In part two of The [Dot] Brand Tribes we argued that introducing new branded generic Top-Level Domains (gTLDs) would bring value to brand owners and have positive effects on customer recognition. In this last post we’ll continue that theme and talk about how brand owners can come together to provide shared spaces using the banking industry as an example.
The digital age has provided both banks and consumers with new opportunities to create relationships and entanglements beyond the traditional high street branch. Money is now electronic. We save time by paying bills online, trading stocks, checking balances all from our computers or mobile devices. Banks save money on physical locations and create new products and innovative services that add to their bottom line. It is a win-win. But there is risk.
I’m not talking about the banking practices of certain institutions with our money, which I am no expert in. I’m talking about the risk faced online. Most commonly this risk is called “identity theft” which is enabled by a practice (amongst others) called “phishing”.
Phishing is big business. The modern day equivalent of stealing your credit card from your pocket, it has become a worldwide financial concern. The Anti Phishing Working Group (APWG) in a study of attacks during the 1st half of 2009 stated that phishing “remains a dangerous criminal activity involving great losses of money and personal data”. Domain names and the domain name system are intrinsically linked to phishing. The study suggests that phishing attacks in the 1st half of 2009 came from over 170 individual TLDs, with malicious registrations in 57 TLDs and the majority of those in just the 5 top TLDs. 3.6% of malicious registrations contained a brand or variation of a brand. Most concerning was that the majority of attacks came from hijacked domain names where the owner was almost always unaware of the activity.
The banking industry has come together over the past few years and made considerable strides to reduce the volume of phishing attacks in order to stem the loss of consumer confidence in online banking. Along with marketing and education, technology has helped. SSL encryption has secured the flow of information. Tokens allow only the right people to gain access; passwords and CAPTCHA have limited hacking. Even browsers are now designed to flag suspicious sites. However, criminals are innovative, technology is cheap and, because of the potential ROI, they are often well funded. So what are the next steps for financial institutions when it comes to protecting consumers and ultimately their ability to make money?
I believe that new gTLDs will be able to help banks. As previously discussed, a Dot Brand TLD for an institution such as HSBC (and for that matter all top brands) will promote the brand but it will also protect it. Combined with existing authentication technology and controls, the ownership of their own TLD registry will allow banks to control all interactions online between themselves and their customers. As discussed in previous posts it will take education, adoption and commitment. But in the long run it will be a win-win.
Think of the following slogan “If it’s not a [dot] HSBC it’s not [dot] Safe”. Now consider the opportunities.
Product Domains – www.checking.hsbc
Location Domains – www.hongkong.hsbc
Marketing Domains – www.theworldslocalbank.hsbc
Your tribe needs the ultimate battlements and this gives you that, a moat, bows and arrows, and even a wizard. Maybe even think a little outside of the box and consider account number domain names. What if customers were given their own banking URL with their account number (e.g. www.45869302.hsbc)? This would directly navigate to a secure login for their account. Am I blowing your mind yet?
What about the idea of coming together for a common goal to fight identity theft? Remember we are only as strong as the sum of our parts. We’ve seen this work well in the .mobi extension, where global telecommunications companies came together to back an innovative solution to mobile browsing. Together you can cultivate, share ideas and innovate. Bringing .bank, for example, to the domain space gives you the ability to control the security policies and innovations as a group. Here are some examples:
www.hsbc.bank
www.citi.bank
... you get the idea.
Now think “If it’s not [dot] bank it’s not [dot] safe”. Having control allows you to implement the highest levels of security, create dedicated spaces and protect your tribes. Stringent rules and criteria will promote trust among customers. Of course the naysayers will no doubt shout that “criminals will find a way past this!” Maybe, but at least it will be on your playing field, and remember: if we don’t innovate, we die.
These will not suit all sectors, but some are ideally suited to this. Remember that tribes that came together became empires. In the next series of posts we’ll discuss some ideas for prospective TLD applicants to consider.
You’re pitching this as something to do with security? Security theatre, perhaps—a song and dance of men in uniform to give the impression that things are being secured—but actual security, no.
Here’s why.
I will concede that a top level domain can impose restrictions on membership. The effectiveness of this will vary with the diligence and practices of the registry (“.pro” serves as a poor example), but given the right constituency and incentives, the membership can include and exclude appropriately. In short, you can (in principle) have a “.bank” under which all the second level names represent bona fide banks. So far, so good.
In order for this to translate into any kind of net security gain, however, two conditions must apply. First, the domain name must represent a significant point of attack. There’s no immediate gain in strengthening a point that’s not being attacked to a significant degree. Second, the change to the domain name must result in a net improvement. In this case, that means that the end users must demonstrate a greater ability to recognise “hsbc.bank” over its fraudulent alternatives than they already do for “hsbc.com”. The overall effectiveness of the scheme is the product of these two factors, so if 10% of attacks rely on a confusingly similar domain name, and a “.bank” TLD results in 10% less confusion than “.com”, you can achieve a 1% overall reduction in successful phishing incidents against customers of banks.
I don’t have any reliable figures to hand to fill in these gaps—but neither do you. Can you quantify the security benefits of your proposal by gathering some current data? Your gut feel for the matter is one of optimism; mine is one of scepticism. Even back in 2006 or so when “rockphish” was state of the art and confusingly similar domain names were in vogue, they were using domain names like “hsbc.com.blah.blah.blah” with some effectiveness. They could have done the same for “hsbc.bank” with equal ease. I can see no reason to think that “.bank” would improve end-user detection of the fraud at all in these conditions. Furthermore, the importance of domain names has waned. Today’s threats don’t pretend to be your bank—any lure will do. It’s still phishing of a sort, but not the kind that is relevant to “.bank”.
Can you quantify the anticipated benefits of “.bank” using real-world data, or is it just a security theatre song and dance?
As for the marketing possibilities presented by “.bank”, I note that “45869302.hsbc.com” and “hsbc.com/45869302” are every bit as simple to implement as “www.45869302.hsbc”, but I don’t profess to know which is the more attractive from a marketing perspective. Subjectively, I think I’d rather put the account number on the right hand side of the slash, keeping it out of the domain name. My preferences are no substitute for a market survey, however.
Thank you for taking the time to write such a lengthy and interesting response; it is very much appreciated. I am glad my ideas provoke a reaction even from people who live in the realm of "skepticism". I hope those that might be interested in introducing the .bank extension read your comments. I am sure they will find them useful in putting on their song and dance.
The “marketing types” at banks have not always helped matters, with their insistence on using all sorts of cutesy domains instead of sticking to consistent use of the main domain of the bank. Citibank doesn’t just use citibank.com, but has a whole profusion of other domains, some of which (citi.com, citicards.com, etc.) have “citi” in them, and others (accountonline.com) that don’t. Hence, even savvy consumers can’t always be sure which domains are legitimate and which are “phishers”. If they made a rigorous practice of using only citibank.com (and subdomains of it like cards.citibank.com, etc.), then people would be able to be educated about what addresses can be trusted.
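The hostname point raised in the comments above, as an added example (not part of the original post or its comments): ownership of a DNS name is decided by its rightmost labels, so a trust check has to compare whole labels from the right. The allowlist, brand labels and sample hostnames below are constructed for illustration.

```python
# Added example: label-wise hostname check (assumed policy, not a bank's own).
# TRUSTED_BASES is a hypothetical allowlist built from names in the thread.
TRUSTED_BASES = {"hsbc.com", "citibank.com"}
BRAND_LABELS = {"hsbc", "citibank", "citi"}

# Constructed sample hostnames; ".example" is a reserved TLD.
SAMPLE_HOSTS = [
    "hsbc.com",
    "cards.citibank.com",
    "HSBC.com.",                   # mixed case with trailing root dot
    "hsbc.com.blah.blah.example",  # brand on the left, owner on the right
    "hsbc.bank.blah.example",      # same pattern applied to a ".bank" name
    "nothsbc.com",                 # shares characters, not labels
    "accountonline.com",           # no brand label, not on the allowlist
]


def normalize(host: str) -> list[str]:
    """Lowercase, drop a trailing root dot, and split into DNS labels."""
    return host.strip().lower().rstrip(".").split(".")


def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    labels = normalize(host)
    for base in TRUSTED_BASES:
        base_labels = base.split(".")
        # Whole-label comparison from the right: 'nothsbc.com' must not
        # match 'hsbc.com', and 'hsbc.com.x.example' belongs to 'x.example'.
        if labels[-len(base_labels):] == base_labels:
            return "trusted"
    # A brand label somewhere in a name that is not under a trusted base.
    if any(label in BRAND_LABELS for label in labels):
        return "lookalike"
    # Nothing to go on: a strict rule cannot vouch for this name.
    return "unknown"


def classify_all(hosts: list[str]) -> dict[str, str]:
    """Classify each hostname, keyed by the original string."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLE_HOSTS).items():
        print(f"{verdict:10} {name}")
```

A name such as accountonline.com comes back as unknown: a rule keyed on one main domain cannot vouch for a domain that sits outside it.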