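On July 19, 2000, the OCC (Office of the Comptroller of the Currency) in the United States issued an alert stating that fake bank sites closely resembling genuine bank sites had been set up, and that incidents had occurred in which several users, believing a fake bank site to be the real one, handed over their own financial information. Since the domain name "Olympic" can no longer be used by the general public, it may become necessary, with apologies to SoftBank, to have international law that likewise bars anyone other than banks from using the domain name "Bank" in order to avoid confusion. Details are available at URL(http://www.occ.treas.gov/ftp/release/2000-53.txt) or URL(http://www.occ.treas.gov/ftp/alert/2000-9.txt).
On November 11, 2004, the UK's FSA (Financial Services Authority) published the report "Countering Financial Crime Risks in Information Security Financial Crime Sector Report", which, based on a survey of 18 institutions, states that criminal organizations place associates inside financial institutions for the purpose of financial crimes such as impersonation and information theft, and that instant messaging, PDAs, USB pens, mobile phones and the like may also be abused. Details are available at URL(http://www.fsa.gov.uk/pubs/press/2004/095.html).
On February 2, 2006, Japan's Cabinet Office published the tabulated results of its "Special Public Opinion Survey on Financial Products and Services". Details are available at URL(http://www8.cao.go.jp/survey/tokubetu/h17/h17-kinyuu.pdf).
On July 17, 2006, the US GAO (General Accounting Office) published "Information Technology Management: Observations on the Financial Crimes Enforcement Network's (FinCEN's) BSA Direct Retrieval and Sharing (BSA Direct R&S) Project. GAO-06-947R", a report on the BSA Direct R&S (BSA Direct Retrieval and Sharing) project of the Financial Crimes Enforcement Network "FinCEN's". Details are available at URL(http://www.gao.gov/cgi-bin/getrpt?GAO-06-647).
[Release]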
NR 2000-53
FOR IMMEDIATE RELEASE
Contact: Dean DeBuck (202) 874-5770
July 19, 2000
OCC Warns that Some Web Site Names May Confuse Bank Customers
WASHINGTON, D.C. --- The Office of the Comptroller of the Currency today issued an alert outlining steps national banks can take to protect their customers from problems arising from web sites with names similar to those used by banks.
The alert was prompted by recent cases in which bank customers provided confidential account information to web sites that they mistakenly thought were maintained by their bank.
In today's alert, the OCC recommends national banks carefully select and protect the names of their Internet web site addresses. To avoid potential customer confusion, the alert suggests that a bank take appropriate actions to protect its on-line identity and to ensure customers use the appropriate Internet address when communicating with the bank.
The alert reminds national banks that they can dispute the use of the similar domain name under the terms of the domain name license agreement, which protects a domain name against other identical or confusing domain names. In addition, a bank may also initiate action in federal district court under the Anticybersquatting Consumer Protection Act if it believes the name was acquired in bad faith.
National banks should protect against unauthorized changes to their domain names by selecting a secure means of communicating with their registration service that ensures an adequate level of authentication.
Suspected thefts or other crimes involving similar domain names should be reported by national banks on Suspicious Activity Reports filed with law enforcement authorities.
The OCC charters, regulates and examines approximately 2,400 national banks and 58 federal branches of foreign banks in the U.S., accounting for more than 57 percent of the nation's banking assets. Its mission is to ensure a safe and sound and competitive national banking system that supports the citizens, communities and economy of the United States.
[Alert]
ALERT: 2000-9
Subject: Protecting Internet Addresses of National Banks
Date: July 19, 2000
TO: Chief Executive Officers of All National Banks; All State Banking Authorities; Chairman, Board of Governors of the Federal Reserve System; Chairman, Federal Deposit Insurance Corporation; Chairman, National Credit Union Administration; Conference of State Bank Supervisors; All Examining Personnel; Service Providers
PURPOSE AND BACKGROUND
This alert highlights the need for banks to carefully select and protect their Internet addresses. Recently, several banks discovered Internet Web sites with Internet addresses similar to the addresses of their national bank Web sites. This confusing situation resulted in some bank customers mistakenly transmitting confidential information to these other similar Web sites.
Banks and others establish Internet addresses by registering a domain name through a domain name registration authority. Domain name registration information typically consists of the name of the registered owner, contact information, and technical information necessary to operate the domain naming system. Since domain name registration services are primarily concerned with establishing unique names, they do not impose restrictions on the registration of similar names.
A hypothetical example of a domain name is examplebank.com, which can coexist with examplebank.net and examplebank.org. Country suffixes also can be used to create similar names, (e.g., examplebank.de for Germany). Although the prefix of ''www'' is often used to denote a Web address (e.g., URL(http://www.examplebank.com)), it is possible to include ''www'' in a domain. To avoid customer confusion, banks should consider the following actions in establishing and monitoring Internet addresses.
DOMAIN NAME SELECTION AND REGISTRATION
Banks should ensure their domain name is registered to them, under their control, and clearly communicated to their customers. In order to avoid customer confusion, banks should consider registering similar domain names. When another entity holds the registration to a similar domain name, banks should consider the risk of customer confusion between the two names. Where the risk of confusion is unacceptably high, the bank can take actions such as increasing customer education efforts, selecting a different domain name, or seeking to acquire the similar domain name from its owner. The bank also can dispute the use of the other domain name under the terms of the domain name license agreement. Under those terms, registered domain name owners are required to abide by the policy located. In general, the dispute policy provides for a mandatory administrative proceeding when a domain name is identical, confusing, or similar to trademarks or service marks; is registered to someone with no legal right or legitimate interest in the domain name; or is used in bad faith. For this reason, banks should consider establishing a trademark for their domain names. The bank also may be able to initiate immediate action in federal district court under the recently enacted Anticybersquatting Consumer Protection Act, 15 USC 1125 (d). In the event the similar domain name remains registered to someone other than the bank, the bank should consider surveying the domain periodically to ensure that the use of the domain does not pose an unacceptable risk to the bank or its customers.
CONTROLLING CHANGES TO DOMAIN NAME REGISTRATION
Domain name registration authorities will change registration information upon request. An unauthorized change to the bank's registration information, however, could result in the loss of a bank's on-line identity and a misdirection of its customer communications. To limit the risk of unauthorized changes, banks can select a method of communicating with their domain name registration authority that ensures an adequate degree of authentication. In addition, banks should consider establishing internal procedures to ensure that bank communications with the registration services are authorized.
PROTECTING AGAINST DOMAIN NAME SERVER INTRUSIONS
An intrusion into a domain name server can result in a bank losing its on-line identity, even if a bank carefully selects and protects its domain names. Banks should protect against domain name server intrusions using the guidance provided in the OCC Bulletin 2000-14 ''Infrastructure Threats -- Intrusion Risks'' (May 15, 2000).
SUSPICIOUS ACTIVITY REPORTING
Banks that become aware of identity theft or similar crimes perpetrated in conjunction with the use of similar domain names, unauthorized changes to domain name registrations, or other actions should file a Suspicious Activity Report in accordance with Regulation 12 CFR 21.11 and the instructions of the Suspicious Activity Report form.
Questions regarding this alert should be directed to Clifford A. Wilke, director, Bank Technology Division, at (202) 874-5920 or via E-mail: clifford.wilke@occ.treas.gov.
_____________________________
Clifford A. Wilke
Director, Bank Technology Division
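An added example, not part of the OCC alert or of this page's original text: one way a bank could run the periodic survey the alert recommends, classifying observed host names against its own domain using the three cases the alert describes (another generic suffix, a country suffix, ''www'' folded into the name). The one-character-edit rule goes beyond the alert; the observed list is constructed, and treating the last two labels as the registered name is a simplifying assumption.

```python
def registrable(host):
    """Return (name, suffix) from the last two labels (assumes single-label suffixes)."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a domain name: {host!r}")
    return labels[-2], labels[-1]

def within_one_edit(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # single substitution
    return a[i:] == b[i + 1:]            # single extra character in b

def classify(own, observed):
    """Return 'own', a confusion category, or None if the name is unrelated."""
    own_name, own_suffix = registrable(own)
    name, suffix = registrable(observed)
    if (name, suffix) == (own_name, own_suffix):
        return "own"                     # includes www.examplebank.com itself
    if name == own_name:
        # Two-letter top-level domains are country codes.
        return "country-suffix" if len(suffix) == 2 else "other-suffix"
    if name in ("www" + own_name, "www-" + own_name):
        return "www-in-name"
    if within_one_edit(name, own_name):
        return "one-char-edit"           # generalization beyond the alert's cases
    return None

def survey(own, observed_hosts):
    """Map each confusable host to the reason it was flagged."""
    flagged = {}
    for host in observed_hosts:
        reason = classify(own, host)
        if reason not in (None, "own"):
            flagged[host] = reason
    return flagged

# Constructed sample input, e.g. names seen in customer reports or referrer logs.
OBSERVED = ["www.examplebank.com", "examplebank.net", "examplebank.de",
            "wwwexamplebank.com", "examp1ebank.com", "login.examplebank.org",
            "unrelated.example"]

if __name__ == "__main__":
    for host, reason in survey("examplebank.com", OBSERVED).items():
        print(f"{host}: {reason}")
```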
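Growth in the number of domains in Germany
Growth in the number of domains in Germany by type
Growth in the number of domains in Germany and the amount of money required
Growth in the number of hosts in Germany
Growth in the number of hosts in Germany and the amount of money
World Internet users by language
Pie chart of users by language
Internet fraud from May 2000 to February 2001 as announced by the FBI
Dos and Don'ts of Client Authentication on the Web
US infrastructure protection policy published in 1997 - 1
US infrastructure protection policy published in 1997 - 2
US infrastructure protection policy published in 1997 - 3
US infrastructure protection policy published in 1997 - 4
US infrastructure protection policy published in 1997 - 5
Internet fraud reports submitted to an Internet fraud monitoring organization
Leading Commercial Practices for Outsourcing of Services, published by the GAO on November 30, 2001
Domain name dispute statistics from 1999 to November 2001, published by WIPO
Consumer debt graph for 1980-2003: Influence of Total Consumer Debt on Bankruptcy Filings Trends
History of the founding and mergers of Japan's city banks
Release published by the UK's FSA on November 1, 2004
Report published by the FSA on November 1, 2004
"Special Public Opinion Survey on Financial Products and Services", published by the Cabinet Office on February 2, 2006
Report on the BSA Direct R&S project of the Financial Crimes Enforcement Network "FinCEN's", published by the GAO on July 17, 2006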
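Fraudulent business schemes on the Internet
Brand domain
Internet
Domain
DNS
E-mail
Top-level domain
InterNIC
Attribute-type domain name
Virtual domain service
Policy on disputes over domain names
Domain dealer
Reserved domain names
this.is/
WebARENA
Hosting service
eDNS
Order prohibiting the abuse of domain names
Internet domain name country codes (alphabetical order)
Internet domain name country codes (by region)
Hatch
Shared Registry System
US examination standards for trademark registration of domain names
Study group on Internet domain names
rns
Green Paper
Green Paper announced on January 30, 1998
Views of the EU and EC on the Green Paper
NSI release of April 9, 1998
FQDN
Final proposal announced by the US Department of Commerce on June 5, 1998 - 1
Final proposal announced by the US Department of Commerce on June 5, 1998 - 2
IANA's statement of support for the White Paper
Domain name White Paper
IFWP
Smart Browsing initiative
REBOL
NSI release on the two-year extension of its domain management contract
Recovery report announced by InterNIC on October 7, 1998
DENIC
cybersquatting
3532441723
The battle between eToys and etoy
Domain names proposed by Nader on March 1, 2000
ICANN
ICANN/2002
ICANN/2003
ICANN/2004
ICANN/2005
ICANN/2006
ICANN/2007
NICANN
CPSR-J's statement ahead of the ICANN Yokohama forum
Yokohama Declaration
English original of the Yokohama Declaration
APC-ICANN AWARENESS-RAISING CAMPAIGN
Japanese translation of the APC-ICANN awareness-raising campaign
Dynamic DNS Network Services
Internet Democracy Project
Civil Society Internet Forum
Origins of ICANN'S AT LARGE MEMBERSHIP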
Slam-a-Cyberscam
GAO(General Accounting Office)
TECF(Trusted Electronic Communications Forum)
Pharming
CRI(Customer Respect Index)
FinCEN(the Financial Crimes Enforcement Network)
GSO(Get Safe Online)
FOSI(Family Online Safety Institute)