- It’s a static solution based on today’s most common attack pattern, phishing attacks against bank customers. The perpetrators, however, could easily change their behavior. They will stick to phishing only as long as it is the cheapest working method. They can choose different victims and alternative methods.
- It protects, if at all, only from a small subset of the attacks known today. Companions of phishing are pharming and Trojan Horses, and a .bank TLD is not going to make any difference for them. Pharming means manipulating name resolution: the victim sees the expected .bank address, but network traffic is silently rerouted to a different site. Trojan Horses on a victim’s PC can, conceptually, manipulate anything.
- Who’s going to verify the address after all? We know that users largely ignore security indicators. If they didn’t, SSL would be the solution to most of our problems. The browser cannot do it either: it does not know the user’s intent, and it would need that in order to warn when the user tries to perform bank transactions on a site whose address does not end in .bank.
The .bank idea, like any other new TLD, is really just a business model. The Domain Name System (DNS) created a market for strings of characters. They are rented, not sold, guaranteeing a continuous revenue stream. To further increase revenue, however, one needs to produce new strings along with compelling reasons to buy them. That turns out to be hard, since technically nobody needs more than one of them. One approach is to open a new TLD, hoping that businesses will rent their own name in this TLD as well in order to protect it. Another, illustrated by .bank, is to accept that one domain name is enough but raise the price for that one.