Wednesday, March 21, 2018

Phishing, Banks and .BRAND new gTLDs

I recently tried to complain against a phisher using Register.it as the phisher's Registrar and I also followed a procedure at the ICANN to see if anything would happen, but, as expected, nothing happened: the ICANN created a case and offered to fill in another form and the Registrar did not even confirm it had received my complaint. Note that I could also have complained at the Registry but I did not because...you know...time consuming?

Another approach for Banks
Below are examples of recent phishing emails I received in the name of a French bank. These are issues banks have to deal with on a daily basis and in volume: not only because it hurts their image but also because it causes serious problems for some of their customers. For these two reasons, and also because it is useless to think that procedures exist at (some) Registrars to fight phishing, here is another approach banks can take to better protect their customers from phishing.

Phishing is this:
  1. The end user receives an email with a fake link to click on: the email says that it is sent from service@banquepopulaire.fr but it is not, and at this stage you cannot tell who the real sender is (because it is so easy to send an email with a forged sender address).
  2. The link to click on is either some text (e.g. "Confirmer votre PassCyberPlus" in my case) or a link which looks like a known link (domain name) of our bank (e.g. "www.banquepopulaire.fr"). In both cases, the link is fake, or even a bare IP address (in my case), leading to another website where the fraud is hosted. Sometimes it will ask for your login and password, or it will try to automate the installation of a program that encrypts your hard drive (ransomware), or it will ask for more information.
End users are more trained than before but...
More and more end users receiving phishing emails no longer click on their links: they check before clicking. The real link appears at the bottom of the browser window when hovering the mouse over it (without clicking), so they can tell whether the email is legitimate or not. Phishing has now become so common that end users have become familiar with checking a link before they click. Note that it will still take a few more generations before phishing becomes completely useless.

Banks can fight phishing another way
Telling clients to be cautious about phishing is a negative message, and trying to solve these problems with registrars, which often proves to be completely useless and endless, is a total waste of time. ICANN will answer that it has no responsibility in this, and Registries...well...try to complain at a registry and tell us more about your experience ;-)

Another way for banks to fight phishing - and better protect their clients - is to "work on words": when building a website, navigation has to be simple; if it takes more than two clicks to reach the information, you lose your reader. It is the same for banks' names: with too many names for branches and online services, banks confuse their customers, and that also leads them to click on the wrong link. Working on words is called branding. Banks want their clients to:
  1. Recognize their name;
  2. Go to the right website and not another.
With dozens of subsidiaries, trademarks, legal entities, names and other brands, it is impossible for a Bank to gather under a single name and a single domain name, but using a .BRAND new gTLD is a solution to this with an enormous advantage: thanks to words, it reduces the risk of phishing and definitely nips any homograph attack in the bud. Here are the advantages of using a .BRAND domain name extension instead of ".com" or a country code Top-Level Domain (a domain name extension for a country).

The number one advantage for a Bank to remember is that when it controls the registration of its domain names, a phisher will never be able to register one of them: anyone can register a domain name ending in ".com", in ".fr" or in any other domain name extension available to the general public, but not in a ".brand".

Let's talk about my own case, the "Banque Populaire" one
When you type "banque populaire" into Google, you get a long list of names: banque populaire, bred, bred banque populaire sa, groupe bpce, casden banque populaire, etc...there are dozens of names belonging to Banque Populaire and dozens of websites:
    1. How do you expect clients not to be confused when receiving an email about Banque Populaire? How does the bank ensure that its clients know whether the bank's name and URL are legitimate?
    2. Can you imagine the pleasure a phisher can have when preparing an attack with such confusing information sent to this bank's clients: it's wonderland for phishers because the bank's client WILL be confused.
Why it matters
In terms of Branding
Paying attention to the name and the URL clients will be sent to matters, and as I wrote above, while it is impossible to gather under a single name and domain name, gathering under a single ".brand" extension changes everything:
  1. In terms of trust for the client: all services from the bank will be easily identified behind exactly the same domain name extension. For example:
    1. www.casden.bpce (or ".banquepopulaire")
    2. www.bred.bpce
    3. www.banquepopulaire.bpce
    4. etc...
  2. In terms of name for the Bank: the domain name extension becomes the seal which connects all services, trademarks, names, categories of clients, subsidiaries, branches, office locations, etc...to the same Bank. When seeing this seal, the client knows that he is on a website belonging to the bank: "can't be anything else". Instead of using various confusing domain names (none of which can be certified by the bank), the ".brand" domain name extension simplifies it all for the client: when hovering the mouse over a hyperlink before clicking, the ".brand" extension of the domain name is the seal that confirms that he can click.
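The hover check described under "End users are more trained than before" and the ".brand" seal described in the list above, turned into link-triage logic a mail filter or awareness tool could apply (an added example, not code from the original post; the ".bpce" extension, the sample email and the simplified anchor extractor are assumptions):

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical .brand extension the bank would control (an assumption here;
# the post floats ".bpce" or ".banquepopulaire" as candidates).
BRAND_TLD = "bpce"

# Simplified anchor extractor: (href, visible text) for each <a href="..."> in an
# HTML body. Adequate for the constructed sample; a real filter would parse HTML.
_ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
_TAG = re.compile(r"<[^>]+>")

def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def classify_link(href, text, brand_tld=BRAND_TLD):
    """Return 'ip', 'brand', 'mismatch' or 'unknown' for one hyperlink."""
    host = _host(href)
    try:
        ipaddress.ip_address(host)
        return "ip"            # bare IP target: the case in the post's own emails
    except ValueError:
        pass
    if host.endswith("." + brand_tld):
        return "brand"         # the .brand seal: only the bank can register under it
    shown = _host(text) if "." in text and " " not in text else ""
    if shown and shown != host:
        return "mismatch"      # link text names one domain, href points to another
    return "unknown"

def triage_email(html, brand_tld=BRAND_TLD):
    """Classify every link in an HTML email body: [(href, verdict), ...]."""
    return [(href, classify_link(href, _TAG.sub("", text).strip(), brand_tld))
            for href, text in _ANCHOR.findall(html)]

# Constructed sample in the style of the emails the post describes.
SAMPLE = ('<p><a href="http://203.0.113.7/login">Confirmer votre PassCyberPlus</a> '
          '<a href="http://banque-populaire-secure.example">www.banquepopulaire.fr</a> '
          '<a href="https://www.banquepopulaire.bpce/">www.banquepopulaire.bpce</a></p>')

if __name__ == "__main__":
    for href, verdict in triage_email(SAMPLE):
        print(f"{verdict:9} {href}")
```

Note that the seal is checked on the real href host, not on the visible text, which is exactly the distinction the hover check relies on.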
In terms of strategy (for the Bank)
Things take time: don't expect a client to immediately understand why a domain name using a ".brand" extension is less risky for him to click on, and expect things to be more confusing...in the beginning at least; change takes time and explanation.

Some banks have already migrated to their .BRAND new gTLD; there is even one in France: https://banqueentreprise.bnpparibas. Since 2012, 1,230 new domain name extensions have been created, and this also means:
  1. More confusion to consumers;
  2. More options for phishers to fool banks' clients;
  3. But also more training and adoption for users: the more new domain name extensions appear online, the more the coming generations get used to them.
There are today 490 ".brand" new gTLDs. They belong to trademark owners that have acquired them and signed an agreement with the ICANN granting them the authorization to create and use their own personalized domain names. It means that, from an old and non-secure use of domain names, a few brands have already started to move to more secure strategies for the benefit of their clients: aren't Banks concerned...by security?

Another alternative for Banks
Banks are the only ones with access to ".bank" domain names, but in the case of a French bank it does not fit: you don't talk to French customers using an English domain name extension. Note that some French banks applied for a ".banque" new gTLD but then withdrew their application.

Need help understanding all this? Contact Jovenet Consulting and ask for Jean.

Recent phishing emails received



