Authentication, Fraud, Phishing

How '.bank' Improves Email Authentication
Experts Explain Ancillary Benefits of the New TLD
Dave Jevans, Doug Johnson and Craig Schwartz

Adoption of ".bank", the financial services top-level domain, can help ensure banking websites are not easily compromised or spoofed, backers say. But the new TLD also is setting the stage for ancillary benefits, such as enhanced email authentication capabilities, say Dave Jevans of the Anti-Phishing Working Group, Craig Schwartz of fTLD Registry Services and Doug Johnson of the American Bankers Association.

In this second part of an interview with Information Security Media Group about the recent rollout of the .bank TLD, Jevans, Schwartz and Johnson explain why stronger email authentication could improve communications between banking institutions and their customers, between banking institutions and regulators, as well as among banking institutions.

"We're very happy that the .bank TLD is going to be requiring various forms of email authentication," says Jevans, co-founder and chairman of the APWG, which recently found that many other top-level domains are not only susceptible to fraud, but also are easily spoofed (see Phishing Campaigns Harder to Mitigate).

Jevans says .bank is "leading the charge" on enhanced email security. But until all email senders and receivers implement similar authentication controls, the banking industry won't be able to reap the benefits of the enhanced email authentication baked into .bank, he says.

Johnson, who oversees cybersecurity efforts for the ABA, says C-level executives at banks throughout the country are asking questions about how they can best utilize the .bank TLD.

The .bank TLD "provides a more secure level of communication with our customers, between financial institutions and between financial institutions and the regulatory community. ... And CEOs are asking questions about email and site spoofing, and how they are going to be able to integrate their core processors into the process as well," Johnson says.

As a result, fTLD Registry Services is developing an implementation guide for .bank, he adds.

During this interview, Jevans, Schwartz and Johnson also discuss:

  • How Architelos, a firm hired by fTLD Registry Services to perform analysis of .bank activity, is working to ensure security;
  • Why they believe bank brand protections under .bank are superior to other TLDs; and
  • Incentives the ABA and fTLD Registry Services are offering to banks that are early adopters of .bank.

In part one of the interview, Schwartz and Johnson explained the stringent vetting process required for registration of the .bank domain.

Jevans, who also serves as chief technology officer of mobile security firm Marble Security, has 20 years of experience in Internet security. His previous positions include senior management roles at Tumbleweed Communications, Valicert, Teros, Differential and Iron Key. While serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy.

Schwartz is the managing director of fTLD Registry Services, which was chartered to oversee the security and trust of TLDs. He is responsible for developing the organization's strategic response to ICANN's generic Top-Level Domains Program and leads the team in achieving fTLD's mission and objectives. Schwartz previously spent five years with ICANN, where he served as chief gTLD Registry Liaison.

Johnson leads the ABA's enterprise risk, physical security, cybersecurity, business continuity and resiliency policy and fraud deterrence efforts. He represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues.



