
Say there is a bank/financial service that wants to have hyperlinks on their secure website/domain (or even in emails they send out to customers). In some of these links there are some long/obscure URLs which link to one of their subdomains, but the long links are ugly and not very user friendly, so they want to have shorter, nicer links to put on the website or email.

  • What are the risks for a bank/financial service using an external URL shortener service, e.g. Bitly, for this?
  • Is it better for a bank/financial service to host this sort of short link to long link translation service on their own domain and infrastructure?
  • Using URL shorteners is common practice in scams to hide the domain, which is obviously different from that of whoever the scammers are impersonating. If the bank often uses URL shorteners, their clients are more likely to click on shortened URLs from scammers. – user9123 Apr 15 '20 at 20:29
  • If my bank starts using URL shorteners hiding the domain name, I'll drop the bank. There are plenty of internal ways to fix this; going external is a major risk. – Mast Apr 16 '20 at 08:22
  • If you can host this internally, then why use the long version at all? - And, also, if an external agent can shorten your URLs, why can't you? - Also, cool URIs don't change! – I'm with Monica Apr 16 '20 at 09:35
  • What is the reason for using long and/or obscure URIs and subdomains, anyway? You should have a concise, immutable (or at least expandable) URI scheme for addressing everything. The internal workings of the content delivery should not play any role in this, though. – I'm with Monica Apr 16 '20 at 09:38
  • It's worth noting that some banks even [have their own TLDs](https://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Brand_top-level_domains), so this would facilitate branded short URLs. – cmbuckley Apr 16 '20 at 11:40
  • If Amazon, in everyday operation, can handle URLs that are 2 kilobytes in size for absolutely no good reason, what is the problem, anyway? – Damon Apr 16 '20 at 17:20
  • I think this is fine if you host your own link shortener, on your own domain, obviously using HTTPS, and using a cert clearly designating your bank's name. Don't train users to click foreign links. – Alexander Apr 16 '20 at 19:41
  • I hate to say it, but it's getting popular among banks because of SMS and WhatsApp banking. They use URL shorteners a lot there. – VarunAgw Apr 28 '20 at 23:44
  • Given that the bank's developers (and more importantly their development management) seem to lack the competence to register and control domain names, and the simplistic task of translating URLs, I can't say I'd trust them to do anything -- let alone "manage" my money. – Jeff Grigg Apr 30 '20 at 15:35
  • In the end, banks should NEVER send "clickable" URLs – usr-local-ΕΨΗΕΛΩΝ May 06 '20 at 16:36

6 Answers

> In some of these links there are some long/obscure URLs which link to one of their subdomains, but the long links are ugly and not very user friendly, so they want to have shorter, nicer links to put on the website or email.

Users generally haven't had to type any URLs for at least a couple of decades now. In fact, if you have a look at this link, you'll see it is really long, and yet you don't need to type any of it. Generally, URL shorteners are only useful if you have to transmit a URL via a medium that doesn't support hyperlinks, such as printing it on paper. And even there, QR codes are slowly being adopted more and more to solve this exact problem.

What are the risks of using an external service to do this?

[Image: webcomic showing the dangers of URL shorteners]

Source: Randall Munroe, xkcd/1698, licensed under CC-BY-NC 2.5

By using URL shorteners, you promise that this URL will link to a trustworthy source. As long as your URL shortener of choice works and remains trustworthy, this works. However, once some time passes, that URL shortener may go out of business, and that domain will go up for sale once again. From that point on, you can't guarantee anymore whether those old URLs will work (they probably won't), or what will happen if users visit them. Remember that in the eyes of a user, this link came from you, so they will trust anything on that site to be from you - even though it might not be.

Has this happened in practice? Yes. In Windows XP, Windows Media Player does not come with the required license to play DRM-protected WMV files. Luckily for the user, Windows Media Player has the URL to get the license hard-coded. Unluckily for the user, that URL no longer points to Microsoft, but rather to a distributor of malware. Any user who still uses Windows XP and wishes to play a DRM-protected WMV file will be redirected to malware by the built-in media player of their OS, only because of URL shorteners.

A better solution

If you distribute links only digitally, it does not matter how long URLs are. Users just click on the button and that is it. If you really need to distribute URLs in a format that is non-clickable, such as TV advertisements or print media, make your own URL shortener. If ACME Corp. offers a new product called the "Ultra-Gigatron 9001", then make the URL ac.me/ug9001. If that doesn't work, make it acme.com/ug9001. Subdomains are free, and so are path names. Just be aware that that URL needs to be up as long as you expect people to type it.

  • Ironically, and contrary to the xkcd, for about 15 years the nuclear launch code was a well known **00000000**. Not the point I know, just anecdotal. – user10216038 Apr 15 '20 at 16:15
  • Note that SMS is a particular still-current case of limited length. – chrylis -cautiouslyoptimistic- Apr 16 '20 at 01:37
  • Are you sure that the Windows XP DRM vulnerability is linked to a URL shortener? Can you provide a source for this information? I only found https://docs.microsoft.com/en-us/security-updates/securityadvisories/2005/892313 and https://news.softpedia.com/news/ten-years-later-you-can-still-get-malware-via-the-windows-media-player-drm-508031.shtml – Razvan Socol Apr 16 '20 at 04:39
  • @user10216038 how do you know that? Can you give any reference? – Our Apr 16 '20 at 07:02
  • @RazvanSocol Might be that I was referring to that vulnerability. It's been a while. I'll edit this when I get the time – Apr 16 '20 at 08:09
  • @user10216038 Nuclear launch codes are pretty much useless without access to Air Force One, the Nuclear Football, Mount Cheyenne or any other place where you can actually use them. It's not like you can click on a GET request and accidentally launch a nuclear missile. – Nzall Apr 16 '20 at 10:45
  • *"QR codes are slowly getting implemented more and more to solve this exact problem."* - which is exactly where a URL shortener is likely to get used - QR codes for long URLs tend to be more awkward to handle - if you can even get the camera resolution and software to handle them. That said, it's still an awful idea to use a THIRD PARTY URL shortener for this. – Steve Apr 16 '20 at 16:04
  • @onurcanbektas - Just Google **nuclear launch codes 00000000** and you'll have many references. – user10216038 Apr 16 '20 at 17:37
  • @Nzall - Yes I'm aware of that. It was just a quip. I apologize to all for inadvertently derailing the topic. – user10216038 Apr 16 '20 at 17:40
  • I thought it was discouraged to click on links in emails from banks? I'm fairly sure I'd been told to open my web browser and type their URL myself, specifically to avoid hyperlinks to fake websites hidden by text like "this link" – craq Apr 16 '20 at 21:18
  • @craq Depends, but this would make URL shorteners just as bad. I assumed that they *want* to send links via e-mail. – Apr 17 '20 at 11:08
  • @MechMK1 I think the question is an XY problem. The banks shouldn't use link shortening, but they really shouldn't send any links in emails at all. That's why I'm upvoting F. Hauri's answer – craq Apr 17 '20 at 21:34
  • Unless you regularly use `ac.me` for all your links, how are your users supposed to know that it's owned by `acme.com`? In other words, using a well-known domain name which clearly belongs to you is probably more important for this use case than short, convenient URLs (though of course a competent organization could easily have both; having a machine generate long, meaningless labels for human consumption is just lazy and stupid). – tripleee Apr 18 '20 at 08:55
  • @Steve, indeed, if it's your site, just create a memorable link. A somewhat longer but memorable link is better than tinyu.rl/bFlmPSvZ. Shorteners are for cases where you want to, say, give a link to someone else's paper that does not have a short URL in a footnote in a printed journal. – Jan Hudec Apr 18 '20 at 14:38
> Is it better for a bank/financial service to host this sort of short link to long link translation service on their own domain and infrastructure?

I think the question contains the answer. For me, the answer is a resounding yes. A URL shortener should use a domain name that is owned and controlled by the 'bank'. The stakes are too high here.

In addition to the very complete answer by MechMK1, we have to keep in mind that any legitimate service, before it even goes out of business, can also get hacked (and quite likely, will be hacked), especially when it provides a springboard to a juicy target.

Consumers have been taught to be wary of phishing, and if the bank dismisses that advice by using a URL that clients are not familiar with, they will sow mistrust and confusion. You could even expect that a number of clients will report the mail as a possible spoof. Customer support is supposed to be busy enough and should not have to deal with self-inflicted problems.

To sum up, if they want a shortener it's probably not going to be as short as t.co, but it could be short enough for the purpose (e.g. to avoid a line break in e-mail). If they really insist they could buy a short domain name in .com or some country code extension, but that is still not a good idea, because anybody can buy a domain name and fake whois data. The whois data in itself does not prove that the bank indeed owns and controls the domain name. The point is, you should have a coherent and somewhat predictable brand and naming strategy. That means: stick to the domain names that are already known and trusted by your client base.

> Say there is a bank/financial service that wants to have hyperlinks on their secure website/domain (or even in emails they send out to customers). In some of these links there are some long/obscure URLs which link to one of their subdomains, but the long links are ugly and not very user friendly, so they want to have shorter, nicer links to put on the website or email.

We have different use cases here. For websites, using descriptive URLs is something normal, and is usually for SEO reasons. If some URLs are too long, rewrite them or alias them. For example, try to have no more than 3 keywords in the URL and choose the most relevant. A shortener is not the answer here. But you can have subdomains.

For advertising, short names are indeed essential if consumers are going to type them. But they have to be memorable too. Shorter is not always better: www.thebank.com/invest is still more memorable than t.co/Ba21dQ22. But that's why we have QR codes: to relieve people from typing URLs.

In fact, if the 'bank' is already using subdomains, they could assign one just for redirects. And then add a short parameter in the query string like a number.

For E-mails, you don't want long URLs because they can be cut off by the line break. If you send HTML E-mail, that is not a problem really, because a long hyperlink can be embedded in a short keyword. The problem is text E-mail or E-mail clients that do not render HTML, and there are not so many nowadays.

So what kind of problem are you trying to solve? My overall impression is that the shortener is mostly a marketing gadget, and that the right course of action is to improve what already exists. If you have ugly URLs, take the time to review them, prettify them, shorten them. A short URL can be convenient but is not 'pretty'.

Kate

In addition to the other answers, I would like to stress that communications from a financial service shall be easily verifiable by the user.

Say a customer receives an SMS/email:

> YOURBANK: Your purchase has been successful. More info https://bit.ly/2VBP5iK

Is this legitimate or not? Even to their IT team, that URL itself provides no context, requiring them to dig into whatever URLs it redirects to. And sometimes, even they would not be able to ascertain if it is legitimate or not, e.g. when the bank marketing department decides to launch a campaign at yourbank-campaign.com rather than using their domain (and thus being detected as phishing against yourbank.com).

Even if https://bit.ly/2VBP5iK now leads to https://yourbank.com/sign-in:

  • They wouldn't know who created that shortener. Even if it redirects to a legit page now, the author could later change it to a phishing page. Changing the target URL back and forth between the legitimate page and a phishing page would be a great way to confuse security teams.
  • You are training your users that bitly links from your bank are OK. Meanwhile, any miscreant could create one of those pointing to a phishing page targeting your entity.

And if you buy a new domain (e.g. https://yourba.nk/) to use as a shortener, do place at the website root a text like:

> This is the official shortener from yourbank.com. All entries here lead to official services by yourbank. See https://yourbank.com/faq#shortener

with the page https://yourbank.com/faq#shortener (at the main site), linked from it, confirming the same information.

You will nevertheless end up with users thinking it leads to a phishing page, some blacklist adding a URL from https://yourba.nk/, etc., but having a clear domain that can be whitelisted, and the proper information readily available, will help a lot.

Note that while I would consider owning the shortener domain yourself a must, actually hosting the domain could be delegated to a third-party like bitly, instead of doing that in the bank infrastructure. That would share only some of the concerns other answers have mentioned (such as the shortener company getting compromised and redirecting [some of] your customers somewhere else). However, while it may be a useful service for another kind of company, for a bank the added cost of hosting a private shortener service would be negligible when compared with that of their normal page which those redirects will be targeting. So I wouldn't host it outside of my infrastructure either.

Pang
Ángel
  • Note: yourbank.com is a working domain name for the Pendleton Community Bank, so you may want to use a different URL to avoid problems if they do end up implementing these links. – Nzall Apr 16 '20 at 10:48
  • `You are training your users that bitly links from your bank are Ok.` — This, IMO, is the biggest risk as it's the most easily exploitable. It's not whether Bitly goes out of business or expires, but if anyone can create `https://bit.ly/new-lloyds-business-accounts` and it looks just as legit as if it came from you, you're just _asking_ to get your customers phished – anotherdave Apr 16 '20 at 12:00
  • @anotherdave Agreed. It'd be slightly different if, for example, the US Government set up a URL shortener service at `https://bank.gov` which only officially registered and audited financial institutions could use. – Chronocidal Apr 16 '20 at 16:53
  • @Chronocidal There's a [.bank](https://icannwiki.org/.bank) TLD that might be used that way. – Ángel Apr 16 '20 at 20:52
  • Please don't do https://yourba.nk/ unless your main domain is excessively long. It's just pointless. You have enough space to write https://yourbank.com/go/1234 – user253751 Apr 17 '20 at 11:45
  • Not only that, they could cloak the link, so when someone from the bank's IP range clicks the link, it goes to the bank page where it is supposed to. It only sends you to the scam link if your IP recently loaded a 1x1 pixel graphic that was in the email, is from a foreign country, whatever. – Harper - Reinstate Monica May 06 '20 at 16:06
Regardless, I hate the idea of sending sensitive URLs by mail!

When my financial partners do have something to communicate, I expect something like:

> Some documents are stored in your account at yourbank. Please use your regular login to connect to your account's message box.
>
> In case you forgot your login, use the link written on your last bill or call us at the number you can find at the bottom of your last bill.

Using links in email leads to a lot of malicious things, like fake URLs using UTF-8 letters in the domain, like Y0urbank.com or yⲟurbank.com (with ⲟ as ⲟ) and so on.

From there, the strong URL could simply appear on the bank website or in my private space once logged in, as a simple href link:

```html
<a href="https://yourbank.com/complexUrl%20Holding%20Lot_of_characters">The link</a>
```
  • Thanks, this is the only answer so far that addresses the XY problem in the question. I have accounts with 4 banks in a couple of countries and all of them have said something like "we will never send you a link in an email, always use a bookmark or search engine or type the URL yourself". They also all use internal messaging systems because email is simply not secure. Someone can even intercept the email en route and change the link. – craq Apr 17 '20 at 18:51
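The look-alike domains in F. Hauri's answer (Y0urbank.com with a zero, and yⲟurbank.com with a Coptic letter) are exactly what a support or security team has to spot when a customer forwards a suspicious message. The following is an added example, not code from the answer or from any real bank: it pulls the host out of a link and explains why it is not the expected domain, listing any non-ASCII characters by name together with the Punycode form a browser would actually resolve, flagging ASCII digit-for-letter swaps, or simply reporting a different domain. The expected domain (`yourbank.example`), the small swap table and the sample URLs are constructed placeholders.

```python
"""Explain why a link's host is not the bank's own domain (added example)."""
import unicodedata
from typing import List
from urllib.parse import urlsplit

# Placeholder for the bank's real, well-known domain.
EXPECTED_HOST = "yourbank.example"

# A few ASCII substitutions commonly used in look-alike domains. This is a
# constructed illustration, not an exhaustive confusables table.
ASCII_SWAPS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def ascii_skeleton(host: str) -> str:
    """Undo the common digit/letter swaps so 'y0urbank' compares equal to 'yourbank'."""
    skeleton = host.lower()
    for lookalike, letter in ASCII_SWAPS.items():
        skeleton = skeleton.replace(lookalike, letter)
    return skeleton


def punycode_label(label: str) -> str:
    """Return the ACE form (xn--...) a browser would send to DNS for one label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def audit_link_host(url: str, expected_host: str = EXPECTED_HOST) -> List[str]:
    """Empty list if the URL's host is expected_host or a subdomain of it,
    otherwise a list of human-readable reasons not to trust the link."""
    host = (urlsplit(url).hostname or "").lower()
    if host == expected_host or host.endswith("." + expected_host):
        return []
    findings: List[str] = []
    # Name every non-ASCII character so the reviewer sees e.g. COPTIC SMALL LETTER O.
    for ch in sorted(set(host)):
        if not ch.isascii():
            findings.append(
                f"non-ASCII character {ch!r} (U+{ord(ch):04X} "
                f"{unicodedata.name(ch, 'UNNAMED')})"
            )
    if not host.isascii():
        resolved = ".".join(punycode_label(label) for label in host.split("."))
        findings.append(f"browser would resolve {resolved!r}, not {expected_host!r}")
    elif ascii_skeleton(host) == expected_host or ascii_skeleton(host).endswith("." + expected_host):
        findings.append(f"host {host!r} is a digit-for-letter look-alike of {expected_host!r}")
    else:
        findings.append(f"host {host!r} is not {expected_host!r} or a subdomain of it")
    return findings


if __name__ == "__main__":
    # Constructed samples: the genuine domain, the two look-alikes from the
    # answer above (transposed onto the placeholder domain), and a shortener.
    for sample in (
        "https://secure.yourbank.example/sign-in",
        "https://y0urbank.example/sign-in",
        "https://y\u2c9furbank.example/sign-in",
        "https://bit.ly/placeholder",
    ):
        print(sample, "->", audit_link_host(sample) or "OK")
```

The Punycode line is the one worth showing customers and first-line support: whatever the address bar displays, the name that actually resolves starts with `xn--`, and that string is plainly not the bank's domain.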

No. Nobody should. They are not under your control, and can be redirected at another party's discretion. They can also be used to compromise the recipient's/your customer's privacy. There is no legitimate need for such services. If you really really want short URLs, run your own implementation (it's trivial to do) on your own domain. Otherwise just use normal ones.

  • There are legitimate uses for such services, but they always involve linking to *other* sites than your own, and in many cases, not really having your own at all. They also always involve printed media, not e-mail or web. – Jan Hudec Apr 18 '20 at 14:46

The URL didn't get ugly by itself

The business unit within the bank created the website. They are the ones who chose the web platform and URL. They are the ones who designed it to be a customer facing URL that is to go out in public communication.

So the marketing department needs to push back on that business unit and say "no no no, if you want this URL going out to customers, make it not 277 characters".

Then their webmaster would do whatever is required for that to happen, e.g. an internal redirector (in effect a TinyURL within the business unit).