.BANK domain is the future of online security - so why have so few heard of it?

The real battle isn't about rolling out secure domains. It's about getting people to trust them.

With the arrival last week of the brand new .bank (or .BANK) top-level domain (TLD), everything to do with global online banking is about to get more expensive, more complex but, the experts claim, a lot more secure for both banks and consumers.

Never heard of .bank or have any idea how it or any other secured .TLD will improve the world? Join a long queue made up mostly of consumers who have grown used to a chaotic world in which telling real bank domains from fraudulent ones is pretty much impossible. Today’s .com, .co.uk and .org TLDs are for the most part just inscrutable Internet furniture so any improvment that might arise by adding a new one could strike one as moot.

Undeterred, advocates of .bank have high hopes that this is about to change and according to reports from the company set up to manage registrations, fTLD Registry Services, things have been going well during the domain sunrise which began in May, with a reported 700 applications submitted. With general availability from last week this has risen to 3,000.

Banks seem to like the idea, or perhaps are so terrified of the chaos wrought by ICANN’s massive expansion of domain possibilities and its potential effects on fraud and phishing that they are running scared to anything that offers a safe haven against an expected avalanche of spoofing.

What they are being offered with .bank is on the face of it a major step up in security. Anyone trying to register or renew a .bank domain (or .insurance, another one worth watching) will have to work for a regulated bank associated with that domain or trademark, be able to prove they work for them and have permission to carry out this action, a verification process that has sub-contracted to security-to-services firm Symantec.

The basic registration costs a reported $1,000 to $2,000 per application (perhaps £1,300) which includes the cost of ongoing verification (making sure nothing bogus slips through the net). Added to this will be the cost of complying with the strict technical requirements for running a domain in a secure state, such as adopting technologies such as DNSSEC (Domain Name System Security Extensions), a way of authenticating domains, and perhaps most important of all, email authentication standards many still don’t use such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance).

This has always been the bit that has stresses banks - not so much the why as the how. Buying all this infrastructure will take time and money. For the time being it looks as if many banks will apply for .bank domains while continuing to operate conventional .com domains alongside them. This could turn out to be one of those paradoxical-sounding revolutions that happens so slowly nobody notices.

Secure domains are not a new idea as anyone familiar with the short history of the much-vaunted .secure and .trust domains (the latter launched by UK firm NCC Group last year) will tell you. It is early days but it’s hard to escape the impression that interest in paying high registration fees to buy into a world of expensive mandatory security upgrades has so far proved less than alluring for businesses.

Let’s not be too churlish about this. Banks today are a sitting target for fraudsters, phishers and bogus domains, a situation made even more toxic by something they didn’t ask for, ICANNS’s big idea that the world needed and was going to get thousands of new domains at a time when the expansion of mobile computing has made these less important anyway.

The arrival of .bank is a rational reaction to a big problem: how to tame chaos and make the space banks inhabit on the Internet as simple as possible even if that means raising costs in the short term.

“While trust is fragile and will need to be built and nurtured over time, today is a major step forward in restoring vital trust in the banking industry and taking a stance against rising cyber threats and attacks,” said Robert Holmes of email security provider Return Path, only one of a selection of generally positive comments sent out to journalists in recent days.

However, there remains a small problem - almost nobody outside the bank industry has heard of .bank let alone grasped the concept that a secure verified domain offers enhanced security compared to anything else. Consumers will continue to receive phishing emails without a clue that the domain might offer them some hope of verification. As with so much of the way the domain expansion has been handled, consumers are once again the last to hear about any change.

Unless banks put some effort into publicising .bank and its benefits - and quickly - it will turn into yet another confusing initiative people take five years to get to grips with. With cybercriminals attacking banks from every direction, and the Internet's middlemen making a packet from domains nobody asked for, the industry might not have the luxury of time.