Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain

from the now-there's-a-solution dept

Our friends at anti-virus firm F-Secure have managed to combine two of our favorite things -- security FUD and useless top-level domains -- in a single story. The company says that ICANN should create a ".safe" TLD as a way to stop phishing. It contends that the domain could only be made available to registered banks and financial services firms, then users would know that they should only use sites from such companies that are hosted in the domain. It also contends that such a domain "would allow security providers to create better software to protect the public". The flaws in this concept are pretty obvious. Not only would it require every bank, credit-card company and financial services provider in the world to buy a new domain name and transfer their sites to it, but it doesn't do anything to get around the actual problem with phishing -- that people enter their personal information into sites they think are legitimate. Plenty of phishing attempts use domain names that are fairly obviously fake, but they're either masked by phishers some how, or victims simply don't pay enough attention to notice. Trying to move banks to a new domain won't help stop this at all, and won't provide any advantages over the current system. F-Secure says the change is needed to help security firms fight phishing, but that seems like little more than a comment about its own inadequacies rather than a convincing argument.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Bumbling old fool, 10 Apr 2007 @ 3:49pm

    from the me-too-me-too dept

    Hey, theres no reason to exclude anyone from security, everyone wants to be secure.

    As soon as anything like .safe got created, it would be inundated with complaints from those that are not allowed to be a part of .safe.

    customer: Why isn't your web based email client safe?
    customer service: because ICANN denied us the right to offer you safe email.

    yeah, that would go over well.

    Oh, and ebays paypal is officialy not a financial service (or at least not a bank) so who, exactly would get to decide who is allowed in or not?

    Sounds to me like someone trying to create a paycheck out of thin air.

    link to this | view in thread ]

  2. identicon
    Joe Smith, 10 Apr 2007 @ 4:02pm

    policiing issue

    Phishing is a policing issue.

    Successful phishing attempts leave an electronic trail.

    Phishing efforts are so common that it should be trivial for the police to set up accounts, respond to a phishing attempt and then watch who accesses the account and where they move the small sums of money that the police would put on deposit.

    link to this | view in thread ]

  3. identicon
    itanshi, 10 Apr 2007 @ 4:38pm

    DIBS

    link to this | view in thread ]

  4. identicon
    antiver, 10 Apr 2007 @ 4:54pm

    ...

    DAMNIT ^^

    link to this | view in thread ]

  5. identicon
    GoblinJuice, 10 Apr 2007 @ 6:39pm

    Dibs!

    I'm calling dibs on: cracked.safe and is.safe.

    link to this | view in thread ]

  6. identicon
    |333173|3|_||3, 10 Apr 2007 @ 7:49pm

    Re: policeing issue

    Phising is not a policeing issue, it is an idiotic users issue. the only way to get some people to learn is an object lesson. If people fall for a phising attack, they probalby did something stupid. I myself have (once) fallen for as phising attack, back at schol, but that ws entirely stupidity, and since then, I have never been fooled for a moment by scams.

    link to this | view in thread ]

  7. identicon
    Ed Haas, 10 Apr 2007 @ 8:15pm

    I think its a good idea. Lots of people use online banking, and whatever can be done to make it more secure should be done. Sure, people can be foolish, and dumb. But whatever we can do to stop the criminals who prey on them without giving up our own privacy or rights, I'm for.

    link to this | view in thread ]

  8. identicon
    Xanius, 10 Apr 2007 @ 9:03pm

    The problem isn't the URL, it's the ability to change the text on a link. The average computer user is an idiot, they see a link that says "Bank of America" and click it, without looking to see if the actual link under it is 24.56.134.12/bankofamerica/stealyourshit.php

    If we get rid of the ability to mask links with text then maybe less people will be tricked. It probably won't reduce it much but for security firms that .5% is a win, they could sell useless stuff to people and claim the reason they didn't get scammed was the program instead of the fact that browser makers removed a feature.

    link to this | view in thread ]

  9. identicon
    Lutomes, 10 Apr 2007 @ 10:24pm

    Evil Bit

    Why introduce a safe domain when we could just introduce the Evil Bit and protect everyone...

    link to this | view in thread ]

  10. icon
    SimonTEk (profile), 10 Apr 2007 @ 11:42pm

    Xanius

    Dude, thats old school. Whats coming out now is scary as hell. Php and Javascript Injections. ie using the webbrowser and code to break thru. so www.bankofamerica.com/followed by the script, will allow the attack to happen. very scary stuff. Google it.

    link to this | view in thread ]

  11. identicon
    Jesse McNelis, 11 Apr 2007 @ 12:08am

    idiots.

    Sites that are required to be 'Safe' already have SSL certificates that verifies what company is going to be recieving your data.

    If 'Security' firms want to protect users from phishing they should just check the SSL certificate against a list of 'valid' companies. eg. banks etc.

    .safe domains are stupid as I'm not going to trust my data to the security of my ISPs DNS server.

    link to this | view in thread ]

  12. identicon
    Enrico Suarve, 11 Apr 2007 @ 3:29am

    False sense of security

    I think the best this could offer is basically a false sense of security for users

    As SimonTek states in post #12 there are more ways of obscuring web addresses than simply registering www.yourbank-madeupbit.com and any suck .safe solution would still be vulnerable to redirection as in post #13 or more likely by hosts file hijacking

    I'm surprised at F-Secure as their advice is usually reasonably reliable

    link to this | view in thread ]

  13. identicon
    Xanius, 11 Apr 2007 @ 7:34am

    Re: Xanius

    Ah, well that's neat. I was basing mine off of all of the bank scam emails I get , they are all just using the text masking in the href tag.
    Not that I have a need to click on them since it's for the wrong bank anyway.

    I guess I don't put my email in to enough random forms to get the cool ones.

    link to this | view in thread ]

  14. identicon
    Satish Bhardwaj, 17 May 2007 @ 12:41pm

    Only one way to stop fishing

    The banks should realise that there is only one way to stop Phishing. Every day I receive emails telling me that I've paid $1000 to some party at Paypal to buy some item at ebay or that my Bank of America account has had abnormal activity and I must click on a given klink to fix the security. I receive such emaios on behalf of all the banks. Obviously the sender does not know if I have an account at a vendor or not.

    The banks can only stop it by supporting my effort to redevelop a method of surfing the internet. In this new method the client would have very limited role of communicating with the server. Just sending information. The server will not supply any information.

    I need a donation of $1 Million from each bank to hire enough systems engineer to write a new code. I want to raise a seed capital of $50 Million. My internet address is ffakir005@aim.com/

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.