Slashdot linked to an interesting story today about a possible foolproof way to end bank account phishing. I think it's a step in the right direction, but I don't think it would be a surefire way to prevent them.
For those of you who aren't sure what bank account phishing is, have you ever gotten one of those emails from a bank, probably one that you don't even have an account with, asking you to click a link in the email and provide some information for update purposes? Most of them use really official-looking HTML emails with valid logos and images from the site they're spoofing. They have usually hacked the site of some innocent company or individual and are using it to sucker you into entering information. A couple of days ago I got one from 'Bank of America'. The URL was http://www.24hourinkjet.com/www.bankofamerica.com/onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/sessiondid=2335454893_…. So it looks sort of official. Unfortunately, when I went to http://www.24hourinkjet.com to alert them, I was greeted with an expletive-laced web page indicating that the hacker was proud of what he had done.
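The trick in that URL is that the bank's name sits in the path, while the host the browser actually connects to is the hacked site. Here is an added example (not from the original post) of a small check that parses a URL the way a browser does and reports where the brand name really sits; the allow-list of bank domains and the sample URLs are constructed for the example, with the first one modelled on the URL quoted above minus its session tail.

```python
from urllib.parse import urlsplit

# Assumption: a short allow-list of bank domains we expect to be the real host.
KNOWN_BANK_DOMAINS = {"bankofamerica.com"}

# Constructed sample URLs for the example (the first mirrors the post's URL shape).
PHISH_URL = ("http://www.24hourinkjet.com/www.bankofamerica.com/"
             "onlineid-sessionload/cgi-bin/sso.login.controllernoscript=true/")
GENUINE_URL = "https://www.bankofamerica.com/onlineid/"
USERINFO_URL = "http://www.bankofamerica.com@www.24hourinkjet.com/login"


def _host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> dict:
    """Report the real host of a URL and why it may be impersonating a bank.

    Only the hostname decides where the request goes; a brand name in the
    path, in the userinfo before '@', or inside a longer host is a red flag.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    user = (parts.username or "").lower()
    reasons = []
    for domain in KNOWN_BANK_DOMAINS:
        if _host_matches(host, domain):
            continue  # genuine host for this brand; nothing to flag
        if domain in path:
            reasons.append(f"{domain} appears in the path, not the host")
        if domain in host:  # e.g. bankofamerica.com.example.net
            reasons.append(f"{domain} is embedded in a different host")
        if domain in user:
            reasons.append(f"{domain} appears in the userinfo before '@'")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (PHISH_URL, GENUINE_URL, USERINFO_URL):
        print(sample, "->", classify_url(sample))
```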
If you are traversing the 'blogosphere' then you are probably smart enough to avoid phishing attacks, but a huge amount of the online population probably is not. I think of my grandparents. They don't do a whole lot online. I only signed them up for a WebTV account a couple of years ago so they could keep up with the family abroad using emails. If they happened to get a phishing attack email from a bank they actually deal with, they'd probably go right to the link and enter their info. It's unfortunate, but the phishers do this for a reason – they obviously land some 'phish'. So it's important to come up with countermeasures. I like the general idea that Mikko offers, but you can't take the ignorance out of the internet user.
I'm no internet security expert, but I have opinions on the matter. The first problem with this is the 'ignorant human' one. For instance, my grandparents wouldn't know the 'rule' about only giving your bank information to a site at a *.bank domain name. Second, as the 24hourinkjet.com example I posted above makes apparent, the *.bank sites have to be hackproof. Certainly today the major banks are very secure, but I'm guessing that if this idea went through then every small bank and credit union would need to get a .bank domain name. The fact that they'd be spending a large part of their normal annual software/IT budget on a domain name means they would have less to spend on stuff like paying a decent hosting service (i.e. one that is actually secure) or paying an admin who knows how to secure against such attacks. Plus, I'd hate to see the small banks and credit unions forced to spend that kind of dough on a domain name, effectively hurting their ability to compete with 'the big boys'.
I definitely think this is a step in the right direction, but I would say that the 'cost' of the .bank domain name cannot be the barrier to entry. To me, the barrier to entry should be some form of proof that the applicant is actually acting in the interest of a bona fide financial institution. I can't offer a solution other than some governing body (warning – possible ruination of the entire point) that decides which applicants are worthy of the .bank domain name.