Would you trust a dot-bank site more than a dot-com?

Would an exclusive internet address for banks help prevent phishing and identity theft? That's the hope of a new project from a financial services trade group in the US, which plans to apply to domain name overseer ICANN early next year for a ".bank" top-level domain. BITS, the technology policy arm of the Financial Services …

COMMENTS

This topic is closed for new posts.
  1. Flocke Kroes Silver badge

    First educate the bankers

    The Halifax owns halifax.co.uk, but if I try to do some internet banking, I end up at halifax-online.co.uk, which I have no confidence in. If it does belong to The Halifax, it shows such an abysmal understanding of internet security that I have to assume the actual site contains some more equally brain dead design decisions.

    1. Captain Scarlet

      Have to agree

      Phishtank someone wanted to block the official Natwest online banking bit because it's nwolb.com and wasn't natwest.co.uk, certainly at first glance you would think that's a good phish until you realise it's actually their site.

    2. Anonymous Coward

      It's been doing that for over 10 years now and is only accessible via a link from the main site anyway, so I'd imagine nobody is particularly fazed by it. As to the actual site, it's unlikely to have any related design decisions at all since they retired the (extremely good) original site last year and replaced it with a rebranded version of the (largely regrettable) Lloyds one.

    3. Anonymous Coward
      FAIL

      Yes, and why does Nationwide use

      olb2.nationet.com

  2. Pete Spicer
    Thumb Down

    Me, personally, I wouldn't trust it any further than I would a .com, though not for the want of trying.

    First up, I doubt most users would notice, other than not getting to their bank with .com first time. The very fact that phishing is still so prevalent, because people just don't look at emails properly, suggests to me that it wouldn't solve anything from that direction.

    More importantly, though, vulnerabilities in DNS resolution that already permit MITM and cert abuse don't get stopped, and if anything it gives people yet more belief in security than should be warranted; it won't stop MITM attacks, it won't stop DNS poisoning, and it won't stop people getting keylogged, but it will make them think they're more secure...

  3. SteveK

    "Would an exclusive internet address for banks help prevent phishing and identity theft?"

    Probably not significantly in my opinion. Existing phishing scams try to conceal that they're not going to the real address, and users don't seem to look at the address in the address bar, just blindly click the underlined words in the email. It also wouldn't stop keyloggers, or malware infecting the browser from changing the page to add extra fields and send the login page somewhere else. If SSL and certificates and other technical measures don't stop that at the moment, I can't see that changing .com to .bank in the address bar will solve the problem.

    Steve.

  4. arrbee
    Meh

    I would tend to trust a bank that sticks to fractional reserve banking rather than pyramid selling - of course by now most of the former have probably been irreparably damaged by the (by definition criminal) acts of the latter.

  5. John G Imrie

    only vetted financial institutions would be able to register a .bank domain.

    Like the ones we bailed out in 2008 and the ones we are having to protect this year due to their exposure to Grease :-)

    1. Voland's right hand Silver badge
      Devil

      Greece is nothing

      The real unraveling has just begun. Greece is nothing compared to the debts which have been run up by local authorities across Europe. Dexia and its multi-GDP of Greece debts are just the tip of the iceberg. The defaults on credit lines to Spanish, Italian and other EU local authorities by other banks are yet to come.

      Do we like it or not - there has been no money to spend since the late 90-es. Do we like it or not our "elected representatives" have been spending like mad. It is yet another bit of history repeating. I saw this in the second half of the 90-es in Eastern Europe. 1000% annual hyperinflation and total collapse of the economy. Enormous debts racked up by local authorities on various folly projects played a significant role in that. Every city center was marble paved and marble clad. Monuments were raised and built no matter the cost. And so on. All of that on credit which at some point ran out. Even before that we saw it in Yugoslavia (it was not even ex- in those days).

      Then the darkness descended. By the time the economy hit the bottom it looked and felt like Mad Max. This is just a repeat of it on a larger scale :(

      Credit is nice, but if you have to take credit to pay credit this means that your predecessor should be in the dock.

    2. TeeCee Gold badge
      Headmaster

      "...due to their exposure to Grease...."

      They are slippery bastards bankers, aren't they?

  6. Geoff May

    "including .insure and .invest"

    One wonders what the Germans will think of that ... I see a plethora of ".versicherung" or ".investierung" etc.

    And that is only one language.

  7. Anonymous Coward
    FAIL

    Would the UK bother?

    It isn't as though UK banks have any great history of using coherent domains as it is - you find Natwest's services scattered across umpteen different domains which have increasingly less obvious ties to their main domain. Why is the online banking service on a different frickin domain, and one that isn't even registered to them directly? (nwolb.com)

    The problem isn't lack of trust in domains, but lack of trust in the banks themselves.

    1. John G Imrie

      Why is the online banking service on a different frickin domain?

      Probably, because it was outsourced to a different bunch than the main site was outsourced to.

  8. Ru
    FAIL

    Utterly pointless

    Given how many people fall for the most transparent of phishing scams (please to vist www.yourbank.com.suspicious.cc and enter the password) and given the less than awesome success achievements of SSL in the face of corporate (Diginotar), technical (SSLstrip, BEAST) and user (who might not even notice the difference between EV and standard certificates) failures, how on earth would .bank fix anything?

    1. Steve Knox
      Flame

      Fixes Something

      Well, .bank could definitely fix the corporate issue, as there would be a vetting process.

      Part of the vetting process could be a security check (e.g., does your site require TLS 1.1+), which could help fix the technical issues.

      So it could fix "anything", but it's certainly not going to fix "everything".

      But no, let's piss on partial solutions and wait for a system that fixes everything. That would truly be pointless.

  9. Anonymous Coward

    "due to their exposure to Grease :-)"

    Q. What does a topless Olivia Newton-John have to do with banking ?

    A. Dunno. It has to be something to do with confidence in those Greece nipples, but I can't quite keep myself abreast of the situation.

  10. s. pam Silver badge
    Pirate

    Absolutely farcical

    So if they control the DNS, the routers, the switches, the DMZ's, and the hosts involved and also have CA root servers maybe. Otherwise, no fucking way as they're all thick as thieves and outsource so much that their bastardised operations are ineffective fingerprinting morons.

  11. jonathanb Silver badge
    FAIL

    It won't work

    It won't work. Given that a lot of phishing sites use things along the lines of

    www.barclays.com.accountlogin.ahsdjfkahjdkfh.ng/verify.php

    I'm sure they can swap the .com for a .bank in there.

    1. LaeMing

      I was thinking the same thing re: Building Societies

      Haven't used a bank in 2 decades - stopped using them when, as a student, I was suddenly being charged a $5-per-month fee for having less than $500 in my (only) account. Which bank? Every bloody bank!

  12. Laie Techie

    Credit Unions?

    Here credit unions make a big deal about how they're different from banks. Would credit unions actually apply for a bank TLD?

  13. JimC

    I'd give it three weeks

    Before the domain names industry was flogging .bank domains to anyone who could produce a convincing looking bit of Laser printed headed paper...

  14. Paul RND*1000
    Thumb Down

    I'll take a "no" please, Bob.

    Banks and the finance industry as a whole have proven themselves entirely untrustworthy over the last few years.

    I'd trust a .xxx site over a .bank because at least their intentions are honest and the people being screwed are there by choice and being paid for it.

  15. Anonymous Coward

    Before you Protect us From Phishing Start Protecting US From Your Bankers

    I saw a $25 service charge on my Business checking last month. When I visited the branch today I asked the CS what it was for and she said it was a service charge on a $12K cash deposit I made. I thought that was crazy and said as much. The CS proceeded to tell me that what I need to do is to open a saving account and deposit the funds to the saving next time and then transfer it back to my checking.

    My next question to her was.. "How many times must I ask you guys to stop pestering me about opening additional accounts. Is that the only thing the bank pays you for ..." I also told her that the solution is not for me to open a new account; it is for the government to start regulating the myriad of charges the banks are now imposing on their customers or for me to move my business to a small community bank. I actually decided to move the accounts; now it's time to shop around for a new bank.

    It's time our banks be forced to get back to the business of Banking ... Economics 101 calls it Financial Intermediation ... when a bank can charge me a monthly service charge to maintain an account with tens of thousands of dollars something is wrong.

    Anybody remember back when ATM first came out how they were hailed by banks as a means of reducing their cost through the reduction in the number and size of branches and number of tellers they would need. Then with the deregulation of the sector they also started charging us a fee to use ATMs. Now they are charging fees to use our ATM cards.

    1. LaeMing
      Unhappy

      Bankers

      It rhymes with wankers.

      1. Anonymous John

        We know.

        What do you think "Merchant" is rhyming slang for?

    2. Dan Paul
      Mushroom

      No Trust in Banks or Bankers

      I have software to prevent malware and trojan attack but nothing on the market will protect me from the outrageous greed of the Financial Industry.

      I just looked at my online statement for BofA last night and there was the $25 monthly service fee for my checking account and below it was a fee for "imaging" my checks (all two of them)

      It is time for Re-Regulation of the "Banking" industry. How in hell do you get charged a service fee for a cash deposit? For a business account?!?

      If I were you, I'd go to the bank and ask for a $25 credit in person. When they deny it, demand that they show you in writing where you are required to pay a service fee on a cash deposit in a business account.

      When that doesn't work, you have my permission to go completely batshit crazy and call the police.

      1. arrbee
        Holmes

        You underestimate them, I refer you to

        http://gregpytel.blogspot.com/2009/04/largest-heist-in-history.html

  16. Anonymous Coward

    "only qualified candidates"

    What does that "qualified" mean, exactly, hm?

    How are you going to establish trust, exactly? Verisign? They're not trustworthy.

    Will you be transparent and, say, maintain a public list showing just why this dotbank SLD was given to just whom and why they were deemed "qualified"?

    And a bunch of other questions. It'll probably be about as useful as .edu again: mainly 'merkins. They're not the first and far from the only ones, ensuring only half-baked ideas survive.

    We really ought to move most now in "the historical generics" under .us. A .bank.us would make more sense. It would be useful if the purported .bank peeps can manage to make the thing truly international, transparent, and actually trustworthy, just like trustworthy banking would be useful. But I doubt they'll even try.

    And I doubt ICANN will be any help. They're what looks suspiciously like a nonprofit gone for profit after all, and not at all looking out for the long-term good of the internet community. Unless that's somehow the same as looking out for the long-term profits of the global corporate community.

  17. Old Handle

    Seems like a moderately good idea, but I don't know how easy it would be to actually get banks on board with it.

  18. NoneSuch Silver badge
    Facepalm

    How about...

    ...instead of creating a new set of problems, we fix the existing ones we already have!

  19. Robert E A Harvey

    .bum

    It ain't the domain that's the problem.

    It's the bankers.

  20. TeeCee Gold badge
    WTF?

    .bank

    The answer to the question posed is about as much as I'd trust the Titanic, once the deckchairs had been repositioned for safety reasons.

  21. kain preacher

    Let's ignore the fact that I'm in America. Just look at the URL

    Dear customer,

    As part of our ongoing program to make our online service easier to use and even more secure, we will like you to carry out some upgrades to our banking systems.

    For your convenience we urge you to upgrade your account by Clicking Here <http://www.environnet.in.th/kids/components/com_events/Userterms.htm> and complete the upgrade

    Yours sincerely,

    Cahoot is a division of Santander UK plc

  22. Tim Bates
    FAIL

    Why? <shakes head>

    This is the stupidest idea I've ever heard. Sure the domains will be only available to certified banks...

    But what about DNS poisoning?

    Or plain old phishing sites running from some other random domain? We'll just see someone register .bank.com so they can scam people.

    And then there's good old fashioned host files modifications that so much malware still gets up to.

  23. Eddie Edwards
    Thumb Up

    To state the obvious

    Yes, it's a good idea. A browser can easily colour the status bar if the current URL host matches *.bank. Other vulnerabilities in bank sites, CAs, SSL, the financial system in general, notwithstanding, this is still a good idea.
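
A point that recurs in this thread is that a `*.bank` indicator only means something if it is matched against the final label of the parsed host, not against the text of the link. The sketch below is an added example, not part of any comment here; the function names and the sample URLs (a constructed `example.bank` plus reserved `.example` and `.invalid` names) are assumptions.

```javascript
// Added example: decide whether a URL's host really sits under the "bank" TLD.
// All function names and sample URLs are constructed for illustration.
function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // URL lowercases the host and strips userinfo; drop a trailing root dot.
    return u.hostname.replace(/\.$/, "");
  } catch {
    return null; // unparseable input is never treated as a bank host
  }
}

function isDotBankHost(rawUrl) {
  const host = hostOf(rawUrl);
  if (host === null) return false;
  const labels = host.split(".");
  // Needs at least "name.bank", no empty labels, and "bank" as the LAST label.
  return labels.length >= 2 &&
    labels.every((l) => l.length > 0) &&
    labels[labels.length - 1] === "bank";
}

// What a substring match (or a hurried reader) concludes from the same text.
function naiveLooksLikeBank(rawUrl) {
  return rawUrl.toLowerCase().includes(".bank");
}

// Constructed samples: one genuine shape, then the lookalike shapes from the thread.
const SAMPLES = [
  "https://online.example.bank/login",
  "https://ONLINE.EXAMPLE.BANK./login",
  "https://www.example.bank.accountlogin.invalid/verify.php",
  "https://example.bank@phish.example/",
  "https://phish.example/www.example.bank/login",
  "not a url .bank",
];

function classify(urls) {
  return urls.map((url) => ({
    url,
    strict: isDotBankHost(url),
    naive: naiveLooksLikeBank(url),
  }));
}

console.log(classify(SAMPLES));
```

Only the first two samples pass the strict check, while all six pass the substring check. The strict check says nothing about DNS poisoning, hosts-file tampering or a compromised browser, which other comments raise.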

  24. Andy Fletcher
    Thumb Up

    Actually, I don't see why not

    Sure, this is going to have a minuscule effect on security, but since I can't imagine the costs being anything more than minuscule either they shouldn't waste time debating it, just get on with it and concentrate then on some things that will have significant benefits.

    I won't list any - everyone else here did a bang up job.

  25. Anonymous Coward

    H4x0r sets up DNS server,

    points .bank to .phish.scamartists.ru, and compromises your machine with a trojan in the usual fashion to mess with the DNS settings.

  26. MrHorizontal

    Registry

    The actual domain name doesn't matter so much (though I agree that using a completely different domain like nwolb.com is just dumb from the bank's operations).

    What actually matters is the registry that controls the .bank is not a US concern like the most untrustworthy entity of them all: Verisign. In other words, DNS and SSL need to be managed from a far more trusted source that is UK based, and one that has public oversight for this to be OK.

  27. Yag
    Trollface

    How much...

    ... for the .banks, .banking, .bankers TLDs?

    It's for legitimate purposes, honest!

  28. Anonymous Coward

    Now let me see...

    "Would you trust a dot-bank site more than a dot-com?"

    Much, much less.

    The clue is in the word "bank".

  29. Joe Montana
    WTF?

    Not a TLD...

    It would probably be better to have a subdomain for each country, eg bank.uk rather than .bank...

    Each country has different regulations on banking, and at least in the case of the UK there is the FSA which regulates such organisations...

    Create a bank.uk namespace for banks trading in the uk, and have it managed by the FSA... Other countries can do the same.
