By Peggy Bresnick
Cyber attacks and data breaches continue to wreak financial havoc for organizations around the globe. The grim news is that online attacks are only going to become more numerous and more sophisticated in the future.
Says Ponemon Institute in a recent research report, “2014: A Year of Mega Breaches,” 2014 saw a series of mega security breaches and attacks that resulted in the exposure and theft of literally millions of customer and employee credit and debit card numbers and personal data. “2015 is predicted to be as bad or worse as more sensitive and confidential information and transactions are moved to the digital space and become vulnerable to attack,” says the report.
While organizations of all types and sizes are taking measures to stop data breaches, banks are working hard to shore up cyber defenses to minimize damage. Online fraud can injure a bank’s brand and reputation, erode customer trust and threaten customer loyalty. The financial damage is potentially enormous; the costs of successfully detecting fraud and thwarting a wide and expanding array of cyber threats are rising. Financial institutions today know they must address security concerns proactively, rather than simply address and react to issues after they occur.
Unfortunately, with increasing customer use of the mobile and online channels, banks are finding it challenging to stay one step ahead of cyber criminals, who are becoming more and more sophisticated in their attacks. Criminals can create email communications that appear to have been sent by the recipients’ financial institution, but contain corrupt Web links that are designed to extract personal and financial information from the unwitting customer. Cyber criminals using “spoofed” IP addresses that are disguised as trustworthy sources trick victims into clicking links that will install malware on their machines and extract personal information.
.BANK offers security, inspires trust
Securing customer information is a priority for all organizations today, yet banks are finding it challenging to protect customers from online crooks who pose as legitimate financial institutions—and ultimately steal customers’ account information. Within the next few months, however, banks will have a new way to improve online security and proactively mitigate the risks of phishing and spoofing attacks while inspiring greater customer confidence and presenting new marketing and branding opportunities. ABA members and other verified members of the banking community can take advantage of .BANK, a new banking-specific top-level Internet domain with a variety of enhanced security controls.
The new domain is offered by fTLD Registry Services LLC, Washington, D.C., an entity formed by the ABA, Financial Services Roundtable and other banks, insurance companies and financial services trade associations to apply for the .BANK and .INSURANCE domains and to operate them securely. fTLD now includes a Board of Directors and an Advisory Council that currently includes financial institutions and financial services trade associations.
Not merely a new domain, .BANK will offer the banking community and its customers a trusted, protected and easily-identifiable space on the Internet to conduct banking business. Banks that utilize the new domain will help prevent users from being redirected to fake bank websites. .BANK also will make it difficult for cyber criminals to be successful with spoofed emails, since banking customers will know to look for and trust communications from email addresses that include the specific domain. The .BANK domain also provides a high level of encryption designed to protect communications that banks and their customers send through email, making it much more difficult to intercept, eavesdrop on or manipulate those conversations.
“In the current environment, there’s concern in the ability to trust that an email actually comes from a financial institution you’re doing business with,” says Doug Johnson, ABA’s SVP for payments and cybersecurity policy. “Because of the enhanced security measures that we’ll have in place with the .BANK domain, including email authentication, customers will have a higher level of confidence that when they get a communication from their bank, that it’s actually from their financial institution.”
Although .BANK is currently just in the process of being rolled out, plans have been in the works for some time. In 2008, the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization responsible for IP address allocation as well as domain name system management, approved a program that opened the Internet to thousands of new generic top-level domains (gTLDs), in addition to the ubiquitous .com and .org extensions.
fTLD Registry Services was formed in 2011, but only after organizations like the ABA and Financial Services Roundtable had lobbied ICANN rigorously to prevent domain names like .BANK and .INSURANCE from becoming available. “We initially thought it would be more confusing to consumers, and we felt it would create more issues for brand holders while increasing the possibility of cyber attacks,” explains Craig Schwartz, managing director, fTLD Registry Services LLC, Washington, D.C. ABA and Financial Services Roundtable later decided to join together to establish and protect the .BANK and .INSURANCE domains.
Extra security, added value
“The value of getting the .BANK domain is the extra security that’s required to be in the space and the trust and confidence that comes with knowing that others in the space are legitimate and have been verified,” says Schwartz. “When you’re talking to someone with a .BANK extension, you know that entity is legitimate and has been verified before it gets to use the name.”
A key benefit of the .BANK domain is that only members of the global banking community will be eligible to register domains. Registration follows a very rigorous authentication process, including charter verification by the registrant’s regulator—so it’s not possible for just anyone to receive the .BANK domain by simply applying through an Internet domain registrar and Web hosting company, such as Go Daddy.
“We’re the gatekeeper,” says Johnson. “In order to even play within the domain, any individual attempting to secure a .BANK domain has to prove that he or she is requesting the domain on behalf of a legitimate financial institution or other core processors and service providers to the bank. The person also has to prove that he or she has the authority within the bank to be making the request.”
Besides legitimate financial institutions, the .BANK domain is also available to vendors that work in the banking space. “Companies that provide core processing have to be able to operate through .BANK domains and have the same level of security as the bank,” Johnson explains. “Many banks are dependent on core providers to provide a significant amount of services that are vital to the bank so it makes sense that they are behind the same security wall.”
fTLD has partnered with security firm Symantec to prevent financial firms from registering if they don’t meet eligibility requirements. As the Registry Verification Agent, Symantec verifies companies when they initially register for the .BANK domain name, and also at each renewal. Symantec reviews all registrations and makes recommendations on which applications to approve or deny to fTLD, which is responsible for the final determination.
Registration is via registrars
Banks must register for and buy their .BANK domain names through registrars listed on the fTLD Registry Services website at fTLD.com, and acceptance isn’t immediate or guaranteed. Domain names are awarded on a first-come, first-served basis, and only after a strict verification process. Because costs are higher for fTLD to operate .BANK with increased security and other provisions, costs for the new domain name will be higher than for a typical domain. When evaluating potential registrars for their .BANK domain, financial institutions should be aware that some vendors bundle services like brand protection services along with the .BANK registration.
Banks that own the trademark on the name to the left of their .com address may be eligible to register the trademark with ICANN’s Trademark Clearinghouse and apply for the .BANK version of that name during the sunrise registration period. According to the registration process timeline, the sunrise period—during which only trademark holders who have registered their bank’s trademark with ICANN’s Trademark Clearinghouse may purchase domains—begins on May 18. Domain registration for founding members of fTLD will be from June 17-23 and general availability registrations will begin on June 24.
Dollar Bank, which is on the Board of Directors of fTLD Registry Services, has been active in the .BANK initiative. According to Al Williams, Dollar Bank’s executive vice president and COO, banks should also monitor the new financial-oriented domains being launched. “We’ve registered probably 20 different domains, either because they’re useful or because we don’t want someone else to register them,” Williams explains.
“We’ve been dealing with domain names as an intellectual property since 1996 when we first registered dollarbank.com,” Williams points out. Dollar Bank currently owns at least a dozen domain names related to its company name. “In the early days of the Internet, companies needed the right domain names to be recognized by search engines used by those looking for a bank. And now, we own several domain names to protect the online world of Dollar Bank from others registering names close to ours.”
Says Johnson, fTLD exists to protect the .BANK domain for the industry to provide highly protective services for banking customers. “At the end of the day, we’re just looking for better ways to serve our customers,” he says. “We will have some measure of success when our customers actually recognize that and will look for the .BANK extension. We will have succeeded when our customers look for the .BANK domain and if they don’t see the .bank extension, and they question whether there’s appropriate security around the communication they’re currently having with the bank.”
Peggy Bresnick is a contributor to the ABA Banking Journal.
Banks that wish to purchase the .BANK domain for their institution can take the following steps:
- Assemble a team within your financial institution, including members from legal, IT and marketing and any outside provider that may run your banking platform.
- Think about intellectual property rights protection, and consider trademarking the name to the left of your .com extension. According to Johnson, most banks currently haven’t trademarked these names. “They can register that trademark within the ICANN clearinghouse, which gives banks not only the ability to dispute anyone attempting to use their name in other domains, but also to participate in the sunrise period, which is about a month before general availability.”
- Consider purchasing related names under financial domains. There will be about 1,500 new domains introduced within the next several years, many seemingly related to financial services and banking activities like .invest, .loan or .mortgage. However, since these domains are not owned or operated by the industry, bank names could be used by cybercriminals with unregulated extensions to reach out to customers on your behalf for nefarious purposes. A bank might choose to defensively purchase its names across all financial services-related domains, like .mortgage and .loan—not because it will actively utilize the extension, but to prevent others from misusing its name.
- Develop a deployment strategy to determine how you’ll use the .com and .BANK extension, when you’d like to roll out a new extension and what you’d like to register. “Every financial institution will be different in terms of how it goes about deployment, and every institution will have its own feel for what it will leave in .com or move over into .BANK, and in the timeline for the deployment process,” Johnson says.
- Consult the fTLD Registry Services LLC website at fTLD.com for updates on .BANK registration, registrars and additional information on policies and requirements.
- Consider contacting a registrar now to determine if you can enter a “pre-screening” process that will set up an account and collect application information early. Orders will still be processed on a first-come, first-served basis after the launch, but much of the application process will be out of the way early.