FairWinds in the Press

August 17, 2012

Print Page

No 'Phishing': Banks Try to Sink Scammers

the wall street journal 

If banks have their way, Internet scammers soon may have a tougher time deceiving people with bogus bank websites. Financial-services companies are snatching up new, exclusive Internet addresses in an effort to crack down on cybercrime, which one analyst said cost the industry an estimated $2.5 billion last year.

The companies buying up addresses include some of the biggest players in the industry: American Express Co., Capital One Financial Corp., J.P. Morgan Chase & Co., Barclays PLC, Bank of America Corp. and Citigroup Inc.

The firms have paid at least $3.3 million, or $185,000 per address, to the nonprofit organization that oversees the Internet to secure new exclusive domain extensions, the letters that appear at the end of a website address, such as dot-com or dot-gov.

The new addresses include extensions like dot-citi, dot-bofa and dot-barclays. The banks hope these extensions will help their online customers know they are actually dealing with the bank and not a scam website trying to pilfer personal information.

Web browsers won't see the new addresses online until the Internet Corp. for Assigned Names and Numbers, or Icann, the organization that oversees the Internet, approves them. Some may appear next year.

In 2011, the financial-services industry accounted for nearly half of all "phishing" attacks—attempts to steal customers' personal data like credit card information, email addresses and passwords—according to the Anti-Phishing Working Group, a corporate group that addresses cybercrime issues.

Besides just phishing, the financial industry is responsible for half of all online fraud, according to MarkMonitor Inc., a brand protection firm.

Hackers can buy domain names at registrars like Go Daddy Group Inc. that alter a letter or two in a company's brand name—replacing "of" with "at" in, for example—and trick consumers by sending them emails dressed up with Bank of America's logo, said Jeff Ernst, an analyst at Forrester Research who has advised companies on how to manage the new addresses.

Controlling their own domains with exclusive address extensions could help financial-services companies fight phishing because criminals won't be able to register domains that end in dot-jpmorgan, for example.

"When we start to put things under dot-discover, it will be tougher to spoof them," said Mike Boush, vice president of e-business at Discover Financial Services.

"For customers to be duped, someone must be convinced that they're Barclays," said James Greenwood, digital- and mobile-channel platform architect for Barclays. "It's far more difficult to pose as Barclays if they can't be part of the ecosystem that we've created."

The new addresses, on offer by Icann, have drawn requests for domain addresses from companies, entrepreneurs, cities and others vying for their own space in the Internet landscape.

Only 22 such domains currently exist, but that number could rise by more than 1,000 by the end of 2013. Anything from dot-democrat to dot-bible may soon roam the Internet.

The first of the new domain names likely will appear online during the second half of 2013, Icann said, giving companies time to clarify online strategies with customers. Icann decides which addresses will go online, and the organization hasn't publicly approved any domains yet.

Barclays's Mr. Greenwood said companies likely will transfer online services to their new addresses slowly so they don't disrupt customers. "One very obvious option is to have it be the single, top-level, global starting point or hierarchy" for Barclays's online presence, he said, adding that the company isn't making its plans public yet.

Other reasons banks may want to own their domain extensions range from brand promotion to customer service and the need to keep up with technological innovations. But some financial firms see the possible security benefits, in particular, as something they can't get with their dot-com presence.

Having the new addresses would give banks a "big leg up," said Roland LaPlante, executive vice president and chief marketing officer at Afilias, an Internet company that operates domains. "If someone goes to a dot-UBS site," he said, referring to UBS AG, UBS "you know you're getting to your account on UBS."

Not all financial companies are convinced. Wells Fargo & Co. didn't apply for one of the new addresses, citing investment costs and the potential for the dilution of its online brand, "When's the last time you used a dot-biz or dot-info?" said Beverly Butler, Wells Fargo's vice president for its digital channels group.

Phishing was related to $2.5 billion in financial-industry losses in 2011, said Avivah Litan, an Internet fraud analyst at Gartner Inc., a technology research and advisory company. To be sure, a criminal with a phishing website would still be able to send emails to customers with links that appear to be affiliated with a real company.

Fraud still will ensnare careless customers, and the new addresses probably won't enhance security, said Esther Dyson, who served as Icann's chairwoman from 1998 to 2000. "Having a really good lock one place doesn't help with the weakest lock or the weakest link," she said. 

But knowing, for example, that only Barclays can create domains that end in dot-barclays at least gives customers "a tool that they know is proof positive that is their bank" and may ultimately generate more trust in those addresses, said Josh Bourne, managing partner at FairWinds Partners LLC, a Washington, D.C.-based consulting firm that submitted 135 applications on behalf of 51 clients, including J.P. Morgan and Capital One. 

The key for financial services companies, experts say, will be to communicate with their customers that if a Web address ends in particular dot-brand, it can be trusted. Companies also will need to prevent customer confusion.

Global companies like PricewaterhouseCoopers hope that acquiring the new address will "eliminate confusion in the marketplace" by creating a "single nomenclature" online for the company's network of firms, said Jack Teuber, managing director for digital marketing at PricewaterhouseCoopers. 

"But we're not there yet," said Mr. Ernst, the Forrester Research analyst. "The average Web user doesn't know about these top-level domains yet."

Read the full article on The Wall Street Journal.