The failed plan to bring an added level of accountability to the more risqué neighbourhoods of the net by fixing a .xxx suffix to adult websites was a good idea directed at the wrong industry.

Forget about would-be gangster pornographers. The introduction of a designated triple-X zone may work in the real world, but it’s foolish to think it will keep minors from gaining entry to racy websites. The Internet Corporation for Assigned Names and Numbers, or Icann, the non-profit group that ultimately decides which top level domains are in use, was right to vote it down. Still, it took years to kill off the measure, stealing attention away from more pressing net governance issues such as taking on fraudsters.

For a fiver, anybody can register a domain name that resembles a neighbourhood bank, credit union, PayPal, eBay or some other retailer. Just add a popular high street bank brand – HSBC, Barclays, Natwest, Bank of America – and the words ‘verification’, ‘payment’, or upgrade into one elegant URL, and you are in the increasingly lucrative online fraud game. Scammers do so everyday, no questions asked.

Want to buy a trademarked name and get into the phishing trade? No problem. To any one of the hundreds of domain re-sellers, no identification or verification need be presented. Just a credit card number is all that’s required to begin defrauding unsuspecting consumers.

“I look at this every day,” Mikko Hyppönen, chief research officer at the online security firm F-Secure, says. “Somebody comes onto these domain re-seller sites every day and snaps up PayPal or eBay or a big bank like HSBC and adds the words ‘verification’ or ‘upgrade’. This happens maybe five times a day. It boggles the mind that nobody is doing anything about it, or that a registrar doesn’t even ask if the person can prove he’s from Bank of America.”

This no-questions-asked transaction, not surprisingly, has triggered an alarming amount of online fraud. Apacs, the UK payment processing trade body, reports that 14,000 attempts to snare customers’ bank or credit card details were made using fake websites in 2006, an 800 per cent year-on-year increase.

Mr Hyppönen has a simple solution: create a top-level domain such as .bank or .safe and sell them to reputable banks, credit unions, and perhaps, in the future, retailers. Under such a system – in which an online banking customer at Barclays went to www.barclays.bank, for example – a higher level of accountability would be established. The consumer would have a clear indication that it is, in fact, an authorised bank site they were visiting, not a slick, dressed-up version set up by a scammer.

It’s not a foolproof plan, Mr Hyppönen admits. A canny phisher could set up a re-directing spoof URL, e-mailed to the masses, that appears to carry the dot-bank or dot-safe suffix. But, the chances of pulling off the fraud would greatly diminish as a customer clicking on the legit-looking URL could see that he or she had been directed to a site that ends in some letters other than .bank or .safe. If banks and only banks could secure such a top-level domain, it would help browser makers add layers of defence designed to alert unsuspecting victims that they may not be transacting with their friendly neighbourhood bank.

F-Secure has begun to lobby Icann to take up the long-overdue cause. Whether they heed the calls in a timely fashion (this is Icann, after all) is anybody’s guess. Distributing trademarked domains to the first bidder has created headaches for rights-holders over the years, but in the banking industry, the practice is costing us all. It has given rise to one of the most lucrative scams ever – phishing fraud – that will only grow without some level of regulation.

Controversially, Mr Hyppönen suggests that the dot-bank or dot-safe domain be sold for a good bit more than a fiver. He suggests $500,000 (£254,000). Banks, he says, can afford such a fee, particularly if it means a more secure online banking environment. He also recommends that a single registrar handle the transactions, doling out domain names to banks once they prove they are in fact the high street brand we know, and not some Nigerian scam artist with a poor grasp of grammar.

While it was a misguided effort, the defeated plan to introduce an .xxx domain may prove to be an important milestone in the development of the net. There is need for some select industry-specific regulation of distributing domain names, but the porn industry is no place to start.

---

Bernhard Warner, formerly Reuters' internet correspondent in Europe and senior editor for The Industry Standard Europe, writes about technology, the internet and media industries. He can be reached at techscribe@gmail.com