Mikko Hyppönen responds to FP readers

One of the essays in FP's 21 Solutions to Save the World package that has attracted the most attention online is Mikko Hyppönen's solution for preventing the growing problem of online banking fraud, specifically the "phishing" technique of luring trusting users to fake bank websites and then stealing their information. Hyppönen proposes to create a special Web domain just for banks, and make securing such a domain so costly and difficult that only genuine banks would be able to obtain one. I asked Hyppönen, who is chief research officer at F-Secure, to respond to critics of his idea. Here is his response.
Hyppönen: We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. We've received lots of questions and just plain criticism over the whole idea—most notably, from Larry Seltzer in his prominent blog.
So let me collect the most typical challenges to the idea, and answer them in turn.
New top-level domain will not solve the phishing problem once and for all, so it's not even worth considering.
This is not a silver bullet. A new top-level domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.
But .com works just fine!
Today, anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?
Phishers could still create realistic-looking fake domains. For example, a look-alike for www.citi.bank could be www.citi.bank.account.yadayada.com.
Yes, phishers would still be able to do this; this new TLD would not be able to do anything to stop this problem.
People are stupid and would not notice such a new address scheme.
The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.
What about security researchers?
A .bank domain would make life easier for security researchers to figure out which sites are not phishing sites. This really isn't as obvious as it sounds, as banks themselves use tons of different domains. We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.
Small banks and/or credit unions couldn't afford it.
Small banks are not currently the ones losing the most money. It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank, but they certainly do get phished. They might want to have a secured TLD for account access.
Organized online criminals could afford to buy .bank domains for $50,000.
Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.
Extended Validation (EV) certificates largely address the same issues.
These new high-security web certificates are a good idea, and we recommend them too. However, a secure top-level domain would still be a good idea: It would authenticate the domain as trusted by the name alone. There's no way to know if a site has a high-security certificate without visiting it.
Banks don't deserve their own domain.
We already have a TLD for museums (.museum) and airlines (.aero). Isn't it a bit odd we don't have one for banks? Even though they are the ones that get attacked all the time?
Would this be a global domain?
Probably. Then again, nothing prevents local governments from setting up domains like .bank.uk, .bank.jp, .bank.au in their own jurisdictions.
Would it work?
There are no rogue sites on .gov domain names. Why not? Because you can only get a .gov domain if you really are a US governmental organization. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verification steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.
OK, I'm convinced. What's next?
This initiative won't move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.
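Two of the points above, the look-alike domain www.citi.bank.account.yadayada.com and the idea that a trusted TLD gives security software a "white list" to work with, come down to how the software decides which TLD a URL actually belongs to. The example below is added here and is not code from the post, from Hyppönen or from F-Secure. It assumes a hypothetical set of trusted TLDs (.bank, .safe, .account; none of these is a real trust-verified zone) and contrasts a naive substring check, which the look-alike and a userinfo trick both fool, with a check that parses the host and looks only at its last label.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption for this example: the TLDs the post proposes, treated as if a
# registry only issued them to verified banks and payment providers.
TRUSTED_TLDS = frozenset({"bank", "safe", "account"})


def naive_looks_trusted(url: str) -> bool:
    """The check a careless toolbar might do: is '.bank' anywhere in the URL?"""
    lowered = url.lower()
    return any(f".{tld}" in lowered for tld in TRUSTED_TLDS)


def host_tld(url: str) -> Optional[str]:
    """Return the last DNS label of the URL's host, or None if there is no usable host.

    urlsplit().hostname strips the scheme, any user:pass@ prefix and the port,
    and lowercases the result, so 'https://www.citi.bank@evil.com/' yields 'evil.com'.
    """
    host = urlsplit(url.strip()).hostname
    if not host:
        return None
    host = host.rstrip(".")  # 'www.citi.bank.' names the same host as 'www.citi.bank'
    if ":" in host or host.replace(".", "").isdigit():
        return None  # IPv6 or IPv4 literal: there is no TLD to trust
    labels = host.split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        return None
    return labels[-1]


def whitelist_trusted(url: str) -> bool:
    """The check a trusted-TLD white list enables: trust only if the host's own TLD is listed."""
    return host_tld(url) in TRUSTED_TLDS


def audit(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """Compare both checks over a batch of URLs: (url, naive verdict, whitelist verdict)."""
    return [(u, naive_looks_trusted(u), whitelist_trusted(u)) for u in urls]


# Constructed sample URLs; the first mirrors the post's look-alike, the rest are
# other ways a phisher could put '.bank' somewhere in a URL without owning it.
SAMPLE_URLS = [
    "https://www.citi.bank/login",                         # genuine host under the trusted TLD
    "https://www.citi.bank.account.yadayada.com/login",    # the post's look-alike
    "https://www.citi.bank@evil.com/login",                # userinfo trick: real host is evil.com
    "https://citi.bank-secure.com/login",                  # '.bank' inside a .com label
    "https://WWW.CITI.BANK./login",                        # case and trailing dot do not matter
    "https://198.51.100.7/citi.bank/login",                # IP literal with '.bank' in the path
]

if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLE_URLS):
        print(f"{url:55} naive={naive!s:5} whitelist={strict}")
```

The naive check flags five of the six samples as trusted and the whitelist check flags only the first and the fifth, which is the point of the argument: the list is only useful to software that first isolates the host and its real TLD. Note that a tool deployed for real would also reject hosts whose labels are not valid DNS labels and would decode IDN (punycode) hosts before comparing.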