Friday, April 13, 2012

Dot-YourCo as a Branding and Security Strategy

Dot-YourCo as a Branding and Security Strategy
Frank W. Sudia, Esq.

In the world of branding and brand protection, the offering of custom top-level domains (TLDs, also known as dot-anything) by ICANN and major internet registrars has provoked comment and concern, notably that a proliferation of new dot-com’s may make an already bad situation worse. Isn’t the current collection of dot-com, dot-net, dot-org, dot-info, (now dot-xxx), and 250 national suffixes bad enough? What’s the benefit, if squatters and crooks can register your brand improperly in even more new, uncontrolled places? How many sunrise periods must we endure, shelling out fees to lock down our name and its variants?

While these concerns may be valid, I also believe that great good can flow from these new TLDs, for several reasons. In particular we need to rethink our legendary addiction to “dot-com” and realize that dot-com is someone else’s brand, namely a private company, Network Solutions (tagline: "The Dot-Com People"), which controls it and has profited mightily from our shared belief that dot-com is so necessary that our brands must be subordinate to it, so we can bask in its eternal internet sunshine.

Hence my first suggestion: Companies should consider refocusing their advertising dollars towards promoting their own brands, as dot-yourco, and phasing Network Solutions' “dot-com” brand out of the marketing picture.

At the technical level, dot-yourco turns your company into its own internet registrar. Anything in front of dot-yourco is there solely by your consent. Thus rather than: www.yourco.com/promotions or promotions.yourco.com, you can focus your dollars on promotions.yourco, service.yourco, sales.yourco, and so on. No dot-com required.

Assuming your brand is powerful enough that it doesn’t need to ride on the coattails of the world famous dot-com brand, and many are, dot-com will eventually become a memory. Why did we think we had to do it their way, and with every ad dollar spent promote another company’s brand?

Second, by switching your company’s internet servers over to dot-yourco, you can start to implant the message that ANY use of your brand on any other TLD suffix is improper. It won’t happen overnight, but it would be very beneficial for your customers to start realizing that my-yourco.com, or yourco.xyz, etc. are ALL false, because your only real servers are on dot-yourco. Obviously you’ll retain your existing domains and redirect to the new ones, but consider the simple factor here. You control dot-yourco, thus it is the only authentic source. Scammers cannot touch it, thus all these numerous fake-yourco.com websites are just that, very clearly fake, greatly aiding the public to tell which ones are real!

But wait, you ask, what about our use of national suffixes, to show our commitment and presence in national markets? You can still show that national commitment by internalizing national codes within your own naming system, such as sales.uk.yourco, service.jp.yourco, etc.

A third big reason for switching to dot-yourco is security. A new cyber attack has recently been perfected known as typosquatting. We’re all familiar with cybersquatting, in which someone registers a deceptive name in bad faith, usually to demand a payment to hand it over, or to sell fake goods. This threat is mild however in comparison with typosquatting, which is registering company names with typos for the purpose of stealing their email, and redirecting their web traffic!

Computer security researchers recently demonstrated[1] that, by registering typos of corporate names, they could capture 20 gigabytes of email sent by customers and business partners who typed the name wrong. To prevent the parties from finding out, they relayed the mail to its proper source (after stealing it), and to implement the scam in both directions, they changed the sender’s from-address to another typo they controlled, thus intercepting the reply, which (after being stolen) is relayed properly. This attack occurs entirely offsite, outside your company’s IT security systems, so there are few obvious counter measures, other than to constantly scan for and buy up or take down all apparent typos.

Likewise, misspelled domains are a popular means of hosting fake websites, not only for fake goods, but also for theft of credentials, also known as web-phishing. Crooks, in their tireless ingenuity, will register such typos and use them to put up a copy of your corporate login page, inducing users (who entered the typo) to input their userid and password, which are then stolen. The more technically adept crooks will then redirect and log the user into the true site, so she’s not even aware it happened – until her account is later plundered or her data stolen, etc.

This domain security issue is sufficiently dire that Brazil created a special well controlled second level domain for banks[2], namely dot-b.br, so that end users can be informed that anything that lacks this special banking suffix is not a real bank. [Further discussion of the now pervasive criminalization of the internet omitted.]

Maybe at this point you are seeing the picture. You don’t need to wait for government assistance to create a well controlled TLD, and start informing the public that anything lacking this special suffix is fake. Shell out ($185,000 up front plus $25,000 per year) for dot-yourco, get your own well controlled top level domain, and start putting out the message that this (which you, at last, really control) is the one and only real thing.

By adopting this strategy, you can:

1. Stop spending ad dollars to promote the dot-com brand (which is already famous enough) and instead focus on solely promoting your own brand.

2. Educate consumers that ONLY this dot-yourco suffix is valid and ALL others are fakes.

3. Continue demonstrating commitment to national markets by internalizing national suffixes.

4. More readily police the internet, taking down every instance of any name that resembles yours, cleaning yourself off all other TLDs, retaining only a few to help customers who haven’t gotten the press release.

5. End the major info-security risk of email and web credential theft by typosquatters, because you control what goes in front of dot-yourco, so crooks would be limited to trying to register (at great cost) other typo suffixes such as dot-yurco, which is not economically viable.

The world won’t wean itself from its addiction to dot-com overnight, but many companies with well known brands might be better off taking control of their own internet registration and branding process, wresting it away from open registrars. The cash costs and internal changes may be semi-significant, but the upshift to much greater control, especially of your advertising messages, should make it worthwhile down the line.

Notes:

[1] Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500,
http://www.wired.com/threatlevel/2011/09/doppelganger-domains/

[2] New 2nd Level .br Domain to make Internet Banking Safe in Brazil
http://www.domainpulse.com/2008/10/29/new-2nd-level-br-domain-to-make-internet-banking-safe-in-brazil-2/. See: www.citibank.b.br, which redirects to www.citibank.com.br.

= = = = =
Frank W. Sudia, Esq. is a Washington, DC-based corporate and IP transactions attorney with experience in trademarks and cyber security. For further information see his website at www.sudialaw.com.

This article reflects only my own views, and not those of any client or organization I may be affiliated with.

Labels: , , , , , ,