A recent press release from F-Secure again urges ICANN (Internet Corporation for Assigned Names and Numbers) to introduce a .safe top-level domain to be used by registered and verified financial institutions. The call comes as the UK payments association (APACS) released data showing that compared to the first six months of 2005, online banking fraud had increased by 55% in 2006. At the same time UK credit card fraud is in decline. Over 17 million people in the UK now bank online and that figure is set to continue rising over the next few years. The trend is similar in other countries.
But would introducing a new top-level domain really prevent phishing? Chief Research Officer at F-Secure Mikko Hyppönen says, “While a .safe domain name won’t prevent phishing attacks, it will help banks and security providers to keep their customers safe… Banks need to take on some of the responsibility for protecting their customers and using a secure domain name such as .safe will give customers the reassurance they need when banking online.” He continues with, “Right now, customers have no good way of automatically being able to tell whether or not a bank website belongs to the bank.”
To be honest, I’m not sure I agree with this at all. Sure, simply looking at the URL doesn’t guarantee that the site is not a fake, but then surely even a .safe domain could be spoofed with DNS cache poisoning tricks etc. If online banking customers simply check the SSL certificates before logging in to their online banking website, then they can be sure that the website belongs to their bank.
Would a new top-level domain really improve online banking security? What do you think?