Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain
from the now-there's-a-solution dept
Our friends at anti-virus firm F-Secure have managed to combine two of our favorite things — security FUD and useless top-level domains — in a single story. The company says that ICANN should create a “.safe” TLD as a way to stop phishing. It contends that the domain could only be made available to registered banks and financial services firms, so users would know that they should only use sites from such companies that are hosted in the domain. It also contends that such a domain “would allow security providers to create better software to protect the public”. The flaws in this concept are pretty obvious. Not only would it require every bank, credit-card company and financial services provider in the world to buy a new domain name and transfer their sites to it, but it doesn’t do anything to get around the actual problem with phishing — that people enter their personal information into sites they think are legitimate. Plenty of phishing attempts use domain names that are fairly obviously fake, but they’re either masked by phishers somehow, or victims simply don’t pay enough attention to notice. Trying to move banks to a new domain won’t help stop this at all, and won’t provide any advantages over the current system. F-Secure says the change is needed to help security firms fight phishing, but that seems like little more than a comment about its own inadequacies rather than a convincing argument.
Comments on “Security Firm Says It Can't Fight Phishing, So Banks Should Move To A New Domain”
from the me-too-me-too dept
Hey, there’s no reason to exclude anyone from security; everyone wants to be secure.
As soon as anything like .safe got created, it would be inundated with complaints from those that are not allowed to be a part of .safe.
customer: Why isn’t your web based email client safe?
customer service: because ICANN denied us the right to offer you safe email.
yeah, that would go over well.
Oh, and eBay’s PayPal is officially not a financial service (or at least not a bank), so who, exactly, would get to decide who is allowed in or not?
Sounds to me like someone trying to create a paycheck out of thin air.
policing issue
Phishing is a policing issue.
Successful phishing attempts leave an electronic trail.
Phishing efforts are so common that it should be trivial for the police to set up accounts, respond to a phishing attempt and then watch who accesses the account and where they move the small sums of money that the police would put on deposit.
DIBS
Dibs on http://www.un.safe
...
DAMNIT ^^
Dibs!
I’m calling dibs on: cracked.safe and is.safe.
policing issue
Phishing is not a policing issue, it is an idiotic users’ issue. The only way to get some people to learn is an object lesson. If people fall for a phishing attack, they probably did something stupid. I myself have (once) fallen for a phishing attack, back at school, but that was entirely stupidity, and since then I have never been fooled for a moment by scams.
I think it’s a good idea. Lots of people use online banking, and whatever can be done to make it more secure should be done. Sure, people can be foolish and dumb. But whatever we can do to stop the criminals who prey on them without giving up our own privacy or rights, I’m for.
More Dibs
Dibs on
http://www.not.safe
http://www.was.safe
http://www.aids.safe
http://www.locked.safe
http://www.cracked.safe
http://www.crackthis.safe
http://www.impenetrable.safe
http://www.fireproof.safe
http://www.3littlepigs.safe
and
http://www.whois.safe
Re: More Dibs
dibs on
http://www.fail.safe
http://www.marginally.safe
http://www.nearly.safe
http://www.almost.safe
http://www.your.safe
http://www.im.safe
http://www.areyou.safe
http://www.home.safe
The problem isn’t the URL, it’s the ability to change the text on a link. The average computer user is an idiot, they see a link that says “Bank of America” and click it, without looking to see if the actual link under it is 24.56.134.12/bankofamerica/stealyourshit.php
If we get rid of the ability to mask links with text then maybe fewer people will be tricked. It probably won’t reduce it much, but for security firms that .5% is a win: they could sell useless stuff to people and claim the reason they didn’t get scammed was the program instead of the fact that browser makers removed a feature.
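The link-masking trick the commenter describes (visible text naming one site, `href` pointing at another, or at a bare IP address) is something a mail gateway or a user's own tooling can detect. The checker below is an added example and is not code from the Techdirt post or any of its commenters; the sample email body, bank name and IP address in it are constructed placeholders. It flags anchors whose `href` host is a raw IP, and anchors whose visible text itself looks like a hostname that differs from the real target.

```python
"""Flag anchors whose visible text does not match their href target.

Added example (not from the Techdirt post or its comments): a small
checker for the link-masking trick described above.  The sample email
body below is constructed for the example; the bank name and IP address
in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Matches anchor text that itself looks like a hostname or URL, e.g.
# "www.example-bank.com" or "https://example-bank.com/login".
HOST_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def _host_of(url):
    """Return the lowercase host of a URL, or None if it has none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower() or None


def _is_ip(host):
    """True if `host` is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, text, reason) for anchors worth flagging.

    Reasons:
      ip-host        the href points at a bare IP address rather than a name
      text-mismatch  the visible text names a host that differs from href's
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = _host_of(href)
        if href_host is None:
            continue
        if _is_ip(href_host):
            findings.append((href, text, "ip-host"))
            continue
        m = HOST_LIKE.search(text)
        if m:
            text_host = _host_of(m.group(0))
            if text_host and text_host != href_host:
                findings.append((href, text, "text-mismatch"))
    return findings


# Constructed sample message body (placeholder bank name and IP address).
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected.</p>
<a href="http://192.0.2.10/examplebank/login.php">Example Bank</a>
<a href="http://examplebank.com.evil.example/">www.examplebank.com</a>
<a href="https://www.examplebank.com/">www.examplebank.com</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:14} text={text!r} href={href}")
```

The third anchor in the sample is left alone because its text and target agree; the first two are reported. A check like this does not catch an anchor whose text is just a brand name rather than a hostname (the "Bank of America" case above), which is why it belongs alongside, not instead of, the user looking at the status bar.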
Evil Bit
Why introduce a safe domain when we could just introduce the Evil Bit and protect everyone…
Xanius
Dude, that’s old school. What’s coming out now is scary as hell. PHP and JavaScript injections, i.e. using the web browser and code to break through. So http://www.bankofamerica.com/ followed by the script will allow the attack to happen. Very scary stuff. Google it.
Re: Xanius
Ah, well that’s neat. I was basing mine off of all of the bank scam emails I get; they are all just using the text masking in the href tag.
Not that I have a need to click on them since it’s for the wrong bank anyway.
I guess I don’t put my email in to enough random forms to get the cool ones.
idiots.
Sites that are required to be ‘Safe’ already have SSL certificates that verify what company is going to be receiving your data.
If ‘Security’ firms want to protect users from phishing they should just check the SSL certificate against a list of ‘valid’ companies, e.g. banks etc.
.safe domains are stupid as I’m not going to trust my data to the security of my ISP’s DNS server.
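The check this commenter proposes, comparing the organization named in a site's TLS certificate with a list of known institutions, can be written against the certificate dictionary that Python's `ssl.SSLSocket.getpeercert()` returns after a verified handshake. The code below is an added example, not from the post or its commenters; the allowlist, organization names, hostnames and certificate dicts are constructed placeholders. It also shows the limit of the idea: a domain-validated certificate carries no `organizationName` at all, so a look-alike host with a DV certificate can only be reported as "unverifiable", not as "not a bank".

```python
"""Check a peer certificate's organization against an allowlist.

Added example, not from the post or its comments.  It implements the
commenter's suggestion: instead of a new TLD, compare the organization
named in the site's TLS certificate with a list of known financial
institutions.  The certificates below are constructed dicts in the shape
that Python's ssl.SSLSocket.getpeercert() returns; organization names,
hostnames and the allowlist itself are placeholders.
"""

# Hypothetical allowlist: organization name -> hostnames it is known to serve.
KNOWN_INSTITUTIONS = {
    "Example Bank N.A.": {"www.examplebank.com", "online.examplebank.com"},
}


def _subject_field(cert, key):
    """Return the first value of `key` in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def _san_dns_names(cert):
    """Set of lowercase DNS names from the certificate's subjectAltName."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def classify(cert, hostname):
    """Classify a certificate presented for `hostname`.

    Returns one of:
      "trusted"          organization is on the allowlist and serves hostname
      "no-organization"  certificate carries no organizationName (typical of
                         domain-validated certs), so the check cannot apply
      "unknown-org"      organization present but not on the allowlist
      "host-mismatch"    the SAN does not cover hostname, or the organization
                         is known but not for this hostname
    """
    hostname = hostname.lower()
    if hostname not in _san_dns_names(cert):
        return "host-mismatch"
    org = _subject_field(cert, "organizationName")
    if org is None:
        return "no-organization"
    if org not in KNOWN_INSTITUTIONS:
        return "unknown-org"
    if hostname not in KNOWN_INSTITUTIONS[org]:
        return "host-mismatch"
    return "trusted"


# Constructed certificates (placeholders), shaped like getpeercert() output.
BANK_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank N.A."),),
                (("commonName", "www.examplebank.com"),)),
    "subjectAltName": (("DNS", "www.examplebank.com"),
                       ("DNS", "online.examplebank.com")),
}
LOOKALIKE_CERT = {  # domain-validated cert for a look-alike host: no org field
    "subject": ((("commonName", "examplebank-secure.example"),),),
    "subjectAltName": (("DNS", "examplebank-secure.example"),),
}
CLAIMED_ORG_CERT = {  # org field present, but the org is not on the allowlist
    "subject": ((("organizationName", "Example Bank Holdings Ltd"),),),
    "subjectAltName": (("DNS", "examplebank-holdings.example"),),
}

if __name__ == "__main__":
    for cert, host in ((BANK_CERT, "www.examplebank.com"),
                       (LOOKALIKE_CERT, "examplebank-secure.example"),
                       (CLAIMED_ORG_CERT, "examplebank-holdings.example")):
        print(f"{host:32} {classify(cert, host)}")
```

In a real client the dict would come from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`, so chain validation and hostname matching have already happened before this allowlist layer runs. The layer only adds information for certificates that name an organization; a DV certificate for a look-alike domain is exactly what a phisher can obtain, and for it the result is "no-organization" rather than a verdict.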
False sense of security
I think the best this could offer is basically a false sense of security for users.
As SimonTek states in post #12, there are more ways of obscuring web addresses than simply registering http://www.yourbank-madeupbit.com, and any such .safe solution would still be vulnerable to redirection as in post #13 or, more likely, to hosts file hijacking.
I’m surprised at F-Secure as their advice is usually reasonably reliable.
Only one way to stop phishing
The banks should realise that there is only one way to stop phishing. Every day I receive emails telling me that I’ve paid $1000 to some party at PayPal to buy some item at eBay, or that my Bank of America account has had abnormal activity and I must click on a given link to fix the security. I receive such emails on behalf of all the banks. Obviously the sender does not know if I have an account at a vendor or not.
The banks can only stop it by supporting my effort to redevelop a method of surfing the internet. In this new method the client would have a very limited role of communicating with the server: just sending information. The server will not supply any information.
I need a donation of $1 Million from each bank to hire enough systems engineers to write new code. I want to raise seed capital of $50 Million. My internet address is ffakir005@aim.com/