Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Michael R. Farnum

Hitting the Security Nerve

Phighting phishing with a new top level .bank domain?

6 comments

IT TOPICS:Internet, Personal Technology, Security

Here's a very interesting idea for fighting phishing. Why not create a .bank top-level domain, limit it to "bona fide financial organizations", and make the registration cost of the domain high (suggested at $50,000 or more)? This is what Mikko Hypponen is suggesting here.

Mikko says:

Why do banks and other financial institutions operate under the public top-level domains, like .com? The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like “.bank,” for example.

Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.

I am going to think about this for a few days to try to poke holes in it, but right now I am loving this idea. I think this would go a long way in restoring (or just plain creating) confidence in online banking. The only thing I am wondering is if this needs to be a requirement for financial institutions and not just a choice. Please shoot over some comments on what you think.

Email this

Digg this

What People Are Saying

Add new comment

Most "older" people I know

Submitted by Anonymous on May 17, 2007 - 12:39 P.M.

Most "older" people I know have no idea what the address bar is let alone where to look for it. I tell them check out this website, and they open their broswer and type it in the default search engine, hoping it will show up. I have to explain, you need to turn on the address bar and actually type it in, I think its off by default in windows. They still don't know what I am talking about, never have actually typed in a web address, and wondering why their bank is asking them for their pin and ss#.

Reply | Report this comment

I have to echo the DNS

Submitted by Nutkrkr on May 16, 2007 - 10:08 A.M.

I have to echo the DNS server comments. It is too easy to compromise most DNS servers and once that is done setting up an alias takes no time.

From the time it is introduced until it was discovered and corrected a lot of damage could be done.

This is a nice thought, just not effective in the real world until all DNS servers are hardened and protected and monitored for unauthorized changes.

Reply | Report this comment

The premise of the of this

Submitted by Anonymous on May 9, 2007 - 9:59 A.M.

The premise of the of this suggestion is that the cost of registering a domain will keep phishers at bay. Unfortunately there's no good way to stop rogue or compromised DNS servers from being up long enough for phishers to harvest many bits of personal information.

One only has to look at the problem with spam. Today, the spec calls for all MTAs to have at least one MX record registered for the domain the mail is being sent from. There is no requirement to check if that sending host has a MX record, just its domain. That's why spam can be sent from machines with cable/DSL connections because the host comes from a domain that has an MX record. The problem is also compounded by the fact that many legitimate MTAs use pooled servers and often the mail is sent from a host that doesn't have an MX record.

Reply | Report this comment

To be honest - .bank would

Submitted by Anonymous on May 4, 2007 - 10:43 A.M.

To be honest - .bank would do nothing.

If the people getting phished would just LOOK AT THE ADDRESS OF THE WEBSITE before putting in their UN/PW/SSN/DOB/CC/CVV/EXP/etc..., there would be so few phishing attacks that it wouldn't be a profitable industry.

it doesn't matter if it's .bank, .com, or .identitytheft - there's always going to be a large portion of the population that is completely oblivious.

Reply | Report this comment

50,000? 500,000? All this

Submitted by Anonymous on May 4, 2007 - 10:34 A.M.

50,000? 500,000? All this cost to register a domain name? In case you are not aware, most of the US banks are not Bank of America. Most are small community banks which cannot afford this sort of short-sighted thinking. When your net revenue is less than 2 million/year, $50,000 is a huge amount to pay and 500,000 is nothing short of laughable.

I'm sure you wouldn't mind paying more in fees to cover these costs now would you? Would you at least make it a one-time fee? The large majority of people have no concept of the fees that banks already have to pay for mandatory compliance and you want to increase it by 50,000 or 500,000?

While patting yourself on the back for this "great" idea you will probably be grumbling about your service charges.

I am a Security Officer at a small community bank and I deal daily with people who have no trouble divulging their personal account information to anyone who comes along and asks for it. Then they get defrauded and wonder what happened. Even after they do this once some of them will do it again, at which point they will find themselves unbanked.

Just because you would make banks use the .bank domain name would not stop the phishing. People would still fall victim to it because they do not exercise common sense. You can't protect people from themselves.

Reply | Report this comment

US $500,000 registration and

Submitted by Big Sven on May 3, 2007 - 3:12 P.M.

US $500,000 registration and a guaranteed bond of $2.0 million backed by a registered agency bonding authority shoud deter copycats. Required, not optional: I'm liking this idea.

Reply | Report this comment

Google acquires reCAPTCHA in two-for-one deal

Linux's dirty little secret: Uninstall

Brooklyn camera stores: The scam stops here

Mumbai terrorists' most powerful weapon: VoIP phones

LIVE Nov 10, 2009 12:00 PM ET

Architecting Business Intelligence Applications for Change: The Open Solution

LIVE Nov 12, 2009 02:00 PM ET

Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!

Top to Bottom Performance Management Excellence at the City of Chicago
View now.

Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?

Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!

The State of PCI DSS Compliance at Organizations Today
Download this resource today!

Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10

View all newsletters

* E-mail Address:

* Industry:

* Job Title:

* Company Size:

* Country:

* State:

I would like to receive offers via e-mail from Computerworld partners.

Michael R. Farnum's Archive

IT Topics

Sponsored Links

Play NetApp's New Data Defense Game.

How Do You Rank as an Innovation Leader? Download Recent Study.

Play NetApp's New Data Defense Game.

Extraordinary times demand Brocade Extraordinary Networks.

No Payments for Up to 6 Months on Orders over $500.

NetScaler VPX : Harness the Power of Virtualized Web App Delivery

64-page prescriptive guide to security, compliance, and IT operations.

Streamline IT Costs. Boost Performance with WAN Optimization

Enterprise Network & Server Monitoring Software. Cross over to Traverse...

Keep your IT expertise up to date. Join the Intel Premier IT Professionals.

Crystal Reports Server: More options. Not more money.

Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval.

Tolly Performance Report "Citrix NetScaler with nCore Outperforms F5 BIG-IP"

Save up to 61% plus Free Cheesecake

Find IT jobs in the Healthcare industry on Dice.com

With the NEW KODAK i700 Series Scanners get full speed at 300dpi!

Not All QSAs Are Created Equal: What You Should Know Before You Buy

The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability

The AMD Virtual Experience Virtual Trade Show

New DW Options and Price Points. View Teradata Platform Family Data Sheet.

See how AT&T can help protect your network.

3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010.

Take the Netezza TwinFin TestDrive!

Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More

New Analytical Platform Options. Download Data Sheet and More.

Get more enterprise mobility value for up to 25% less.

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

NYUs M.S. in Management and Systems. Offered Online and On-site.

Increase UPS efficiency without sacrificing protection

Crystal Reports Server: Single server access to reports & dashboards

Create new opportunities. See business making progress now

ESET NOD32 with ThreatSense(R) - Get your free trial now!

Looking to add Unix/Linux functionality to Windows?

Join the conversation about the hottest IT trends with Computerworld on Twitter.

ITwhitepapers.com - Access thousands of white papers on 300+ technical topics.

Leverage Your Cisco infrastructure for Superior Application Performance

Learn about the AMD Virtual Experience

Introducing: Project Icebreaker

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map

CIO

Computerworld

CSO

DEMO

GamePro

Games.net

IDC

IDG

IDG Connect

IDG Knowledge Hub

IDG TechNetwork

IDG Ventures

IDG.net

InfoWorld

ITwhitepapers

ITworld

JavaWorld

LinuxWorld

Macworld

Network World

PC World

The Industry Standard

Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.

Phighting phishing with a new top level .bank domain?

What People Are Saying

Most "older" people I know

I have to echo the DNS

The premise of the of this

To be honest - .bank would

50,000? 500,000? All this

US $500,000 registration and

Related Posts

Today's Top Stories

Hot Posts

Recent Comments

White Papers & Webcasts

Computerworld Reports

Newsletters

Michael R. Farnum's Archive

IT Topics

Sponsored Links