Garland Group Blog

Archive for May, 2007

yourdomain.useless

The Community May 22nd, 2007 2 Comments

Interesting opinion on a proposed .bank TLD.

Short story: a top level domain (.bank) would give banks and customers a more secure means of online banking, forcing verification of physical addresses and tying the ownership of the domain back to an actual charter (ok, the process is still up in the air… but that’s the gist of it). I’m not a fan. I’m not even a fan of the .biz, .info, and other “new” TLDs. Why? I think the simplicity of the original domains worked just fine, and if controlled and used as intended, we wouldn’t have the mess we have now.

Long story:

.com, .net, .gov, .edu, .mil, .org plus the country-specific extensions, like .uk, .ru, .jp, made sense. A commercial company? You get a .com. A school? .edu for you. A non-profit? .org sounds great after nearly anything. I really don’t want to go down the road of “back in my day” but I have to. Domain registration used to be a standardized process: $35 and you registered the domain. The ability for anyone to register a domain caused problems, and the process of domain resellers also added to the confusion. Now anyone can register a domain (any available domain) for only a few dollars.

Adding a new TLD won’t fix this. The process to register .bank could be just as diluted in a few years; there is no guarantee. It won’t really stop phishing or URL obfuscation either: someone with malicious intent could still set up a site with the URL “bigbank.bank.phishanyway.com”, where the visible “.bank” is just a subdomain label under a domain they control.
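To make the obfuscation point concrete, here is an added Python example (my own code, not from the original post) that splits a URL into its host labels and shows that the top-level domain is always the rightmost label, so “bigbank.bank.phishanyway.com” is registered under .com, not .bank. The classify function also flags hostnames that merely carry a trusted domain’s labels somewhere to the left of the real registrable name, and it resolves the real host even when a lookalike name is stuffed into the user-info part before an “@”. It assumes the registrable name is the last two labels, which is a simplification (it ignores multi-label suffixes such as .co.uk); the trusted set and sample URLs are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def host_labels(url: str) -> list[str]:
    """Return the DNS labels of the URL's host, lowercased, left to right.

    urlsplit() resolves the real host, so a URL such as
    'https://bigbank.bank@evil.example/' yields ['evil', 'example'],
    not the user-info text that appears before the '@'.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower().split(".")


def top_level_domain(url: str) -> str:
    """The TLD is the rightmost label, whatever labels appear to its left."""
    return host_labels(url)[-1]


def registrable_domain(url: str) -> str:
    """The name somebody actually registered: assumed here to be the last
    two labels (a simplification that ignores suffixes like co.uk)."""
    labels = host_labels(url)
    return ".".join(labels[-2:])


def classify(url: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means the host carries a trusted domain's labels (or its
    brand label) somewhere left of the registrable name, which is the
    shape of the bigbank.bank.phishanyway.com example.
    """
    labels = host_labels(url)
    if registrable_domain(url) in trusted:
        return "trusted"
    for dom in trusted:
        dom_labels = dom.lower().split(".")
        n = len(dom_labels)
        # Trusted domain appears intact as a run of subdomain labels.
        if any(labels[i:i + n] == dom_labels for i in range(len(labels) - n + 1)):
            return "lookalike"
        # Brand label (leftmost label of the trusted domain) embedded in a
        # subdomain label, e.g. 'bigbank-secure.phishanyway.com'.
        brand = dom_labels[0]
        if any(brand in label for label in labels[:-2]):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; bigbank.bank is a constructed trusted domain.
    trusted = {"bigbank.bank"}
    for url in [
        "https://www.bigbank.bank/login",
        "https://bigbank.bank.phishanyway.com/login",
        "https://bigbank-secure.phishanyway.com/",
        "https://bigbank.bank@evil.example/",
    ]:
        print(f"{url:45} tld={top_level_domain(url):8} {classify(url, trusted)}")
```

The lesson for a reader of a bank URL is the same as for the code: read the hostname from the right, because only the rightmost labels say who registered it.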

Tinfoil hat time: it’s because of “internet marketing”, “new media”, and the “first dot com boom”. Marketers took a technical concept and forced it into marketing glitz. The purpose of a URL wasn’t so it could be turned into a business name. Anyone remember pets.com? (Eric’s pet peeve here: businesses that use URLs as the actual names of their businesses. Don’t get me started.) URLs were simply a way to ease the confusion of IP addresses and a rational way to organize DNS records.

So do I have a better solution? Yes.

Strengthen the process to register a domain. Keep .org for provable non-profits and .com for businesses, and require proof of such (a tax ID, articles of incorporation, etc.). Build verification of a physical address into domain registration. Use sub-domains. Yes, it’s a big world and there is more than one Third State Bank competing for the precious thirdstatebank.com. Creative URLs could fix that. Well-placed hyphens and underscores could too. But I digress.

What do you think? Would it be worth it to your organization to change all of its marketing, letterhead, embedded URLs, connections to vendors and everything else that has your .com to .bank?

E-Mail Encryption

The Community May 18th, 2007 0 Comments

Most banks in America have one serious problem: customer information flows in and out of the bank in clear-text e-mails. Millions of dollars a year are spent to properly protect and destroy documents and to protect networks from threats and vulnerabilities. But what does all of this matter if customers and bank employees still send sensitive information through e-mail? E-mail is very insecure because it flows over the internet in clear text. Employees are encouraged not to use CDs and USB drives to take information home, but what if employees are e-mailing information to a personal account to use at home? Anyone with a sniffer and malicious intent can do some serious damage by monitoring bank web traffic. Nobody wants to see fraud or identity theft increase because customer information is so easily accessible by e-mail sniffing. This article from Bank Technology News has some good information about the insecurity of banking e-mails.

Customers, accountants, and attorneys are always going to send sensitive information to their personal bankers. And no matter how much you try to stop them, customer service personnel, loan officers, and personal bankers are going to send requested information right back to the customer. Yes, some files are password protected, but these passwords are just embedded as part of the file.

Now there are services available that will detect strings that look like customer information and encrypt the message on its way into or out of the bank. These services will either send the customer an e-mail directing them to a secure site to download the message, or they can automatically encrypt it straight to the customer. There are several services out there to protect your reputation and your customers’ privacy. Just Google ‘Email Encryption Services’ and you will get several firms that will protect your e-mails for you.
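As an added illustration of what such a filter does (example code written for this post, not any vendor’s product), here is a small Python outbound-mail check: it scans the message body for strings shaped like an SSN, a payment card number (validated with the Luhn checksum so a random run of sixteen digits is not flagged) or an account number, and routes the message to the encryption path if anything matches. The patterns, the route decision, the masking for the filter’s own log and the sample messages are all constructed for the example; a real deployment would use the bank’s own number formats.

```python
import re
from typing import List, Tuple

# Constructed patterns for strings that look like customer information.
# A real filter would use the bank's own account-number formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 16 digits, optionally separated by spaces or hyphens in any position.
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    # 'account number: 0012345678', 'acct # 12345678', etc.
    "account": re.compile(
        r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{8,12})\b", re.IGNORECASE
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_value) pairs for every suspected customer datum."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.lastindex else match.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue        # sixteen digits that fail Luhn are not a card number
            findings.append((kind, value))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits so the filter's own log is not a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def route(body: str) -> str:
    """'encrypt' if the body carries anything that looks like customer data, else 'plain'."""
    return "encrypt" if find_sensitive(body) else "plain"


# Constructed sample messages.
OUTBOUND_WITH_PII = """Hi Pat, per your request here are the details for the loan file:
SSN 123-45-6789, card 4111 1111 1111 1111, account number: 0012345678.
Let me know if you need anything else."""

OUTBOUND_BENIGN = """Hi Pat, the branch is open until 5pm on Friday.
Reference ticket 1234 5678 9012 3456 when you call."""

if __name__ == "__main__":
    for body in (OUTBOUND_WITH_PII, OUTBOUND_BENIGN):
        hits = find_sensitive(body)
        print(route(body), [(kind, mask(value)) for kind, value in hits])
```

The Luhn step matters in practice: without it the benign ticket number above would be flagged, and a filter that cries wolf gets switched off.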

Verify Me.

The Community May 9th, 2007 0 Comments

“My voice is my passport, verify me.” Quick, name the movie that’s from… That phrase was used as a voice identification password in a movie a few years back, and it’s stuck with me. Passwords are interesting things in and of themselves; we rely on them so much for our digital lives that the very complex and nebulous world of information security is often boiled down into the simplistic rule that good security equals good passwords. But is that all there is? Is your online banking account secure if you use W+UwRe!AYach3su* as your password? Sure it is, unless your spouse, your child, or anyone other than you has access to it. This is one of the areas where there is so much confusion, most of it generated by ill-given advice on account management, that it creates a less secure environment while making the user think they are doing exactly the opposite. Like spotting counterfeits, it’s easier to see the pitfalls if you look at correct examples first, so here are a few rules of thumb that can get you started.

One entity equals one account. The more people or systems that share access, the less secure that system will be. For a long time we’ve heard the advice “rename or disable the Administrator account”, and I’ve seen plenty of organizations that do just that. Administrator becomes Myadmin or something like that. Bob, Steve, and Jim in the IT department share that account and password because they are the administrators, so how do you know who did what? You can’t. Giving their named accounts membership in an Administrators group gives them the access they require to perform their functions, but also provides the accountability to demonstrate who has done what.

Passwords don’t have to be gibberish to be strong. You’d have to have an amazing memory, or a very creative mnemonic, to remember the password example given earlier. Most people don’t, so they tend to use passwords they can remember, like birthdays, their children’s names, addresses, or something that is both easy for them to remember and easy for them to type. If it’s more complex than that, they often will write it down… on a sticky note… stuck to their monitor. Goodbye, password security. Here’s an easy solution: train your users to forget passwords and train them to use passphrases that adhere to complexity requirements. A passphrase creates a longer string, with non-alphanumeric characters, and it’s easier to remember.

More technical does not mean stronger. RSA tokens, biometrics, and other additional factors are only as strong as the controls around them. If you have implemented, or plan to implement, two- or three-factor mechanisms, don’t be lulled into a false sense of security generated by marketing hype. I love the RSA tokens. They are very effective and aren’t that hard to deploy, but the learning curve can be steep for end users. While biometrics truly verify that the user is who they say they are, some consumer-grade biometrics can be easily defeated with something as simple as rubber cement. And both could be subject to man-in-the-middle or replay attacks.

The bottom line: passwords are your first line of account security. Make them strong and make them long. Monitor failed logins to identify patterns. Finally, don’t rely on technical controls alone.
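Two of these rules, one entity per account and monitoring failed logins for patterns, lend themselves to a simple check over authentication logs. The following Python is an added example written for this post, not a tool the original mentions: it parses a constructed log format, flags accounts whose failed logins cluster inside a short window, and flags accounts that logged in successfully from several different sources within an hour, which is what a shared “Myadmin” account looks like in the logs. The log format, the thresholds and the sample lines are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed sample: 'myadmin' is a shared account used from three workstations,
# 'bsmith' is being guessed at from one outside address, 'jdoe' mistyped once.
SAMPLE_LOG = """
2007-05-09T08:00:01 user=myadmin result=OK src=10.0.0.5
2007-05-09T08:03:14 user=myadmin result=OK src=10.0.0.7
2007-05-09T08:10:40 user=myadmin result=OK src=10.0.0.9
2007-05-09T08:15:02 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:15:09 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:15:17 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:15:25 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:16:01 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:16:44 user=bsmith result=FAIL src=203.0.113.4
2007-05-09T08:17:30 user=bsmith result=OK src=203.0.113.4
2007-05-09T09:00:12 user=jdoe result=FAIL src=10.0.0.12
2007-05-09T09:00:30 user=jdoe result=OK src=10.0.0.12
""".strip().splitlines()


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)) -> Dict[str, int]:
    """Accounts with at least `threshold` failures inside any `window`, with the peak count."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def shared_account_candidates(events, window=timedelta(hours=1)) -> Dict[str, List[str]]:
    """Accounts with successful logins from two or more sources inside `window`."""
    logins = defaultdict(list)
    for ev in events:
        if ev["result"] == "OK":
            logins[ev["user"]].append((ev["ts"], ev["src"]))
    flagged = {}
    for user, items in logins.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            sources = {src for ts, src in items[i:] if ts - t0 <= window}
            if len(sources) >= 2:
                flagged[user] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("shared-account candidates:", shared_account_candidates(evs))
```

The second check is the practical payoff of “one entity equals one account”: once Bob, Steve and Jim use named accounts, a login that hops between three workstations in ten minutes becomes an anomaly worth asking about instead of business as usual.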

Oh, the movie? Sneakers, 1992. By the way… what’s the password on your Netflix account?

Don’t Say, “It’ll Never Happen to Me”

The Community May 7th, 2007 3 Comments

I never thought I would have my identity stolen… but you should know a little about me first. I shred all the credit card applications I get immediately. I keep all my sensitive documents stored in a locked box at home. I secure all online password and monetary transactions through a secure VPN connection. I change my passwords semi-frequently. I monitor my credit at least quarterly. I don’t give my personal information to ANYONE, well, almost.

I am currently trying to lease a house and needed to fax my application to my Realtor, but she gave me the wrong fax number. The application has just about anything you need to steal an identity (SSN, address, previous address, employment, salary, truck, etc.) except for my bank account numbers. Oh, but there is an addendum in the application authorizing a credit check and available funds in all financial institutions. When she asked me where my application was and I told her I had faxed it, I knew immediately I might be in trouble because I had kept the fax confirmation for the wrong number. Now what do I do? Send another fax to that number asking, who is this? Will you shred my info? Please don’t run up a million credit cards in my name? I tried reverse number lookups, but to no avail. Any suggestions? It looks like freecreditreport.com is about to get another customer for monthly monitoring. It is just frustrating to do everything I can to protect myself and then have just one number off on a fax send me into paranoia. It just goes to show you that you can do everything possible to protect yourself, but you still might get bitten by the identity theft bug. Hey, if I sent you a lease application recently, will you shred it please?

Nobody has stolen my identity yet, and I would like to keep it that way.