Mikko Hypponen suggests in an article that’s getting a lot of press (“Masters of Their Domain”) that banks get their own domain space, ‘.bank.’ He argues that this would make phishing harder, and suggests we could charge banks a lot of money for the domains.
I have three problems with this:
- Crooks are already investing in their attacks. If that money will have a high return, by convincing more people that the URL is safe, then crooks will invest it.
- Some banks, such as credit unions, can’t really afford $50,000 for a domain name, and so won’t have one. (Thanks to Alex at RiskAnalys.is, “.bank TLD, An Idea Whose Time Has Come?”)
- Finally, and most importantly, it won’t work. People don’t understand URLs, and banks create increasingly complex URLs. The phishers will make foo.bar.cn/.bank/ and people won’t understand that’s bad.
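To make the last point concrete, here is an added example (not part of the original post) that parses a URL the way a browser does and reports where ".bank" actually sits. The function name `locateBank` and every sample URL other than foo.bar.cn/.bank/ are constructed for illustration.

```javascript
// Added example: report where ".bank" sits in a URL.
// Only the last label of the hostname is the TLD; every other part of the
// URL is chosen freely by whoever built the link.

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function locateBank(rawUrl) {
  // Links are often written without a scheme, as in the post's example.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(rawUrl) ? rawUrl : 'http://' + rawUrl;
  let u;
  try { u = new URL(withScheme); } catch { return null; }

  const labels = u.hostname.toLowerCase().replace(/\.$/, '').split('.');
  const isBankTld = labels.length > 1 && labels[labels.length - 1] === 'bank';

  const elsewhere = [];
  if (labels.slice(0, -1).includes('bank')) elsewhere.push('subdomain');
  const parts = {
    userinfo: u.username + ':' + u.password,
    path: u.pathname,
    query: u.search + u.hash,
  };
  for (const [name, value] of Object.entries(parts)) {
    // ".bank" followed by something that cannot continue a DNS label
    if (/\.bank(?![a-z0-9-])/i.test(safeDecode(value))) elsewhere.push(name);
  }
  return { host: labels.join('.'), isBankTld, elsewhere };
}

// Constructed sample URLs; the first is the one from the post.
const samples = [
  'foo.bar.cn/.bank/',
  'https://example.bank.foo.bar.cn/login',
  'https://example.bank@foo.bar.cn/',
  'https://example.bank/login',
];
for (const s of samples) {
  const r = locateBank(s);
  console.log(s, '->', r.host, r.isBankTld ? 'real .bank host' : 'NOT a .bank host', r.elsewhere);
}
```

Three of the four samples show ".bank" to the reader while the host that receives the request is foo.bar.cn.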
The easy solution to preserving the internet channel against phishers is to use bookmarks. But that’s too simple for anyone to make money at it. Certainly, no one’s gonna make $50,000 a bank. That money is better spent on other things. .Bank is a bad idea.