By Paul Benda
A key component of any bank’s cybersecurity posture is securing your bank’s domain name. Your domain is where your customers engage and transact with you online, making it critical that you remain in full control over it and that you do everything you can to ensure customers aren’t duped into engaging fraudulent domains acting as your bank.Domain name security is such an important priority that ABA invested in the creation of the .bank top-level domain—carving out a piece of the internet to be used exclusively by banks, preventing bad actors from having access to domains for use in cyberattacks. (Thanks to the expert-developed .bank security requirements, banks using a .bank domain employ several additional layers of cybersecurity to enhance the protection the domain provides.)
But regardless of what domain your bank uses, ensuring it’s secure is critical. Here are seven top domain name security measures—measures that overlap with the .bank security requirements—that ABA recommends banks have in place. These measures can prevent access to, and abuse of, websites, online banking tools and email systems—the same way you have security measures preventing and monitoring unauthorized access to your bank and areas within it.
1. DNSSEC. DNS is like a phone book for the internet. It has a list of site names (for example, Google.com, CNN.com, or MyBank.com) and their corresponding IP addresses. DNSSEC uses something called digital signatures to ensure that the list of names and numbers is accurate by preventing unauthorized changes to them. This is a critical measure that ensures customers visiting your URL arrive at your site and aren’t redirected to a spoofed website controlled by hackers. These spoofed websites, designed to look like real bank websites, are used for credential harvesting, where customers attempt to log in with their usernames and passwords giving the hackers credentials to their real bank account.
2. Email authentication (SPF, DKIM and DMARC records). Authentication ensures the legitimacy of emails by authenticating the sender and confirming the email was not altered during transit. As more internet service providers and receiving mailboxes adopt stricter policies to protect their customers, senders without authentication will see difficulties with inbox placement and may find themselves and their customers at risk of phishing attacks. SPF is a whitelist of who can send email as your bank (for example, employees, cores and marketing platforms). DKIM adds an encrypted signature to every outbound email enabling email receivers to confirm the email was sent by you and that its content was not altered while in transit. And finally, DMARC is instructions for email receivers (Outlook, Gmail) on what to do with emails from senders not approved in your SPF record or that fail DKIM authentication. (Without DMARC instructions, most malicious emails will be delivered.)
Proper email authentication prevents phishing and email spoofing by ensuring only your bank and those you authorize can send emails as your organization. Email authentication also protects your email against tampering while in transit to the receiver via encryption. And authentication improves deliverability, since all leading email receivers detect the SPF and DKIM records of any incoming message as a feature. If you send an email without authentication protocols, there’s a good chance your users will find your messages in their spam. Properly authenticating emails enhances your sender reputation among email receivers and ISPs, reducing the number of messages labeled as spam and lowering email bounce rates.
3. TLS certificates. TLS, previously known as SSL, is a security protocol that encrypts data transmitted between a website and visitors’ devices. By installing an TLS certificate, organizations can help protect against eavesdropping and tampering.
5. Monitor DNS activity. Regularly monitoring DNS activity, via DNS logs and network monitoring tools, can help detect and respond to potential threats in a timely manner.
6. Use a reputable DNS provider. Choosing a reputable DNS provider can help ensure that DNS records are managed securely and that the provider has the necessary security measures in place to protect against cyber threats.
7. Use Registry Lock. This service (which is available for .bank domains) can prevent unauthorized DNS record updates (used to redirect website traffic or grant permission for the hacker to send email as your bank), unauthorized transfer of your domain to a new owner or registrar, or the deletion of your domain entirely. All requested changes require your registrar to request the domain to be unlocked by the registry, forcing a manual verification of the changes by the registry with the authorized registrant and ensuring that only authorized personnel are ever able to make domain and DNS changes.
Each of these steps—drawn from cybersecurity experts and overlapping with the security requirements that help make .bank domains secure—is part of a multilayered strategy to secure your bank’s online banking transactions and communications with customers.
Paul Benda is SVP for operational risk and cybersecurity at ABA.
