The Dutch banking industry is doing a terrible job of online security, according to the company that runs the country’s .nl internet domains.
In a new report published Tuesday, the internet registry SIDN was surprised to find that just six per cent of banks using .nl internet addresses have the security protocol DNSSEC in place to protect their digital assets and their customers.
“Banks should be the main users of DNSSEC security,” said SIDN CEO Roelof Meijer, “but they scored – for the second time in a row – the worst of all investigated domains.”
He also pointed out that with online banking becoming ever more important, it was incumbent on the industry to adopt the latest security standards. “With the closing of physical bank branches and a reduction in the number of ATMs, the online front door of the banks is becoming increasingly important,” said Meijer. “Moreover, of all companies, they suffer the most from phishing and spoofing, something DNSSEC in conjunction with DKIM and DMARC can protect against.”
SIDN looked at just over 7,000 .nl domains owned by a range of industries from government to business to banking and telecoms to determine whether they were using the security protocol.
Top of the list, unsurprisingly, came the internet infrastructure industry, with 64 per cent of internet addresses secured by DNSSEC. But government came an impressive second with 59 per cent – something SIDN says is a direct result of policy.
Last year, the Dutch interior minister directed all local government websites to adopt DNSSEC by the end of 2017, and new security standards that build on top of DNSSEC for email (STARTTLS and DKIM) have also encouraged take-up.
Business has a passable take-up of 30 per cent (up from 23 per cent in 2014) and the internet/telecom industry was surprisingly low with just 25 per cent take-up.
While there has been a significant pick-up in the use of DNSSEC, it remains below what internet engineers want to see – although it is doing much better than IPv6.
If a domain name is secured with DNSSEC, it is much harder for criminals to misdirect people to a different address, because the DNS itself checks the validity of the answer.
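What that validity check looks like on the wire, as an added example that is not part of the original article or of SIDN's survey tooling: a parser that reads a raw DNS response and reports whether it carries RRSIG signature records and whether the resolver set the AD ("Authenticated Data") bit after validating them. The name bank.example, the address and the response bytes are constructed for illustration, and the AD bit only means something when the resolver and the path to it are trusted.

```python
import struct

RRSIG = 46            # DNSSEC signature record type (RFC 4034)
AD_FLAG = 0x0020      # "Authenticated Data" header bit (RFC 4035)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, name ends here
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def dnssec_status(msg):
    """Summarise the DNSSEC evidence present in a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):             # question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns + ar):   # RR: name, type, class, ttl, rdlength, rdata
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"validated": bool(flags & AD_FLAG), "signed": RRSIG in types}

def _sample(ad, with_rrsig):
    """Constructed A-record response for the placeholder name bank.example."""
    qname = b"\x04bank\x07example\x00"
    # 0xC00C is a compression pointer back to the question name at offset 12
    rrs = [struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 10])]
    if with_rrsig:
        rdata = b"\x00" * 24        # dummy RRSIG rdata; the signature is not verified here
        rrs.append(struct.pack("!HHHIH", 0xC00C, RRSIG, 1, 300, len(rdata)) + rdata)
    flags = 0x8180 | (AD_FLAG if ad else 0)   # QR, RD, RA set; AD optional
    header = struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + b"".join(rrs)

if __name__ == "__main__":
    print("signed zone, validating resolver:", dnssec_status(_sample(True, True)))
    print("unsigned zone:", dnssec_status(_sample(False, False)))
```

A response that is signed but not validated (RRSIG present, AD clear) is the case to watch for: the zone owner has deployed DNSSEC, but the resolver in use is not checking it.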
The technology has been a long time coming and was, initially at least, very expensive and complicated to install. It is still far from simple or cheap, but internet infrastructure companies have been working with it for some time, and most recently ICANN determined that all new internet registries would have to work with DNSSEC, giving the protocol a boost.
Partly as a result of the recent take-up, DNSSEC has started to become a foundation on which other applications are being built, securing both communications and email: examples being DKIM, SPF, DANE and DMARC.
“It’s hard to think of any good reason for not implementing DNSSEC protection,” Meijer argued. “We believe that it’s now up to the big internet service providers to act.” ®
Source: SANS ISC SecNewsFeed @ February 22, 2017 at 12:21AM