In one of the first examples of a large company utilizing (and actually marketing) the .mobi extension, Bank of America launched bofa.mobi. The Bank is heavily promoting this with a retail merchandising campaign, including bofa.mobi window decals in their large branches in Manhattan.
I think this is a positive development for the .mobi extension, as the Bank could have simply used their standard domain name and detected the type of browser the visitor was using. They could have also gone to market with the domain name and only used it for protective purposes, so consumers or other companies couldn’t use the name. A heavy endorsement of this website is a positive sign for the staying power of .mobi.
I have one security concern with this, and I hope the Bank is mindful of it. What if someone set up a malicious website on a similar domain name that had only two lines asking for an account number and password? Since we are talking about mobile devices with small screens, unknowing consumers could accidentally submit their banking information, unaware that this wasn’t the Bank’s website. It’s one thing if someone did this with typos of the full Bank of America name and/or used the Bank’s logos, as that would be a federal offense. My concern is the case where they weren’t this sophisticated.
Bank of America needs to do a very good job of training their customers about what to look for on the bofa.mobi site, so they know when they have accidentally navigated to another website in error. They should also register as many .mobi typos of their bofa.mobi domain name as possible, so nobody has the opportunity to set up a malicious website on one.
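As an added illustration of the defensive registration and monitoring suggested above (example code written for this post, not anything from Bank of America), the script below enumerates the one-keystroke .mobi lookalikes of bofa.mobi that a brand owner would register or watch, and classifies an observed hostname (say, from a certificate transparency feed or web logs) by how close it is to the legitimate name. The domain is the one from the post; the thresholds and category names are assumptions.

```python
import string

DOMAIN = "bofa.mobi"  # the domain discussed in the post
ALPHABET = string.ascii_lowercase + string.digits + "-"  # registrable label characters

def typo_variants(domain: str) -> set[str]:
    """Names one keystroke away from `domain`, same TLD: omission, adjacent
    transposition, substitution and insertion. Labels that would start or end
    with '-' are dropped because they are not registrable."""
    label, _, tld = domain.lower().rpartition(".")
    cands = set()
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:])                 # omission: "bfa"
        for c in ALPHABET:
            cands.add(label[:i] + c + label[i + 1:])         # substitution: "bofs"
    for i in range(len(label) - 1):
        cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: "boaf"
    for i in range(len(label) + 1):
        for c in ALPHABET:
            cands.add(label[:i] + c + label[i:])             # insertion: "boffa"
    cands.discard(label)
    return {f"{l}.{tld}" for l in cands if l and l[0] != "-" and l[-1] != "-"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to score names that are not exact one-typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed: str, legit: str = DOMAIN) -> str:
    """'legit' exact match; 'typo' one keystroke away (should already be owned);
    'suspect' same TLD within distance 2 (assumed review threshold); else 'unrelated'."""
    observed = observed.lower().rstrip(".")
    if observed == legit:
        return "legit"
    if observed in typo_variants(legit):
        return "typo"
    olabel, _, otld = observed.rpartition(".")
    llabel, _, ltld = legit.rpartition(".")
    if otld == ltld and edit_distance(olabel, llabel) <= 2:
        return "suspect"
    return "unrelated"

if __name__ == "__main__":
    print(len(typo_variants(DOMAIN)), "lookalikes to register or monitor")
    for name in ("bofa.mobi", "b0fa.mobi", "bovia.mobi", "bank.mobi"):
        print(name, "->", classify(name))
```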
I don’t have much of a stake in the .mobi extension with only two .mobi names in my portfolio, but I believe this is a good endorsement from a major corporation.
I do have a stake, with about 30 premium mobis, so I’m glad to see this development, but I can see how phishing would be a concern. They’ve already taken steps with their regular dot com website to prevent this, though. You enter your ID on one page, then you are taken to another page where you enter your password only if you see a “sitekey” that you have pre-selected. The sitekey might be an image of a skyscraper, or a cloud, for example. If you don’t see your sitekey, you know there’s a problem and you don’t complete your login.
***UPDATED BY ELLIOT***
I think most web-savvy people would know enough not to be confused. I am concerned that less savvy people will use bofa.mobi and not know what to expect. I think it would be difficult to successfully pull off, but phishers come up with various ways to scam people.
I second Domainer Pro in terms of BOA giving mobile banking and phishing being a concern. In fact it might be a more serious thing, as the mobile operator, WAP gateways, and over-the-air sniffers (phone to tower) can also get introduced as potential threats and attackers.
BOA can give hardware to all mobile banking users to bring 2FA, but as a user experience it will not fly, as now I will have to carry a phone + hardware token for banking.
Even having said that – it is a good move by BOA to offer mobile, as it makes more sense to the customer and the bank, as it will be more revenue generating.
cheers
vikram
Security Consultant + Founder – Eighth Intuition / EZMCOM