A new top level domain (TLD) for the banking sector – “.bank” – will begin making an appearance in our browsers and inboxes soon.
fTLD Registry Services is administering the .bank suffix which was made available to select banks in May and was made more widely available this week. It is one of hundreds of generic TLDs that were put up for sale by the Internet Corporation for Assigned Names and Numbers (ICANN).
Another TLD currently up for sale is .secure which may require identity validation to purchase.
Although it initially opposed the .bank TLD, the American Banking Association (ABA) is now firmly behind it, helping to set up fTLD and promote the new suffix.
The main selling point of .bank is its enhanced security features. Registrants will be expected to pay for this as the standard price for a two-year registration is reported to be in the neighbourhood of $1000 (£600). The cost is justified on the basis of the additional administrative overhead associated with vetting registrants and maintaining security.
The vetting process includes submitting organisational details including your regulatory ID number (if applicable), with all applicants vetted by Symantec.
A set of security requirements was developed by fTLD's Security Requirements Working Group and include:
- Mandatory verification and re-verification of charters and licences to ensure only legitimate banks are awarded domain names.
- Domain Name System Security Extensions (DNSSEC) to ensure internet users aren't being misdirected to malicious websites. DNSSEC is required of fTLD as the operator of .bank as well as its registrants, creating a chain of trust that is unique to .bank, fTLD said.
- Email authentication to control spoofing and phishing.
- Multi-factor authentication for any changes to registry data.
- Enhanced encryption for secure communications.
- Prohibition of proxy/privacy registration services to ensure full disclosure of domain registration information to expose bad actors.
Demand for .bank names has been high, according to fTLD, with more than 3000 domains requested in the past week.
However, this might be of more interest to American banks than European ones, as a casual browse of the www.register.bank website revealed that some key brands – including HSBC, Deutsche Bank, RBS, Worldpay, BNP Paribas, Barclay's and NatWest – had not reserved their domain names. However, given the vetting process, it's unlikely that domain squatters would get very far in trying to register these names.
The lack of take-up by major brands is recognised as a weakness of the .bank initiative. Doug Johnson, senior vice president of payments and cyber-security policy at the American Banking Association, said the adoption of .bank would be “a marathon”, not a sprint.
Another downside is introducing yet another TLD into the public consciousness and the titanic effort it will take to train billions of consumers how to recognise .bank suffixes.
“Of course, spammers and other cyber-criminals are past masters at the art of creating deceptive URLs,” Andrew Conway, security analyst at Cloudmark, told SCMagazineUK.com. “If .bank gains general acceptance, I expect to see phishing URLs that look like they are in .bank, but actually aren't. For example,
Conway added: “Success will depend on the banks themselves. If they are willing to adopt this new TLD and promote it to their customers as a way of avoiding fraud, then it will be a success. I think if one or two large banks adopt this and advertise it aggressively as the new secure way to do online banking, the others would follow suit, but a lot will depend on getting those first few adopters.”
Lawrence Munro, EMEA and APAC director of SpiderLabs at Trustwave, welcomed the introduction of .bank to protect against phishing attacks but warned it would not be a silver bullet. “Firstly, the TLD addition only seeks to protect users against attacks such as domain spoofing, typo-squatting and (spear)phishing campaigns, it won't actually improve the security of application code itself, in terms of vectors such as injection attacks that are still firmly placed within the OWASP top 10,” he told SC.
He echoed Conway's concerns about user education: “It will be interesting to see if this highlights the risk and is a tool to improve general online security awareness, or further confuses the public and causes an even greater issue.”
And he added that the industry will have to be very disciplined in policing the .bank TLD. “Continued, strict regulation on who can own the .bank domains should be at the top of the agenda and a living standard that's regularly updated will be key to responding to evolving threats,” he said.
Robert Holmes, general manager, email fraud at Return Path said that banking had suffered badly at the hands of cyber-criminals. “In the last year alone, it's dominated headlines with everything from millions of pounds lost to countless customer data breaches and as a result, trust has fallen to an unprecedented low,” he said.
He believes that .bank will revolutionise email communication for banks. “The mandatory implementation of DMARC (Domain-Based Message Authentication, Reporting and Conformance) the new domains require will ensure that spoofed attacks are blocked before getting to the inbox at some of the largest consumer mailbox providers in the world, including Gmail, Yahoo! and Outlook.com,” he said.
And he added: “While trust is fragile and will need to be built and nurtured over time, today is a major step forward in restoring vital trust in the banking industry and taking a stance against rising cyber-threats and attacks.”