After much effort by a coalition of organizations and individuals to build security requirements around the generic top-level domain (gTLD) .bank, banks can register domain names under it starting today (June 24). Now it is up to the financial services institutions themselves to ensure that customers and organizations actually benefit from the domain, which its advocates assert is more secure than .com.
When ICANN announced plans to open up gTLDs beyond .com and .org, the financial services industry was worried. So much so, in fact, that the American Bankers Association (ABA) and the FDIC initially advised against releasing financial domains. The availability of financially oriented domains presents several risks. They can create customer confusion and increase branding issues for organizations. More importantly, they give attackers a new set of look-alike names to register for spoofing and phishing. Ultimately, after further review, the ABA took action to improve security for this new set of domain names rather than simply oppose them.
fTLD Registry Services was formed to establish a set of security standards for the domains, to reduce risk and give customers a basis for trust. These standards were provided to ICANN with the recommendation that they be mandated for all highly sensitive domains. However, .bank and .insurance are currently the only domains to have those levels of security mandated. This is a good signal for banks, provided the domains are implemented correctly.
The security requirements focus on both security within the domain and the verification process when an entity applies for a domain. Verification controls are designed to help prevent malicious registrations and include the following requirements:
- The domain name applicant must be a chartered and supervised bank regulated by a government agency
- The person requesting the domain must be a full-time employee of the organization or bank and have the authority to register the domain name on its behalf
- Names must be in compliance with a name selection policy
These requirements, it is reasoned, should make it harder for threat actors to obtain a .bank domain for the purpose of spoofing. Other requirements apply within the domain once it is registered: TLS to encrypt traffic in transit, DMARC to let receiving mail servers reject messages that fail SPF or DKIM alignment for the domain, and DNSSEC so that DNS answers for the domain are cryptographically signed and cannot be silently substituted. Each of these should further reduce risk. At Easy Solutions, we are especially bullish about the prospect of a more trusted email ecosystem that leverages DMARC. However, only time will tell whether the security requirements make a difference. It will all depend on how banks use them: a DMARC record published in monitoring mode, or a TLS certificate on a site customers never visit, satisfies a checklist without stopping a single phishing email.
With more than 700 applications submitted during the month-long sunrise period, it is clear that financial services institutions are set on acquiring .bank domains. But there is no telling yet what they plan to do with them. Switching over completely will take time, and will certainly require a large customer education campaign to explain the benefits and help customers through an unfamiliar transition. Some banks will do this. Others may simply sit on the domain, or run .com and .bank in parallel, and neither of those improves security: as long as the .com name remains the one customers use and trust, it remains the one phishers imitate. To be sure, the industry's intentions are good. But what happens next is up to the individual organizations that register the domains.