
Customer Confusion over New(ish) gTLDs Targeting Financial Services

Gunter Ollmann

For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware — each campaign seeking to relieve the victim of their online banking credentials and funds.

In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years.

Now we're about to enter a new era of mitigation attempts, but I can't help but feel that they too will amount to nothing.

Since social engineering lies at the heart of so many phishing campaigns, it seems that the many businesses that make up the financial-sector vertical have set out to leverage a growing spectrum of new generic top-level domains (gTLDs) to prevent professional phishers from acquiring common business names (and misspellings of them) and using them in attacks.

New gTLDs

In the land rush to shut out the phishers, we've already seen new gTLDs such as .capital, .credit, .creditcard, .finance, .financial, .fund, .holdings, .insure, .investments, .loans and .tax become available.

And by Easter 2015 we can expect to see .bank, .banque, .buy, .creditunion, .gold, .insurance, .lifeinsurance, .loan, .market, .money, and .pay add to the pile and become available to organisations that want to secure their personal piece of the Internet.

Each of the new gTLDs has its own business justification for existing, and they offer mildly differentiated business proposals from one another.

While most individually tout the virtues of removing confusion for their financial-services end customers, the collective gaggle of new gTLDs is clearly anything but confusion-free.

There is little doubt in my mind that this growing cacophony of financial-services gTLDs will only improve the odds of a phishing attack being successful.
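As an added example (not code from the author or from any registry), the following Python sketches the defender-side check that this confusion calls for: given the one domain a brand really operates, it flags observed hostnames that place the same label, or a one-edit misspelling of it, under any of the financial gTLDs listed in this post. The brand name, its domain and the sample hostnames are constructed.

```python
"""Flag observed hostnames that reuse a protected brand label, or a near
misspelling of it, under one of the financial-services gTLDs named in the post.
Constructed example for this article; not code from the author or any registry."""

# gTLDs listed in the post: those already delegated plus those due by Easter 2015.
FINANCIAL_GTLDS = {
    "capital", "credit", "creditcard", "finance", "financial", "fund",
    "holdings", "insure", "investments", "loans", "tax",
    "bank", "banque", "buy", "creditunion", "gold", "insurance",
    "lifeinsurance", "loan", "market", "money", "pay",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, brands: dict, max_edits: int = 1) -> str:
    """Classify one hostname. brands maps each protected label to the one domain
    the brand really operates, e.g. {"examplebank": "examplebank.bank"} (constructed).
    Only the label directly under the gTLD is compared, so a deeper subdomain such
    as 'examplebank.bank.evil.example' is judged on 'evil' + 'example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "ignore"
    label, tld = labels[-2], labels[-1]
    if tld not in FINANCIAL_GTLDS:
        return "ignore"                    # outside the namespace this check covers
    if f"{label}.{tld}" in brands.values():
        return "legitimate"                # the brand's own registered domain
    for brand in brands:
        if label == brand:
            return "brand-on-other-gtld"   # same name under a different financial gTLD
        if edit_distance(label, brand) <= max_edits:
            return "lookalike"             # misspelling, hyphenation or swapped letter
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample hostnames as they might appear in mail or proxy logs.
    brands = {"examplebank": "examplebank.bank"}   # constructed brand and domain
    sample = ["www.examplebank.bank", "examplebank.loans", "exampIebank.bank",
              "example-bank.credit", "secure-login.pay", "examplebank.bank.evil.example"]
    for host in sample:
        print(f"{classify(host, brands):20} {host}")
```

Feed it the hostnames extracted from inbound mail or proxy logs; anything classed as `brand-on-other-gtld` or `lookalike` is a candidate for takedown or user warning.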

From what I understand, several of these new gTLDs will ensure that only verified members of the banking and insurance communities will be able to register a domain name, and suitable guarantees will be offered that only legitimate brands and trademark operators will be able to acquire them.

Enhanced security controls

A handful of new gTLDs (e.g. .bank and .insurance) will be going a step further and offering enhanced security controls to limit a consumer's exposure to online fraud and attack — such as DNSSEC, email authentication, and multifactor authentication. That is comforting and generally quite appropriate given today's threat landscape, but the general confusion of so many financial services gTLDs will persist — likely until some consumer consolidation occurs over the next couple of years. Until then these organisations will continue to sow in fertile grounds that the phishers will reap.

It'll be interesting to see which of these new financial services gTLDs will percolate to the top and which will fade into obscurity over the coming years — and how much money will be expended in the battle to reign supreme (if _any_ do survive).

Regardless of how this battle between competing gTLDs (and their phishing adversaries) unfolds, I'd like to ask just one thing from each of them — something that will help secure their clients' customers. Please read and adopt the newly released .trust Technical Policy.

Conclusion

If you want to help make the Internet safer for your customers, embrace the .trust Technical Policy rather than invent a watered-down variant — phishers and other cyber adversaries will then have no choice but to move on to easier targets.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft
Related topics: Cybersecurity, New TLDs
