Anti-virus company calls for creation of .bank domain

gallery

Finnish anti-virus firm F-Secure has stepped up its campaign for the introduction of a .bank domain it believes could help to cut down on phishing and identity theft.

The security company is seeking a sponsoring organisation that is willing to promote the domain as part of ICANN's recently announced public consultation on possible new top-level domains (TLDs).

As things stand there is nothing to prevent fraudsters registering a URL containing a bank's name - as F-Secure has noted before - and that is unlikely to change.

The company does not believe that a .bank domain would provide an instant fix for the widespread problem of phishing, but argues that if properly and rigorously controlled it could completely eliminate it in many instances. Not because users would suddenly wise-up and start carefully checking Web addresses, but because the issuing of .bank domains could be restricted, enabling browsers and security applications to better identify phishing sites, by providing a means of clearly identifying legitimate sites.

"There are no rogue sites on .gov domain names," the Finnish company noted. "Why? Because you can only get a .gov domain if you really are a US governmental organisation. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verifications steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it."

The TLD would also make it easier for security researchers to figure out which sites are not phishing sites.

"This really isn't as obvious as it sounds, as banks themselves use tons of different domains," F-Secure explained. "We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not."

The company rejects concerns that small banks and financial institutions could not afford to register a new domain.

"Small banks are not currently the ones losing the most money," it noted. "It's the big banks. And the domain doesn't have to be '.bank' literally. The TLD could be along the lines of .account, .verified, .safe, etc. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank [though it is registered as such in Europe] but they certainly do get phished. They might want to have a secured TLD for account access."

Scammers, on the other hand, would have to prove that they were a genuine financial institution before a domain is granted - even if they could afford the estimated $50,000 registration fee.

"And in the worst case, a rogue domain would be shut down quickly," F-Secure said. "The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals."

Email to a friend

Print this page