Why Dot Bank Will Revolutionize Security for the Financial Industry
Within the first 10 minutes of general availability for .bank domain names, fTLD received more than 3,000 applications. These join the 782 applications filed during what managing director of fTLD Registry Services Craig Schwartz called the most successful “sunrise” period of all TLD (top-level domain) launches.
Why so much buzz? .bank is extremely attractive to the heavily phished financial sector due to the tight restrictions around who can apply, what types of domains can be registered, and the security measures mandated by the registry. When communicating with a .bank entity, users will have much greater confidence that they are communicating with a trusted financial institution and that their communications and transactions are secure.
As someone who has worked at the intersection of brand fraud protection and domains and DNS for over 15 years, I consider .bank a pinnacle achievement of the new gTLD program. Domains have always had the capacity to provide enhanced trust and security. .Bank now makes that a reality.
Why .bank will be successful
It has meaning. First, if we are to build trust and security into a given TLD, the meaning of that TLD and its connection with the need for greater security must be both self-evident and unambiguous.
.xyz may be the most popular of new gTLDs, but a .xyz web address would not press an end-user’s security buttons. The meaning of .bank is unequivocal (to the English-speaking world) and users’ security awareness would be instinctively piqued. .Bank is therefore a suitable TLD for building trust and security.
It’s backed by the industry. The second reason why .bank will be successful is that it has industry backing. The main reason RegistryPro failed to get .pro up and running after it secured its registry agreement back in 2000 (new gTLDs are not so new) is that it lacked the backing of key industry associations. Without industry backing, a TLD that purports to speak for that industry will lack legitimacy and adoption.
It has procedural and technical teeth. So, .bank has both meaning and legitimacy. But the TLD also needs procedural and technical teeth if it is to provide a practical solution to preserving trust and security for banks and their customers.
At a procedural level, .bank’s eligibility criteria and verification process will ensure that only banks may register a .bank domain. As there will be no cybersquatting in .bank, fat fingers “to the left of the dot” will never resolve end-users to phishing sites. Over time, end-users will therefore learn to trust .bank addresses instinctively in a way that could never apply to the .com world where anyone can register any domain, regardless of identity, rights or intent.
Additional technical measures are required to preserve the trust established by this strict door policy. This is particularly the case as it relates to email where, even if you don’t own a given domain, there is nothing in the Simple Mail Transfer Protocol standard that prevents you sending an email from an address with that domain.
For this reason, the .bank registry mandates the implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) to ensure that email attacks coming from spoofed addresses are blocked before they reach their intended victim.
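To make the mechanism concrete, the following added example (not part of the original article, and not the registry's or any vendor's code) shows how a receiving mail server applies a published DMARC record: a message passes only if SPF or DKIM succeeded for a domain aligned with the visible From domain. The domains and the record are constructed samples, and organizational-domain lookup is simplified to the last two labels.

```python
# Added illustration: simplified DMARC evaluation (concepts from RFC 7489).
# All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None                      # the version tag must come first
    tags = dict(p.split("=", 1) for p in parts if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    return tags if "p" in tags else None

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record_txt, spf=None, dkim=None):
    """spf/dkim: the domain that PASSED that check, or None if it failed.
    Returns 'pass', 'no-policy', or the disposition the owner published.
    The pct and sp tags are ignored here to keep the example short."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return "no-policy"
    if spf and aligned(spf, from_domain, policy.get("aspf", "r")):
        return "pass"
    if dkim and aligned(dkim, from_domain, policy.get("adkim", "r")):
        return "pass"
    return policy["p"].lower()

RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@firstexample.bank"

def demo():
    return {
        # Genuine mail: envelope domain is a subdomain, relaxed SPF alignment.
        "genuine": evaluate("firstexample.bank", RECORD, spf="mail.firstexample.bank"),
        # Spoof: SPF and DKIM both pass, but for the sender's own unrelated domain.
        "spoofed": evaluate("firstexample.bank", RECORD,
                            spf="bulk-sender.example", dkim="bulk-sender.example"),
        # Same spoof against a monitoring-only policy: nothing is blocked.
        "monitor": evaluate("firstexample.bank", "v=DMARC1; p=none",
                            spf="bulk-sender.example"),
    }
```

The "monitor" case is the one to check for in practice: a record with p=none collects reports but leaves spoofed mail deliverable.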
The mandatory implementation of encryption practices and DNSSEC will further enhance the security of the .bank TLD by preventing various types of man-in-the-middle attacks.
A new era of digital trust
.Bank is poised for success because it has meaning and legitimacy. It also has procedural and technical teeth to bring enhanced trust and security. But could the same not be said of .trust, which was launched earlier this year? It certainly has meaning, and the procedural and technical standards that it mandates of its registrants exceed those of .bank. But what of legitimacy?
Ultimately, legitimacy manifests itself in adoption and, while 3,782 applicants self-evidently believe in .bank, only 49 registrants have put the same belief in .trust (based on the latest numbers at ntldstats.com). The difference may have something to do with the $150,000 price tag to register a .trust domain (like any security investment, a domain will need to deliver the best possible return). It also reflects the legitimacy that stems from the commitment and backing that .bank has received from industry.
.Bank finally brings an industry-backed, domain-based solution to help solve a problem that has haunted banks since the world got online. As with all things security, .bank is not a silver bullet (watch this space for more content about edge cases that .bank will not solve) but it does herald a new era of digital trust and security for financial institutions.
For more information and assistance in implementing DMARC to comply with registry requirements, contact us.
About Robert Holmes
Robert Holmes is General Manager, Email Fraud Protection at Return Path. Rob has been in the brand & fraud protection industry for 15 years, helping major corporations understand, quantify and manage risk across the digital channels. Having previously held global roles running the product teams at Corporation Service Company and Melbourne IT's Digital Brand Services, Rob is a frequent speaker at major security events, including RSA Conference, Gartner Security & Risk Management Summit, FS-ISAC, and the global eCrime series. Rob has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford.