Home / Blogs

Phish or Fair?

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
John Levine

It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook.

Mail authentication schemes like DKIM and the new dmarc.org group use cryptographic signatures to help authenticate mail and prove that it really is from who it purports to be from. So, if the mail can authenticate the sender, the phishing problem goes away, right?

Unfortunately not. One huge problem is that even if you have all the crypto stuff so you can be 100% sure that a message really is from, say, BANK-AMERICA.COM, you don't know whether BANK-AMERICA.COM is actually your bank or not.

I've made a little game called Phish or Fair. It shows you a domain name, you guess whether it belongs to Bank of America. Try it out and see how you do.

Then see if you can figure out why a bank would use over a thousand different domains. My example here is Bank of America, but they're no worse than other big banks; I picked them because their name is easy to search for.

If banks were serious about phishing, they'd pick one name, one domain, and use that consistently. But they don't.

PS: BANK-AMERICA.COM belongs to some guy in France.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybercrime, Domain Names, Email, Cybersecurity

 
   

Comments

Not "little". The Famous Brett Watson  –  Feb 07, 2012 9:19 AM PDT

That's not a "little" game: I called it quits with 105 right, 0 wrong.

For all its untrustworthiness, WHOIS is still great for cheating on tests like this — and this is one of the few tests on which I recommend cheating as much as possible.

Really "great"? Alessandro Vesely  –  Feb 08, 2012 1:51 AM PDT

If WHOIS is such a great tool, why don't registrars like MarkMonitor put it somewhat more prominently on their web site, possibly explaining what can it be useful for?

Stupid Unnecessary Domain Names Daniel R. Tobias  –  Feb 07, 2012 7:03 PM PDT

It's all those idiot marketing types, at banks just like other businesses, that insist on using a zillion different domains for every marketing gimmick.  Line the marketing people against a wall and execute them by firing squad, then change the bank's web structure to use logical subdomains of their one main domain.

Maybe The Famous Brett Watson  –  Feb 08, 2012 2:54 AM PDT

It's hard to tell in this case, just by looking at the domains, as to whether they were registered with marketing intent, or registered by others then seized with the force of law (and held in perpetuity so it won't happen again). Some of them are clearly the latter kind; others, not so much.

It's also not clear whether "using a zillion different domains" is intrinsically a bad idea, particularly for a large organisation. This can be used to produce an illusion of choice. There may be so many brands in a given market that the consumer limits his evaluation to a small number of prominent ones. Under those conditions, a seller is at an advantage if he floods the market with brands, none of which are obviously related to each other. In this way, a consumer may decide to evaluate five "separate" brands, not realising that three of them are just different entrances to the same shop.

Marketing deals with people's perceptions and desires, and is thus far removed from structure and logic.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Better Late than Never: ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web