Subdomains

Remember the Great Equifax Hack back in Sept 2017? Equifax came under a lot of fire for the way they handled the breach, and one of their mistakes was using the custom domain equifaxsecurity2017.com for “customers” to check whether their personal information had been compromised. Shortly after the breach, several other lookalike domains were registered, including securityequifax2017.com. In fact, the custom domain was so confusing that Equifax themselves directed people to the incorrect site in tweets.

Two years later, it seems that large enterprises still don’t understand why this is a problem. TD Bank is Canada’s second largest bank, and yet they have repeated this mistake with their rewards program at tdrewards.com and with their travel booking site ExpediaForTD. These should be rewards.td.com and expedia.td.com respectively. Why? Because only TD can create sites and issue certificates on the td.com domain.
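Here is a small triage check, added as an example and not part of the original post, that makes the point concrete: a hostname is only trustworthy if it sits at or under an apex the organisation actually controls. The trusted apex list and the sample URLs (taken from the domains above) are assumptions for the demo; the brand-mention heuristic is a coarse hint for review, not proof of impersonation.

```python
from urllib.parse import urlsplit

# Assumed list of apex domains the organisation controls (example values).
TRUSTED_APEX = {"td.com", "equifax.com"}


def hostname_of(url: str):
    """Extract a normalised hostname from a URL or bare hostname."""
    # urlsplit only parses a netloc when a scheme or '//' is present.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = parts.hostname  # already lower-cased by urlsplit
    return host.rstrip(".") if host else None


def is_under(host: str, apex: str) -> bool:
    """True only for the apex itself or a label boundary below it,
    so 'ltd.com' and 'tdrewards.com' are NOT under 'td.com'."""
    return host == apex or host.endswith("." + apex)


def classify(url: str, trusted=TRUSTED_APEX):
    """Return (verdict, apex):
    'trusted'   - at or under a controlled apex (only the owner can issue
                  certificates there)
    'lookalike' - not under any apex but mentions a trusted brand label
    'untrusted' - unrelated hostname
    'invalid'   - no hostname could be parsed"""
    host = hostname_of(url)
    if not host:
        return ("invalid", None)
    for apex in sorted(trusted):
        if is_under(host, apex):
            return ("trusted", apex)
    for apex in sorted(trusted):
        brand = apex.split(".")[0]  # 'td', 'equifax'
        if brand in host:
            return ("lookalike", apex)
    return ("untrusted", None)


def triage(urls):
    """Classify a batch of URLs, e.g. links harvested from outbound mail."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample input mirroring the domains discussed above.
    for url, verdict in triage([
        "https://rewards.td.com/signin", "tdrewards.com",
        "https://equifaxsecurity2017.com/", "www.securityequifax2017.com",
    ]).items():
        print(f"{url:40} -> {verdict}")
```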

And that’s just good security.