Tuesday, May 08, 2007

phishing solution, .bank tld, Riiiiiiiiight!

Mikko Hyppönen, Chief Research Officer of F-Secure, publish an article entitled "Masters of Their Domain" (with /. coverage), suggesting a phishing solution that says financial institutions should be served from a reserved .bank tld. Oh, and also that it would be expensive ($50,000) in order to keep phishers away. The logic goes that users would be assured that .bank sites are safe and to conduct business with. OK, leaving aside browser vulnerabilities, potential flaws in the domain registration system (like the SSL Cert system), and website vulnerabilities .... you can't be serious!?!?

The users who are getting phished are not those analyzing the domain name in the URL, reading the SSL Certs, or even double checking links before they click. The users who are getting phished are the same ones who would ignore a big red banner on the page that says "THIS IS A PHISHING WEBSITE!" And statistically thats A LOT of people and a .bank tld isn't going to help them.

We really need a place on the Web where stupid ideas go to die. I bet I could donate several of my own.


Will Stranathan said...

While I think the 50,000 USD is a little bit arbitrary and might eliminate some smaller firms from being able to participate, and that it's by no means a complete solution, and that you're right, people won't check the domain anyway, and that for those who do, you'd still better not have any XSS.......

Does it not being a complete solution mean we shouldn't do it at all? I have two questions:

1) Does it make the problem worse?
2) Can it make the problem better?

Andy Steingruebl said...

If you read the recent paper on Sitekey and how it was broken and some of the other studies that people simply ignore the picture they've chosen, what makes anyone think people would pay attention to the domain name of the site?

Maybe we could modify IE and Firefox so they won't let you enter something that looks like a username and password if the site doesn't have an EV-Cert? :)

Seriously - let's see how many stupid ideas we can come up with that don't actually improve security but make people feel good.

Though I suppose if you look at the TSA maybe thats the whole game. Making people think there is security so they stop worrying.

Anonymous said...

I expressed similar arguments in a blog post from earlier this week. I totally agree this isn't the right approach...

raknak said...

I'm agreed that it's not complete.

What if there were also browsers that were updated to do the inspection of these items that most users don't (in a more convenient and user friendly way than browsers do it today). Would it help? That way the person who was clueless but knew they were clueless might have a option that would work for them.

Anonymous said...

I find it hard to believe that this suggestion came from a security expert. As another comment suggested a little XSS would defeat the whole thing. Also, users will still fall the hidden link where the text of the URL says something like www.mybank.bank while the a href points to something else like an IP number. They're use to major websites redirecting them to other URL's. The whole idea is silly.

Tokens or one-time password sheets would be much better even though they're susceptible to man-in-the-middle attacks.

John @ http://NIST.org

Jeremiah Grossman said...

@Sylvan: "Does it not being a complete solution mean we shouldn't do it at all? I have two questions:"

Certainly not. Incomplete solutions are fine if they supply a "good-enough" amount of value for the trouble it takes to implement them. In this case, I don't think so.

1) Does it make the problem worse?

It could potentially, but I would be heavily theorizing.

2) Can it make the problem better?

I HIGHLY doubt it.

@Security Retentive: As fas as the TSA goes, there job is make people "feel" safe, with Phishing scams, thats more of a day-to-day scam that needs to be handled differently. I take your meaning though. :)

@raknak: If all we're talking about is having GUI access to help the user make an informed decision, we have that power already. The new anti-phishing interface stuff in FF and IE7 are little more than nuisance to pishers. Clueless is clueless, and that who is getting phished. Its the whole click to do evil syndrome.

Anonymous said...

Ugh...OMG... yeah right on. That's seriously the worst idea I have seen this year.

Ronald van den Heetkamp