Lack of DNSSEC Deployment on Financial Services Web Sites
It comes as a real surprise that one of the industries (financial services) that should be most interested in the security of their web sites has not implemented a key piece of protection, Domain Name System Security Extensions (DNSSEC). DNSSEC is a technology that was developed to add critically needed security to the domain name system. Without DNSSEC, internet users cannot be certain that they are reaching the web site they intended to, or that their email is going to the intended recipient. With DNSSEC, internet users can trust that their internet communications are being directed to the correct servers and are not being hijacked by attackers or a man in the middle. DNSSEC complements other technologies such as SSL (https:) that protects the privacy of web communications by encrypting the entire conversation.
The primary type of attack that DNSSEC prevents is DNS hijacking. In this type of attack, an attacker is able to compromise the mechanism that our computing systems use to translate domain names like www.mybank.com to IP addresses that are used to communicate information from sender to receiver. By compromising this mechanism, attackers can redirect web communications to servers that they control in order to steal confidential information and commit fraud. The recently publicized DNS Changer virus is one example of this type of attack. Given its potential for internet fraud, DNS hijacking should be of extreme concern for financial services companies and customers of those companies doing business online.
In fact, financial services companies say that it is important. According to a Forester Consulting report from July 2010, of the financial services companies interviewed, 47% intended to improve DNS Security. The Forester Consulting report also stated that of those companies familiar with DNSSEC 90% planned implement it within the next 18 months. Recently Secure64 ran a test on the Internet to see what progress had been made by the top financial services companies in the world (just under 300 companies) in implementing DNSSEC. In our results we could only find one company that had taken the first step to deploy DNSSEC and that one company still needed to complete the process. This study comes two years after the Forester report was published. Unfortunately, it appears that the deployment of this important security technology is happening very slowly even within an industry that should be the most concerned about it.
One barrier to DNSSEC adoption has historically been that the top level domains (TLDs) like .com or .org had not deployed it, and until they did, there was little protection that DNSSEC realistically was able to offer. This is no longer the case. Virtually all of the largest generic TLDs such as .com, .org, .net and .gov now support DNSSEC, and many of the largest country-specific TLDs like .uk, .de and .eu also support it. The bottom line is that there is no technical reason why financial services companies cannot effectively use DNSSEC to increase the level of user trust in their online transactions.
Perhaps it will take a real financial loss to provide the necessary motivation. According to the Forrester report, 100% of the companies that lost greater than $5 million experienced a man-in-the-middle breach.
What are the takeaways from this study? Financial services companies need to deploy DNSSEC in order to protect their brand and their customers from fraud. Customers should only feel comfortable doing business online with sites secured with DNSSEC. Today DNSSEC can easily and effectively be deployed.
For more information on DNSSEC visit Secure64.