20 May 2007

The .Bank Debate Part I

CU Industry 2 Comments

Here is the situation: F-Secure’s Mikko Hypponen has proposed that we fight phishing by creating a new Top Level Domain (TLD), called .Bank. One would have to prove that they are a legitimate financial institution to get one. Additionally, the domains would cost a substantial amount, such as $50,000, to prevent all but legitimate businesses from being able to afford one.

At a glance this may appear to be a great solution, but there are a number of problems. First, it still requires educating users to pay attention to their browsers. If users already watched their address bar we wouldn’t have a phishing problem in the first place, so relying on that alone would be nearly impossible. Even if users knew to look for ".bank" in the address, many would still be fooled by long URLs. For example, if your address is "wamu.bank," many users would be fooled by "wamu.bank.fake.ru" or "fake.ru/wamu.bank."
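To make the lookalike problem concrete, here is an added example (not from the original post) that runs the post's own sample URLs, plus the two from the comments, through a naive "does it contain .bank" test and a proper check on the rightmost DNS label of the hostname; the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs: the legitimate one and the lookalikes discussed
# in the post and comments.
SAMPLE_URLS = [
    "https://wamu.bank/login",
    "https://wamu.bank.fake.ru/login",
    "https://fake.ru/wamu.bank",
    "http://www.cu.com.yadayada.com/",
    "http://www.yada.com/www.cu.com",
]


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none.

    urlsplit separates the authority from the path, so the host of
    'https://fake.ru/wamu.bank' is 'fake.ru'; the '.bank' lives in the path.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def has_bank_tld(url: str) -> bool:
    """True only when the rightmost DNS label of the host is 'bank'.

    'wamu.bank.fake.ru' has 'ru' as its TLD, so it fails here even though
    'wamu.bank' appears inside it.
    """
    labels = hostname_of(url).split(".")
    return len(labels) >= 2 and labels[-1] == "bank"


def naive_contains_bank(url: str) -> bool:
    """The substring test a hurried user effectively performs by eye."""
    return ".bank" in url.lower()


def classify(urls):
    """Map each URL to (naive verdict, correct verdict) for comparison."""
    return {u: (naive_contains_bank(u), has_bank_tld(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLE_URLS).items():
        print(f"{url:40} naive={naive!s:5} strict={strict}")
```

Only the first URL passes the strict check, while the naive substring test also accepts both "wamu.bank" lookalikes, which is exactly the confusion the post describes.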

The second problem is that this method would not be more effective than Extended Validation (EV) SSL certificates, which already exist. This type of certificate is highly recognizable in modern browsers like Internet Explorer 7, which prominently display the name of the company that owns it:

[Image: SSL Certificates in IE7]

The owner of the SSL certificate, "Woodgrove Bank [US]," and the Certification Authority that issued the certificate are easily identified. I don’t see how ".bank" is any more effective than this. What do you think?

2 Responses to “The .Bank Debate Part I”

  1. dan veasey says:

    I agree completely. The EV SSL certificates are sufficient for any type of domain name. And the EV certificates are much more difficult to obtain, requiring much more documentation. Just for kicks, I applied for one this morning to see exactly what they require. I recently saw one of these certificates in action when shopping online. It really did catch my attention when the address bar turned red. I left that site before browsing any longer.

  2. CUInfoSec says:

    This is an interesting debate. I also do not think that by adding another TLD phishing would be reduced.
    This is like adding fuel to a fire. If people are already confused about domain names, i.e., http://www.CU.com versus http://www.cu.com.yadayada.com or even http://www.yada.com/www.cu.com, what makes them think that adding another TLD would help? By adding another TLD things could only get worse and more confusing for our members. Let’s use the technology that is already in place and make more efforts to educate members to combat this problem.
    EV SSL certificates
    And Secure Science has some products out there that can help with phishing also. http://www.securescience.net
