsoft's website.
http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx [msdn.com]
This is not just a possibility but it seems to me like a realistic attack. On most wired networks you don't have to worry too much about ISP employees doing a man in the middle attack on you, but if you're using wireless at a coffee shop you'd better watch out for the https in your address bar. A hacker might use something like airpwn
http://www.informit.com/guides/content.asp?g=security&seqNum=158&rl=1 [informit.com]
to do a man in the middle attack and to intercept your password. It looks like it would be pretty easy.
I read an easy way you can get an entirely encrypted login page even if they don't have one available. You start your login by giving a bogus username and password. The bank will usually come back with an entirely encrypted login page that says you entered the wrong password. Just check the domain and check for the s in https and then go ahead and enter the correct username and password.
The simple way to end phishing. (Score:5, Interesting)
When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.
Same with the 419 scammers. I particularly enjoy messing with the 419 scammers for this very reason.
The only, and I mean only, reason these things proliferate is because it's profitable. This type of scamming is VERY profitable. So, we should be focusing on how to make it a waste of time. That would attack the problem at its root: its profitability.
Obviously, this would take a large bite out of spam, another problem in itself. Sometimes you have to fight fire with fire.
It seems obvious to me, but clearly not so obvious to others. Instead of spending time making a decent browser that supports modern standards properly (though better than IE6), Microsoft spent (probably) millions of dollars developing this ridiculous phishing filter for IE7. That is NOT dealing with the problem at its root. Obviously, they don't get it. Am I alone here? Hello? Anyone?
Re: (Score:3, Insightful)
When you get a phishing eMail, go to the URL. Enter some information. Not valid information unless you are a fool. Enter bogus crap. It's fun, and if everyone did it just once a month the phishers would be so crapflooded with false information that it'd be nigh impossible for them to separate the crap from the valid information. Phishing won't be worth the time anymore.
It would be even better if you had an automatic program that would do the work for you. It would submit bogus usernames and random passwords to drive the phishers crazy. I would call it "Dead Phish". Of course they could block any information from your IP if they figure out what you're doing, but the bogus information is still there for them to try unsuccessfully.
Re:The simple way to end phishing. (Score:4, Interesting)
When you mess with 419 scammers, you get the added bonus of being creative. You get to play whatever role you want, you get to mess with someone's head, and you are on the moral higher ground because they are, after all, trying to steal your money!
No way would I let a program do that for me!
I guess the only concern I can think of with going to phishing sites is that they then have your IP. So don't do that if you don't have a firewall. Then again, rip your network cable out of the wall if you don't have a firewall.
Re: (Score:3, Insightful)
That doesn't at all address the class of phishing scams that put up a fake copy of the site in question. Banks are usually the subject of such phishing attacks; throw up a copy of their site on a plausible-sounding URL, send out an email saying their account may have been compromised and they need to check, and when they enter their username and password you try the username and password at the real bank site, and make whatever transactions you want. That's the class that this TLD is aimed at preventing. Id
Re: (Score:3, Insightful)
You take away the profitability, then you've taken away the whole incentive for phishing. Schemes like this TLD thing are not cutting into the profits. It's just a more advanced "ignore them and they'll go away" strategy. That won't work here, since it only takes (SWAG alert) 1 in 1000 people to actuall
Re:The simple way to end phishing. (Score:5, Interesting)
As a system admin at my company, we got a call from a user who said she was a victim of a phishing scam, and wanted to see if we could get a copy of the phishing e-mail she was sent so she could forward it to her bank and the police, but since she had already deleted it.
We managed to recover the phishing e-mail. It was a standard phishing e-mail, however, it was not sent to her from the phisher him/herself, but from a friend of hers!
The subject had the FWD: tag at the beginning, and the first line of the e-mail said, "Hey look! A banking scam! Why don't we all put in bogus information and screw them up! hehe!", but this user clicked on the link and entered her *real* information, as she thought it really was from her bank after she read the "security warning" below her friend's comment.
Don't underestimate the power of the stupid.
Re: (Score:3, Informative)
You'd be surprised to what lengths they go today. Behind that "insert data here" script (which more and more often actually looks like the bank site), is a forwarder to the real bank. Of course only for the login-information. If it works, you get a "many thanks for your cooperation" (and I do actually believe that they're really thankful for your coop...) and your information gets logged. If you enter bogus crap, the bank will return a "no good" message and
Re:We'll see about that. (Score:5, Interesting)
How about browsers like FF, IE, Opera, et al highlighting the domain in bold and in a different color in the address bar?
http://www.wamu.com/personal/default.asp
That calls more attention to the part of the URL which deserves the most attention, no? And how about upping the point size on the address bar too? I look at the top of my browser and I see a sea of similar black type.
Re:We'll see about that. (Score:5, Interesting)
It provides a coloured bar (yellow/green) for HTTPS connections in which a user-provided identifier is displayed. So you type in the secure site's URL the first time (https://my.bank.com/), then enter an identifier in the petname bar ("Online banking (Twylite)"). Every time you connect to the site in future the extension will pick up an exact match on the domain name and change the bar to green. Other untrusted SSL sites get yellow. Non-SSL sites are white.
Re:We'll see about that. (Score:5, Insightful)
True, but this time, we could actually use technical means to ensure the validity of the address. Browser plugins could quite easily be programmed to mitigate (if not solve) the issues you raise. A hypothetical 'MyBank' plugin could, among other things, use only trusted (or consensus) DNS to resolve the name, and it could absolutely, positively be guaranteed to check the domain spelling every time.
Knowing the precise namespace would not solve every problem, but software developers could do a lot with that one extra datum for validation.
Re:We'll see about that. (Score:5, Insightful)
Dear Customer,
We are in the process of moving to our new, more secure
Please be aware that some "anti-ad-ware" programs currently detect our system as a "hijacker" - while we are, in effect, "hijacking" your connection, it is to improve your privacy and we are working with vendors to remove this warning for our program.
Please open and install OurBank.exe - it will ask you to verify your customer information, bank branch, and then log you in (the first time only) to your account with us. Remember to disregard any security warnings and allow our program to communicate through your firewall until we are able to resolve this mis-identification by the anti-ad-ware vendors.
Thanks again for your business,
OurBank./
Re: (Score:3, Funny)
Re:We'll see about that. (Score:5, Funny)
Re: (Score:3, Insightful)
We have certificates to solve DNS poisoning.
Re: (Score:3, Informative)
A while back one of the New Zealand banks had their SSL certificate expire, so for an entire afternoon every customer who visited the login page would have got an 'invalid certificate' warning of some sort..
300-odd customers logged in anyway. Only ONE was suspicious enough to contact the bank.
Re: (Score:3)
Re:We'll see about that. (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
I think that if this solution were to be adopted as a standard, browser makers would follow and reflect the "secure" TLD on the main UI. Firefox and IE7 already do this to some extent (yellow URL bar for SSH enabled sites, green (I think) on IE). There could be a special UI state that indicates you're on a secure .bank site. This would help make
Re:We'll see about that. (Score:4, Informative)
Don't know who thought that up.
Re: (Score:3, Informative)
American Express Canada [americanexpress.ca] is just as bad. They expect you to log on on an unencrypted connection (and they even put a little padlock icon next to the "login" button). I've mentioned it several times to their customer s
Re: (Score:3, Informative)
That's great to prevent password sniffing, but it doesn't stop a man in the middle attack. The man in the middle can just rewrite the login page before sending it to you with the encryption disabled. You wouldn't know. Microsoft's Internet Explorer programmers have told the banks about this but they do it anyway. See the Microsoft Developer Net
Re: (Score:3, Insightful)
I like the idea of the one-time authentication RSA fobs better.
This idea is stupid (tld goldrush?) (Score:5, Insightful)
I'd expect to see a rush of tld registrations to Macedonia [wikipedia.org] (citybank.ba.mk) and Saint Kitts and Nevis [wikipedia.org] (citibank.ba.kn)
Even if you could train people to look at the URL properly, there's always the chance that we'll see another Internet Explorer URL Spoofing Vulnerability [secunia.com].
Re: (Score:2)
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
Might want to tell that to people who register
Re: (Score:2)
Re: (Score:3, Informative)
aa.com
ms.com
hp.com
id.com
io.com
ts.com
Re: (Score:3, Informative)
"Neither of those would work, since your main domain name needs to be at least three characters."
Nope. Look at gc.ca [gc.ca] as a counter-example. I'm sure there are others ...
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
As long as a significant portion of the population doesn't take even basic steps to protect themselves, phishing will be a prevalent problem.
Re:This idea is stupid (tld goldrush?) (Score:4, Insightful)
Exactly. For $50,000, I get a domain that people will "know" is phish-proof. A decent scammer can make that back in a day if everyone "knows" it's "the real bank" and lets their guard down ...
People who think this will work are also gonna love "security through obscurity."
Mod parent up! (Score:2)
And if they time it right (end of month, beginning of month) they could easily make that much before it was shut down.
And how would it be shut down? Who would you complain to? Is there a potential for a DDoS attack against other
Come on people, don't just think how great your idea is. Spend some time thinking about how the bad guys would attack it.
#1. Just buy in. Who's going to validate you?
#2. Fake URLs. Exploit old browsers.
#3. DDoS against the other
Re: (Score:2)
A neat idea, but I'm sure phishers would love this.
dibs!!!!! (Score:5, Funny)
Re:dibs!!!!! (Score:5, Funny)
How do I make an online deposit?
Are there penalties for early withdrawal?
Re:dibs!!!!! (Score:5, Funny)
Yes; no linked child accounts... although for some that is desirable.
Re: (Score:3, Funny)
Deposits will require both the
I don't even want to know about withdrawals...
Re: (Score:3, Interesting)
I have dibs on data.bank.
Foolproof system (Score:5, Funny)
Re:Foolproof system (Score:5, Interesting)
You're funny and exactly right at the same time. Instead of stopping phishing by preventing stupid users from doing stupid things, let's instead make it harder for the phishers to blend in with the other bank traffic. I'll suggest (again) that every financial organization make a "catch a phisher" link on their page that provides a unique (so that phishers can't build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine whose account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It's something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
Re: (Score:3, Informative)
Re: (Score:3, Funny)
"There's no system foolproof enough to defeat a sufficiently great fool." -- Edward Teller
Cutting out the competition (Score:5, Interesting)
make it half a million a year and we're talking... (Score:4, Insightful)
Re:make it half a million a year and we're talking (Score:4, Insightful)
The banks that do such high volume transactions also tend to be leeches on society, taking a lot and giving back very little. I say make it ten million dollars a year. Those of us with a clue will keep using our credit unions' .org domains while the .bank TLD bleeds the blood suckers dry.
Re:make it half a million a year and we're talking (Score:2, Informative)
What? The credit union I use is pretty big for a local "bank", but it has only $900,000 in total assets. (I don't think that includes ~$700K in outstanding loans.) Even $50K wouldn't be *that* a small a
Re: (Score:3, Insightful)
Those graphs said "(in thousands)"...
Re:make it half a million a year and we're talking (Score:2)
500 grand? Hell, make it 5 billion/year. Apparently since banks hold m
Re: (Score:2)
The guy who proposed this is smoking crack. This does not solve any of the problem, and just puts artificial entry barriers to the industry to protect the current banks from any new competition. And while you are at it, why stop at 50K, why not 50 million instead? It's not like any bank can't put up with 50 million either.
Putting layers and layers of stupid "solutions" like that is not going to solve the problem.
I'm reminded of the phrase... (Score:3, Interesting)
Re: (Score:2)
I'm guessing because they actually don't have any major clue about how the web works and go "Hey, there's the URL... uh.. some numbers ahead... bet that isn't anything important though". Of course the .bank would cut out some phishing but calling it foolproof is naive considering this example.
The example
Ummmmm... (Score:5, Funny)
I'm gonna go smoke a bowl and see if I can't remember if I spent $50,000 on it or just used basic computer knowledge to bypass the TLD.
Re:Ummmmm... (Score:5, Funny)
Re:Ummmmm... (Score:5, Funny)
That, or he'd have to hack into someone else's computer. I know that's impossible today, but a few pessimistic computer scientists suggest that one day Microsoft's crack team of programmers may make a mistake, allowing a malformed file or network connection to initiate the execution of malicious code on an innocent person's computer! Worse yet, some fear that the vigilance of today's sophisticated computer users may itself fail. It's unlikely that anyone would be foolish enough to run an executable file from an untrustworthy source without at least rigorously testing it in a "sandbox" environment, but rumor says that in a few underfunded public schools the computer security classes don't even teach kids how to set up a virtual machine!
Re: (Score:2, Interesting)
Well, you seem to be forgetting that IT WILL ONLY WORK FOR YOUR COMPUTER. Domain name registrars exist to allow you to purchase a name for ALL COMPUTERS to recognize.
The only way your method could be used successfully for phishing is if the attacker can modify /etc/hosts or %SYSTEMROOT%\System32\drivers\etc\hosts. But if they can do that, it's already game over, so to speak, for the victim, because that implies the attacker has to have other levels of access through which they can probably do more damag
Solution? (Score:2, Insightful)
It's a step I guess, but education goes a bit further, I think. At least they could use the 50k to help victims of spoofing, or to come up with other (better) solutions.
Re: (Score:2, Funny)
I know it will never happen (Score:3, Funny)
Re:I know it will never happen (Score:5, Funny)
Until you realize it was your own money.
Re: (Score:2)
It also disfavors smaller banks in small towns where $50,000 isn't quite the pocket change it is for larger banks with branches all across the country or world.
And as others have pointed out, it's still not going to keep everyone from being fooled. Scammers are just going to keep finding new and more interesting ways of fooling people.
citibank.bank.customers.spammer.com (Score:3, Interesting)
citibank.com.customers.update.spammer.com
It wouldn't take any more effort to make:
citibank.bank.customers.update.spammer.com
Most people don't know much about URLs. And that's assuming the mark even reads the URL at all.
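The "part just before the third slash" rule, the "alert if a trusted name shows up with more dots after it" check and the petname bar's exact-match colouring from the comments above all reduce to one host-extraction-and-compare routine. The Python below is an added example written for this page, not code from any of the commenters or from any browser extension; the PETNAMES table and the sample URLs are constructed, and the "red" verdict for look-alike names is an extension of the green/yellow/white scheme described in the petname comment.

```python
from urllib.parse import urlsplit

# Constructed petname table (assumption): hostnames the user labelled after
# typing them in by hand, as the petname-bar comment describes.
PETNAMES = {
    "www.wamu.com": "Online banking (WaMu)",
    "my.bank.com": "Online banking (Twylite)",
}


def host_of(url):
    """The hostname: what sits between '://' and the third slash, minus any
    user@ prefix and :port. urlsplit().hostname does exactly that and lowercases."""
    return (urlsplit(url).hostname or "").rstrip(".")


def lookalikes(url):
    """Trusted names that occur in the URL anywhere other than as the exact host:
    extra labels after the name (wamu.com.customers.evil.example), the name used
    as a path component, or the name placed in front of '@'."""
    host = host_of(url)
    lowered = url.lower()
    hits = []
    for trusted in PETNAMES:
        if trusted == host:
            continue
        # drop a leading "www." so the bare registrable name is what we look for
        core = trusted[4:] if trusted.startswith("www.") else trusted
        if core in lowered:
            hits.append(trusted)
    return hits


def classify(url):
    """Colour the address bar the way the petname comment describes:
    green  = exact host match over https (petname shown),
    yellow = https to a host the user never labelled,
    white  = no TLS at all,
    red    = (added here) a trusted name is present but is not the host."""
    parts = urlsplit(url)
    host = host_of(url)
    if host in PETNAMES and parts.scheme == "https":
        return "green", PETNAMES[host]
    if lookalikes(url):
        return "red", None
    if parts.scheme == "https":
        return "yellow", None
    return "white", None
```

Note that the bank's own hostname reached over plain http comes back white, not green: that is the unencrypted-login-page situation raised earlier in the thread, and the user gets no reassurance from it, which is the point.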
Re: (Score:3, Insightful)
Good idea! Not 100% Fool-proof! Repost! (Score:2)
Yes, I think it's a great idea. It is very akin to how you go to a
2) Not 100% Fool-proof!
Why? Well it's not 100% fool-proof because people are morons. Some people will fall for anything. They'll see citibank.bank.bank-info.info and still fall for it. DNS poisoning will also do the trick. Modified hosts files will also do the trick. People are dumb, but this will still help!
3) Repost!!
Sort of.. we j
Banks Only? (Score:2)
Phishers will just move on to easier prey, such as all other institutions that handle lots of money or transactions (eBay, PayPal, etc).
This wouldn't work (Score:5, Insightful)
Won't stop my mom (Score:2)
It's the same as those image captchas BofA uses. It's a nice touch, but if one day you went to the site and it just asked you for a username/password, would you really think something was amiss?
Bad! Bad! Bad! (Score:4, Insightful)
If I were an organized crime ring, I'd be barely able to contain my enthusiasm for this solution: for a paltry $50K, I can set up a site that users will almost automatically assume to be safe and part of a real bank. Time to register for mypersonalcity.bank, bankofus.bank, continentwide.bank, and make a killing!
A Foolproof Way To End Bank Account Phishing? (Score:2)
Seriously, though, as I'm sure everyone here knows (but I enjoy preaching to the choir) this is useless. The problem isn't that people can't tell they're not at the actual bank website because it's hard, they can't tell because they don't fucking look and/or don't understand. If after clicking the link (which they shouldn't have clicked to start with) they are incapable of looking at the address bar and think
.bank is the wrong name (Score:5, Insightful)
This is a dumb idea in the first place. But assuming we went with it, .bank is the wrong domain name.
First of all, I have a credit union. It's not a bank. There is an important legal difference. Its domain should not end with .bank. Then there are also savings and loans, which are also not banks.
On top of that, people try to phish for account information for other financial institutions which aren't credit unions, savings and loans, or banks. For example, investment companies and stockbrokers. This scheme would force us to have fidelity.bank and vanguard.bank and etrade.bank and so forth. They're not banks, yet people often have accounts there with millions of dollars that bad guys want to phish for.
Effectively, the idea of putting it into DNS all under .bank seems to be based on the assumption that the set "things crooks want to phish for" equals the set "banks". Which is not reality.
A much better idea would be a separate SSL/TLS certificate signing authority that would specifically mark the registered domain as having some proven attribute, like "this is a bank" or "this is a credit union". That is, certificate authorities that not only sign, but make specific assertions like "we verified that this web site belongs to a bank named Foo licensed in the following states: CA, CT, NJ, NY, TX".
Re: (Score:3, Insightful)
Re: having a special certificate class, there kind of already is - they're called Extended Validation certificates, from Verisign:
http://www.verisign.com/ssl/ssl-information-center
Supposed to turn the address bar in IE 7 (and upcoming Firefox releases) green. Not that it will matter much, they're still only ~ $2K
Duh (Score:4, Insightful)
There's already a foolproof solution. My bank never contacts me by e-mail! So I know that all e-mails claiming to be from my bank are fake.
Quite simple really.
Uncomprehending banks' e-mails (Score:3, Interesting)
Foolproof? Hah! (Score:2)
Why not label it something like, " A ni
What a dumb idea. (Score:2)
it's not like they use their own domains now... (Score:5, Interesting)
To access account info for my wife's Fidelity Visa Card, I need to go to a site in the ibsnetaccess.com domain.
To access account info for my IRA, which I own through Citizens Funds, I need to go to a site in the websolcentral.com domain.
To access account info for my wife's 401K, which she owns through Fidelity Investments, I need to go to a site in the mysavingsatwork.com domain.
Honestly, it's like they're all trying to confuse people. Why should we expect anyone to recognize a phishing URL when the financial services companies won't host their own secure sites under their own domain names?
No additional security, added cost (Score:5, Insightful)
Only $50K!!!! (Score:2)
Not a problem (Score:2)
Also people are used to using
It's not a foolproof solution at all.
Re:Not a problem (Score:4, Interesting)
Wont Work (Score:3, Insightful)
People don't look at domain names now, nor do they check for https. What makes you think this will change things?
With all due respect.... (Score:2)
We here at the Commerce Bank of Beverly Hills will not pay $50,000... Milburn Drysdale, President
This is already a solvable problem. (Score:5, Insightful)
The card plugs into a USB port (or a reader plugs into USB and the card plugs into the reader). The card performs several functions:
authenticates the user to the bank (after you enter in a pin).
authenticates the bank to the user.
authenticates a secure connection to the bank has been established.
authenticates each transaction.
for an added bonus, keeps the user's authentication secrets INSIDE the magic card (authentication of the user performed via challenge-response).
This is NOT a terribly complicated system. Encryption has been doing authentication for years. If banks wanted to prevent phishing attacks, they'd develop a standard and not do any online banking without this device.
Could it still be hacked? Sure, but an attacker would have to compromise the user's computer AND have the magic card inserted into it while performing the attack. Lose your magic card? No problem, it gets invalidated just like an ATM card and the bank sends you a new one, possibly for a small fee.
Of course, banks are too cheap and conservative to do this on their own. We need a regulatory body to start pushing this on them, otherwise it'll never happen.
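As an added example, not code from the commenter or from any bank's actual card scheme, the Python below simulates the authentication steps listed in the comment above: the PIN unlocks the card locally, the card proves itself to the bank, the bank proves itself to the card, and each transaction is approved by the card so that a copy altered on the PC afterwards is rejected. A shared HMAC key stands in for the card's key material (assumption: a real card would hold a per-card asymmetric key); the card ID, PIN and transaction are constructed.

```python
import hashlib
import hmac
import json
import os


class Card:
    """Simulated smart card. The secret lives only inside this object; the host
    PC sees challenges, responses and signatures, never the key or the PIN."""

    def __init__(self, card_id, secret, pin):
        self.card_id = card_id
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False

    def unlock(self, pin):
        # The PIN only unlocks the card; it is never transmitted to the bank.
        self._unlocked = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def _mac(self, tag, data):
        if not self._unlocked:
            raise PermissionError("card is locked")
        # Domain-separation tag: a card response can never be replayed as a bank proof.
        return hmac.new(self._secret, tag + data, hashlib.sha256).digest()

    def respond(self, bank_challenge):
        return self._mac(b"card-auth:", bank_challenge)

    def check_bank(self, own_challenge, bank_response):
        return hmac.compare_digest(self._mac(b"bank-auth:", own_challenge), bank_response)

    def sign_transaction(self, nonce, tx):
        canonical = json.dumps(tx, sort_keys=True).encode()
        return self._mac(b"tx:", nonce + canonical)


class Bank:
    def __init__(self):
        self._secrets = {}  # card_id -> shared secret (assumption: symmetric stand-in)

    def enroll(self, card_id, secret):
        self._secrets[card_id] = secret

    def _mac(self, card_id, tag, data):
        return hmac.new(self._secrets[card_id], tag + data, hashlib.sha256).digest()

    @staticmethod
    def new_challenge():
        return os.urandom(16)

    def verify_card(self, card_id, challenge, response):
        return hmac.compare_digest(self._mac(card_id, b"card-auth:", challenge), response)

    def prove_identity(self, card_id, card_challenge):
        return self._mac(card_id, b"bank-auth:", card_challenge)

    def verify_transaction(self, card_id, nonce, tx, signature):
        canonical = json.dumps(tx, sort_keys=True).encode()
        return hmac.compare_digest(self._mac(card_id, b"tx:", nonce + canonical), signature)


def run_session(card, bank, pin, tx, tamper=None):
    """One online-banking session. `tamper` optionally rewrites the transaction
    between the card approving it and the bank seeing it (malware on the PC)."""
    result = {"pin_ok": False, "card_ok": False, "bank_ok": False, "tx_ok": False}
    result["pin_ok"] = card.unlock(pin)
    if not result["pin_ok"]:
        return result
    c1 = bank.new_challenge()                      # bank -> card challenge
    result["card_ok"] = bank.verify_card(card.card_id, c1, card.respond(c1))
    c2 = os.urandom(16)                            # card -> bank challenge
    result["bank_ok"] = card.check_bank(c2, bank.prove_identity(card.card_id, c2))
    nonce = bank.new_challenge()                   # fresh per transaction: no replay
    sig = card.sign_transaction(nonce, tx)
    seen = tamper(tx) if tamper else tx
    result["tx_ok"] = bank.verify_transaction(card.card_id, nonce, seen, sig)
    return result


def demo():
    """Honest session, then the same session with the payee swapped in transit."""
    secret = os.urandom(32)
    card = Card("card-0001", secret, pin="1234")
    bank = Bank()
    bank.enroll("card-0001", secret)
    tx = {"to": "ACCT-42", "amount": 100}          # constructed sample transaction
    honest = run_session(card, bank, "1234", tx)
    mitm = run_session(card, bank, "1234", tx, tamper=lambda t: {**t, "to": "ACCT-EVIL"})
    return honest, mitm
```

In the tampered run the card and bank still authenticate each other, which is why per-transaction approval is listed as a separate step in the comment: mutual authentication alone would not catch a transaction rewritten after login.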
Re: (Score:3, Interesting)
In addition, the device need
I have an even easier way! (Score:3, Funny)
because... (Score:4, Insightful)
For the vast majority of users, a new TLD like
my replacement for the DNS system .. (Score:3, Insightful)
The new DNS system would consist of the name + contact details + IP + a digital signature + a public key stored on a root DNS server. When my computer sees a URL, www.bankofAmerica.com, it contacts the root server and downloads the sig; it also requests the same info from bankofAmerica.com. BOI, using local copies of the same info, sends an encrypted msg using its private key. The client compares the two and if they match then bankofAmerica.com is legitimate and so is its IP address.
Re:You just have to wrap the site and redirect par (Score:2)