
ICANN Asked to Adopt Specific TLD for Banks

Security watchers are calling on net governance body ICANN to adopt a new top level domain name to be used exclusively by registered banks and financial organisations.

If ICANN introduced a .safe domain (or .sure or .bank), which could only be used by registered financial institutions, it would allow security providers to create better software to protect the public.

Read full story: The Register


Re: ICANN Asked to Adopt Specific TLD for Banks The Famous Brett Watson  –  Mar 30, 2007 8:44 AM PDT

As far as I can tell, the party issuing this call is F-Secure in a press release. It’s interesting that F-Secure is advocating this particular approach, but is the press release backed up by any intention to actually drive the process forwards, or is it just a little public posturing for marketing purposes?

Re: ICANN Asked to Adopt Specific TLD for Banks Karl Auerbach  –  Mar 30, 2007 10:11 PM PDT

If the banks are concerned about security, and I hope they are, then they can do what they want today.

They can simply find a domain - or spend a few dollars to buy one - and create subdomains in that.

For example rather than .safe they can do what they want under something like verysafebanking.com

This is a marketing ploy, pure and simple. They want the sex appeal of their own TLD.

Now there is nothing wrong with wanting their own TLD - I have my .ewe and I'd like to be in the NTIA root zone too.

However, if the banking industry perceives a risk to security and they could fix this using a domain name that they control then they are simply being reckless by not deploying the fix today in a name under an existing TLD rather than waiting (and subjecting all of us who use banks) during the potentially infinite interim before they got their own TLD.

Re: ICANN Asked to Adopt Specific TLD for Banks The Famous Brett Watson  –  Mar 31, 2007 12:38 AM PDT

I think that's an unfair characterisation of this proposal.

The point of having a TLD like ".safe" is that it's much harder to spoof. Go ahead and register "verysafebanking.com"; the first phisher to come along will look upon it with scorn, copy the associated web page and put up his own clone at "verysafebonking.com" or similar. It just has to be similar enough to fool a small percentage of ordinary online banking users.

The idea behind ".safe" is that it would not be open to ad hoc registrations at the drop of a hat like the generic domains. A registrant would need to go through a somewhat lengthy registration process to prove that they are, in fact, a bank (or similar). There could also be stringent requirements that names be sufficiently different to other names already registered. The goal is to make a name that's hard to spoof, and the ".safe" part of the name is just as important as the registration restrictions within that domain. How do you spoof "www.usbank.safe"?

To answer my own question — and throw some cold water on ".safe" — you do it the same way you spoof "www.usbank.com" in actual practice. Register a completely irrelevant domain like "itprodll.hk", then create a subdomain like "www.usbank.safe.ebanking-services-id51968321.itprodll.hk". There will be plenty of folks who can't tell that this isn't the real deal in the context of a URL. That's the sophisticated approach. The cheap and nasty approach is to do it this way: http://www.usbank.safe/.

Note: the example domain "itprodll.hk" is from an actual recent phish in my personal spam corpus, not a fabrication.

I'd be intrigued to hear F-Secure's response to this, given as how they think ".safe" is such a good idea, but I'd also like to know whether they actually intend to do something towards the establishment of ".safe", or whether they were just making some noise about it.
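The two spoofing patterns described in the comment above (a bank's name buried in the subdomain labels of an unrelated registration, and link text that reads as a ".safe" URL while the link itself points elsewhere) are exactly what a mail filter or browser heuristic has to separate from the genuine name. The following is an added example, not code from CircleID or from any commenter, showing the defender-side check: only the registrable domain (public suffix plus one label) decides who controls a hostname, so a trusted name appearing anywhere to the left of it is a warning sign. The public-suffix table and the bank allowlist are constructed for illustration (a real deployment would load the Public Suffix List); the sample hostnames are the ones quoted in the thread, plus the "verysafebonking.com" look-alike from the earlier reply.

```python
"""Defender-side classification of hostnames and links for the spoofing
patterns discussed in the thread. Added example; tables below are constructed."""
from urllib.parse import urlsplit

# Constructed subset of public suffixes; a production check would load the
# real Public Suffix List instead of hard-coding entries.
PUBLIC_SUFFIXES = {"com", "hk", "com.hk", "co.uk", "uk", "safe", "bank"}

# Constructed allowlist: names the bank actually controls.
TRUSTED_BANK_DOMAINS = {"usbank.safe", "usbank.com", "verysafebanking.com"}


def host_labels(hostname):
    """Lower-case DNS labels of a hostname, ignoring a trailing root dot."""
    return [lab for lab in hostname.lower().rstrip(".").split(".") if lab]


def registrable_domain(hostname):
    """Return the registrable part (public suffix plus one label), or None.

    Longest-suffix match against PUBLIC_SUFFIXES; an unlisted TLD is treated
    as a public suffix on its own, as the Public Suffix List's default rule does.
    """
    labels = host_labels(hostname)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(hostname):
    """Classify as 'trusted', 'embedded-brand', 'lookalike' or 'unknown'.

    Only the registrable domain decides trust; everything left of it is chosen
    freely by whoever owns that domain, so a bank name there is suspicious.
    """
    reg = registrable_domain(hostname)
    if reg in TRUSTED_BANK_DOMAINS:
        return "trusted"
    labels = host_labels(hostname)
    for trusted in TRUSTED_BANK_DOMAINS:
        t = trusted.split(".")
        # Trusted name appearing as consecutive labels left of the registrable part.
        for i in range(len(labels) - len(t)):
            if labels[i:i + len(t)] == t:
                return "embedded-brand"
    if reg:
        # Same brand under another suffix, or one character away from it.
        for trusted in TRUSTED_BANK_DOMAINS:
            if edit_distance(reg.split(".")[0], trusted.split(".")[0]) <= 1:
                return "lookalike"
    return "unknown"


def link_display_mismatch(display_text, href):
    """True when visible link text names a different registrable domain than href.

    This is the 'cheap and nasty' trick: the text reads http://www.usbank.safe/
    while the underlying link goes somewhere else entirely.
    """
    text = display_text.strip()
    if " " in text or "." not in text:
        return False  # display text is not a URL or hostname; nothing to compare
    shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
    target = urlsplit(href).hostname or ""
    return registrable_domain(shown) != registrable_domain(target)


if __name__ == "__main__":
    # Constructed samples built from the hostnames quoted in the discussion.
    for h in ["www.usbank.safe",
              "www.usbank.safe.ebanking-services-id51968321.itprodll.hk",
              "verysafebonking.com", "bank.cm"]:
        print(f"{h:60s} registrable={registrable_domain(h)!s:14s} {classify_host(h)}")
    print(link_display_mismatch("http://www.usbank.safe/",
                                "http://www.usbank.safe.ebanking-services-id51968321.itprodll.hk/login"))
```

The design point is that the check never inspects the left-hand labels for reassurance, only for alarm: a hostname is trusted solely because its registrable domain is on the allowlist, which is the same property a ".safe" registry restriction would give a ".safe" name, and the same property a bank gets today by controlling a second-level domain.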

Re: ICANN Asked to Adopt Specific TLD for Banks Karl Auerbach  –  Mar 31, 2007 12:54 AM PDT

Given that the same stringent controls over who is allowed to put a name into "verysafebanking.com" as would be the case for names added to ".bank", I don't see any difference in the degree of protection that can be obtained in that regard.

(I am assuming that the contents of the .com zone upon which verysafebanking.com depends are themselves relatively safe from manipulation - and I believe that that is a fairly solid assumption.)

I agree with you that the ".safe" TLD is hard for phishers to phish because a phisher simply could not realistically obtain a near-look-alike TLD. And to that degree there is merit in the proposal and to that degree my comments should be discounted.

I guess what it comes down to is that given the lack of real end-to-end mutual identification and authentication we need to grasp at the thin straw of giving users a way to use their eyeballs to inspect domain names and hoping that they do.

Re: ICANN Asked to Adopt Specific TLD for Banks John Levine  –  Mar 31, 2007 11:28 AM PDT

Users basically don't understand domain names. If there were a .bank TLD, you could advertise whatever.bank until you're blue in the face and people will still type in whatever.bank.com or bank.whatever.com or bank.cm.

As Paul Hoffman's recent note points out, people type names into search boxes these days, not into address bars, so your choice of names is as much at the mercy of Google as it is of ICANN.

Re: ICANN Asked to Adopt Specific TLD for Banks George Kirikos  –  Mar 31, 2007 2:20 PM PDT

.safe would be a very poor choice of a string (.bank would be fine — I've even offered to run that TLD, if ICANN would hand it over to me!). Having a .safe would imply that if you don't use .safe, you're unsafe.

This is similar to what was argued in the .xxx matter, where they said that the sponsoring organization consisted of "responsible" adult companies, implying that those not in the sponsoring group were not responsible, as Demi Getschko and Rita Rodin mention in the Board vote transcript:

http://www.icann.org/meetings/lisbon/transcript-board-30mar07.htm

Re: ICANN Asked to Adopt Specific TLD for Banks Kieren McCarthy  –  Apr 02, 2007 7:10 AM PDT

I think this story is some clever PR by a company that wants to get coverage before the new gTLD round is opened.

And good on them. The more innovative and helpful ideas for new gTLDs, the better, as far as I am concerned.

I have no doubt whatsoever that ICANN would see a top-level domain that provided a technical solution to the significant problem of phishing as an excellent thing. The hope would be that the application came from some consortium of world banks so the TLD had the authority and the connections to make it stick.

There were two points in the comments about a) banks being able to give security already over existing domains (most likely dotcoms) and b) people not using a, say, .bank because they are used to .com.

To the first point, I think what people are missing here is that a TLD gives you control over a registry, so you can build and define how that registry works, and you can also do interesting things with the DNS that you can't do with an existing and heavily populated registry.

In this .bank case, you can not only restrict domain applications to recognised banks but you can also stick DNSSEC on the registry and so massively improve security.

This ties in with the second part. Will people use or get used to a .bank? Of course they will! If it is in the banks' interests to push a bank - because for example it saves them millions in phishing scams, they will promote the hell out of a .bank.

If every bank advertisement had, for example, "go to barclays.bank" for more information. If every poster had ".bank"; if your statements had .bank on them and - most importantly - if the online banking services were transitioned over to ".bank" - do you honestly believe people won't get used to it?

This is the future expansion of the Internet. To say the Internet won't grow beyond dotcom and people won't get used to anything beyond dotcom is to forget about the deep impact the Net is having in our lives. And one thing human beings are very good at is adopting things when it's in their interests to do so. We've just not had a new gTLD that does anything beyond what dotcom can already do — yet.

Kieren McCarthy

Re: ICANN Asked to Adopt Specific TLD for Banks Michele Neylon  –  Apr 02, 2007 4:40 PM PDT

I can see both sides of this argument.

We deal with end users every single day, so I can fully understand why people would be so sceptical of a new TLD for financial institutions. Most end users would not be aware of a site's domain or TLD. When I look at some of the phishing sites that I've spotted over the last couple of years I am always amazed that people are duped, but then I hear the media reports of how many people have fallen for it again.

However I also think that having a namespace for financial institutions would be a very positive thing.

As Kieren points out, if you run a controlled registry you can use all the technical measures available to avoid phishers etc., and if you back that with the marketing spend available to banks then people might eventually learn.

It's not the craziest TLD proposition I've heard and would probably get a lot more support than some of the other ones that are currently being proposed.

Michele

Re: ICANN Asked to Adopt Specific TLD for Banks Karl Auerbach  –  Apr 02, 2007 5:25 PM PDT

As I mentioned previously, the same level of care can be applied to applicants for .bank or for a subdomain of any of the existing TLDs.

But as was pointed out, because of the implicit assumption that ICANN will not allocate a TLD that would be visually confusing with .bank that it would be hard to perform a phishing attack at that level.

However, because that assumption is merely implicit it may not hold true over the course of time and changes (such as IDN names).
