There’s a downside to the relative freedom and lack of gatekeepers on the Internet, including that most anyone can buy a Web address that ends in “.com.” Online, scammers can pay $10 for an address that looks like that of your bank, your favorite clothier, or your auto dealer and create a site that looks enough like the original to trick you into buying phony merchandise or revealing your login and password. Every day, almost 1,000 Americans file some kind of identity-theft complaint with the U.S. Federal Trade Commission, and about 750 report being scammed by an impostor, as in a phishing scheme.
That’s part of the reason hundreds of businesses, from Google to Wal-Mart, have paid $185,000 a pop to apply for the rights to Web domains that read, say, .google or .walmart. Companies buying these eponymous top-level domains from the Internet Corporation for Assigned Names and Numbers (Icann)—the nonprofit that runs distribution of domain names under the oversight of the U.S. Department of Commerce—will in theory be able to strictly limit who creates pages on them. Of the 1,930 applications for the new Internet real estate, 534 came from companies buying up their trademarks, according to Icann. Addresses that end in .com or .net will continue to be controlled by Reston (Va.)-based networking company Verisign.
Companies such as Chanel and Hermès say self-branded domains will help them combat the sale of counterfeit goods from imitation websites. “These sophisticated criminal activities cause reputational damage to businesses as Internet users lose consumer confidence and trust,” Chanel said in applying for .chanel. Companies filed applications in 2012, but contracts weren’t due until this past July, so most not-coms aren’t expected to roll out their new domains until later this year or next.
Barclays was an early mover, shifting its corporate home page from barclays.com to home.barclays in May. Troels Oerting, who heads the bank’s security, said in a statement announcing the move that the new domain should make it “crystal clear to our customers that they are engaging with a genuine Barclays site.” The more important customer-login pages haven’t switched over yet, and the bank wouldn’t disclose a target date.
Unsurprisingly, banks are especially interested in private, branded Web domains. JPMorgan Chase is awaiting Icann approval for .jpmorgan, .chase, and .jpmorganchase. They’ve also joined more than 5,500 companies in applying for .bank addresses through fTLD Registry Services, an organization backed by the American Bankers Association and the Financial Services Roundtable that works to secure generic domain names for banks and insurers. This is a sort of middle ground between an eponymous domain name and a .com. These new dot-categories, including .coupons, .city, and .meme, leave some room for the speculators known as cybersquatters, who buy up addresses to sell later at a marked-up price, though the application price tag should dissuade all but the most determined.
Companies are betting that operating their own domains will be more secure because they’re directly in control of the security and maintenance. The catch, says Ken Westin, an analyst with cybersecurity company Tripwire, is that they’ll have to take more responsibility for oversight of their private domains than they did in Verisign’s dot-com world. “They’re more in control of their brand and potentially more in control of their own security,” he says, adding that companies will need to make sure their domains’ underlying network architectures are functional and secure, which they didn’t before.
It’ll take time to retrain customers who’ve been typing “.com” for 20 years to make the new addresses their defaults, says Westin, and the interim confusion could provide an opening to scammers. In any case, some of the Internet’s security problems can’t be solved with new URLs, acknowledges David Conrad, Icann’s chief technology officer. Targeted attacks such as those against Target and Home Depot focused on weak spots in the underlying networks, like credit card readers, he says.
Icann’s own record on cybersecurity makes clear just how difficult it can be. The naming organization announced on Aug. 6 that its own website had been hacked and encrypted usernames, passwords, and e-mail addresses had been stolen. Icann declined to comment on the hack or on a December phishing attack that compromised its e-mail servers and internal network.
The bottom line: Eponymous private domains aren’t a cybersecurity cure-all but may help foil some phony merchandise or phishing scams.