Analysis: Will '.bank' Enhance Security?
Experts Say .bank Will Be Difficult to Spoof
Those advocating the use of the ".bank" top-level domain contend that it offers better security than the ".com" domain now used by banks.
That's because only companies that have been vetted by ICANN and fTLD Registry Services, which was chartered by the banking industry to oversee the security and trust of the .bank and .insurance TLDs, can register for the .bank name, says Craig Schwartz, managing director of fTLD Registry Services, in this first part of a two-part interview with Information Security Media Group about top-level domains.
Besides, launching a .bank domain is not cheap, Schwartz adds. Banking institutions will have to fork over roughly $1,000 to $2,000 for a .bank URL. Those fees are not intentionally inflated, he says. But because of the heightened security measures baked into .bank, the expense of services is greater, Schwartz points out.
"The cost certainly makes it a much less attractive place for bad actors, especially when there are other top-level domains out there that you can register for under $10," he says.
Doug Johnson, who oversees cybersecurity, business continuity, resiliency policy and fraud deterrence for the American Bankers Association, says the financial services industry is taking steps to ensure that .bank builds trust in the online banking system.
"When customers [logging in to a .bank site] get a communication from their financial institution, the level of email communication authentication is such that they can have a high level of trust that that communication is coming from the financial institution," Johnson says. "That type of capacity is just not available to us in .com."
For example, because registration of a .bank domain requires heightened scrutiny, it cannot be easily spoofed by domain squatters or others who buy similar-looking domain names to try to fool consumers, Johnson says.
In fact, Johnson says the ABA initially recommended against the implementation of financial domains by ICANN, the Internet Corporation for Assigned Names and Numbers.
"There was a potential for customer confusion associated with those domains," he says. "But then, once it became clear that those domains were going to be deployed, we pulled together a group of individuals and companies to come up with a recommended set of security standards to have mandated within those financial domains. And we provided them to ICANN, and recommended that those security requirements be mandated for any highly sensitive domain."
During this interview, Schwartz and Johnson also discuss:
- How fTLD Registry Services was established as an industry watchdog for .bank;
- Why the fees associated with .bank registration are higher than they are for other TLDs;
- Why the industry wants to ensure .bank is vetted; and
- The status of adoption of the .bank domain among U.S. banking institutions.
In part two of the interview, Schwartz, Johnson and Dave Jevans of the Anti-Phishing Working Group discuss vulnerabilities being exploited in top-level domains, and how the financial services industry is proactively mitigating these risks with .bank.
Schwartz began work on fTLD's efforts in July 2011. He is responsible for developing the organization's strategic response to ICANN's generic Top-Level Domains Program and leads the team in achieving fTLD's mission and objectives. Schwartz previously spent five years with ICANN, where he served as chief gTLD Registry Liaison.
Johnson leads the ABA's enterprise risk, physical and cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues. Johnson also serves on the BITS/Financial Services Roundtable Security Steering Committee.