Every organization stands to lose a lot when it comes to cyber-attacks, but because they’re managing customer money and operating in a heavily regulated industry, financial services institutions have their own set of challenges. They’ve got a lot at stake on the cybersecurity front. So when ICANN announced it was expanding the number of generic top-level domain names (TLDs) from fewer than 25 to what will likely soon number in the thousands — banking associations didn’t want to take any chances with the .BANK and .INSURANCE TLDs.
In his 2015 CyberCrime Symposium session, Doug Johnson, SVP and chief advisor, payments and cybersecurity policy at the American Bankers Association (ABA), discussed the hard work and financial investment that the ABA, along with the FSR, ICBA, and other trade associations, put into not only securing control of .BANK, but in making it much more secure than the traditional TLDs like .COM, .ORG. and .NET. “We're proud of .BANK and what we've been able to do over the seven years since we've started this process,” said Johnson.
To ensure that the banking industry controlled .BANK, the ABA and its partners created fTLD Registry Services LLC to operate the domain. When fTLD made .BANK generally available on June 23, 2015, on a first-come, first-serve basis. Johnson said they estimated they’d have 2,300 applications by year-end. That turned out to be a conservative prediction — they had 3,000 registration applications within the first 20 minutes, and at the time of the symposium in November of 2015, had more than 6,000.
fTLD faces a number of challenges as .BANK rolls out, both in reducing the opportunity for what Johnson calls “funny business” by duplicitous parties and in creating the robust cybersecurity infrastructure the domain requires. One of the big challenges will be customer confusion with new TLD names that appear to be industry-backed financial domains like .BANK, but aren’t.
“It cost us $3.5 million in equity to capture .BANK and .INSURANCE, so we couldn't capture all the other potential financial domains out there,” said Johnson. These include domains like .LOAN, .CREDIT, .CREDITCARD and a number of others. .MORTGAGE, Johnson believes, could be particularly dangerous.
“There's high potential that individual customers are going to believe that .MORTGAGE is a financial domain. It isn't,” said Johnson.
This is among the educational challenges fTLD has going forward, said Johnson. “We need to make sure that customers are aware that .BANK and .INSURANCE are owned and operated by the industry and these others aren’t, so they can protect themselves.”
They also had to address the need for defensive filings so organizations can protect their trademarks against those that register misspelled or other false versions of domain names to deceive customers and redirect them to possibly malicious sites.
To overcome these and other challenges, fTLD has established a substantial vetting process for anyone applying for a .BANK registration, Johnson said. “When we're talking about financial domains, we want to ensure that those entities in those domains actually have the bona fides to operate them.”
Challenges aside, fTLD has made significant headway on the .BANK front. The mission now, Johnson said, is to establish processes that make it as easy as possible for banks to transition to the new domain. With the help of external industry and security experts, technologies, and processes they’ve got in place include:
- VeriSign on the back end. With VeriSign powering .BANK and eventually, .INSURANCE, banks take advantage of the provider’s existing global infrastructure, with all the scalability, security, and performance technology — like load-balancing — and core infrastructure services it’s built over the years running .COM and other TLDs.
- A two-step registrant verification process managed by Symantec. Symantec will verify, one, that the applicant is a financial institution, and two, that the individual filing has the authority to apply for the domain. Johnson believes this front-end process is one of the most important security measures they’ve implemented as it “ensures that you don't have to go through the defensive filings that you would in .COM because we've got your back.”
- Partnerships with core bank processing system providers to help institutions implement the domain. Among other advantages, this will help ensure that all site pages will have the same level of security as the landing page. “It makes absolutely no sense for you to have high levels of security for landing page, and then redirect users to an Internet banking page that has lower levels,” said Johnson.
- Partnerships with FI technical and security experts to determine the best architectural approach for enhanced cybersecurity. .BANK has, for example, DNSSEC at the second level. Among other functions, this ensures that users are visiting the bank’s website and not getting re-directed to possibly malicious sites. Sites will also get advanced encryption.
- The “Guide to Leveraging .BANK” to help FIs implement the domain. The guide provides a deep-dive view into security requirements and other technical provisions. It also helps security professionals communicate with internal staff, from C-suite execs to lower-level employees, as well as with customers, about their deployment of .BANK and its importance. All the enhancements in .BANK will be not address security concerns, but will be great tools for bank marketing professionals to tout to customers and prospects, said Johnson.
This is the 5th in our series presenting key takeaways from Sage Data Security’s 2015 CyberCrime Symposium, held November 5-6, 2015. In case you missed the filled-to-capacity event, “Collaboration & Information-Sharing,” read the entire series here.