
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


.bank Backers Fighting on

After initially raising the idea of a .bank top-level domain (TLD) as a means to defeat phishing and a number of other online financial fraud opportunities, the team at F-Secure still strongly support the idea, despite the critical responses it received on its initial publication.

Extending the original argument, they claim that because the domain authority will limit access to the domain to legitimate financial institutions ($50,000 per domain can't hurt), users can be reassured that only a legitimate site will be able to own one of these domains. Unfortunately, history has shown (at least for commercial domains) that it is not possible to isolate complete TLDs as easily as that. Tightly controlled domains, such as .gov, .mil or .edu, have had more success, but .bank will lack the necessary teeth to ensure it remains clean (unless it is decided to give a government or a military control over it).

Even if .bank could be established and kept completely clean of malicious sites, it doesn't address the issue of banks that share the same name but exist in different countries, such as 'National Bank', and it doesn't address the greater problem of attackers using flaws in the bank's own sites to redirect, confuse or con users. When banks are more than happy to use third parties to deliver content on their behalf (as a number of US banks are known to do), all the work of ensuring users know that they are on a .bank domain is suddenly useless, as official bank correspondence is coming in from a domain that is obviously not a .bank domain.

Unfortunately for F-Secure, they make the argument that smaller banks and credit unions will not be considered as important as larger financial institutions because they may not be able to afford the $50,000 registration fee. This is not going to make either the financial institutions or their customers happy (or safer), and it conditions users to accept that official banking domains may still sit outside the .bank TLD.

Going further, arguing that companies such as PayPal (and presumably online trading companies such as ScottTrade and ETrade) should be eligible for a .bank domain even though they are not banks (though PayPal may soon be a bank in Europe) will further dilute the appearance of .bank as a place purely for banks and major financial institutions.

20 May 2007
