Euro banks slam dot-bank plan

European banking regulators have slammed an American-led plan to create a new ".bank" top-level domain, saying it could give way to "a more dangerous form of phishing". The European Banking Authority wrote to California-based domain name industry overseer ICANN earlier this month to say that plans for financially oriented …

COMMENTS

"The company applied for a US trademark on ".bank" last year ... before the US Patent and Trademark Office – which takes a dim view of companies attempting to trademark gTLD strings – revoked the registration."

Except it's not a gTLD string.

Perhaps a case of doing the right thing for the wrong reason, or maybe just more evidence that USPTO is seriously broken.

.fin

For loan sharks only?

Regional subdomains..

The idea of a subdomain specifically for financial institutions is a good one, as if done correctly and combined with user education it will make phishing harder...

But instead of just .bank, they should make country subdomains of .bank, for instance uk.bank and possibly regional ones such as eu.bank...

Then each country subdomain should be managed by the appropriate regulatory organisation of that country, e.g. the FSA.

Re: Regional subdomains..

Right idea, but wrong domain registry governance and ownership. I'd have much better confidence in logging in at nationwide.bank.uk than in nationwide.uk.bank because the .uk TLD is subject to UK Internet community governance through Nominet, and not subject to the whims, scams and rake-offs of ICANN. I have no confidence in banks anyway, which is why I gave the name of a mutual.

Nominet is in a much better position to establish the credentials of a UK financial regulator than whoever ICANN flogs .bank to.

Re: Regional subdomains..

I thought something similar and totally agree.

What we in the UK also need to do is make sure that the FSA and UK bank regulation is fit for purpose, which it isn't as yet.

Re: Re: Regional subdomains..

But would the French domain be .bank.fr or .banque.fr, and so on for other languages? If one gets chosen, the other will be used for phishing. Having ".bank" would at least be consistent, which is what they're aiming for.

Then again, will paypal.bank be allowed?

Re: Re: Regional subdomains..

Agree, it also means that companies/sites using .bank.uk will be subject to UK legal oversight and not US legal oversight.

Remember, a loan to Iran to enable it to buy "peaceful nuclear technology" might satisfy UK/EU laws, but because a UK/EU company beat a US company to the battery supply deal, the US government (lobbied by the losing US company) decides the whole deal is in contravention of US domestic law and so uses its self-declared "ownership" of the non-national gTLDs to take control of the relevant .bank domain name...

Remember they have already done this recently with megaupload.com and prior to that various (UK-based) gambling .coms... We also shouldn't forget what happened to Systime in the mid-1980s [ http://hansard.millbanksystems.com/commons/1986/feb/25/systime-plc ]

Finally, I suspect that the banks themselves will prefer to use a country element in the domain name to enable better targeting: nationwide.bank.uk reads better than any of nationwide.uk.bank, uk.nationwide.bank or nationwide.bank/uk

However, because the US domestic market thinks of itself as being the centre of the universe, the US banks will want .bank and not .bank.us

Re: Regional subdomains..

I am baffled by the belief system behind this comment. Why on earth would you expect such a domain (whether it's uk.bank or bank.uk is irrelevant) to be less full of dross than .com? All TLDs converge towards unverified first-come-first-served with some sort of retrospective disputes procedure; that's become the religion at ICANN. There's no way they will be managed exclusively by regulators (and would you trust, say, bank.tv even if it did claim to be managed by the Tuvalu Banking Authority?).

In any case, it doesn't matter. A naming system cannot prevent most phishing attacks, which trade on users not even looking at the URL.

Just another piece of endless TLD madness.

g e

Riiight and what about...

<a href="dodgysite.ro">barclays.bank</a>

Re: Riiight and what about...

Exactly. People can't tell phishing sites apart as it is. A unique .bank will not change things.

<a href="secure.barclays.bank.session-log.in/enteryourpin.html">secure.barclays.bank/session-login/enteryourpin.html</a>

Re: Re: Riiight and what about...

Au contraire.

If the idea of a registered .bank takes off, then any web browser will detect an address switch like that and probably wouldn't highlight the address as a banking site as such (hint, hint: if it isn't recognized as a banking site, it isn't--barring some whitelist collapse, only genuine banks will have .bank addresses). And since .bank sites will be screened prior to approval, and since the safeguards already in place (SSL/TLS and the like) will still be there, it would be another layer.

So how would you go about fooling both the user and the web browser without hacking an actual bank site?

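The address switch shown in the two posts above (link text that says secure.barclays.bank while the href lands on session-log.in) is exactly what a registrable-domain comparison catches. The following is an added example, not code from any commenter or from El Reg: the suffix list is a constructed stand-in for the Public Suffix List that real browsers consult, it assumes ".bank" and "bank.uk" would be registered as public suffixes, and the function names are mine.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List real browsers consult;
# assumes ".bank" and "bank.uk" would be registered as public suffixes.
PUBLIC_SUFFIXES = {"com", "in", "ro", "uk", "co.uk", "bank", "bank.uk"}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus one label (what browsers call eTLD+1).

    secure.barclays.bank.session-log.in -> session-log.in
    secure.barclays.bank                -> barclays.bank
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown suffix: treat the whole host as the registrable domain


def link_mismatch(visible_text: str, href: str) -> bool:
    """True when the text shown to the user names a different site than the href."""
    shown = registrable_domain(host_of(visible_text))
    if "." not in shown:
        return False  # plain words such as "click here" name no site to compare
    return shown != registrable_domain(host_of(href))


# Constructed links mirroring the two examples posted in this thread,
# plus one honest link that must not be flagged.
SAMPLE_LINKS = [
    ("barclays.bank", "dodgysite.ro"),
    ("secure.barclays.bank/session-login/enteryourpin.html",
     "secure.barclays.bank.session-log.in/enteryourpin.html"),
    ("nationwide.bank.uk", "https://www.nationwide.bank.uk/login"),
]


def flag_links(links=SAMPLE_LINKS):
    """Return the (text, href) pairs whose displayed site and real site differ."""
    return [(text, href) for text, href in links if link_mismatch(text, href)]


if __name__ == "__main__":
    for text, href in flag_links():
        print(f"MISMATCH: shows {host_of(text)!r}, goes to {host_of(href)!r}")
```

The comparison only works because the suffix list tells the checker that "bank" ends a registrable name; without that entry, barclays.bank.session-log.in and barclays.bank would both reduce to whatever the last two labels happen to be.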
Anonymous Coward

Re: Re: Re: Riiight and what about...

>So how would you go about fooling both the user and the web browser without hacking an actual bank site?

Trust in all the muppets running IE6 and other old browsers which will not support this spiffy new special .bank handling.

Re: Re: Re: Riiight and what about...

.bank or .bank.uk + SSL only gives you so much, even if you type the URL in yourself under the current CA system, unless you trust all of the 600 or so CA certs present within your browser as not being usable for MITM attacks - an increasingly untenable position given the recent DigiNotar and other cases of certs being used and even sold for MITM attack purposes.

With DNSSEC, name registration validity checks become more meaningful from a security point of view, to the extent you can reasonably trust your client system and setup, as security of this setup then depends on the reliability of fewer parties.

Too much faith in the gatekeeper

You seriously suggest making a domain registrar the arbiter of a good financial institution, including all those fine businesses registered in the Cayman Islands, Moldova, etc.?

Even if the screening process is reasonable, and past performance has given more than enough reason to doubt this, what about resale of domains? It's the usual "lipstick on a pig" approach of dressing something up to avoid the problem.

Re: Too much faith in the gatekeeper

You assume the gatekeeper is an outside firm. Think the other way around. What if the domain registrars *are the banks themselves*? Banks would have a vested interest in vetting their own domain since it's a matter of trust. Then it becomes like a country club with limited admission: only genuine banks with proper financial credentials and backing (and perhaps an actual brick-and-mortar presence) admitted. If they police from within, they can check up on all entries and weed out the sleazy entries. Also, since trademarks are involved, they can institute a "no resale/non-transferable" clause in the agreement. Maybe also insist on a DNSSEC requirement before issuance.

Re: Re: Re: Riiight and what about...

>So how would you go about fooling both the user and the web browser without hacking an actual bank site?

As at present, use an in-browser man-in-the-middle applet deployed using a tool such as Zeus.

An advantage of .bank to browser and security software developers is that it would permit the creation and deployment of gTLD-specific security profiles; something that doesn't make sense when you only have a few general-purpose gTLDs.

Very little point

Not sure why they're trying to foist more domain names on us. Based on what I see from recent advertising trends, all URLs in the future will be in the format facebook.com/brandname.

Except mine and yours, of course. We know better.
