Domain system opens door to scams
A system to make it easier to create website addresses using alphabets like Cyrillic could open a back door for scammers, a trade body has warned.

The Internationalised Domain Names system has been a work in progress for years and has recently been approved by the Internet Engineering Task Force. But the UK Internet Forum (UKIF) is concerned that the system will let scammers create fake sites more easily. The problem lies in the computer codes used to represent language.

Registering names that look like those of legitimate companies but lead users to fake sites designed to steal passwords and credit card details could become a whole lot easier for determined scammers, says Stephen Dyer, director of UKIF.

Domain names are the “real language” addresses of websites, rather than their internet protocol address, which is a series of numbers. They are used so people can more easily navigate the web. So-called ASCII codes are used to represent European languages but for other languages a hybrid of a system called Unicode is used.

So, for example, website PayPal could now be coded using a mixture of the Latin alphabet and the Russian alphabet. The resulting domain as displayed to the users would look identical to the real site, as a Russian ‘a’ looks just like an English ‘a’. But the computer code would be different, and the site it would lead users to could be a fake.

This is more than just a theory. A fake Paypal.com has already been registered with net domain giant Verisign by someone who has followed the debate around the Internationalised Domain Name (IDN) system, said Mr Dyer. As the idea was to prove a point rather than be malicious, the fake domain has now been handed back to PayPal, but it sets a worrying precedent, Mr Dyer said.

“Although the IDN problem is well known in technical circles, the commercial world is totally unaware how easily their websites can be faked,” said Mr Dyer.

“It is important to alert users that there is a new and invisible and almost undetectable way of diverting them to what looks like a perfectly genuine site,” he added.

There are solutions. For instance, browsers could spot domains that use mixed characters and display them in different colours as a warning to users. Mr Dyer acknowledged that it would be a huge undertaking to update all the world’s browsers.

Another solution, to introduce IDN-disabled browsers, could be a case of “throwing out the baby with the bath water,” he said. CENTR, the Council of European National Top Level Domain Registries, agrees.

“A rush to introduce IDN-disabled browsers into the marketplace is an overly-zealous step that will harm public confidence in IDNs – a technology that is desperately needed in the non-English speaking world,” the organisation said in a statement.
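The mixed-character check suggested above can be sketched as follows. This is an added example, not code from the article or from any browser. The function names, the three-script table and the sample hostnames are assumptions made for illustration.

```javascript
// Scripts to tell apart; a real browser would cover the full Unicode list.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Script of one character, or null for digits, hyphens and other
// characters that belong to no single script (Common/Inherited).
function scriptOf(ch) {
  for (const [name, re] of Object.entries(SCRIPTS)) {
    if (re.test(ch)) return name;
  }
  return /[\p{Script=Common}\p{Script=Inherited}]/u.test(ch) ? null : "Other";
}

// Check each dot-separated label of a hostname. A label that mixes scripts
// is reported with its non-ASCII characters marked by code point, the
// plain-text equivalent of showing them in a different colour.
function inspectHost(host) {
  const findings = [];
  for (const label of host.normalize("NFC").toLowerCase().split(".")) {
    const scripts = new Set();
    let marked = "";
    for (const ch of label) {
      const s = scriptOf(ch);
      if (s) scripts.add(s);
      const cp = ch.codePointAt(0);
      marked += cp > 0x7f
        ? `[U+${cp.toString(16).toUpperCase().padStart(4, "0")}]`
        : ch;
    }
    if (scripts.size > 1) {
      findings.push({ label, scripts: [...scripts].sort(), marked });
    }
  }
  // The URL parser applies IDNA processing and returns the ASCII (xn--)
  // form of the name, which is what is actually looked up in DNS.
  const ascii = new URL(`http://${host}/`).hostname;
  return { host, ascii, mixed: findings.length > 0, findings };
}

// Constructed samples: genuine name, a look-alike using CYRILLIC SMALL
// LETTER A (U+0430), and an all-Cyrillic label that is a legitimate IDN.
const samples = ["paypal.com", "p\u0430ypal.com", "\u043f\u0440\u0438\u043c\u0435\u0440.com"];
for (const h of samples) {
  const r = inspectHost(h);
  console.log(r.ascii, r.mixed ? "MIXED" : "ok", r.findings.map(f => f.marked).join(" "));
}
```

The check is applied per label, so a name written entirely in Cyrillic under a Latin top-level domain is not flagged; only the label that mixes alphabets is.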