For the second time in less than six months, criminals have registered domain names which have enabled them to fraudulently represent themselves as UK bank LloydsTSB.

The domain ukloydstsb.co.uk has been registered and apparently active for almost a year. It is currently being used in a large-scale phishing attack on customers of the UK's largest retail bank.

In July, another attack used the name "account-lloydstsb.com."

In November 2011, Nominet, the UK's lead domain name issuer, announced that it intended to adopt strong powers to allow it to respond quickly and effectively in such cases: it announced that it intended to change its policy in cases where "domain names [are] used in connection with criminal activity."

The plan, developed in conjunction with the UK's Serious and Organised Crime Agency, would allow Nominet to simply block access to websites used for criminal purposes, even those hosted outside the UK. The police have been focussed on websites that generate profits for organised crime, including the selling of counterfeit goods. But the security and credibility of the financial sector is of major importance to the UK economy, which is now almost totally dependent on services of one sort or another.

But there are strong objections to the Nominet/SOCA scheme with internet libertarians arguing that domains should be taken down only if there is a Court Order.

There is merit in that view where there is some argument as to the site. In the case of counterfeit goods, that merit has strength.

But there is no merit in arguing that a domain created for the sole and obvious purpose of defrauding customers and of allowing unauthorised access into accounts at banks should be allowed.

This is not, for example, the same as where hackers have found an insecure directory and inserted their own web pages - by far the most common device used by phishing scammers. In that case, taking down a domain without warning could cause considerable harm to the owner and, ironically, because the domain is down, e-mails explaining why it is down would not be delivered.

Those opposed to the Nominet / SOCA plan include LINX, an IP network providers' group. It is difficult to understand their opposition: the taking down of fraudulent or other criminal sites with speed and brutality would reduce the effectiveness of spamming and that, surely, has to be in the interests of all internet users and service providers.

The Open Rights Group argues a position under the EU's Human Rights legislation, saying that "an open, fair and public hearing by an independent tribunal" should be given.

Actually, the solution is legally simple: those rights can be contracted out of by converting the use of domain names from ownership to a form of licence. That would have the additional advantage of removing much value from domain names which are often used to inflate the balance sheets of businesses.

Also, it is a simple matter for the power to suspend (as distinct from kill) a domain to reside in an approved authority - be it Nominet or the police in the form of SOCA or otherwise. There just needs to be an appeals process. In a parallel from the USA, where a person is found to be in possession of a substantial amount of cash, it can be seized on suspicion that it is related to crime. The person from whom it is seized can apply to have it returned on proof that it is not related to crime. Such applications are made in considerably less than 50% of cases.

In the case of obviously fraudulent domains, there is little likelihood that anyone will apply to have the domain restored.

But there is another solution for which the technology also exists - and also draws on the fight against financial crime and, in particular, money laundering.

It would be a relatively simple matter for domain registrars (at the top level, not at individual registrar level) to apply name-matching software. Any name that conflicts could be blocked at the registration stage. At its simplest, there is no legitimate reason for anyone that is not LloydsTSB to be registering a domain name containing that expression.
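The screening described above can be sketched as follows. This is an added example, not code from Nominet or any registry; the protected-name list, the one-edit tolerance and the `verified_owner` parameter are assumptions. It shows that a plain "contains the expression" test catches account-lloydstsb.com but misses ukloydstsb.co.uk, which drops one "l", so a near-match check is needed as well.

```python
# Added example: registry-side screening of new domain registrations.
PROTECTED_NAMES = ["lloydstsb"]   # assumption: a list supplied by brand owners
MAX_EDITS = 1                     # assumption: tolerance for near-miss spellings


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lower-case the left-most label and drop hyphens."""
    return domain.lower().strip(".").split(".")[0].replace("-", "")


def near_match(label, name):
    """True if any window of the label is within MAX_EDITS of the name."""
    for size in range(len(name) - MAX_EDITS, len(name) + MAX_EDITS + 1):
        for start in range(max(len(label) - size + 1, 0)):
            if edit_distance(label[start:start + size], name) <= MAX_EDITS:
                return True
    return False


def screen(domain, verified_owner=None):
    """Return (verdict, matched_name): 'block', 'review' or 'allow'."""
    label = normalise(domain)
    for name in PROTECTED_NAMES:
        if verified_owner == name:
            continue                      # the name's owner may register it
        if name in label:
            return "block", name          # contains the protected expression
        if near_match(label, name):
            return "review", name         # misspelling: hold for a human
    return "allow", None


if __name__ == "__main__":
    for d in ["account-lloydstsb.com", "ukloydstsb.co.uk", "example-bakery.co.uk"]:
        print(d, screen(d))               # third domain is a constructed sample
```

Short protected names produce many near matches under an edit-distance test, which is why near misses are held for review here instead of being blocked outright.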

As a second line of defence, the opponents argued that there should be a two-speed system: a fast-track for urgent cases and obvious fraud and another for cases where evidence should be sought.

That, it is here argued, is right. A phishing scam happens within 36 to 48 hours. A counterfeit products site takes weeks or even months to gain critical mass. However, there are cases that fall in between where the internet site is set up to sell a product which may or may not be authentic and may or may not be delivered but the ultimate aim is to obtain credit card information. Those are promoted by spam and also have a useful life of about 36 to 48 hours.

However, in the case where the "landing page" for the phishing, etc. e-mail is in an insecure directory of a legitimate domain the situation is much more complex. Usually, the landing page is nothing more than a redirection to another site where the data is actually collected. It is, therefore, that other site that has to be taken down. But often the second site is not identified by a domain name but simply by an IP address.
