More On Phishing And Top Level Domains
Further to my posting on top level domains being registered with clear criminal intent (the example I used was paypal.de.com, in 'How to make a phish look real') I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here's his reply in full:
I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.
There are a few issues in your article that concerned me...
1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTlds. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTlds. There are many ccTlds that do not have restrictions and the trend amongst County Code operators is to reduce those restrictions on residency, etc.
The reason for this is that ccTld operators have found that their sales increase when they reduce restrictions. It's a double edged sword; more sales, more potential abuse.
My point however, is this... You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).
2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.
3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).
The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.
4. Finally, we work with a few world renowned brand managers like MarkMonitor.com who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It's a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.
Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.
Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.
Thanks for the comment, Joe. I notice the website in question has been removed.
Comments