Security company F-Secure has answered criticisms of its suggestion that a .bank top-level domain (TLD) be created to improve the protection of online financial services.
Mikko Hypponen, F-Secure's chief research officer, first suggested the .bank TLD at the beginning of May. Hypponen said that buying a .bank domain name should be prohibitively expensive for anyone but banks, and that this would make online banking more secure.
Hypponen caught flak from various people for this suggestion. Criticisms included that the domain would do nothing against DNS cache poisoning, which involves hacking into domain name servers and replacing the numeric addresses of legitimate websites with the addresses of malicious sites. Other criticisms were that average users may not recognise a potentially dangerous URL, and that organised criminals would have the funds to buy the domain name while smaller banks may not.
Now Hypponen has answered these criticisms. In a blog post on Saturday, Hypponen admitted that this proposal was "not a silver bullet", and that a .bank TLD could not do much against DNS poisoning or phishers creating realistic-looking fake domains.
However, Hypponen said the .bank domain name would allow browsers to create a whitelist, making the general users' lack of security awareness less of a problem. He also said that organised criminals' sites could be taken down quickly even if they managed to somehow prove they were a bank, and that currently smaller banks are not targeted — this would be a scheme for "the bigger players".