Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain
from the now-there's-a-solution dept
Our friends at anti-virus firm F-Secure have managed to combine two of our favorite things -- security FUD and useless top-level domains -- in a single story. The company says that ICANN should create a ".safe" TLD as a way to stop phishing. It contends that the domain could only be made available to registered banks and financial services firms, then users would know that they should only use sites from such companies that are hosted in the domain. It also contends that such a domain "would allow security providers to create better software to protect the public". The flaws in this concept are pretty obvious. Not only would it require every bank, credit-card company and financial services provider in the world to buy a new domain name and transfer their sites to it, but it doesn't do anything to get around the actual problem with phishing -- that people enter their personal information into sites they think are legitimate. Plenty of phishing attempts use domain names that are fairly obviously fake, but they're either masked by phishers some how, or victims simply don't pay enough attention to notice. Trying to move banks to a new domain won't help stop this at all, and won't provide any advantages over the current system. F-Secure says the change is needed to help security firms fight phishing, but that seems like little more than a comment about its own inadequacies rather than a convincing argument.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
from the me-too-me-too dept
As soon as anything like .safe got created, it would be inundated with complaints from those that are not allowed to be a part of .safe.
customer: Why isn't your web based email client safe?
customer service: because ICANN denied us the right to offer you safe email.
yeah, that would go over well.
Oh, and ebays paypal is officialy not a financial service (or at least not a bank) so who, exactly would get to decide who is allowed in or not?
Sounds to me like someone trying to create a paycheck out of thin air.
[ link to this | view in chronology ]
policiing issue
Successful phishing attempts leave an electronic trail.
Phishing efforts are so common that it should be trivial for the police to set up accounts, respond to a phishing attempt and then watch who accesses the account and where they move the small sums of money that the police would put on deposit.
[ link to this | view in chronology ]
DIBS
[ link to this | view in chronology ]
...
[ link to this | view in chronology ]
Dibs!
[ link to this | view in chronology ]
Re: policeing issue
[ link to this | view in chronology ]
[ link to this | view in chronology ]
More Dibs
www.not.safe
www.was.safe
www.aids.safe
www.locked.safe
www.cracked.safe
www.crackthis.safe
www.impenetrable.safe
www.fireproof.safe
www.3littlepigs.safe
and
www.whois.safe
[ link to this | view in chronology ]
Re: More Dibs
www.fail.safe
www.marginally.safe
www.nearly.safe
www.almost.safe
www.your.safe
www.im.sa fe
www.areyou.safe
www.home.safe
[ link to this | view in chronology ]
If we get rid of the ability to mask links with text then maybe less people will be tricked. It probably won't reduce it much but for security firms that .5% is a win, they could sell useless stuff to people and claim the reason they didn't get scammed was the program instead of the fact that browser makers removed a feature.
[ link to this | view in chronology ]
Evil Bit
[ link to this | view in chronology ]
Xanius
[ link to this | view in chronology ]
Re: Xanius
Not that I have a need to click on them since it's for the wrong bank anyway.
I guess I don't put my email in to enough random forms to get the cool ones.
[ link to this | view in chronology ]
idiots.
If 'Security' firms want to protect users from phishing they should just check the SSL certificate against a list of 'valid' companies. eg. banks etc.
.safe domains are stupid as I'm not going to trust my data to the security of my ISPs DNS server.
[ link to this | view in chronology ]
False sense of security
As SimonTek states in post #12 there are more ways of obscuring web addresses than simply registering www.yourbank-madeupbit.com and any suck .safe solution would still be vulnerable to redirection as in post #13 or more likely by hosts file hijacking
I'm surprised at F-Secure as their advice is usually reasonably reliable
[ link to this | view in chronology ]
Only one way to stop fishing
The banks can only stop it by supporting my effort to redevelop a method of surfing the internet. In this new method the client would have very limited role of communicating with the server. Just sending information. The server will not supply any information.
I need a donation of $1 Million from each bank to hire enough systems engineer to write a new code. I want to raise a seed capital of $50 Million. My internet address is ffakir005@aim.com/
[ link to this | view in chronology ]