[BreachExchange] How's your online bank security looking? The Dutch studied theirs and... yeah, not great

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 22 19:33:49 EST 2017


https://www.theregister.co.uk/2017/02/22/dutch_banking_industry_security_bad/

The Dutch banking industry is doing a terrible job of online security,
according to the company that runs the country's .nl internet domains.

In a new report published Tuesday, the internet registry SIDN was surprised
to find that just six per cent of banks using .nl internet addresses have
the security protocol DNSSEC in place to protect their digital assets and
their customers.

"Banks should be the main users of DNSSEC security," said SIDN CEO Roelof
Meijer, "but they scored – for the second time in a row – the worst of all
investigated domains."

He also pointed out that with online banking becoming ever more important,
it was contingent on the industry to adopt the latest security standards.
"With the closing of physical bank branches and a reduction in the number
of ATMs, the online front door of the banks is becoming increasingly
important," said Meijer. "Moreover, of all companies, they suffer the most
from phishing and spoofing, something DNSSEC in conjunction with DKIM and
DMARC can protect against."

SIDN looked at just over 7,000 .nl domains owned by a range of industries
from government to business to banking and telecoms to determine whether
they were using the security protocol.

Top of the list, unsurprisingly, came the internet infrastructure industry,
with 64 per cent of internet addresses secured by DNSSEC. But government
came an impressive second with 59 per cent – something SIDN says is a
direct result of policy.

DKIM Dotcom

Last year, the Dutch interior minister directed all local government
websites to adopt DNSSEC by the end of 2017, and new security standards
that build on top of DNSSEC for email (STARTTLS and DKIM) have also
encouraged take-up.

Business has a passable take-up of 30 per cent (up from 23 per cent in
2014) and the internet/telecom industry was surprisingly low with just 25
per cent take-up.

While there has been a significant pick-up in the use of DNSSEC, it is
still below what internet engineers want to see – although it is still
doing much better than IPv6.

If a domain name is secured with DNSSEC it makes it much harder for
criminals to misdirect people to a different address, as the DNS system
itself checks on its validity.

The technology has been a long time coming and was, initially at least,
very expensive and complicated to install. It is still far from simple or
cheap, but internet infrastructure companies have been working with it for
some time, and most recently ICANN determined that all new internet
registries would have to work with DNSSEC, giving the protocol a boost.

Partly as a result of the recent take-up, DNSSEC has started to become a
foundation on which other applications are being built, securing both
communications and email: examples being DKIM, SPF, DANE and DMARC.

"It's hard to think of any good reason for not implementing DNSSEC
protection," Meijer argued. "We believe that it's now up to the big
internet service providers to act."