Proposed expansion of top-level domains generates security concerns

Financial industry worried that ICANN plan could mislead consumers and lead to more cybersquatting and phishing attacks.

A plan by Internet policymakers to expand the number of generic top-level domains (gTLDs) has generated concern in the financial industry over the security and trademark protection implications of a slew of new Internet domains.

The Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit that coordinates the Internet's addressing system, is working to expand the number of gTLDs (.com, .org, .edu) from 21 to potentially hundreds. They could include industry sectors like .bank, places such as .paris, company names or sport franchises. According to ICANN, the expansion will bring more innovation and choice to the Internet's addressing system.

But the program, which ICANN has been planning for more than three years and hopes to launch next year, has been controversial, with a range of business groups expressing concern about trademark protection and the potential for malicious conduct like phishing attacks. In the financial sector, the concern has been acute, with the American Bankers Association (ABA), Bank of America Corp. and the Securities Industry and Financial Markets Association among those filing objections with ICANN.

Financial institutions "should be very concerned because new top-level domains introduce a huge opportunity for cybersquatting and consumer confusion that could advance the fraud committed against their customers, like phishing," said Fred Felman, chief marketing officer at San Francisco-based brand protection company MarkMonitor Inc.

Financial industry representatives have argued, in their filings with ICANN, that financial-related gTLDs -- if created without necessary security -- would give financial customers a false sense of security. They also said such gTLDs could lead to consumer confusion and more fraud while making it nearly cost-prohibitive for financial institutions to protect their brands and trademarks online.

BITS, a division of the Financial Services Roundtable, has joined with other financial-industry organizations, such as the ABA, to work with ICANN on the industry's concerns with gTLD expansion, said Paul Smocer, vice president of security at BITS.

"Our primary concern, assuming ICANN moves forward with the application process, which we expect it will, is that any global TLD to offer financial services be as secure, stable and resilient as possible," he said.

In an April 13 letter to ICANN, BITS suggested several requirements for financially oriented domains, including the use of DNS Security Extensions and minimum authentication. The organization also suggested controls over registry operators and registrars such as criminal background checks and approval by the financial community, and controls over registrants within financially oriented domains such as approval by an in-country financial regulator.

"Ultimately, we're trying to protect the public, our members and our members' customers," Smocer said.

He added that ICANN has been cooperative and "very interested in understanding what the financial-services industry's needs are." Some of the financial industry's interests may be shared by other industries with high security needs, such as energy, Smocer said.

ICANN is considering proposals that could assuage trademark protection and domain name abuse concerns. The proposals, developed by a committee of intellectual property legal experts and corporations, include the creation of a central database of trademarked names called an IP Clearinghouse, a Globally Protected Marks List, and a streamlined procedure for companies to stop the operation of a cybersquatting site.

Financial institutions spend a lot of money buying domains to protect their names and trademarks against common misspellings, noted Andrew M. Baer, an attorney and founder of Philadelphia-based Baer Business Law, LLC.

"Cybersquatting and phishing activities using URLs that incorporate financial institutions' trademarks or common misspellings are a frequent occurrence and a legitimate source for concern," he said. "I agree with the trademark owners who want to see ICANN build in some sort of upfront protection for trademark owners, such as blocking the use of trademarks or common misspellings in URLs under the new gTLDs, except where the URLs are being acquired by the trademark owners."

ICANN has been holding public meetings this summer in various cities to focus on the issues of trademark protection and the potential for abusive conduct with the new gTLDs. The next version of ICANN's guidebook for new gTLD applicants is due in September.
