In an era of ever more-integrated online banking, financial institutions have a security problem. Con artists have been trolling for vulnerable account holders through phishing and site-spoofing since the start of online banking. These issues have persisted over time with hacking and unauthorized access to clients’ account information occurring frequently enough that bolstering security is always at the top of banks’ to-do lists. Efforts to make online account access more secure have included various forms of two-factor authentication (e.g., B of A’s SiteKey and Chase’s Identification Code), along with the addition of security Information to email messages to alert clients that the email is legitimate. These features have helped protect clients from hackers and educate them about popular scams but security issues remain a concern.
Chase Identification Code Verification
As reported recently in the Wall Street Journal, one of the newest fronts in the war against scammers is dedicated Internet domain extensions. The new extensions, which the Internet Corp. for Assigned Names and Numbers is currently considering, would enable banks to assign firm-based endings to their web addresses, such as dot-citi (.citi) or dot-amex. The approval of such extensions would mark a major departure for the web as a whole, as traditional .gov, .edu, and .com address endings continue to dominate (at least in the U.S. market).
The idea behind these new extensions is that ID thieves will find it more difficult (if not impossible) to fake a site address that has a dedicated domain extension. For example, con men currently create knock off sites to prey on unsuspecting card users through misspellings of traditional banking sites, like www.capitolone.com. With the introduction of these new extensions, online banking users will be provided with an easy way to check for the legitimacy of a private site login page.
The potential of this new anti-fraud solution seems to have attracted attention from most of the big banking and credit card companies. Most of the major banks, with the notable exception of Wells Fargo, have submitted a registration request to the non-profit company that regulates internet naming conventions.
While more security in online banking is almost always a good thing, one aspect of the new web address extension plan falls outside of the banks’ control: the attentiveness of account holders. For spoof sites to lose their bite, and phishing in general to pose a smaller risk to accounts, banks need their users to pay more attention to the site addresses they are visiting.
Considering that a surprising portion of online users still believe that they have received an email from a Nigerian prince in need of help transferring money, it is important that firms educate clients about the new web address changes and encourage them to be diligent online. Without proper education, the new site extensions and the subsequent rebranding of banking sites, may end up being more of a marketing initiative for tougher security measures than a genuine enhancement in the security users enjoy online.