4 Online Security Reasons for '.bank'

New DNS Initiative Gives Financial Services More Web Control

It's been a year since the financial industry started talking about .bank - a generic Top Level Domain that aims to offer banking institutions, and consumers, more secure ways to interact and transact online. (See Banking on .bank for Security.)

Now, the American Bankers Association and The Financial Services Roundtable are moving forward with efforts to become the domain registrar of the .bank gTLD for websites.

On June 13, the Internet Corporation for Assigned Names and Numbers, the overseer of the gTLD movement, is slated to reveal the entities that have applied to manage certain domains, like .bank. By the end of the year, the ABA and Roundtable should know whether they've been approved to manage the new domain.

Craig Schwartz, who is overseeing the gTLD initiative for the ABA and the Roundtable, says in addition to .bank, the two groups also have applied to manage .insurance. "Because insurance takes a lot of personal information online from consumers, in a way similar to banks, we thought it made sense to pursue it," Schwartz says.

The ABA and Roundtable initiative has been endorsed by the Australian Bankers' Association, American Bankers Insurance Association, British Bankers' Association, European Banking Federation, Independent Community Bankers of America, the International Banking Federation and numerous financial-services institutions.

Backers of the new gTLD system say it will enhance online security by protecting consumers from spoofed websites, which often contain malware. If approved to manage .bank and .insurance, the ABA and Roundtable plan to take a variety of security steps, including carefully vetting applicants.

In 2008, ICANN introduced its plan for gTLDs, based on the notion that the new naming system would offer more room for domain-naming innovation and brand-building on the Internet.

"With the limited availability of .com domain names, some companies may opt to become early adopters of new TLDs to satisfy their marketing needs," says the Internet Corporation for Assigned Names and Numbers, better known as ICANN, in a summary about its gTLD program. "There will also be opportunities to apply for community and geographic top-level domains, such as .city, .brand, and .blog."

Within the next 30 to 60 days, Schwartz says the ABA and the Roundtable expect to announce the creation of a new business entity that will oversee the domain registry initiative. This entity, which will set the rules for .bank and .insurance domain registration, will have a board of directors that will oversee business operations. The name of the business will be announced next week, Schwartz says.

The initiative is moving quickly. By late 2013, .bank and .insurance domains could already be in use.

What it Means for Banks

In the financial-services space, the .bank and .insurance domains, if approved by ICANN, will have to adhere to the 31 security standards outlined by the ABA and the Roundtable in December 2011.

If approved, any entity that wants to use the .bank or .insurance domains would have to be vetted by the ABA and Roundtable first. All financial-institution registrants must be chartered by their home country financial regulators, and any other financial entities would be vetted to ensure compliance with strict registration requirements.

"Consumers need to feel confident that when they go to a .bank or .insurance site, that a trusted third-party has vetted these domain names," said Doug Johnson, vice president of risk management for the ABA.

4 Keys to Heightened Security

Schwartz says the new system will enhance online security within the financial and insurance sectors by:

  • Calling for stronger vetting of domain-name approval;
  • Requiring multifactor authentication for banks and insurance entities that register;
  • Employing DNS Security Extensions for all .bank and .insurance sites; and
  • Ensuring stronger site encryption standards.

"We're developing a multilevel way for the users (the institutions) to prove who they are before they can request a domain name or make changes once the domain has been approved," Schwartz says.

By first authenticating the banking institution or insurance provider, the ABA and Roundtable can significantly reduce domain-name threats, such as website hijacking, Schwartz says.

DNS Security Extensions, a set of Internet Engineering Task Force standards created to address vulnerabilities in the DNS, call for coding domain names with keys that ensure URLs and sites match.

"It's basically coding a domain name with a key that assures that when you type in www.fsroundtable.org, for instance, that you actually get www.fsroundtable.org, because the keys match up," Schwartz says.

The use of DNS Security Extensions has become a more standard practice in the last year, but they are still not widely used by financial-services sites. ICANN requires that all domain registrars employ DNS Security Extensions. Going forward, the ABA and Roundtable are proposing that any institution that requests a .bank or .insurance domain also employ DNS Security Extensions on their sites.

The final advantage: stronger encryption standards for online communications, between institutions and their customers and members as well as within the institutions themselves. Many institutions are already moving in this direction, but the ABA and Roundtable suggest certain standards be set for users of .bank or .insurance.

"We will have a team together to audit that functionality," Schwartz says. "It's a long way out, but we will be providing auditing details. When a customer wants a .bank name, they will have to sign an agreement, and that agreement will be used as a way to audit individual registrants."

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
