Used to be phishing was a simple scam, easily spotted. If the domain name didn't match the site you were hoping to visit, you bailed out real quickly. Only idiots give their bank login details to www.fnb.mafia.ru.
However, an increasing number of attacks on the domain name system have been found in the last few years, which can convincingly forge someone's site. Now, a customer might be convinced he's looking at www.fnb.co.za, but in reality, he's at an entirely different server, with an entirely different IP address, run by “pharmers” that are bigger crooks than SA's big four banking moguls. (I don't mean to pick on FNB, you understand. By all means, substitute Nedbank, Standard Bank or ABSA in the aforegoing.)
There is at least a partial solution to this problem, in the form of secure DNS.
Regular domain name servers return an IP address on request, given a human-readable domain name such as www.mybank.co.za. This system was designed, however, when there were only a few thousand internet hosts, and they implicitly trusted each other. It scaled brilliantly as the size of the internet exploded, but one of the reasons is the delegation of that implicit trust. Anyone can run a domain name server, and others will happily query it. Viruses and trojans can easily be used to “poison” the system. There's nothing secure about it.
The more sophisticated among these phishing or pharming attacks have no simple defence that an average computer user would understand. Next time you get an SMS from your cellular company, or your bank, telling you to contact their call centre or go to their website to verify a transaction or register for online statements, think twice.
Some channels can be secured, and it seems criminal for banks and other commercial sites not to do so.
Ivo Vegter, freelance journalist and columnist
Not all channels can be secured. SMS, for example, is an unencrypted plain-text channel. Do you know the numbers from which your bank sends automated SMS messages? Didn't think so. Do you know their call centre number off by heart, or will you call the number in the SMS? Thought so. But some channels can be secured, and it seems criminal for banks and other commercial sites not to do so. In particular, extensions have been written for the domain name system that incorporate proper authentication and encryption, making it far more robust and secure.
Yet there has been a lot of resistance, worldwide, against implementing this substantially more complicated version of DNS. True, it is complex. True, it is a major upgrade. True, it presents technical difficulties, including issues at the client side. True, the return on investment is hard to quantify. True, it isn't a silver bullet - though it is a pretty effective slug.
Can one blame customers for thinking that failing to use all available defensive strategies suggests that banks don't really have their interests at heart? Can one blame those who are reluctant to bank or buy online, when they can show plausible attack strategies that even technically savvy people can't spot? Can one blame technically savvy people for sneering at banks who think “educating customers” will solve phishing, pharming and other security problems?
One proposal has been to establish a new second-level domain, such as bank.za, which is entirely encrypted. A broader category might be even better. A sec.za second level, for example, could include the websites of telcos, ISPs, social networks and online shopping sites as well.
And please, don't call it DNSSEC, or some other baffling acronym. Call it the No-Phishing Zone, or the Anti-Fraud Zone, or something that both customers and business can understand and will want.
A secure DNS zone not only benefits the banks, by improving both the actual and the perceived security of online banking. Where banks lead, others will follow. Banks have the resources, for example, to establish a signed domain name registry, which can pave the way for other low-margin registry operators to learn and follow. Banks have the influence, for example, to convince search engines to prefer websites with signed domain name records, and search engines have the power to move the market.
It is unrealistic to expect the entire .za domain to be signed overnight. It is not, however, unrealistic to expect a gradual transition, starting with those companies that have the most at stake. And starting soon.
Ivo Vegter is a columnist, freelance journalist. He blogs at http://ivo.co.za/.
Share