By Paul Benda
A key component of any bank's cybersecurity posture is securing your bank's domain name. Your domain is where your customers interact and transact with you online, so it's critical that you maintain full control over it and do everything you can to ensure that customers aren't tricked into interacting with fraudulent domains that impersonate your bank.
Domain name security is such a high priority that ABA invested in creating the .bank top-level domain: a part of the Internet reserved for the exclusive use of banks, preventing bad actors from obtaining domains for use in cyberattacks. (Thanks to the expertly developed .bank security requirements, banks using a .bank domain employ several additional layers of cybersecurity that enhance the protection the domain itself provides.)
But no matter what domain your bank uses, ensuring it is secure is critical. Here are seven main domain name security measures, overlapping with the .bank security requirements, that ABA recommends banks implement. These measures can prevent access to and abuse of websites, online banking tools and email systems, in the same way that the security measures you already have in place prevent and control unauthorized access to your bank and the areas within it.
1. DNSSEC. DNS is like a phone book for the Internet. It has a list of site names (for example, Google.com, CNN.com, or MyBank.com) and their corresponding IP addresses. DNSSEC uses digital signatures to ensure that the list of names and numbers is accurate by preventing unauthorized changes to it. This is an essential measure that ensures that customers who visit your URL land on your site and are not redirected to a fake website controlled by hackers. Designed to look like real bank websites, these spoofed sites are used for credential harvesting: customers try to log in with their usernames and passwords, handing hackers their account credentials.
2. Email authentication (SPF, DKIM, and DMARC records). Authentication establishes the legitimacy of emails by verifying the sender and confirming that the email was not modified in transit. As more ISPs and receiving mailboxes adopt stricter policies to protect their customers, unauthenticated senders will have a hard time reaching the inbox and may put themselves and their customers at risk of phishing attacks. SPF is a whitelist of who can send email as your bank (for example, employees, cores, and marketing platforms). DKIM adds a cryptographic signature to each outgoing email, allowing email recipients to confirm that you sent the email and that its content was not modified in transit. And finally, DMARC is a set of instructions for email recipients (Outlook, Gmail) on what to do with emails from senders that are not approved in your SPF record or that fail DKIM authentication. (Without the DMARC instructions, most malicious emails will still be delivered.)
Proper email authentication prevents phishing and email forgery by ensuring that only your bank and those you authorize can send email as your organization. Email authentication also protects your email from tampering while in transit to the recipient, because the DKIM signature no longer verifies if the message is altered. And authentication improves deliverability, as all major mailbox providers check the SPF and DKIM results of incoming messages. If you send email without authentication protocols, your users will most likely find your messages in their spam folder. Properly authenticating emails improves your sender reputation among email recipients and ISPs, reducing the number of messages tagged as spam and reducing email bounce rates.
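To make the SPF and DMARC settings concrete, here is an added example (not from the article or from ABA) that audits constructed sample records for the weak settings described above: an SPF record that lets any sender pass and a DMARC record with no enforcement policy. The domain names and addresses in it are placeholders; in practice the records would come from a DNS TXT lookup of your own domain.

```python
"""Audit SPF and DMARC TXT records for weak email-authentication settings."""
import re


def parse_spf(record: str) -> dict:
    """Return the SPF mechanisms and the qualifier on the final 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_policy = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)(all)", term, re.IGNORECASE)
        if m:
            all_policy = m.group(1) or "+"  # no qualifier means PASS for everyone
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_policy}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_record: str, dmarc_record: str) -> list:
    """Return findings for the weaknesses the article warns about; empty means strict."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not reject unlisted senders (end the record with -all or ~all)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none: receivers are not told to quarantine or reject failures")
    if dmarc.get("pct", "100") != "100":
        findings.append("DMARC pct<100: the policy is only applied to a sample of mail")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua tag: you will not receive aggregate reports")
    return findings


# Constructed sample records (placeholder domain): a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(name, audit(spf, dmarc) or ["no findings"])
```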
3. TLS certificates. TLS, formerly known as SSL, is a security protocol that encrypts data transmitted between a website and visitors’ devices. By installing a TLS certificate, organizations can help protect against eavesdropping and tampering.
Learn more about the .bank domain and how it can help strengthen a bank's cybersecurity posture and customer trust at bank.aba.
4. Multi-factor authentication. Widely used to prevent the use of stolen credentials, MFA requires users to provide additional evidence of their identity, such as a code sent to their phone, to access a system. This can help prevent unauthorized access and changes to DNS records and other sensitive information.
5. Monitor DNS activity. Regular monitoring of DNS activity, through DNS logs and network monitoring tools, can help detect and respond to potential threats in a timely manner.
6. Use a reputable DNS provider. Choosing a trusted DNS provider can help ensure that DNS records are managed securely and that the provider has the necessary security measures in place to protect against cyber threats.
7. Use Registry Lock. This service (which is available for .bank domains) can prevent unauthorized DNS record updates (used to redirect website traffic or to let a hacker send email as your bank), the unauthorized transfer of your domain to a new owner or registrar, or the removal of your domain entirely. Every requested change requires your registrar to ask the registry to unlock the domain, forcing manual verification of the change by the registry with the authorized registrar and ensuring that only authorized personnel can make domain and DNS changes.
Drawn from cybersecurity experts and layered with the security requirements that help protect .bank domains, each of these steps is part of a multi-layered strategy to protect your bank's online banking transactions and communications with its customers.
Paul Benda is Senior Vice President of Operational Risk and Cybersecurity at ABA.