One of my staff members pointed me to an article by Mikko Hyppönen in Foreign Policy. In this article Mikko argues that a new top level domain (TLD) like .bank for some reason would prevent on-line fraud, at least partially. Mikko seems to be arguing that with a dedicated TLD registry for financial institutions and a fee high enough to act as an entry barrier you would have trustworthy bank domains that would be immune against today’s phishing attempts.
I don’t believe in this for a second. If we decide to ignore the fact that creating a rule-set that would identify all the world’s known financial institutions would be really hard, and the fact that a barrier entry fee would most likely keep developing countries out - a fact that goes counter to all current Internet policy related development - it still can’t be made to work.
First of all, Mikko suggests that $50,000 somehow would deter criminals. I don’t think it will; it just raises the price for production of phishing sites.
Second of all, with the suggested system, a “compromised” domain that managed to get registered under this TLD would be invaluable to the criminals as it would come with automatic trust to the end-users.
Third, without a wider look at security, route monitoring, signed web-sites (why are only the parts of the bank’s web-sites where I do my transactions signed?), DNSSEC etc., any form of validation at the point of registration is more or less meaningless.
No, I think the proposal is trying to reach higher end-user confidence levels through security obfuscation. This will work until the registry gets compromised (and it will), and then the effects are much worse and far-reaching.