A warning issued this week about a fake banking website highlights the need for stronger domain-naming practices, especially in the financial space.
Once visited, the HelpWithMyBank.com URL directs users to a legitimate consumer information site, HelpWithMyBank.gov, attempting to convince users they are connecting to a legitimate site, according to the OCC. But connecting to the fake site before the redirect is believed to expose consumers to malware.
Doug Johnson, vice president and senior adviser of risk management policy for the American Bankers Association, says so-called typo-domains or domains that claim to offer legitimate consumer information in attempts to fool consumers into clicking malicious links are not new. "We have seen them from time to time, even purporting to be ABA," he says.
The problem is that there is little the banking industry can do to prevent these types of sites from cropping up. It's relatively easy for fraudsters to register malicious sites under existing Domain Name System, or DNS, standards.
Dave Jevans of the Anti-Phishing Working Group says anywhere from 2,000 to 4,000 fake websites could be online on any given day. "Fake websites continue to be a big problem," he says. "Many are used in phishing and spear-phishing campaigns."
The .bank Movement
Earlier this year, the ABA and BITS, the technology policy division of The Financial Services Roundtable, announced plans to get more involved in steps to protect the image of banking entities by working to regulate how sites affiliated with financial institutions and financial-services providers are registered. Generic Top Level Domains, also known as gTLDs, aim to offer more room for domain-naming innovation and brand-building. [See Banking on .bank for Security.]
"One of the advantages of the financial Top Level Domains [the] ABA and BITS are supporting will be higher levels of security," Johnson says. "These additional measures that are proposed for .bank would create a more protected environment," and could help protect consumers from being fooled into visiting malicious sites like HelpWithMyBank.com, he adds.
In cooperation with VeriSign Inc., an Internet infrastructure services provider, the ABA and BITS are exploring the possibility of being the gatekeepers in charge of managing and operating future bank-branded or financially affiliated domains. The two organizations are now working to establish an independent entity that will serve as the overseer of approved financial and banking domains.
The Internet Corporation for Assigned Names and Numbers, or ICANN, will accept applications for gTLDs between January 12 and April 12. At the end of that application period, the ABA and BITS expect to have a financially focused domain in place for banking institutions to use.
If BITS and the ABA are granted the ability to manage domains affiliated with bank brands and/or financial interests, generally, how the management and operation of those domains would be carried out remains to be seen. And no action is likely to gel until 2012, after the first approved gTLDs are set to launch.
"There seems to be the most interest in .bank, so that's been the primary focus right now," says Craig Schwartz, general manager for registry programs at BITS. "One of the aspects of .bank that will distinguish it from other TLDs relates to the security policies that will govern how it's operated. The problem in the .com space is that it's pretty much a free for all. If you go to a typical registrar like GoDaddy, for instance, you can buy any available domain name without having to prove you're legitimate."
Under the gTLD system, a site like HelpWithMyBank.com would not be approved for .bank use. "There would be an approval process," Schwartz says. "So you won't be able to register a fake site. ... With .bank, it will have more strict registration policies, so it will be a much smaller space than the common .com TLD is now. Having fewer names will make it safer."
But Jevans says the .bank gTLD won't solve all website security concerns. "It is highly unlikely that any banks will move over to .bank and abandon .com," he says. "There is just too much brand equity and ingrained customer behavior around .com domains. So, you can be sure that fake bank websites in .com, .info and all the hundreds of other TLDs will continue."