more .shenanigans

Dave G. | May 9th, 2007 | Filed Under: Industry Punditry

Jeremiah Grossman commented about the .bank TLD, that I talked about previously:

His take:

Mikko Hyppönen, Chief Research Officer of F-Secure, publish an article entitled “Masters of Their Domain” (with /. coverage), suggesting a phishing solution that says financial institutions should be served from a reserved .bank tld. Oh, and also that it would be expensive ($50,000) in order to keep phishers away. The logic goes that users would be assured that .bank sites are safe and to conduct business with. OK, leaving aside browser vulnerabilities, potential flaws in the domain registration system (like the SSL Cert system), and website vulnerabilities ….

The users who are getting phished are not those analyzing the domain name in the URL, reading the SSL Certs, or even double checking links before they click. The users who are getting phished are the same ones who would ignore a big red banner on the page that says “THIS IS A PHISHING WEBSITE!” And statistically thats A LOT of people and a .bank tld isn’t going to help them.

I totally agree with Jeremiah that there is no way that people who get tripped up by current phishing attacks will see the light. Of course, it is ridiculous what an average user has to do to not get deceived by phishing attacks.

I think what my previous post didn’t explain very well was that the reason F-Secure is proposing this isn’t because users are going to identify when they are going to a .bank website or not. This is about making it easier for F-Secure to catch phishing sites.

Right now, keeping track of phishing sites is basically a blacklist approach that is constantly updated. I propose that the goal of the bank TLD is to allow AV vendors to change their products so that they can basically whitelist with a regex for /^.*bank$/. The 50k ante is just to help this goal.

I think I am opposed to this more out of principle than the practice. I still think establishing who is a financial institution will be problematic.

Reader Poll: Is this a good idea even it the primary way it makes things safer is because AV can simplify their product?

Viewing 22 Comments

    • ^
    • v
    Do we believe the change to have significant real world impact in preventing the exposure of consumer assets to illegal harvesting? I agree that there will always be the lost causes in the WWW infoasset war, and that a signifying TLD would reduce the likelihood of, at least, a few people being duped. I also agree with your original points of "Who gets to determine the criteria for qualifying for the '.bank' TLD?" "What will the validation process entail?", etc. However, it does seem like a significant amount of effort for a small to marginal reduction in exposure. Phishing organizations, in general, operate on a hydra-like model of replacing blacklisted phishing servers almost instantaneously , usually with different colo-providers, or at the very least on a different network.

    A TLD is not the solution to the problem. The solution is not chasing down invalid domains, it's chasing down the people involved with perpetuating the phishing sites. If SSL can't be trusted to certify the domains we already have, what's the point of expecting them to protect the ones we're making to help everyone be "safe". Which brings us to AV products.

    I seriously doubt that AV products will be saving enough clock cycles (by whitelisting /.bank$/) to justify the enormous amount of time, energy, and money it would require in order to implement.

    CBA Ninja Says: Bad idea, based on inefficiency.
    • ^
    • v
    I made similar comments in my own blog (http://blogs.eweek.com/cheap_hack/content/phish...).

    I would say that banks would be better off at this point using EV-SSL certificates, which provide a very high assurance of authenticity, a clear visible signal to the user, and a high barrier to entry (like a .bank registration). Of course you could use .bank and EV-SSL at the same time.

    Neither solution tells you that the phishing site you are looking at is *not* a bank. The user always has to have a skeptical eye which is, alas, why we're screwed on the matter in large part.
    • ^
    • v
    Hmmm... That link didn't work out well. Let me see if A tags are permitted:

    Larry's Blog On .bank
    • ^
    • v
    I am not opposed to the idea, but I don't like the idea that admission is based on how much money you are willing to put up. I would like to see the second level domain being something like the country code and the registry being the responsibility of someone who already has some type of oversight for the industry in that jurisdiction. For example, I live in Canada, so if the registrar for ca.bank was the Canadian Bankers Association or Canada Deposit Insurance Corporation (I think I prefer the latter).

    It will help, but it won't solve the problem, users will still have to realise that mybank.ca.bank is not the same as mybank.ng.bank. And those people who click on links in emails will continue to click on links in emails.

    And then there are the banks themselves! They really need to follow some half decent coding practices. My bank (mybank.ca) has a brokerage division (mybank-brokerage.ca) and an insurance division (mybank-insurance.ca). They insist on using javascript and do some of the most horrid XSS to pass you back and forth amongst those sites. I get so immunised to NoScript popping up warnings that I would probably click OK if they asked if it was OK to send my data to mybank.ru!!! And don’t get me started on their use of cookies (and Flash Local Shared Object aka Flash Cookies) as authentication tokens.
    • ^
    • v
    Larry,

    I think EV-SSL could make things worse. It gives the user an even higher sense of false security through blind trust.

    For a good read on the subject I defer to this research paper:
    http://www.usablesecurity.org/papers/jackson.pdf
    • ^
    • v
    Jon: I'm pretty sure that this isn't a move by the AV companies to have a good global cost-benefit, it's a move to externalize their costs at great expense to the rest of the world.
    • ^
    • v
    I think as geeks, we all want cool/elegant *technical* solutions to problems like fishing. But the reality is that fishing is a social problem (people are stupid and will click on anything) and like most other social problems, technical solutions don't work all that well.

    So if F-Secure, Norton, McAfee, ClamAV and all the other anti-virus firms can just do a simple regex to catch bank fishing sites to allow these stupid people to keep their money, then I'm all for it. Honestly, I'm not sure how that'll work-- does it pop up a box everytime you go to a non .bank domain and warn you "This is not a real banking website!" Obviously, there's still some heursitics that have be developed or people will just turn the feature off and be no safer.

    For $50K (hell make it $100K- they can afford it) you can fly someone to their offices, validate they are who they say they are and still make a profit, so I don't see that being a problem.
    • ^
    • v
    www.citibank.com.ec/.bank

    I wish we could stop calling the people clicking on phishing mails "stupid". It isn't their job to know how to authenticate a website. It's our jobs to make it trivially obvious which ones are and aren't. Other people have already pointed out the plethora of weird little domains major banks use to clear transactions, and we've been talking for years about how "authentication" of websites hasn't progressed since Netscape invented the little blue key.

    We are the dumbasses here, not our moms.
    • ^
    • v
    If .bank does happen, are we taking bets on whether or not URL obfuscation (www.chase.bank@01010101) still works on more than half half of AV products?
    • ^
    • v
    It’s our jobs to make it trivially obvious which ones are and aren’t.

    Are and aren't what? Authentic bank web sites? One of the reasons that phishing is a hard problem is that phishing operates at a higher semantic level than the level at which current defenses operate. The phisher's objective is to put in front of the user a page which looks like the page found at mybank.com. Certificates don't work because they verify the actual identity of the site, rather than the identity which is perceived by the user, the visual appearance of the site. We don't have good tools to authenticate how a site looks.

    I, and clearly from discussion here and elsewhere, many others with good understanding of the phishing problem, fail to see merit in the idea of .bank. However, I'm pretty sure that Mikko Hypponen is not clueless about phishing, e.g., he's familiar with things like URL obfuscation, and so I would guess that he has sound technical reasons for proponing this idea. I'd like to see those reasons expressed in more detail than the glorified press releases we've seen so far.
    • ^
    • v
    I totally agree that .bank is a silly idea.

    I think a good first step would be vastly better, user-centric, research-driven UI design around SSL certificates, and better policies at CA's.
    • ^
    • v
    This just seems like a twist on the "evil bit" theory; an attempt to find a simple technical solution to a difficult social problem.

    Why would banks be driven to register a .bank TLD? I see no benefit to them.
    • ^
    • v
    Kaospunk - The paper doesn't really say much about EV. It says that it doesn't help with phishing sites, and it's not really supposed to. It's supposed to help users identify legit sites as legit, and they say that trained users were able to do this. I'm sure it would be easier for a trained user to notice an EV site with all that green crap going on than to notice a .bank domain, and this is the point I was making.

    Getting back to your point, how could EV-SSL make things worse through blind trust? The paper doesn't make this point. Do you really think there will be a lot of sites with EV-SSL certs that will attack users?
    • ^
    • v
    This is indeed a non solution for many reasons, the first two which come to my head being:

    1 it takes a far too limited view of financial institutions which get subject to phishes. The "what qualifies as a bank" problem.

    2 it assumes that "bank" has the same meaning to all Internet users. The "do they speak English in what" problem.
    • ^
    • v
    The point is that a great deal of those users won't even notice anything different or will continue(as was also shown in a study regarding the worthless SiteKey solution). Another potential issue is that of a phishing site spawning a "browser in browser" via javascript. If this fake browser was set up to have an image displaying a green bar the user sees this and thinks they're secure.

    I equate the EV-SSL to the current certificate issue whereas many users believe that just by seeing a lock in their browser means they are secure. It's just a false sense of security.

    The point was made by Aaron Turner. This is a social issue. I'm not all that confident that layering more technology on will help my grandma do her online banking.
    • ^
    • v
    Nope, not a good idea. First, and really just a nitpick, you would have to add .credit or .union or something similar, as credit unions HATE HATE HATE being called banks. Which is fun when you let the b-word slip in front of your first CU client on a pentest engagement...

    Second, as identified above, a bank is hard to define, given the US has six or seven banking regulators, and banks have several types of charters, based on its regulatory agency.

    Third, international banks pose challenges, but I guess we wrote those off with the .edu domain, so what's another.
    • ^
    • v
    Grr...forgot to suggest an alternative that could be implemented sooner than a new TLD:

    .bank.us and .cu.us
    • ^
    • v
    50K would be better spent on advertising literature, educating users on how to avoid fraudulent sites. They can't stop it all, but education would go a long way.

    I know that banks don't like to talk about account fraud (when was the last time you saw any of their literature mentioning it), but it would help.

    Alternative domain naming will not help anyone uneducated enough to be taken in by these sites. To be fair, some of them are very, very convincing.
    • ^
    • v
    Joe.Banks@foo.bar says he *loves* Mikko's regex idea. Ka-ching!

    -- joe@joe.vs.volcano.com
    • ^
    • v
    Hello guys:

    I can't believe what I am reading. How can an antivirus company just say banks should change their domain in order to avoid phising? Unbelievable! I don't understand how it will offer any protection to the phising issue. Who cares if it is .com or .whatever? It is ridiculous.

    I think the current approach with every anti-phising solution is totally wrong. Why? Because black listing is useless. In my opinion, the only possible solution to this comes from an approach where banks take an active role. Both giving more education to their customers and also with an easy to use and good technnical solution. It should be as simply as providing them with a secure and easy way to access their accounts having few or none ways to make a mistake. Yes, I know, it sounds too good, but ... there is hope...

    I recently heard about a company in Spain offering such a solution. I think their way to accomplish this is very clever: They offer the bank an application based in a cd-card which can substitute the usual key-table card given by the bank to the customers. This cd includes its own web browser and includes a simplified version of a pki solution which assures with a white list that the bank website is the real one.

    If anyone is interested just have a look at this pdf (in spanish, I think there is no english version)
    http://www.egarante.com/documentacion_garante.pdf

    I don't know if this is being used. Never seen this until now with any bank in Spain, I wonder if this is because any possible fault with the solution (I doubt it) or more because of some obscure interests in the financial sector. I tend towards this last option.
    • ^
    • v
    It is my personal opinion that many of you are approaching this from a wrong perspective. Would .bank prevent phishing entirely? Of course not. Would it make it harder to target big banks with phishing? Probably. Would that in effect reduce the amount of successful phishing? Most likely.

    You see, we do not need to prevent phishing entirely. We just need to make it hard enough, that the success stories will be decimated from what they aretoday. Just like we have made it hard but not impossible to steal cars or break into premises. Making it difficult though will reduce the amount of attempts and especially the success stories.

    Throwing the education card into this discussion is frankly naively idealistic. There are hundreds of millions of people on the internet to educate, many with non-technical backgrounds. Surely simple technical means to reduce the amount of succesful phishing is far more cost-efficient solution than giving lectures to all of those people today. And the problem, like it or not, is today and not a generation from now.
    • ^
    • v

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus