Hacking attacks at major companies like Target and JPMorgan Chase have brought worries over Web security to the forefront. And while nothing is foolproof, the banking industry is trying to make it more secure and less confusing for consumers by eventually utilizing the domain “dot-bank,” a generic domain that the Internet Corp. for Assigned Names and Numbers, or ICANN, is set to release in mid-2015.
“We knew if we didn’t do something, someone else would,” says Doug Johnson, senior vice president for American Bankers Association, the Washington, D.C.-based trade group, about the industry’s move to secure a dot-bank domain. “If we didn’t control it as an industry, dot-bank would be less secure.”
Web thieves trick you into going to fake sites
There are many ways for criminals to trick Internet users into supplying their private information such as logons, passwords and Social Security numbers, but a common way is to set up a bogus website that looks like the real deal.
For example, the bad guys can create a Web page that appears identical to a bank and then trick users into logging in there instead of the real bank’s website. Without even realizing it, the consumer provides all their private information to the bad guys, and before they know it, their account is wiped out or their identity is stolen.
News of ICANN’s push to open all these generic domains has gotten the security world in an uproar and prompted the ABA and Washington, D.C.-based Financial Services Roundtable — another industry trade group — to act.
In a February 2012 report by Stamford, Connecticut-based market research firm Gartner Inc., a team of analysts said the move by ICANN would make phishing, spoofing and malware attacks against brand-name companies easier and detection much harder. In fact, Gartner predicted that by the end of 2014, use of new generic top-level domains, or so-called gTLDs, would increase the success rate of phishing attacks to 6 percent, up from 4 percent in 2011.
Dot-bank aims to create more secure Internet
“The initial pursuit of dot-bank and dot-insurance was to protect the industry from someone else operating in a way that was viewed negatively,” says Craig Schwartz, managing director at fTLD Registry Services LLC, the Washington, D.C., company that will operate the dot-bank and dot-insurance registries and ensure compliance with strict registration, use and security policies. “But what we are really looking to do with dot-bank is create a more secure and in time recognizable space on the Internet for institutions and their consumers.”
According to the ABA’s Johnson, the dot-bank domain will include 31 security measures that give it a higher level of security than other domains. Some of those measures include putting protections in place so that not just anybody can make changes to the domain and additional authentication measures to prevent users from being redirected to fake bank websites. It also will make it harder for scammers to create spoofed emails.
“We can’t make anything 100 percent secure, but we do believe the mechanisms that we will have in place will be able to withstand the attacks or attempts to do bad things,” Schwartz says.
Consumers will see a slow rollout
While not every bank in the country will embrace dot-bank as their second domain name, Johnson says many community banks, particularly, have expressed interest in using it. Johnson expects dot-bank websites to start rolling out in the second quarter of 2015. He says it will likely be a gradual adoption rather than every bank moving to the new designation on the day it becomes operational. After all, it’s going to take some awareness and education on the part of banks to get consumers to use dot-bank websites.
For consumers, the industry hopes dot-bank will provide them with another level of assurance that their personal data is protected. That’s particularly important these days, given the recent breach at JPMorgan Chase, which compromised the accounts of 76 million households and 7 million small businesses.
Dot-bank will provide more assurances
When consumers visit a dot-bank website, they can be assured that it’s an authentic bank, according to Schwartz.
“One of the key elements that makes it a more trusted place is the fact that we will verify the legitimacy of every organization that seeks a domain name,” Schwartz says. “They also can only have domain names that correspond to their trademark, trade name or service mark. The bad guys can’t come in and get BankOfAmerica.bank.”
While security is a big driver behind the push to adopt dot-bank, the new domain also will enable more innovation on the part of the banking industry. These days, consumers are pretty much trained not to believe any email or text they receive from their bank. Because of all the Internet scams perpetrated by fake banks, the banks, in turn, have shied away from communicating with their customers over the Internet or via instant messenger.
With this new domain, banks someday will be able to securely communicate with their customers via email or through other online tools, Johnson says.
Confusion may rule the early adoption
At the end of the day, the banking industry couldn’t sit back and do nothing. If it didn’t acquire that domain label for the industry, consumers would have an even tougher time figuring out what is legitimate and what’s a scam.
Still, Avivah Litan, a vice president and distinguished analyst at Gartner Research in Potomac, Maryland, is skeptical about the ease in which a transition will happen. In fact, she thinks having the dot-bank domain will serve to confuse consumers in the beginning.
“This will confuse consumers more than help them initially,” says Litan. “Even if someone is vetting the domain, they can still be spoofed. Anything can be spoofed.”