By Craig Schwartz
The domain name system — .com, .org, .net and more — is the framework on which the internet is built. It creates single, unique identifiers so that you don’t end up with two competing Amazon.coms.
These domains are run by registry operators, which then work with registrars for individuals and companies to purchase those domains. Some domains, like the best-known .com, are public domains where anyone can buy an address. Others, like fTLD Registry Services, which operates .bank and .insurance, set standards for which entities can register a domain.
With public domains like .com, anyone can go to a registrar like GoDaddy and register any domain that they want and in a matter of minutes set up a website, set up email and do whatever they want with it.
Let’s say there’s a bank called Pine Creek Bank — the fictional bank ABA uses in its #BanksNeverAskThat campaign. I register a domain with an extra “e” on the end. I can copy Pine Creek’s original bank website. I can copy their emails, and I can pretend to be the bank and say, “Hey, submit your credentials here.”
Website spoofing happens all the time. One way to fight back against it is to use a top-level domain whose registrations are controlled. Spoofing doesn’t happen in .bank because of the controls that we have in place. Public domain registry operators may not even take down a spoofed website unless they get a court order.
Two key pillars that make .bank better are the verification that we do before we give out domain names, and the annual reverification and the security requirements that mandate and monitor daily for compliance. When you combine verification, security requirements and monitoring, it becomes a domain that can be trusted.
One of the controls we require and monitor is email authentication. It lets email service providers like Google and Microsoft know that when an email is purporting to come from the real deal — from a bank name — it does a check. If it passes the check, it delivers the email. We monitor daily to make sure that those controls are complied with, and if a bank is not doing something properly, we will contact it and work on a plan to get it into compliance.
fTLD Registry Services launched 10 years ago, and we have about 19% of U.S. banks online right now. We see anywhere from six to eight banks every month switching to .bank.
There’s an educational component that banks need to do when they switch to .bank. Banks that have moved recently will put a banner on the top of their website and redirect their .com domain to their new .bank site. That redirect also preserves a bank’s search engine optimization.
Learn about accessing a bank domain at register.bank.
Craig Schwartz is president of fTLD Registry Services. This article was adapted from a recent episode of the ABA Fraudcast.
