Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain

from the now-there's-a-solution dept

Our friends at anti-virus firm F-Secure have managed to combine two of our favorite things — security FUD and useless top-level domains — in a single story. The company says that ICANN should create a “.safe” TLD as a way to stop phishing. It contends that the domain could only be made available to registered banks and financial services firms, then users would know that they should only use sites from such companies that are hosted in the domain. It also contends that such a domain “would allow security providers to create better software to protect the public”. The flaws in this concept are pretty obvious. Not only would it require every bank, credit-card company and financial services provider in the world to buy a new domain name and transfer their sites to it, but it doesn’t do anything to get around the actual problem with phishing — that people enter their personal information into sites they think are legitimate. Plenty of phishing attempts use domain names that are fairly obviously fake, but they’re either masked by phishers some how, or victims simply don’t pay enough attention to notice. Trying to move banks to a new domain won’t help stop this at all, and won’t provide any advantages over the current system. F-Secure says the change is needed to help security firms fight phishing, but that seems like little more than a comment about its own inadequacies rather than a convincing argument.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain”

Subscribe: RSS Leave a comment
Bumbling old fool (profile) says:

from the me-too-me-too dept

Hey, theres no reason to exclude anyone from security, everyone wants to be secure.

As soon as anything like .safe got created, it would be inundated with complaints from those that are not allowed to be a part of .safe.

customer: Why isn’t your web based email client safe?
customer service: because ICANN denied us the right to offer you safe email.

yeah, that would go over well.

Oh, and ebays paypal is officialy not a financial service (or at least not a bank) so who, exactly would get to decide who is allowed in or not?

Sounds to me like someone trying to create a paycheck out of thin air.

Joe Smith says:

policiing issue

Phishing is a policing issue.

Successful phishing attempts leave an electronic trail.

Phishing efforts are so common that it should be trivial for the police to set up accounts, respond to a phishing attempt and then watch who accesses the account and where they move the small sums of money that the police would put on deposit.

|333173|3|_||3 says:

policeing issue

Phising is not a policeing issue, it is an idiotic users issue. the only way to get some people to learn is an object lesson. If people fall for a phising attack, they probalby did something stupid. I myself have (once) fallen for as phising attack, back at schol, but that ws entirely stupidity, and since then, I have never been fooled for a moment by scams.

Xanius says:

The problem isn’t the URL, it’s the ability to change the text on a link. The average computer user is an idiot, they see a link that says “Bank of America” and click it, without looking to see if the actual link under it is

If we get rid of the ability to mask links with text then maybe less people will be tricked. It probably won’t reduce it much but for security firms that .5% is a win, they could sell useless stuff to people and claim the reason they didn’t get scammed was the program instead of the fact that browser makers removed a feature.

Jesse McNelis (user link) says:


Sites that are required to be ‘Safe’ already have SSL certificates that verifies what company is going to be recieving your data.

If ‘Security’ firms want to protect users from phishing they should just check the SSL certificate against a list of ‘valid’ companies. eg. banks etc.

.safe domains are stupid as I’m not going to trust my data to the security of my ISPs DNS server.

Enrico Suarve (user link) says:

False sense of security

I think the best this could offer is basically a false sense of security for users

As SimonTek states in post #12 there are more ways of obscuring web addresses than simply registering and any suck .safe solution would still be vulnerable to redirection as in post #13 or more likely by hosts file hijacking

I’m surprised at F-Secure as their advice is usually reasonably reliable

Satish Bhardwaj (user link) says:

Only one way to stop fishing

The banks should realise that there is only one way to stop Phishing. Every day I receive emails telling me that I’ve paid $1000 to some party at Paypal to buy some item at ebay or that my Bank of America account has had abnormal activity and I must click on a given klink to fix the security. I receive such emaios on behalf of all the banks. Obviously the sender does not know if I have an account at a vendor or not.

The banks can only stop it by supporting my effort to redevelop a method of surfing the internet. In this new method the client would have very limited role of communicating with the server. Just sending information. The server will not supply any information.

I need a donation of $1 Million from each bank to hire enough systems engineer to write a new code. I want to raise a seed capital of $50 Million. My internet address is

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...