Safeguarding Online Banking: The Power of State Bank of India's Exclusive gTLD
Note to Readers: Please keep in mind that this article is based on an event that occurred on 20 Feb 2017.
In this article, we're going to delve into the world of generic top-level domains (gTLDs) and explore the recent decision by the State Bank of India (SBI) to adopt its own gTLD for website security.
Despite occasional grumblings about changes in policies regarding savings bank accounts, the State Bank of India, India's largest public sector bank, has unveiled a significant upgrade to its website. This upgrade isn't merely about aesthetics; it's a proactive step to safeguard its customers against phishing scams.
Yes, we're talking about the recent news of SBI rebranding its website with its very own gTLD, transforming it from https://www.sbi.co.in to https://www.bank.sbi. This marks a groundbreaking move, as SBI becomes the first banking institution to have its own gTLD.
But what exactly is a gTLD, and how does it bolster protection against phishing attempts? Allow me to explain.
Deciphering gTLDs:
A gTLD, or generic top-level domain, is the last segment of a fully qualified domain name. To give you a clearer picture, a fully qualified domain name represents the complete web address of a site, like www.google.com or www.wikipedia.org. The labels "com" and "org" are examples of top-level domains, often called gTLDs. The term "generic" is a historical relic, distinguishing these domains from others that emerged during the early development of the internet.
You might wonder why they're called "top-level" when they appear last in the address. The answer lies in the Domain Name System (DNS), a directory service responsible for linking domain names to the appropriate websites. The DNS organizes domain names in a hierarchical order, reading them from right to left. Consequently, the rightmost label assumes the highest position in this hierarchy.
Diverse Roles of gTLDs:
Originally, gTLDs were introduced to signify specific purposes. For instance, "com" indicated commercial entities, "net" denoted network infrastructures, and "edu" signified educational institutions. However, due to a lack of restrictions, these entities—com, net, and org—are now open for use regardless of their initial goals, rendering them "unrestricted." Other gTLDs like "biz," "name," and "pro" are considered generic but remain "restricted" since their registration demands proof of eligibility.
Notably, the "sbi" gTLD is also designated as "restricted," which means no individual or organization outside of SBI is permitted to register under this domain. You might be wondering how this benefits us, the customers, in the battle against phishing scams. To unravel this, let's first understand what phishing entails.
The Phishing Challenge:
Phishing involves attempting to acquire sensitive information like usernames, passwords, and credit card details—often for nefarious purposes—by masquerading as a trustworthy entity through electronic communication.
Traditional phishing schemes typically involve a scammer sending an email informing the user of an unexpected windfall, like a $10 billion lottery win they never entered. The user is then asked to send a processing fee to claim the prize, but, in reality, no prize exists. In another scenario, scammers create emails resembling official communication from a bank, coercing users to provide their credentials for purported security reasons.
These deceitful emails contain links that redirect users to fraudulent websites mirroring the bank's official site. Unsuspecting victims enter their credentials on these fake sites, inadvertently sharing sensitive information with the scammers.
Protecting against the first type of scam often involves marking the sender's email address as spam. However, the second type necessitates more vigilance. Users should verify the sender's email address for authenticity and scrutinize the website's address in their browser, watching for any subtle misspellings or inconsistencies. A useful tactic when encountering a suspicious site is to intentionally provide incorrect credentials; if the site doesn't respond with an error, it's likely fraudulent.
The gTLD Solution:
Here's where SBI's restricted gTLD, ".sbi," comes into play. This exclusive domain is reserved solely for SBI's use, making it easy to differentiate between authentic SBI websites and emails and potential phishing attempts. Official email addresses and websites from SBI now end with ".sbi."
As of now, only the bank's primary website sports this new gTLD. However, SBI officials have revealed plans to extend this security measure to other SBI businesses, including insurance. Additionally, they've assured customers that the previous web address, www.sbi.co.in, will remain operational during the transition, ensuring a smooth shift to the new web address, www.bank.sbi.
Summary of gTLDs:
.com: Initially for commercial entities, now unrestricted.
.org: Initially for organizations not clearly falling within other gTLDs, now unrestricted.
.edu: Originally for educational use, now primarily for U.S. third-level colleges and universities.
.gov: Intended for governmental use, now primarily for U.S. governmental entities and agencies.










