Mikko Hypponen is the chief research officer at the Helsinki-based F-Secure Corp. F-Secure is one of a few companies that fight day-to-day to locate, prevent, and stop malware attacks online. The fight is harder than some might think, and, as with any company, it is in F-Secure’s interest to come up with solutions and to think somewhat outside the box. That sort of thinking spawned the criticism recently aimed at Hypponen when he suggested a new TLD (top-level domain) for financial institutions: ‘.bank.’
Hypponen’s original commentary outlined the current trends in phishing and online fraud. One thing he pointed out was the relatively low cost of domains these days. In some cases a new domain can be registered for as little as five dollars and, from there, used for criminal acts. “The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like ‘.bank,’ for example,” he said.
The cost would be around fifty thousand dollars for a domain, he claimed, and it could be assigned the way .gov or .edu domains are: only to proven legitimate companies. “It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time,” he added. With that idea out in the open, the comments and criticisms started rolling in.
Larry Seltzer, of eWeek, said in his blog about the idea, “Mikko's usually a lot more insightful than this. The problem is that users don't look at the URL carefully, and often they can be confused and fooled by domains like the one in the title of this blog entry.” His argument was that someone could trick users by sending links to sites with names such as h**p://randombank.bank.criminalsite.com, or by using the kinds of addresses posted by Ben Feinstein of SecureWorks.
Feinstein said that domains built like this one (secureaccess.example.bank6278928login.7host.hk/login.do) would start appearing in new phishing schemes targeting the TLD change. Along with such links, other problems such as DNS poisoning would remain, and both Seltzer and Feinstein said that user protection is better served by cheaper, validated alternatives such as EV SSL.
While the professionals and reporters were pointing out that a TLD alone is not a sound basis for trust, the users reading the stories were feeling a little put out. Most of the arguments against the ‘.bank’ TLD centered on how it would not protect end users because they would be confused by the new links. Some comments, on more than one community site, stated outright that users are too stupid to tell the difference between a real URL and a fake one.
“I think you are underestimating us, the users. I might not be a security expert but I surely know how to read the URL in the address bar. Even if I don’t know what SSL is. Any normal citizen who reads his monthly bank reports, or reads his phone and electricity bills, any normal person who respects himself, without being an expert, can point out such obvious differences. It’s plain .bank and nothing else. How difficult is that to understand,” said Angelina Kontini in one comment posted online.
She went on to make more valid points, arguing for stronger government laws on domain registration, training in computer science at the school level, and, more importantly, internet security basics. The objection to those points is that they invite too much government interference; the ‘.kids’ domain was shot down for that exact reason. Taking all the comments and criticism in stride, F-Secure responded on its blog.
Addressing the suggestion that ‘.bank’ would solve the phishing problem completely, Mikko said, “This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the Phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of Phishing completely.”
As for the comments about stupid users, “The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with,” Hypponen said.
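The two ideas above, the lookalike addresses Seltzer and Feinstein describe and the “white list” Hypponen says client software could apply, come together in a single check: does the host actually sit under the ‘.bank’ top-level domain, or does ‘.bank’ merely appear somewhere in the address? The following is an added example written for this article; it is not code from F-Secure, eWeek or SecureWorks. It assumes Python’s standard `urllib.parse` and uses constructed sample URLs modelled on the patterns quoted in the article (the hostnames, the `203.0.113.10` address and the `online.example.bank` name are made up for illustration).

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample URLs (assumption: none of these are real sites).
# The first two mirror the lookalike patterns quoted in the article; the
# third is what a genuine address under a '.bank' TLD would look like; the
# fourth hides 'example.bank' in the userinfo part before an '@', which a
# naive substring match accepts but the browser never resolves as the host.
SAMPLE_URLS = [
    "http://randombank.bank.criminalsite.com/login",
    "http://secureaccess.example.bank6278928login.7host.hk/login.do",
    "https://online.example.bank/login",
    "https://www.example.bank@203.0.113.10/login",
]


def registered_tld(url: str) -> Optional[str]:
    """Return the real top-level domain (last DNS label) of a URL's host.

    urlsplit().hostname already drops the scheme, userinfo, port and path
    and lowercases the name, so only the part the resolver will look up
    is examined. IP literals have no TLD and yield None.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")                 # tolerate a trailing root dot
    if ":" in host or host.replace(".", "").isdigit():
        return None                         # IPv6 or IPv4 literal
    return host.rsplit(".", 1)[-1]


def is_under_tld(url: str, tld: str = "bank") -> bool:
    """True only when the host's final label is exactly the given TLD."""
    return registered_tld(url) == tld.lower()


def naive_contains_bank(url: str) -> bool:
    """The substring test a careless toolbar might use; fooled by lookalikes."""
    return ".bank" in url.lower()


def classify(urls):
    """Map each URL to (naive verdict, real-TLD verdict) for comparison."""
    return {u: (naive_contains_bank(u), is_under_tld(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLE_URLS).items():
        print(f"{url}\n  contains '.bank': {naive}  under .bank TLD: {strict}")
```

Run stand-alone, the script shows that the substring test marks all four addresses as bank-related, while the TLD check accepts only `online.example.bank`; the two lookalikes resolve under `.com` and `.hk`, and the userinfo trick resolves to a bare IP address. That is the whole of what a TLD-based allowlist can promise: it settles which registry the host belongs to, not whether the page is honest, which is why the article’s critics still point to EV SSL and to DNS poisoning as separate concerns.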
While the ‘.bank’ domain would not solve all the problems, it would be a decent start. Training and information are still the best way to protect users online. No matter which side you are on, there will be arguments for and against the TLD. The entire response to the ‘.bank’ suggestion is on the F-Secure Corp. blog. While there are still those who call the idea ridiculous, at least it was an idea.
The million-dollar question is: will it work? “Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.”