Would an exclusive internet address for banks help prevent phishing and identity theft? That's the hope of a new project from a financial services trade group in the US, which plans to apply to domain name overseer ICANN early next year for a ".bank" top-level domain. BITS, the technology policy arm of the Financial Services …
First educate the bankers
The Halifax owns halifax.co.uk, but if I try to do some internet banking, I end up at halifax-online.co.uk, which I have no confidence in. If it does belong to The Halifax, it shows such an abysmal understanding of internet security that I have to assume the actual site contains some more equally brain-dead design decisions.
Have to agree
On Phishtank someone wanted to block the official Natwest online banking bit because it's nwolb.com and wasn't natwest.co.uk; certainly at first glance you would think that's a good phish until you realise it's actually their site.
It's been doing that for over 10 years now and is only accessible via a link from the main site anyway, so I'd imagine nobody is particularly fazed by it. As to the actual site, it's unlikely to have any related design decisions at all since they retired the (extremely good) original site last year and replaced it with a rebranded version of the (largely regrettable) Lloyds one.
Yes, and why does Nationwide use
Me, personally, I wouldn't trust it any further than I would a .com, though not for the want of trying.
First up, I doubt most users would notice, other than not getting to their bank with .com first time. The very fact that phishing is still so prevalent, because people just don't look at emails properly, suggests to me that it wouldn't solve anything from that direction.
More importantly, though, vulnerabilities in DNS resolution that already permit MITM and cert abuse don't get stopped, and if anything it gives people yet more belief in security than should be warranted; it won't stop MITM attacks, it won't stop DNS poisoning, and it won't stop people getting keylogged, but it will make them think they're more secure...
"Would an exclusive internet address for banks help prevent phishing and identity theft?"
Probably not significantly in my opinion. Existing phishing scams try to conceal that they're not going to the real address, and users don't seem to look at the address in the address bar, just blindly click the underlined words in the email. It also wouldn't stop keyloggers, or malware infecting the browser from changing the page to add extra fields and send the login page somewhere else. If SSL and certificates and other technical measures don't stop that at the moment, I can't see that changing .com to .bank in the address bar will solve the problem.
I would tend to trust a bank that sticks to fractional reserve banking rather than pyramid selling - of course by now most of the former have probably been irreparably damaged by the (by definition criminal) acts of the latter.
only vetted financial institutions would be able to register a .bank domain.
Like the ones we bailed out in 2008 and the ones we are having to protect this year due to their exposure to Grease :-)
Greece is nothing
The real unraveling has just begun. Greece is nothing compared to the debts which have been run up by local authorities across Europe. Dexia and its multi-GDP-of-Greece debts are just the tip of the iceberg. The defaults on credit lines to Spanish, Italian and other EU local authorities by other banks are yet to come.
Whether we like it or not, there has been no money to spend since the late '90s. Whether we like it or not, our "elected representatives" have been spending like mad. It is yet another bit of history repeating. I saw this in the second half of the '90s in Eastern Europe. 1000% annual hyperinflation and total collapse of the economy. Enormous debts racked up by local authorities on various folly projects played a significant role in that. Every city centre was marble paved and marble clad. Monuments were raised and built no matter the cost. And so on. All of that on credit which at some point ran out. Even before that we saw it in Yugoslavia (it was not even ex- in those days).
Then the darkness descended. By the time the economy hit the bottom it looked and felt like Mad Max. This is just a repeat of it on a larger scale :(
Credit is nice, but if you have to take credit to pay credit this means that your predecessor should be in the dock.
"...due to their exposure to Grease...."
They are slippery bastards bankers, aren't they?
Would the Uk bother?
It isn't as though UK banks have any great history of using coherent domains as it is - you find Natwest's services scattered across umpteen different domains which have increasingly less obvious ties to their main domain. Why is the online banking service on a different frickin domain, and one that isn't even registered to them directly? (nwolb.com)
The problem isn't lack of trust in domains, but lack of trust in the banks themselves.
Why is the online banking service on a different frickin domain?
Probably, because it was outsourced to a different bunch than the main site was outsourced to.
"including .insure and .invest"
One wonders what the Germans will think of that ... I see a plethora of ".versicherung" or ".investierung" etc.
And that is only one language.
Given how many people fall for the most transparent of phishing scams (please to visit www.yourbank.com.suspicious.cc and enter the password) and given the less than awesome success achievements of SSL in the face of corporate (Diginotar), technical (SSLstrip, BEAST) and user (who might not even notice the difference between EV and standard certificates) failures, how on earth would .bank fix anything?
Well, .bank could definitely fix the corporate issue, as there would be a vetting process.
Part of the vetting process could be a security check (e.g., does your site require TLS 1.1+), which could help fix the technical issues.
So it could fix "anything", but it's certainly not going to fix "everything".
But no, let's piss on partial solutions and wait for a system that fixes everything. That would truly be pointless.
"due to their exposure to Grease :-)"
Q. What does a topless Olivia Newton-John have to do with banking ?
A. Dunno. It has to be something to do with confidence in those Greece nipples, but I can't quite keep myself abreast of the situation.
So if they control the DNS, the routers, the switches, the DMZ's, and the hosts involved and also have CA root servers maybe. Otherwise, no fucking way as they're all thick as thieves and outsource so much that their bastardised operations are ineffective fingerprinting morons.
Here credit unions make a big deal about how they're different from banks. Would credit unions actually apply for a bank TLD?
It won't work
It won't work. Given that a lot of phishing sites use things along the lines of
I'm sure they can swap the .com for a .bank in there.
I was thinking the same thing re: Building Societies
Haven't used a bank in 2 decades - stopped using them when, as a student, I was suddenly being charged a $5-per-month fee for having less than $500 in my (only) account. Which bank? Every bloody bank!
I'd give it three weeks
Before the domain names industry was flogging .bank domains to anyone who could produce a convincing-looking bit of laser-printed headed paper...
I'll take a "no" please, Bob.
Banks and the finance industry as a whole have proven themselves entirely untrustworthy over the last few years.
I'd trust a .xxx site over a .bank because at least their intentions are honest and the people being screwed are there by choice and being paid for it.
Before you Protect us From Phishing Start Protecting US From Your Bankers
I saw a $25 service charge on my Business checking last month. When I visited the branch today I asked the CS what it was for and she said it was a service charge on a $12K cash deposit I made. I thought that was crazy and said as much. The CS proceeded to tell me that what I need to do is to open a saving account and deposit the funds to the saving next time and then transfer it back to my checking.
My next question to her was.. "How many times must I ask you guys to stop pestering me about opening additional accounts. Is that the only thing the bank pays you for ..." I also told her that the solution is not for me to open a new account, it is for the government to start regulating the myriad of charges the banks are now imposing on their customers, or for me to move my business to a small community bank. I actually decided to move the accounts; now it's time to shop around for a new bank.
It's time our banks were forced to get back to the business of Banking ... Economics 101 calls it Financial Intermediation ... when a bank can charge me a monthly service charge to maintain an account with tens of thousands of dollars something is wrong.
Anybody remember back when ATMs first came out how they were hailed by banks as a means of reducing their cost through the reduction in the number and size of branches and number of tellers they would need? Then with the deregulation of the sector they also started charging us a fee to use ATMs. Now they are charging fees to use our ATM cards.
It rhymes with wankers.
No Trust in Banks or Bankers
I have software to prevent malware and trojan attack but nothing on the market will protect me from the outrageous greed of the Financial Industry.
I just looked at my online statement for BofA last night and there was the $25 monthly service fee for my checking account, and below it was a fee for "imaging" my checks (all two of them).
It is time for Re-Regulation of the "Banking" industry. How in hell do you get charged a service fee for a cash deposit? For a business account?!?
If I were you, I'd go to the bank and ask for a $25 credit in person. When they deny it, demand that they show you in writing where you are required to pay a service fee on a cash deposit in a business account.
When that doesn't work, you have my permission to go completely batshit crazy and call the police.
What do you think "Merchant" is rhyming slang for?
You underestimate them, I refer you to
"only qualified candidates"
What does that "qualified" mean, exactly, hm?
How are you going to establish trust, exactly? Verisign? They're not trustworthy.
Will you be transparent and, say, maintain a public list showing just why this dotbank SLD was given to just whom and why they were deemed "qualified"?
And a bunch of other questions. It'll probably be about as useful as .edu again: mainly 'merkins. They're not the first and far from the only ones, ensuring only half-baked ideas survive.
We really ought to move most now in "the historical generics" under .us. A .bank.us would make more sense. It would be useful if the purported .bank peeps can manage to make the thing truly international, transparent, and actually trustworthy, just like trustworthy banking would be useful. But I doubt they'll even try.
And I doubt ICANN will be any help. They're what looks suspiciously like a nonprofit gone for profit after all, and not at all looking out for the long-term good of the internet community. Unless that's somehow the same as looking out for the long-term profits of the global corporate community.
Seems like a moderately good idea, but I don't know how easy it would be to actually get banks on board with it.
...instead of creating a new set of problems, we fix the existing ones we already have!
It ain't the domain that's the problem.
It's the bankers.
The answer to the question posed is about as much as I'd trust the Titanic, once the deckchairs had been repositioned for safety reasons.
Let's ignore the fact that I'm in America. Just look at the URL
As part of our ongoing program to make our online service easier to use and even more secure, we will like you to carry out some upgrades to our banking systems.
For your convenience we urge you to upgrade your account by Clicking Here <http://www.environnet.in.th/kids/components/com_events/Userterms.htm> and complete the upgrade
Cahoot is a division of Santander UK plc
Why? <shakes head>
This is the stupidest idea I've ever heard. Sure the domains will be only available to certified banks...
But what about DNS poisoning?
Or plain old phishing sites running from some other random domain? We'll just see someone register .bank.com so they can scam people.
And then there's good old-fashioned hosts file modification that so much malware still gets up to.
To state the obvious
Yes, it's a good idea. A browser can easily colour the status bar if the current URL host matches *.bank. Other vulnerabilities in bank sites, CAs, SSL, the financial system in general, notwithstanding, this is still a good idea.
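The two posts above describe opposite sides of the same check: a browser colouring its UI when the host really sits under .bank, and malware defeating the whole idea by pinning a bank hostname in the hosts file. The example below is added here to illustrate both; it is not code from the thread, from any browser, or from the .bank proposal. It assumes a hypothetical .bank TLD, and the URLs and the hosts-file content are constructed samples. The security point it demonstrates is that the decision has to be made on the rightmost label of the parsed host, not by searching the URL string for the word "bank", which is exactly what lookalikes such as www.yourbank.com.suspicious.cc and bank.com exploit; and that any hosts-file entry for a .bank name is a finding, because legitimate banking hosts are resolved through DNS, never through a local override.

```javascript
// Added example, not from the original thread. Assumes a hypothetical .bank TLD.

// True when `host` is a DNS name under the .bank TLD: at least two labels,
// and the rightmost label (after case folding and stripping a trailing dot)
// is exactly "bank". "bank.com" and "www.yourbank.com.suspicious.cc" fail.
function hostIsUnderBankTld(host) {
  const normalised = host.toLowerCase().replace(/\.$/, '');
  const labels = normalised.split('.');
  if (labels.length < 2) return false;           // a bare "bank" is not a site under the TLD
  return labels[labels.length - 1] === 'bank';
}

// Browser-side check of the kind the post describes: parse the URL with the
// WHATWG URL parser so that userinfo, ports and paths cannot confuse the host
// extraction, then test the parsed hostname.
function isDotBankHost(urlString) {
  let hostname;
  try {
    hostname = new URL(urlString).hostname;       // throws on malformed input
  } catch (e) {
    return false;                                 // nothing we can judge, so do not colour the bar
  }
  return hostIsUnderBankTld(hostname);
}

// Naive substring matching, shown for contrast only: it accepts every lookalike.
function naiveBankMatch(urlString) {
  return urlString.toLowerCase().includes('bank');
}

// Constructed sample hosts file (not a real capture). A local override for a
// .bank name is what the "hosts file modifications" post is warning about.
const SAMPLE_HOSTS = [
  '127.0.0.1   localhost',
  '::1         localhost',
  '# benign local override',
  '10.0.0.5    build.internal',
  '203.0.113.9 www.example.bank   # .bank name pinned to a public address',
  '0.0.0.0     ads.example.net',
].join('\n');

// Parse hosts-file text and return every (address, name) pair whose name is
// under .bank. Comments and blank lines are skipped; one address may carry
// several names on a line.
function suspiciousHostsEntries(hostsText) {
  const findings = [];
  for (const rawLine of hostsText.split('\n')) {
    const line = rawLine.split('#')[0].trim();    // drop comments
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) {
      if (hostIsUnderBankTld(name)) findings.push({ address, name });
    }
  }
  return findings;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  for (const u of ['https://www.example.bank/login',
                   'https://www.yourbank.com.suspicious.cc/',
                   'https://www.example.bank@evil.example/']) {
    console.log(u, 'parsed:', isDotBankHost(u), 'naive:', naiveBankMatch(u));
  }
  console.log(suspiciousHostsEntries(SAMPLE_HOSTS));
}
```

The userinfo case (`https://www.example.bank@evil.example/`) is the one worth pausing on: the string starts with a convincing .bank name, the naive check accepts it, and the parsed hostname is `evil.example`. Whatever a browser colours must be driven by the parsed host, and the same rule applies to any log-based detection that tries to spot bank lookalikes.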
Actually, I don't see why not
Sure, this is going to have a minuscule effect on security, but since I can't imagine the costs being anything more than minuscule either, they shouldn't waste time debating it, just get on with it and then concentrate on some things that will have significant benefits.
I won't list any - everyone else here did a bang up job.
H4x0r sets up DNS server,
points .bank to .phish.scamartists.ru, and compromises your machine with a trojan in the usual fashion to mess with the DNS settings.
The actual domain name doesn't matter so much (though I agree that using a completely different domain like nwolb.com is just dumb from the bank's operations).
What actually matters is the registry that controls the .bank is not a US concern like the most untrustworthy entity of them all: Verisign. In other words, DNS and SSL need to be managed from a far more trusted source that is UK based, and one that has public oversight for this to be OK.
... for the .banks, .banking, .bankers TLDs?
It's for legitimate purposes, honest!
Now let me see...
"Would you trust a dot-bank site more than a dot-com?"
Much, much less.
The clue is in the word "bank".
Not a TLD...
It would probably be better to have a subdomain for each country, e.g. bank.uk rather than .bank...
Each country has different regulations on banking, and at least in the case of the UK there is the FSA which regulates such organisations...
Create a bank.uk namespace for banks trading in the UK, and have it managed by the FSA... Other countries can do the same.