Mikko has responded to the criticism leveled at his idea to make financial institutions pay $50,000 per .bank domain name.
On this very weblog, I raised an issue with his proposal that he addresses in that response. Now if you recall, I wasn’t necessarily against the idea of a .whatever domain, but thought that the hefty price tag was unnecessary. Banks tend to be regulated, so there must be some body that could oversee the domain to make sure that a .bank domain didn’t get in the wrong hands. Mikko, apparently not willing to accept any critique of his vision, writes in his rebuttal:
Small banks and/or credit unions couldn’t afford it.
Small banks are not currently the ones losing the most money. It’s the big banks. And the domain doesn’t have to be “.bank” literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for “big players” that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn’t a traditional bank but they certainly do get phished. They might want to have a secured TLD for account access.
Um, OK. So we’re going to exclude regional F.I.’s and create a Banking Caste System
So if this .bank idea is adopted and works (I know, .bank a bad idea for other reasons, bear with me), wouldn’t we then be driving the bad guys to the F.I.’s that can’t afford to protect themselves as well as larger F.I.’s can? Wouldn’t the bad guys go for the “low hanging fruit”? In other words, if the big F.I.’s are protected, won’t the attacks then drop to the next most valuable targets that necessitate the least amount of effort? You know, the banks and credit unions that *can’t* afford big dollar security controls?
But Guess What? It’s Too Expensive For Big Banks, Too!
I am kind of starting to object to this whole notion of “big companies can afford $50,000”, anyhow. It is either a “stick it to big business” sentimentality, or the idea just hasn’t been thought through well enough.
For example: Do you have any idea how many domains a Fortune 500 F.I. has? Well, it’s a small sample size, but I know of one that has, oh, 3,000. So yeah, even for a big company $150 million is a little much for a control that has limited real value.
Mikko, no doubt you’re brilliant, and F-Secure is a really great company. But we all have clunkers for ideas every so often. This idea is a clunker.

(via RiskAnalys.is) May 22, 2007, 2:13pm