
There’s no doubt that phishing has become a huge problem. If you bank online, use PayPal, or have an eBay account, it’s beyond my comprehension how you manage to tell the real e-mails and the fake ones apart. But Mikko over at F-Secure has what seems like a foolproof plan to counter bank-related phishing scammers: make a new top-level domain called .bank.
This new domain would be available exclusively to banks and financial institutions. To top it off, these domains would not cost $8.95 at GoDaddy. Mikko suggests a price tag around the $50,000 mark to ensure that only legitimate businesses (or really rich scammers) can purchase one. Banks would pay the $50k premium in no time to assure customers that they are logging on to the real site. I think this idea is a surefire way to fight phishing. Your thoughts?
Masters of Their Domain [Foreign Policy via Slashdot]

one word: “GENIUS”
It’s sort of like raising the prices of bullets to $5k/bullet in an effort to lower fatal shootings. :)
Actually, take a look at this (Crunchgear) article:
http://crunchgear.com/2006/10/19/domain-name-%D0%BC%D1%83%D1%95%D1%80%D0%B0%D1%81%D0%B5com-for-sale-affordable/
I’d have to guess that people fall for phishing email scams because they’re undereducated about computer security, and/or they’re careless. A new top-level domain will do nothing to remedy that… Worse still, it could make those same people even *more* careless; if they’re told “only legitimate banks will have ‘.bank’ in their address,” once they see “www.yourbankname.bank” in a fraudulent email, they’ll assume “this one must be real - it has ‘.bank’ in it.”
I’ve seen PIN numbers written on the backs of debit cards, I’ve seen passwords written on Post-It Notes affixed to monitors, and I’ve seen countless news stories about people who sent their life savings to deposed Nigerian royalty millionaires… A “.bank” URL will not help these people.
Won’t help. Not one bit.
1) People don’t understand URLs - the same phishing attacks that work against citibank.com today will work against citibank.bank.
2) It only tries to fix one small issue with a problem that has a dozen different attack vectors (e.g. it doesn’t fix DNS poisoning).
3) Although it’s meant to be an arbitrary number, 50k is a lot of money for one- or two-retail-outlet credit unions or banks.
The phishing e-mail I get has URLs that don’t look anything like the right URL.
If this scam… er, scheme goes ahead, I’ll get phishing e-mail that doesn’t look like a .bank URL, instead of phishing e-mail that doesn’t look like a .com URL. Whoop-de-doo.
Somehow, I doubt that’ll stop Joe MSNer from providing his bank login and password to a random web site in China. I mean, if he was checking URLs, he wouldn’t be falling for phishing scams right now.
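Several commenters above make the same point from different angles: a user who sees “.bank” somewhere in a link has not established that the host is under the .bank TLD, and an IDN lookalike (the Crunchgear link) can sit under any TLD the registry allows. The following is an added example, not code from the original post or from F-Secure; the .bank TLD is treated as hypothetical (as in the post) and every URL in it is constructed for illustration. It shows how a naive “contains .bank” check differs from actually parsing the host, and flags non-ASCII (homoglyph) labels.

```python
"""Added example: '.bank appears in the URL' versus 'the host is under the .bank TLD'.

Not part of the original post. The .bank TLD is hypothetical here and all
sample URLs below are constructed; example.net stands in for an attacker host.
"""
from typing import Optional
from urllib.parse import urlsplit


def registrable_tld(url: str) -> Optional[str]:
    """Return the real top-level label of the URL's host, lower-cased and
    IDNA-encoded (so homoglyph labels become xn--...), or None if no host."""
    host = urlsplit(url).hostname  # drops scheme, userinfo (user@), port, path
    if not host:
        return None
    host = host.rstrip(".")        # 'www.example.bank.' is the same host
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None                # label the IDNA rules reject; treat as no host
    return ascii_host.rsplit(".", 1)[-1].lower()


def looks_like_bank(url: str) -> bool:
    """The check a hurried user (or a sloppy mail filter) actually makes."""
    return ".bank" in url.lower()


def is_under_bank_tld(url: str) -> bool:
    """What the '.bank' proposal would actually guarantee, if anything."""
    return registrable_tld(url) == "bank"


def has_idn_label(url: str) -> bool:
    """True if any host label is non-ASCII or already punycode (xn--)."""
    host = urlsplit(url).hostname or ""
    return (not host.isascii()) or any(
        label.lower().startswith("xn--") for label in host.split(".")
    )


def classify(url: str) -> dict:
    return {
        "contains_dot_bank": looks_like_bank(url),
        "under_bank_tld": is_under_bank_tld(url),
        "has_idn_label": has_idn_label(url),
    }


# Constructed URLs. Only the first is a real host under the hypothetical TLD;
# the others are the shapes the commenters describe.
SAMPLE_URLS = [
    "https://www.yourbankname.bank/login",                 # genuine .bank host
    "http://www.yourbankname.bank.example.net/login",      # .bank as a subdomain
    "http://example.net/www.yourbankname.bank/login",      # .bank in the path
    "http://www.yourbankname.bank@example.net/login",      # .bank as userinfo
    "https://www.yourb\u0430nkname.bank/login",            # Cyrillic 'а' homoglyph
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n    {classify(u)}")
```

Only the first URL is under the .bank TLD, yet every one of them passes the naive substring check, and the last one passes the TLD check as well, because a homoglyph in the second-level label is invisible to a rule that only looks at the suffix. Whether that last case is possible depends on whether the registry permits IDN labels, which the post does not say; the point is that the suffix alone decides nothing about the rest of the name.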