Masters of Their Domain

Online banking fraud is rampant because it's easy. Here's a fix that will mean money in the bank.

By Mikko Hypponen

October 13, 2009, 2:38 PM

Computer security is a complex issue, and there is no simple cure-all. But one thing that continues to baffle me is the way we bank online. Think about the Web address of your bank. It probably ends in one of the common top-level domains: ".com" if you're in the United States, or, depending on your home country, in something like ".uk," ".de," ".jp," or ".ru." Which is why Web sites with such names as "bankofamerica-online.com," "lloydstsb-banking.com," "hsbc-login.com," or "paypalaccount.com" are so dangerous. They may look like the real thing, but they're operated by criminals. And these rogue banking sites are popping up every day. Hosted on Web sites with misleading names that read like a real bank's Web address, the domains are registered with fake contact information. These impostors then bombard consumers with "phishing" e-mails, luring them to these sites, where their financial information is stolen.

Computer security is a complex issue, and there is no simple cure-all. But one thing that continues to baffle me is the way we bank online. Think about the Web address of your bank. It probably ends in one of the common top-level domains: ".com" if you’re in the United States, or, depending on your home country, in something like ".uk," ".de," ".jp," or ".ru." Which is why Web sites with such names as "bankofamerica-online.com," "lloydstsb-banking.com," "hsbc-login.com," or "paypalaccount.com" are so dangerous. They may look like the real thing, but they’re operated by criminals. And these rogue banking sites are popping up every day. Hosted on Web sites with misleading names that read like a real bank’s Web address, the domains are registered with fake contact information. These impostors then bombard consumers with "phishing" e-mails, luring them to these sites, where their financial information is stolen.

How does this happen? At the moment, anyone willing to pay the fee of $5 or so can register any domain name they want, as long as the name is not already taken. So creating these look-alike pages is fast, easy, and cheap.

Why do banks and other financial institutions operate under the public top-level domains, like .com? The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason — something like ".bank," for example.

Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000 — making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.

The creation of a new domain for a specific industry is not unprecedented: We’ve already done it for museums, with their restricted ".museum" top-level domain. If we can manage to protect storehouses of precious works of art from the Internet’s most shameless thieves, surely we can find a way to protect our money.

Mikko Hypponen is chief research officer at the Helsinki-based F-Secure Corp.