ICANN Email List Archives

[gnso-acc-sgb]



[gnso-acc-sgb] Re: Fw: [gnso-whois-wg] F-Secure Responds To Criticism of .bank

  • To: gnso wg-sgb <gnso-acc-sgb@xxxxxxxxx>
  • Subject: [gnso-acc-sgb] Re: Fw: [gnso-whois-wg] F-Secure Responds To Criticism of .bank
  • From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 22 May 2007 22:41:38 -0700

Palmer and all sgb members,

  Your proposal's checks and balances are in some instances weak
as stated, or entirely not adequate.

  For instance:
1.  Only banks would have access.  Such access would have to be obtained
through the bank's primary bank regulator to prevent impersonators from
gaining access.

  Which banks and how are those banks determined or selected?  Any and
ALL banks?  Surely not.

2.  To gain access, banks would have to certify to their primary
regulator that the access would be used for customer protection from ID
theft, fraud and other abuse.

  What other abuse or abuses?  Who determines what other abuse or
abuses?
  If the bank itself becomes or has been involved in phishing for
  instance by a disgruntled employee, what compensation to any and all
  affected parties is or does the bank have to compensate said parties?

 3.  Bank regulators are in banks constantly (and in large banks they
are on premises permanently).   As a result, bank regulators would be
able to monitor that proper use was being made of such access.

  I have done security audits for a number of banks at the request of
banking regulators and never was an official bank regulator present.  So
your first statement is grossly inaccurate and leaves your second
statement false and therefore moot.  Secondly, which bank regulators are
you referring to, state, national?


4.  If a bank failed to honor its obligations to its regulator in this
regard, the bank would be subject to potentially harsh penalties from
its regulator and could lose further access.

Oh I see, "potentially harsh penalties" not definitely harsh penalties,
eh?  Well that's weak.  And "could close further access"?  Well this is
also weak.

Palmer Hamilton wrote:

>    In anticipation of Subgroup B's call tomorrow,  I am forwarding the
> email string below per Eric's suggestion.
>
> Thanks, Palmer
>
>
> -----Original Message-----
> From: Hugh Dierker <hdierker2204@xxxxxxxxx>
> To: Palmer Hamilton
> Sent: Mon May 21 15:21:54 2007
> Subject: RE: [gnso-whois-wg] F-Secure Responds To Criticism of .bank
>
> I am impressed and I am having a serious pause. You should put this
> exchange on the list.
>
> With a little more about international norms and an explanation how
> these regulators would take on the extra work - or why. Assuming that
> the regulators are acting properly it seems close to something I would
> endorse. But as I say, I must pause ;-)
>
> Eric
>
> Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>
>         Given your level of sophistication, the risk of ID theft
> through fraudulent websites may not be as substantial as it is for
> other consumers.  The phishing that is occurring on a daily basis
> produces significant risk to internet users.  Under the circumstances,
> consumer protection should not be ignored.
>
>         Furthermore, contrary to your email, the proposal relating to
> bank access does not permit access "without a check and balance."
> There are numerous protections set forth in the proposal.
>
>         1.  Only banks would have access.  Such access would have to
> be obtained through the bank's primary bank regulator to prevent
> impersonators from gaining access.
>         2.  To gain access, banks would have to certify to their
> primary regulator that the access would be used for customer
> protection from ID theft, fraud and other abuse.
>         3.  Bank regulators are in banks constantly (and in large
> banks they are on premises permanently).   As a result, bank
> regulators would be able to monitor that proper use was being made of
> such access.
>         4.  If a bank failed to honor its obligations to its regulator
> in this regard, the bank would be subject to potentially harsh
> penalties from its regulator and could lose further access.
>
>         Thus, there are checks and balances.  Consumer protection,
> therefore, can exist alongside privacy protections.  As I understand
> it, our Working Group is charged with finding ways to protect the
> consumer while providing safeguards.  This proposal is designed to
> meet that charge.
>
> ________________________________
>
>         From: Hugh Dierker [mailto:hdierker2204@xxxxxxxxx]
>         Sent: Monday, May 21, 2007 11:42 AM
>         To: Palmer Hamilton
>         Subject: RE: [gnso-whois-wg] F-Secure Responds To Criticism of
> .bank
>
>
>         Now explain to me again why giving Banks easier access to my
> personal data without a check and balance, protects me as a consumer.
>
>         Eric
>
>         Palmer Hamilton <PalmerHamilton@xxxxxxxxxxx> wrote:
>
>                 I think the concept of a new gTLD may be worth exploration; however, I
>                 think the challenges before our Working Group are ample at present
>                 without taking on the question of adding an entirely new gTLD. Further,
>                 realistically, it could be years before such a gTLD could be established
>                 and domains transferred to it. In the meantime, consumers need
>                 protection from identity theft and other fraud and abuse.
>
>                 The question before us is how do we provide that protection for
>                 consumers while simultaneously addressing the privacy issues. I have
>                 been trying to meld into the bank proposal some of the thoughts that Dan
>                 Krimm gave a week or so ago. It is my hope to possibly submit a revised
>                 proposal in the next week or so. Hopefully, Dan's suggestions will
>                 provide at least some comfort for those most concerned about the latter
>                 half of the equation.
>
>                 -----Original Message-----
>                 From: owner-gnso-whois-wg@xxxxxxxxx
>                 [mailto:owner-gnso-whois-wg@xxxxxxxxx] On Behalf Of
> Jeff Williams
>                 Sent: Monday, May 21, 2007 4:30 AM
>                 To: gnso-whois-wg
>                 Subject: [gnso-whois-wg] F-Secure Responds To
> Criticism of .bank
>
>                 All WG members,
>
>                 "F-Secure recently offered a solution
>
> http://www.foreignpolicy.com/story/cms.php?story_id=3798 to the
> problem
>                 of bank-account phishing, and the discussion here
>
> http://it.slashdot.org/article.pl?sid=07/05/07/2247244&tid=172
>                 of a .bank TLD generated some criticism. In their
> latest blog
>
> http://www.f-secure.com/weblog/archives/archive-052007.html#00001195
>                 entry F-Secure has responded point-by-point."
>
>                 =================================================
>
>                 It is clear that many on sub group B regarding access when discussing
>                 access and phishing clearly don't understand that the phishing problem,
>                 which is growing especially in the banking sector, is mainly a technical
>                 security problem which as I posted in regards to in an earlier post,
>                 rather than one of policy. In regards to Whois, it seems nearly foolish
>                 to believe that the banking/financial industry as a whole should be
>                 given full access to Whois data unless or until they have taken
>                 significant security steps to clear up their own security holes, which
>                 are many.
>
>                 Regards,
>                 --
>                 Jeffrey A. Williams
>                 Spokesman for INEGroup LLA. - (Over 134k
> members/stakeholders strong!)
>                 "Obedience of the law is the greatest freedom" -
>                 Abraham Lincoln
>
>                 "Credit should go with the performance of duty and not
> with what is very
>                 often the accident of glory" - Theodore Roosevelt
>
>                 "If the probability be called P; the injury, L; and
> the burden, B;
>                 liability depends upon whether B is less than L
> multiplied by
>                 P: i.e., whether B is less than PL."
>                 United States v. Carroll Towing (159 F.2d 169 [2d Cir.
> 1947]
>
> ===============================================================
>                 Updated 1/26/04
>                 CSO/DIR. Internet Network Eng. SR. Eng. Network data
> security IDNS. div.
>                 of Information Network Eng. INEG. INC.
>                 ABA member in good standing member ID 01257402 E-Mail
>                 jwkckid1@xxxxxxxxxxxxx Registered Email addr with the
> USPS Contact
>                 Number: 214-244-4827
>

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827


