Spoof-Proof: Will '.Bank' Domain Build Cyber Trust?

Register now

The American Bankers Association, which initially opposed ".bank" domain names on the Web, is now promoting them as a way to enhance security and trust amid growing cyber risk concerns.

Late last month, an industry consortium that includes the ABA won the job of overseeing .bank. The consortium, fTLD Registry Services, is working to make the suffix an unmistakable signal to consumers that the entity behind a website is a bank.

fTLD said it will let only financial institutions with appropriate charters use the .bank extension, as well as related tech companies like FIS and Fiserv. This requirement is meant to make access much tighter than the widely used .com addresses, which are more easily obtained and theoretically vulnerable to spoofing.

The ABA decided to get ahead of the issue after the Internet Corporation for Assigned Names and Numbers, the governing body for domain names, forged ahead with a plan to auction ".bank" over the trade group's protests. In 2011, the ABA joined forces with the Financial Services Roundtable and other industry members to form fTLD and vie for the authority to operate and govern .bank and .insurance — two of several hundred generic top-level domains, or gTLDs, that were being put up for sale by ICANN.

ABA thought it "was incumbent" on the association to govern those addresses so outsiders couldn't, said Doug Johnson, senior vice president of risk management policy at the trade group.

fTLD said it will contract with several registrars, which will fulfill domain requests for approved financial services applicants.

Craig Schwartz, managing director of fTLD, said .bank will give a financial institution a new way to help consumers trust websites. To license a .bank domain, a company must adhere to 31 standards. For instance, a registry operator must re-evaluate at least semi-annually that the registrant is who he or claims to be, in a bid for better security.

But building trust may take time. The bank extension won't be available for banks to license from fTLD-approved registrars until next summer. The pricing is not yet set, though it's certain to cost financial institutions more than .com domains.

And some banks may have little impetus to get a .bank address. Some banks, like Citigroup and Bank of America, have paid tens of thousands of dollars to apply to the nonprofit to have their name sitting to the right of the dot. (Think ".citi" and ".bofa".) How they would use those URLs remains to be seen. They might just want to prevent others from squatting on the addresses, or for business-to-business communications.

Some banks, however, may not have that personalized option.

The majority of financial institutions' names would fail to pass the requirements spelled out in ICANN's gTLD program, said Naseem Javed, founder of ABC Namebank, a consulting firm that, as its name implies, specializes in corporate branding.

"Bank names around the world are mostly city names or dictionary words, making them dysfunctional in the digital age and social media," Javed said.

A good gTLD should be a short simple name like .canon, he said. A ".PhiladelphiaSavings," for example, would be clunky and do little to promote a bank's brand.

Jim Simpson, a senior vice president and the chief technology officer at City Bank Texas, said it's appealing to have the ABA and Financial Services Roundtable involved in the vetting process as they work to protect the financial services industry and help maintain trust.

City Bank Texas, in Lubbock, will continue to look to acquire domains that will serve the bank's identity and brand, he said. A host of addresses have piqued its interest.

"While .com and to some extent .net are still considered the 'authoritative' naming convention, I think over time, the new TLDs will gain momentum and trust," said Simpson. "The average user has to have a level of trust before the new TLDs become a household item."

The idea of migrating away from the well-known .com addresses has elicited mixed emotions from banking industry members over the years. Some have voiced concerns about consumer confusion opening up security risks while others have worries about marketing costs.

At a recent marketing conference, ABA's Johnson got a warm response when he said the new domain names could be used to send authenticated email to customers, and thus reduce spoofing risks.

"An enhanced opportunity to communicate with people via email: that excites marketers," said Johnson.

In some cases, a .bank address might open the doors for a bank to get a better name.

It would be time-consuming and expensive for a bank to obtain its own top-level domain from ICANN, said Alfred Williams, chief operating officer at Dollar Bank in Pittsburgh and a member of the fTLD's board

"It's not something a bank our size could do on our own," said Williams, whose institution has $6.8 billion in assets.

The fTLD could simplify the process of applying for a .bank domain, among other cost-savers (ICANN's evaluation fee for an application alone was estimated at $185,000 for the first round of new domains). And, Williams envisions a day when consumers, regulators and business partners associate ".bank" with better security.

Dollar Bank plans to make the transition to .bank after seeing the kind of traction other generic top level domains (think .insurance) gain with consumers in the coming months.

"We want to be in the early part of this," he said. "It's not just a defensive posture."

Still, some in the industry have security concerns. Low-tech threats always emerge when a new technology, system or term is introduced to the public, said Al Pascual, senior analyst of fraud and security at Javelin Research & Strategy.

"One of my most immediate concerns would be phishing," said Pascual. "Alternative domains [to .com] are still relatively unpopular, which will lead to phishing attempts synchronized with banks' efforts to get the word out on their new .bank sites."

For reprint and licensing requests for this article, click here.