A Domain You Can .Bank On? - So Would it Really Stop Phishing?
(Page 4 of 4)
If stopping phishers from committing successful scams is the true goal, would a .bank domain help achieve this goal? That’s difficult to say. If we’re trying to make sure that web sites are safe, secure, and don’t lie about what they are, then there may be some evidence that strictly limiting access to certain top-level domains is an effective approach. The Register cited “a recent study based on results from SiteAdvisor, a free ‘safe searching’ tool from McAfee that catalogues and warns users about unsafe sites.” The only tested domain for which SiteAdvisor found no risky sites was .gov.
Okay, putting any “Trust me, I’m from the government and I’m here to help you” jokes aside, a .gov suffix is available ONLY to government institutions. In the U.S., registration of .gov domain names is handled through the General Services Administration, which charges a yearly fee of $125 for a .gov domain name. Other countries have their own procedures. Not everyone qualifies; the registration process is laid out on the General Domain Registration and Services web site, and RFC 1480 gives you more information about the policy than you can shake a mouse at.
That said, strictly limiting the use of the .bank domain to financial institutions offers no guarantees to web surfers. A phisher could send an email containing a link that looks like a legitimate bank URL, .bank and all, yet is set up to redirect to the phishing site. In that case, security comes down to the web surfer once again: they must notice both that the link has redirected the browser and that the URL at which they have arrived does not match the one they thought they were going to visit.
CastrTroy on Slashdot expressed this point very well: “As long as people continue to click on links they get in emails, and not verify that they are actually at their bank’s website, then there’s going to be problems with phishing. It doesn’t matter if the url ends in .com, or .ca, or .safe, or .xxx. If you’re clicking on links in emails and getting scammed, then changing the domain name won’t help anything. I’m surprised there’s not more worms out there that change your hosts file, to show you a phishing site when you type in the actual url of your bank. I guess it really is that easy to get somebody to click on a link in an email, because they haven’t resorted to more complicated methods.”
There’s the answer right there. It’s possible that .bank could be a step in the right direction. But it’s not going to work at all without a major information campaign aimed at educating Internet users about what they need to do – and avoid doing – to keep themselves safe and secure online.