by Carlo Longino

Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain

from the now-there's-a-solution dept

Our friends at anti-virus firm F-Secure have managed to combine two of our favorite things -- security FUD and useless top-level domains -- in a single story. The company says that ICANN should create a ".safe" TLD as a way to stop phishing. It contends that the domain could only be made available to registered banks and financial services firms, then users would know that they should only use sites from such companies that are hosted in the domain. It also contends that such a domain "would allow security providers to create better software to protect the public". The flaws in this concept are pretty obvious. Not only would it require every bank, credit-card company and financial services provider in the world to buy a new domain name and transfer their sites to it, but it doesn't do anything to get around the actual problem with phishing -- that people enter their personal information into sites they think are legitimate. Plenty of phishing attempts use domain names that are fairly obviously fake, but they're either masked by phishers some how, or victims simply don't pay enough attention to notice. Trying to move banks to a new domain won't help stop this at all, and won't provide any advantages over the current system. F-Secure says the change is needed to help security firms fight phishing, but that seems like little more than a comment about its own inadequacies rather than a convincing argument.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  • identicon
    Bumbling old fool, 10 Apr 2007 @ 3:49pm

    from the me-too-me-too dept

    Hey, theres no reason to exclude anyone from security, everyone wants to be secure.

    As soon as anything like .safe got created, it would be inundated with complaints from those that are not allowed to be a part of .safe.

    customer: Why isn't your web based email client safe?
    customer service: because ICANN denied us the right to offer you safe email.

    yeah, that would go over well.

    Oh, and ebays paypal is officialy not a financial service (or at least not a bank) so who, exactly would get to decide who is allowed in or not?

    Sounds to me like someone trying to create a paycheck out of thin air.

    reply to this | link to this | view in chronology ]

  • identicon
    Joe Smith, 10 Apr 2007 @ 4:02pm

    policiing issue

    Phishing is a policing issue.

    Successful phishing attempts leave an electronic trail.

    Phishing efforts are so common that it should be trivial for the police to set up accounts, respond to a phishing attempt and then watch who accesses the account and where they move the small sums of money that the police would put on deposit.

    reply to this | link to this | view in chronology ]

  • identicon
    itanshi, 10 Apr 2007 @ 4:38pm


    reply to this | link to this | view in chronology ]

  • identicon
    antiver, 10 Apr 2007 @ 4:54pm


    DAMNIT ^^

    reply to this | link to this | view in chronology ]

  • identicon
    GoblinJuice, 10 Apr 2007 @ 6:39pm


    I'm calling dibs on: cracked.safe and is.safe.

    reply to this | link to this | view in chronology ]

  • identicon
    |333173|3|_||3, 10 Apr 2007 @ 7:49pm

    Re: policeing issue

    Phising is not a policeing issue, it is an idiotic users issue. the only way to get some people to learn is an object lesson. If people fall for a phising attack, they probalby did something stupid. I myself have (once) fallen for as phising attack, back at schol, but that ws entirely stupidity, and since then, I have never been fooled for a moment by scams.

    reply to this | link to this | view in chronology ]

  • identicon
    Ed Haas, 10 Apr 2007 @ 8:15pm

    I think its a good idea. Lots of people use online banking, and whatever can be done to make it more secure should be done. Sure, people can be foolish, and dumb. But whatever we can do to stop the criminals who prey on them without giving up our own privacy or rights, I'm for.

    reply to this | link to this | view in chronology ]

  • identicon
    Xanius, 10 Apr 2007 @ 9:03pm

    The problem isn't the URL, it's the ability to change the text on a link. The average computer user is an idiot, they see a link that says "Bank of America" and click it, without looking to see if the actual link under it is

    If we get rid of the ability to mask links with text then maybe less people will be tricked. It probably won't reduce it much but for security firms that .5% is a win, they could sell useless stuff to people and claim the reason they didn't get scammed was the program instead of the fact that browser makers removed a feature.

    reply to this | link to this | view in chronology ]

  • identicon
    Lutomes, 10 Apr 2007 @ 10:24pm

    Evil Bit

    Why introduce a safe domain when we could just introduce the Evil Bit and protect everyone...

    reply to this | link to this | view in chronology ]

  • icon
    SimonTEk (profile), 10 Apr 2007 @ 11:42pm


    Dude, thats old school. Whats coming out now is scary as hell. Php and Javascript Injections. ie using the webbrowser and code to break thru. so www.bankofamerica.com/followed by the script, will allow the attack to happen. very scary stuff. Google it.

    reply to this | link to this | view in chronology ]

    • identicon
      Xanius, 11 Apr 2007 @ 7:34am

      Re: Xanius

      Ah, well that's neat. I was basing mine off of all of the bank scam emails I get , they are all just using the text masking in the href tag.
      Not that I have a need to click on them since it's for the wrong bank anyway.

      I guess I don't put my email in to enough random forms to get the cool ones.

      reply to this | link to this | view in chronology ]

  • identicon
    Jesse McNelis, 11 Apr 2007 @ 12:08am


    Sites that are required to be 'Safe' already have SSL certificates that verifies what company is going to be recieving your data.

    If 'Security' firms want to protect users from phishing they should just check the SSL certificate against a list of 'valid' companies. eg. banks etc.

    .safe domains are stupid as I'm not going to trust my data to the security of my ISPs DNS server.

    reply to this | link to this | view in chronology ]

  • identicon
    Enrico Suarve, 11 Apr 2007 @ 3:29am

    False sense of security

    I think the best this could offer is basically a false sense of security for users

    As SimonTek states in post #12 there are more ways of obscuring web addresses than simply registering www.yourbank-madeupbit.com and any suck .safe solution would still be vulnerable to redirection as in post #13 or more likely by hosts file hijacking

    I'm surprised at F-Secure as their advice is usually reasonably reliable

    reply to this | link to this | view in chronology ]

  • identicon
    Satish Bhardwaj, 17 May 2007 @ 12:41pm

    Only one way to stop fishing

    The banks should realise that there is only one way to stop Phishing. Every day I receive emails telling me that I've paid $1000 to some party at Paypal to buy some item at ebay or that my Bank of America account has had abnormal activity and I must click on a given klink to fix the security. I receive such emaios on behalf of all the banks. Obviously the sender does not know if I have an account at a vendor or not.

    The banks can only stop it by supporting my effort to redevelop a method of surfing the internet. In this new method the client would have very limited role of communicating with the server. Just sending information. The server will not supply any information.

    I need a donation of $1 Million from each bank to hire enough systems engineer to write a new code. I want to raise a seed capital of $50 Million. My internet address is ffakir005@aim.com/

    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.