web application security lab

.bank TLD

I suppose I should probably weigh in with my feelings on the .bank TLD proposal. I held my tongue hoping that someone would come out and explain what they thought it would solve, and I’m glad I did. Mikko from F-Secure finally published a writeup on why it should go through to ICANN. It was actually a pretty well thought out reply. I’m not going to summarize the post - go read it and come back, I’ll wait.

Now that you’ve read it, here are my thoughts. Yes, .bank will solve some heuristics problems. No, it won’t solve all of them. Banks hiring external marketing departments, regional divisions, loan offices, etc… etc… that are all owned by the parent will not be able to afford their own .bank domain and will not be protected. Piggybacking off the parent URL is an equally bad idea, given XSS phishing attacks. And if the banks allowed external organizations to piggyback, how would that solve your problem of extended validation of the site? Anyone have any guess as to how much money external marketing companies spend on server security? Anyway, it does solve a few issues for heuristics, but it also creates a lot more. (Does this sound at all like why companies were told to buy EV certs? Has that worked for them? Why are we doing this twice?)

Banks have spent a lot of time and energy building their online presences. They can’t switch over to a new TLD on a dime. Sure, they will because they are told it’s the right thing to do, but it’s certainly not an overnight process. How much money are they going to spend buying the domains, re-tooling their websites, re-branding them and re-educating their own staff and their customers?

.bank does not apply to some of the most heavily phished sites out there, like Amazon, eBay, PayPal, AOL, MySpace and a host of credit unions. I see where they are going with this, but it’s a slippery slope. Just because you get phished a lot doesn’t earn you the right to have a .bank TLD (because that is the exclusive domain of banks, of course). While it may earn you a right to have a .dontphishme TLD, every site on earth that does electronic transactions is going to want that.

Probably my biggest problem with this is that these companies each spend a ton of money on education and promoting their brand. For them to switch their TLD would work against all those dollars spent, and ultimately wouldn’t prevent blind redirects, XSS phishing, or just plain old URL obfuscation. Yes, it would make detection slightly easier, but by how much? An order of magnitude? I highly doubt it, and even if it did, is the problem not being able to detect the phishing sites well, or is our problem not being able to take them down quickly enough? I think it’s the latter, and I don’t think a .bank TLD or any other derivative is going to solve that issue.
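To make the detection point concrete, here is a small added example (not code from the original post) showing what a TLD-based heuristic actually sees. It uses only the Python standard library; the hostnames example.bank and example-login.test and the list of redirect parameter names are constructed for the demo. The substring shortcut says “bank” for every sample, while a parser that resolves the real host (as a browser does) only accepts two of them, and one of those two is an open redirect on a legitimate .bank host whose destination is elsewhere, which is exactly the gap a new TLD leaves open.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

BANK_TLD = "bank"


def naive_looks_like_bank(url: str) -> bool:
    """The shortcut a hurried filter might take: does '.bank' appear anywhere in the URL?"""
    return ".bank" in url.lower()


def real_host(url: str) -> str:
    """Host as a browser resolves it (RFC 3986): userinfo before '@' and any port are dropped."""
    return (urlsplit(url).hostname or "").lower()


def host_in_bank_tld(url: str) -> bool:
    """Strict check: the resolved host's final label is the .bank TLD."""
    labels = real_host(url).split(".")
    return len(labels) >= 2 and labels[-1] == BANK_TLD


# Query parameter names typical of outbound-redirect endpoints (constructed list for the demo).
REDIRECT_PARAMS = ("url", "redirect", "next", "goto")


def redirect_destination(url: str) -> Optional[str]:
    """If the URL carries an outbound redirect parameter, return the destination URL."""
    query = parse_qs(urlsplit(url).query)
    for key in REDIRECT_PARAMS:
        if key in query and query[key]:
            return query[key][0]
    return None


def classify(url: str) -> str:
    """Verdict of the strict heuristic, with the blind-redirect caveat the post describes."""
    if not host_in_bank_tld(url):
        return "not-bank-tld"
    dest = redirect_destination(url)
    if dest is not None and not host_in_bank_tld(dest):
        return "bank-tld-but-redirects-elsewhere"
    return "bank-tld"


# Constructed sample URLs (example.bank and example-login.test are placeholders, not real sites).
SAMPLES = [
    "https://www.example.bank/login",
    "https://www.example.bank/go?url=https://example-login.test/",
    "https://www.example.bank.example-login.test/",
    "https://www.example.bank@example-login.test/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u}\n  substring heuristic: {naive_looks_like_bank(u)}\n  host check: {classify(u)}")
```

The strict check is the most a .bank TLD can buy a filter: it needs a real URL parser, and it still passes a genuine .bank host that bounces the visitor somewhere else, so the redirect destination has to be resolved and checked in its own right.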

While I applaud the creativity, I really don’t think it does enough to warrant it going through. But I have no doubt that where there’s a will there’s a way, and it will go through despite my opinions. I know people mean well with these types of proposals, but I think there’s a lot more going on here than just detection. Yes, detection does need to be improved, but there are tons of ways around detection, and phishers have not had to resort to them (minus a few experiments).

To me that means we are a long way from having to worry about the detection portion of the attack, and if people want to put a dent in it they should instead focus on building better extradition treaties and tougher international cybercrime laws with all countries. Currently it can take days or weeks to get phishing sites taken down because there is no political pressure to do so in certain areas. I believe people would be much better suited to solving the take-down issue than creating a new TLD that excludes more phished domains than it protects.

12 Responses to “.bank TLD”

  1. cail Says:

    The lame part is: there is (well, was) a mechanism available to distinguish banks from the rest of the crowd. Back in the days of regulated crypto, banks could get a special strong-crypto SSL cert while everyone else was stuck with export grade. It’s referred to generically as ‘Server Gated Cryptography’, although Microsoft calls it SGC while Netscape calls it ‘Step-up’. Either way, only financial institutions are supposed to have the SGC/Step-up extended property OIDs on their SSL certs. They had to go through extra steps with Verisign to get such a cert.

    I’m not sure if Verisign is now handing out SGC certs like candy, or if they still require a financial institution to prove they are, well, a financial institution. If Verisign still limits SGC certs to banks, then a single SSL handshake tells you if it’s a bank or not. Not nearly as easy as knowing ahead of time based on the TLD in a URL, but SGC certs are already deployed and widespread, albeit a bit deprecated.
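As an added example (not cail’s code, nor anything from this site), here is a standard-library-only Python parser for the DER-encoded value of the X.509 ExtendedKeyUsage extension, which is where the SGC/Step-up markers cail mentions live. The three OIDs are the real published values (id-kp-serverAuth, Microsoft SGC, Netscape Step-Up); the extension bytes below are constructed for the demo. Extracting the extension from a full certificate after a TLS handshake is left to a proper X.509 library; this block only answers “does this EKU carry an SGC OID?”, and whether that still proves the holder is a bank depends on the CA policy cail is unsure about.

```python
from typing import List, Tuple

# Real OIDs from the respective specifications.
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth (RFC 5280)
OID_MS_SGC = "1.3.6.1.4.1.311.10.3.3"     # Microsoft Server Gated Cryptography
OID_NS_STEP_UP = "2.16.840.1.113730.4.1"  # Netscape Server Gated Crypto ("Step-up")
SGC_OIDS = {OID_MS_SGC, OID_NS_STEP_UP}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    value = 0
    for b in body[1:]:                      # remaining arcs are base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER into a list of dotted OIDs."""
    tag, content, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def has_sgc(ext_value: bytes) -> bool:
    """True if the EKU carries either SGC/Step-up OID (the 'bank' marker cail describes)."""
    return any(oid in SGC_OIDS for oid in parse_eku(ext_value))


# Constructed sample extension values (hand-encoded DER, not taken from any real certificate).
SGC_EKU = bytes.fromhex("3016" "06082b06010505070301" "060a2b060104018237" "0a0303")
PLAIN_EKU = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    for name, value in (("SGC_EKU", SGC_EKU), ("PLAIN_EKU", PLAIN_EKU)):
        print(name, parse_eku(value), "SGC:", has_sgc(value))
```

In practice the EKU would be pulled from the peer certificate after the handshake and fed to has_sgc; the check is cheap, but as cail notes it only means something while the CA actually restricts who gets the SGC property.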

  2. Kyran Says:

    Most people wouldn’t be able to tell the difference.

    It has its merits, I admit, but overall this concept is flawed.

  3. Ronald van den Heetkamp Says:

    *cough* joke right?

    It is probably the stupidest idea I’ve read so far. IDN spoofing is pretty trivial and no one looks at the address bar; people watch what loads on the screen. If they see their bank logo, it’s their bank. Remember that these people who fall victim are uber noobs per se, in no way comparable to regular and “advanced” surfers, let alone people like “us”. I know nobody who reads certificates, or who does the DNS server lookups to check if everything is alright on _every_ site.

    Guess who falls victim to URIs like this? Yah, people actually do. I’m not even seeing a .com or whatever:



  4. Ronald van den Heetkamp Says:

    And next up are the creditcard companies with the .cc

    Oops: still free :D

  5. thrill Says:

    I agree that a TLD is not the solution to the problem. It may help a little, but how do you fix the problem of unqualified people setting up servers within the bank?

    Just this past weekend I was given an article written by a ‘banking’ magazine dedicated to banking IT departments, and this article spoke of the ‘rise’ in Chinese brute force attempts on banks’ FTP sites.

    Umm.. why do US banks have world visible FTP sites?

    Oh yeah, that’s right. In case Mr. Doe wants to FTP his bank information while visiting Djibouti (that rhymes with yar bootey) and share it with his 419 scamming buddies so that they too can share in those millions of dollars that are being kept safe somewhere out there.

    And Ronald, my favorite one was always the I think they had a lot of success as you mentioned.. if it’s got my bank’s logo, it must be my bank! :)

  6. fogez Says:

    I am glad to see you comment on this…actually, I have been waiting for it :)

    You clearly highlight many of the flaws associated with the .bank concept. I personally would like to add one more - what are the fortune 10000 banks supposed to do? They can’t afford the ‘estimated’ entry fees to the .bank domain! Even if all the issues you provide aren’t a reality, there are hundreds if not thousands of banks in the US alone that won’t be able to justify the suggested .bank fees. They aren’t currently a target so why bother? On the flipside, if I was a bad guy, my ‘whitelist’ would quickly include such institutions…

    In other words, only the select few are protected…kinda sounds like a form of government where the rich rule…hmm…………

  7. Xavier Says:

    I think that if the idea is to set a set price for these .bank domains, and only richer banks can buy them, what would be the impact on community banks and so on?

    If citizens are trained on the FUD that only .bank URLs are valid, and the others are scams, then those banks who are unable to afford the .bank will be at risk of losing their credibility and/or business.

  8. digi7al64 Says:

    is a far better solution if we can get the other browsers (currently only supported by IE) to come on board.

  9. hieln Says:

    i guess its tough on smaller community banks

    it should be standardised for all banks

    take care

  10. kaes Says:

    my biggest beef with this proposal is that the writer of the article doesn’t address the “Small banks and/or credit unions couldn’t afford it.” argument satisfactorily to me.

    his counter argument is that small banks shouldn’t need it because they are not the big targets in phishing schemes. this argument is really completely flawed for the following reasons:

    1) if this idea takes off, customers are going to *want* their bank to be at a “safe” .bank domain. this puts large banks at an unfair advantage because they can afford appearing “safer” by buying a .bank domain.

    2) [and i think this is the point fogez also was trying to make?] if, for some reason, the really big banks who can afford it suddenly become harder targets for phishing, phishers will simply start to target “the long tail” (all the little banks in large volumes). we all know by now, “the long tail” has a lot of beef in it, and again, this will put an unfair advantage to the large banks versus the smaller ones.

    and to: “Ok, I’m convinced. What’s next?

    This initiative won’t move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.”

    seeing as how this favours large financial institutions versus small ones, i guess it will be simply a matter of time before some big political lobby corporation sees the advantage in this ;-) :tinfoil:

  11. Ronald van den Heetkamp Says:

    Why the hassle: http://0×

    Works like a charm, and got the bank ext. at the end :)

    RewriteEngine on
    RewriteRule ^ http://www.0× [R]

  12. stinger Says:

    yea so people are idiots these days, are they really going to look at that? they are going to look at the symbol, they see lions, it’s Barclays

    it ain’t going to work but it’s a good idea, expand on it