A new domain to combat phishing
OUT-LAW Radio, 24/05/2007
We hear from a leading light in the security industry on a
planned top-level domain that aims to scupper phishing attacks.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio the weekly podcast that keeps
you up-to-date on all the twists and turns in the world of
technology law. Every week we bring you the latest news and
in-depth features that help you to make sense of the ever-changing
laws that govern technology today.
My name is Matthew Magee, and this week we talk to one of the
top men at F-Secure who has a plan that could make online banking
safer for all of us.
But first, the news:
- European Commission proposes anti-ID theft law;
- Google wins thumbnail image copyright dispute; and
- new European litigation agreement skirts defamation
controversy
The European Commission is considering new legislation against
identity theft. The proposal is contained in a just-published
policy on EU-wide plans to fight cybercrime.
The European Commission's policy on fighting cybercrime in
Europe is the product of many years of consultation and focuses on
greater co-operation between European police forces.
Though the Commission said that it did not believe that new
legislation would be useful at this stage in stopping the fast
growth of cybercrime, it said that it will consider anti-ID theft
laws later this year.
Overall, the Commission said that its cybercrime fighting
policies would depend on improved co-operation and communication
between law enforcement bodies across Europe.
A US court has ruled that Google's creation and display of
thumbnail images does not infringe copyright. It also said that
Google was not responsible for the copyright violations of other
sites which it frames and links to.
The US Court of Appeals for the Ninth Circuit overturned a
preliminary injunction that was imposed against Google in March.
But it left some significant questions open, and sent them back to
the lower court to be ruled on there. That court must decide
whether or not Google was given sufficiently specific notice of
infringing images and whether or not it should have taken them
down.
The case had been taken by Perfect 10, a subscription internet
service whose business is selling access to pictures of nude
models. It had alleged that Google's Image Search service infringed
its copyright in those pictures.
The wording of a new European law controlling where cross-border
disputes can be heard has been agreed by two warring EU government
bodies, but only after the most controversial part of the new law,
known as Rome II, was set to one side.
The European Parliament and the Council of Ministers have been
in dispute since 2003 over rules that would govern what court
should hear disputes where no contract is in place. Typical
disputes are traffic accidents, product liability, environmental
damage and defamation.
Privacy and defamation have been the focus of disputes between
the bodies but the agreement skirts that issue; it has been
excluded from the agreement altogether and will form part of the
"review" to be conducted at a later date.
The European Commission has been asked to produce a study on the
defamation issue by the end of 2008.
That was this week's OUT-LAW news.
When someone says they have been a victim of a phishing attack –
with a p-h – they don't mean they have been punched by a trawler
man who can't spell. What they probably mean is that someone has
emailed them pretending to be their bank and has directed them to a
fake online banking website.
There, they make you type in your username and passwords which
they record and use at the real bank site to clean you out.
It is a massive and growing problem, but Mikko Hypponen, the
chief research officer from Finnish information security firm
F-Secure, thinks he has an answer: a new internet domain reserved
only for banks, called ".bank".
A domain would cost thousands rather than just a handful of
dollars, and an applicant's credentials would be fully checked out.
It could, he says, put a serious dent in the number and seriousness
of phishing attacks.
First, Hypponen told OUT-LAW Radio what the problems are with
.com addresses. It all starts with domain names that appear as if
they should belong to banks, but don’t:
Mikko Hypponen: Domains like
PayPalLogin.com or BankofAmericaverification.com, these are
registered with big names, non-existent addresses and typically
stolen credit card numbers. The problem is because of the way .com
works and has always worked, nobody bothers to check out who you
are and if your data actually checks out. If you are paying with a
valid credit card you get the domain, it's yours and of course what
they are doing next is that they set up a fake bank website on that
domain name and then send out phishing emails redirecting people
there and since the transfer is realistic and the domain looks okay
people fall for it.
No matter how many reminders, threats or guides that banks send
out about odd-looking emails that seem to be from them, people are
still being scammed in their thousands. Hypponen says a radical
solution is required.
Mikko Hypponen: We are not going to be
able to fix this with .com. It’s way beyond the stage where it
could be fixed so why not set up totally new top level domain like
.bank or .safe, .secure, something like that where you
couldn’t just get any domain? If you want, let's say, Citibank
domain, you have to be Citibank and they will double check that you
really are who you claim to be and they will double check that your
registration data and address are valid and really exist which
would result in a situation where if you see a domain like
www.citi.bank you would know that this is the real domain, this
belongs to who it looks like it belongs because no one else can get
it.
A dedicated domain would help online banking users to avoid
dodgy fake bank sites, but could also prove a boon to the computer
programs that check all the world's emails for spoofing, phishing
and fraud.
Mikko Hypponen: This system of having a
secure trustworthy top level domain wouldn’t just be there to
benefit the users, it would also help the work of security
companies like ours and it would help security programs like
anti-phishing tools and anti-phishing filters work. For example a
phishing filter sees an email which talks about banks things and
accounting and has key phrases like please log in and there is a
link to a site, and it's linked to a .bank site, well then this part
is real because it’s a real domain and it's then true. If it's
something else then it's suspect.
Domains would cost up to $50,000 a time, partly as a
disincentive to fakers and partly to pay for the checks and
administration involved in making sure that an applicant for a
domain was a legitimate financial institution.
There are problems, though, that Hypponen's proposal would not
solve. A bank may well operate a .bank domain, but they are very
unlikely to stop operating their .com one. Customers who habitually
use the .com address will still be vulnerable to .com-based
phishing. Hypponen recognises his plan's limitations.
Mikko Hypponen: It would help for the
users who care about the URLs and who know how to read the URLs but
the vast majority don’t have the skills and they wouldn’t know the
difference in any case. So that’s not really the main point of the
whole thing. My main point is, do we think that we don’t really
need a top level domain where we could actually trust the
information on who says it's registered to, because right now we
don’t have a system like that. Anybody can register any available
domain for five bucks and claim to be anyone else and register
a fake name or the wrong organisation’s name and that’s okay. So do
we really think we don’t need a system where we could trust the
information on the domain names. There are people who start to poke
holes into it immediately because it wouldn’t be a cure-all, it will
not take away phishing as a problem, and like we discussed it
won’t, it will solve a particular subset of the problems and it
would help solving the rest of the problems but we would still have
phishing as a problem. There are commentaries out there opposing
the idea because it wouldn’t fix the problem once and for all but
I’m afraid we will never be able to find a solution that would fix
this problem once and for all.
Another problem is that domains can be 'spoofed', which means
that people who don't own a .bank address could make it seem as
though they do. Again, Hypponen says that his plan is not a
catch-all solution.
Mikko Hypponen: There are ways to do that
and a very typical way we actually see being used in phishing email
today is for example if they wanted to spoof you to go to Barclays
for example, the URL would be
www.barclays.co.uk.something.something.com so it will look to you,
it looks, it says, www.barclays but it actually continues so the
real domain is something.com and there just are sub-hosts in the
domain name that makes it look like a real domain and even if we
have the new top level domain system like the one we are now
suggesting, this problem would still be there.
The body in charge of top level domains is ICANN, which would
need any proposal to be sponsored by industry. Hypponen thinks that
it would be more appropriate if it were sponsored by the banking
industry than the security one, so the idea has some way to go yet.
Hypponen says he just wanted to get the plan off the ground.
Mikko Hypponen: What we are really doing
right now at this stage is to ring the bell and wake different
parties up and see if they agree with us that this would be a good
idea and then try to find someone to take the ball and take it to
ICANN and get this done.
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW Radio? Do you have a
technology law story? We'd love to hear from you on radio@out-law.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW Radio was produced and presented by Matthew
Magee for international law firm Pinsent Masons.
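As an added illustration that is not part of the broadcast and not F-Secure's own tooling, the following Python sketches the two filter rules Hypponen describes: a link under the proposed vetted .bank domain is treated as trusted, and a link whose hostname carries a bank's name in a position that bank does not control (the www.barclays.co.uk.something.something.com pattern) is flagged as a lookalike. The brand-to-domain table, the two-label suffix list and the sample email are constructed assumptions; a production filter would use the full Public Suffix List and a verified list of each bank's domains.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed: public suffixes that span two labels. A real filter would load the
# full Public Suffix List; this short set only covers the sample hostnames below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed: brand keyword -> registrable domains the brand is assumed to own.
# Illustrative assumptions only, not verified bank data.
BANK_BRANDS = {
    "barclays": {"barclays.co.uk"},
    "citi": {"citibank.com"},
    "paypal": {"paypal.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# The vetted top-level domain proposed in the interview (assumption: the registry
# has verified every registrant, which is the premise the filter rule relies on).
TRUSTED_TLD = "bank"

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def hostname_of(url: str) -> Optional[str]:
    """Extract a lower-cased hostname, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the registrant actually controls.

    Everything to the left of it is a sub-host the registrant may name freely,
    which is how 'www.barclays.co.uk.something.something.com' is built.
    """
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'legitimate', 'lookalike' or 'unknown' for one link."""
    host = hostname_of(url)
    if not host:
        return "unknown"
    labels = host.split(".")
    # Rule 1 (the proposal's premise): a .bank link belongs to a vetted bank.
    if labels[-1] == TRUSTED_TLD:
        return "trusted"
    owner = registrable_domain(host)
    # Rule 2: a bank's name anywhere in the hostname must be backed by a
    # registrable domain that bank really owns; otherwise it is a lookalike.
    for brand, real_domains in BANK_BRANDS.items():
        if any(brand in label for label in labels):
            return "legitimate" if owner in real_domains else "lookalike"
    return "unknown"


def scan_message(text: str) -> Dict[str, str]:
    """Classify every link found in an email body."""
    return {url: classify_link(url) for url in URL_RE.findall(text)}


def message_verdict(text: str) -> str:
    """Collapse per-link verdicts: any lookalike link makes the mail 'suspect'."""
    verdicts = set(scan_message(text).values())
    if "lookalike" in verdicts:
        return "suspect"
    if verdicts and verdicts <= {"trusted", "legitimate"}:
        return "clean"
    return "review"


# Constructed sample email, modelled on the pattern described in the interview.
SAMPLE_EMAIL = """Dear customer, please log in to verify your account details:
http://www.barclays.co.uk.secure-update.example.com/login
Alternatively use https://www.citi.bank/ or https://www.barclays.co.uk/."""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {url}")
    print("message verdict:", message_verdict(SAMPLE_EMAIL))
```

The ordering of the rules matters: the .bank check runs before the brand check, so www.citi.bank is accepted on the strength of the registry's vetting rather than the brand table, while a .com hostname is judged only by who controls its registrable domain. Note that this sketch does nothing about the second limitation Hypponen raises: a victim who never looks at the URL gains nothing from it, which is why it belongs in a mail filter rather than in the user's hands.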