
[ISN] Masters of Their Domain


By Mikko Hypponen
May/June 2007

Online banking fraud is rampant because it's easy. Here's a fix that 
will mean money in the bank.

Computer security is a complex issue, and there is no simple cure-all. 
But one thing that continues to baffle me is the way we bank online. 
Think about the Web address of your bank. It probably ends in one of the 
common top-level domains: ".com" if you're in the United States, or, 
depending on your home country, in something like ".uk," ".de," ".jp," 
or ".ru." Which is why Web sites with such names as 
"bankofamerica-online.com," "lloydstsb-banking.com," "hsbc-login.com," 
or "paypalaccount.com" are so dangerous. They may look like the real 
thing, but they're operated by criminals. And these rogue banking sites 
are popping up every day. They are hosted under misleading names that 
read like a real bank's Web address, on domains registered with 
fake contact information. These impostors then bombard consumers with 
"phishing" e-mails, luring them to these sites, where their financial 
information is stolen.

How does this happen? At the moment, anyone willing to pay the fee of $5 
or so can register any domain name they want, as long as the name is not 
already taken. So creating these look-alike pages is fast, easy, and 

Why do banks and other financial institutions operate under the public 
top-level domains, like .com? The Internet Corporation for Assigned 
Names and Numbers, the body that creates new top-level domains, should 
create a new, secure domain just for this reason—something like ".bank," 
for example.

Registering new domains under such a top-level domain could then be 
restricted to bona fide financial organizations. And the price for the 
domain wouldn't be just a few dollars: It could be something like 
$50,000—making it prohibitively expensive to most copycats. Banks would 
love this. They would move their existing online banks under a more 
secure domain in no time.

The creation of a new domain for a specific industry is not 
unprecedented: We've already done it for museums, with their restricted 
".museum" top-level domain. If we can manage to protect storehouses of 
precious works of art from the Internet's most shameless thieves, surely 
we can find a way to protect our money.
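
The look-alike names quoted above can be caught mechanically, and the check becomes a single comparison under the proposed restricted domain. The following is an added example, not part of the original article: the official-domain table, the small suffix set and all function names are assumptions made for illustration.

```python
import re

# Assumed mapping of brand token -> the bank's own registrable domain.
# These official domains are not given in the article.
OFFICIAL = {
    "bankofamerica": "bankofamerica.com",
    "lloydstsb": "lloydstsb.com",
    "hsbc": "hsbc.com",
    "paypal": "paypal.com",
}

# Tiny stand-in for the Public Suffix List (assumption; a real
# deployment would load the full list).
TWO_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.ru"}


def registrable_domain(host):
    """Return the part of the host name that someone had to register."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host):
    """Return (verdict, brand_domain) for a host name seen in a link."""
    reg = registrable_domain(host)
    if reg in OFFICIAL.values():
        return ("official", reg)
    # Drop dots and hyphens so "bank-of-america" or a brand placed in a
    # subdomain label still matches. Coarse on purpose: it can over-match.
    squashed = re.sub(r"[^a-z0-9]", "", host.lower())
    for brand, official in OFFICIAL.items():
        if brand in squashed:
            return ("lookalike", official)
    return ("unrelated", None)


def under_restricted_tld(host, tld="bank"):
    """The article's proposal: trust reduces to one top-level label."""
    return host.lower().rstrip(".").split(".")[-1] == tld


if __name__ == "__main__":
    # The four names are the ones quoted in the article; the rest are constructed.
    for h in ["bankofamerica-online.com", "lloydstsb-banking.com",
              "hsbc-login.com", "paypalaccount.com", "www.paypal.com",
              "paypal.com.secure-login.example.co.uk", "example.org"]:
        print(h, classify(h), under_restricted_tld(h))
```
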
