Network News

X My Profile
View More Activity

The New Face of Phishing

Phishing is a difficult enough form of fraud to avoid for most computer users, but when some of the biggest names in the financial industry fail to do their part to detect and eliminate these online scams, consumers often are placed in an untenable situation.

Case in point: A source recently forwarded a link to one of the "best" phishing attacks I've ever seen. This one -- targeting the tiny Mountain America credit union in Salt Lake City, Utah -- arrives in an HTML-based e-mail telling recipients that their Mountain America credit union card was automatically enrolled in the Verified by Visa program, a legitimate security program offered by Visa that is supposed to provide "reassurance that only you can use your Visa card online."


The fake MountainAmerica.net Web site

The e-mail includes the first five digits of the "enrolled card," but those five digits are found on all Mountain America bank cards, so that portion of the scam is likely to be highly convincing for some recipients. The message directs readers to click on a link and activate their new Verified by Visa membership.

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.


The SSL Certificate issued to Mountain-America.net

Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf. In this case, however, it looks like that process fundamentally broke down. Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1.

The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

Choicepoint is a data aggregator that bills itself as "the nation's leading provider of identification and credential verification services." When Geotrust issues a certificate, Choicepoint provides a unique identifier -- an alphanumeric identifier that is supposed to be linked to a "corporate profile" that people can use to learn more about the recipient of that certificate. However, the profile page on this particular phishing site didn't have any more information than was already included in the rest of the certificate, including the company's name, city and state of incorporation, and the company's Web site (in this case, the profile refers to the phishing site's address.) It's unclear to me how the unique identifier adds anything that is of use to the person trying to verify the legitimacy of a Web site.


ChoicePoint's "Unique Global Business Record" for Mountain-America.net

I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.


The error page generated by Visa.com

Back to the Verified by Visa program. Users who get the phishing e-mail described above -- or any genuine communications prompting them to visit the Visa site -- might think they're being sent to another fraudulent Web site. First off, the Visa site asks users to enter their credit card number. Then there's the fact that when I clicked on any of the links on the Verified by Visa site, I received "Page not found" errors.

Update, 2:13 p.m. ET:Looks like the site has been shut down, no doubt thanks to the hard work of the folks at the SANS Internet Storm Center, who first spotted this scam.

Also, I heard back from Geotrust. Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process.

Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

"I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.

By Brian Krebs  |  February 13, 2006; 1:50 PM ET
Categories:  Fraud  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Anti-Spyware Deleting Norton Anti-Virus
Next: Microsoft Issues 7 Patches

Comments

If we assume that either Geotrust or Choicepoint did a name search against a database of bank and credit union names, that means that their matching algorithm was beaten.

a. tricked by a "-" [dash] in "mountain-america.net" or

b.could not recognize a partial text match, i.e "Mountain America" or "Mountain-America", versus "Mountain America Credit Union."

Posted by: Ken L | February 13, 2006 4:18 PM | Report abuse

To quote the article.. "I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.
I disagree completely. Perhaps if GeoTrust performed tougher Authentication and Telephone Verification practices, these things would be avoided.

Posted by: Butch | February 13, 2006 4:26 PM | Report abuse

Nice to know Geotrust denies responsibility. I hope your stockholders are reading this :).

Posted by: derek | February 13, 2006 5:14 PM | Report abuse

To those critical of Geotrust, please tell me how you would look at the name "Mountain America" and differentiate it from a sporting goods web site or a hiking web site.

There is nothing about that name that looks fishy.

Perhaps we should return to the days when all SSL certificates cost $400 or so and required all sorts of proof, but I prefer that the rest of us be able to get SSL too.

However, I would not be against adding some type of trust level to SSL certificates. Perhaps a high level trust for banks, financial institutions, and large companies, a medium level for other companies, and a low level for the cheap certs like GeoTrust and GoDaddy offer.

Posted by: David | February 13, 2006 7:22 PM | Report abuse

Is it really fair to include Equifax in this article? Equifax sold the Certificate business to Geotrust quite some time ago.

Posted by: Dan | February 13, 2006 7:26 PM | Report abuse

I have one solution for everyone... VeriSign. While they might be on the higher end of pricing, they have NEVER issued a certificate to a Phishing website, they are strict with their authentication and verification practices as well, which means, they dig into every single order equally.

Posted by: Alfred | February 13, 2006 7:36 PM | Report abuse

At least it was caused by a breakdown in the process (that can be fixed) not someone successfully exploiting recent cryptographic flaws. Unless this is all a big cover up.....running to get some more tinfoil;-)

Posted by: Blitz | February 13, 2006 7:43 PM | Report abuse

How does SSL prevent phishing? It doesn't. A signed SSL cert from a trusted Certificate Authority only assures the user that the information passing between the user and the domain is encrypted. SSL can't tell you if a site is "real" or not.

Posted by: null | February 13, 2006 7:45 PM | Report abuse

GeoTrust's response is rubbish.

Digital Certificates are sold via several authentication mechanisms. The quick and dirty cert from GeoTrust does nothing more than send an email to the WHOIS contact. They do offer a high priced cert with additional verification.

Most other certificate authorities issue certificates to legitimate businesses ONLY. They require manual verification and use Dun and Bradstreet business numbers or require a letter of incorporation. There is no way a phisher would be able to get a site from a provider operating like this.

It is irresponsible for Ms. Lockhart to make statements implying that this could have happened to other Certificate Authorities. You cannot defend the fact that GeoTrusts "quick ssl" cert verification process is ripe for abuse like this.

Posted by: john d | February 13, 2006 7:46 PM | Report abuse

Sorry Alfred...Verisign has screwed up before when issuing certificates. Two went out on behalf of Microsoft from Verisign in 2001.

http://amug.org/~glguerin/opinion/revocation.html

Posted by: Thomas Dark | February 13, 2006 7:47 PM | Report abuse

"Cheap" certs are cheap because they establish a chain of trust; a root certificate authority issues a cert to godaddy, for example, which then can issue certs itself.

The real issue is the validation performed by the CA. People trust the root CA's because they're assuming that there is some extensive research going on, done at least partly by a human, as part of the exhorbitant fee those root CA's charge.

The trust is broken if any part of the chain is weak; if Verisign issued a cert to godaddy, and found that godaddy itself was issuing certs without doing much research itself, then it is Verisign's responsibility to revoke the cert issued to godaddy, or else risking its own trustworthiness. How many times do you think this actually happens?

IMHO, people should remove Geotrust from their browsers' lists of trusted root CA's, but how many people actually know how to do this? If you're interested, I'll tell you...

Posted by: AndreP74 | February 13, 2006 7:49 PM | Report abuse

In response to Alfred's comment, I have to wonder why you think that VeriSign is somehow a solution. Having a VeriSign certificate will protect you no more than having a Thwate certificate, or any other. Someone who opens a phishing website and gets a certificate from GeoTrust will have the exact same indicator appear in the user's web-browser as appears when users go to your site with a VeriSign certificate, so why pay the extra money?

Great, Verisign will make sure that I am who I say I am, but how exactly will this protect my customers?

Posted by: Ian Fette | February 13, 2006 7:50 PM | Report abuse

null, your comment is wrong. The CA stores the website name associated with a cert; that URL is checked across an encrypted channel between the browser and the CA. If it doesn't match, the authentication fails.

Posted by: AndreP74 | February 13, 2006 8:00 PM | Report abuse

The "Verified by Visa" program seems like a target ripe for attack, considering that some banks (like Bank of America) delegate their Verified by Visa processing to companies that their customers have never heard of. If Bank of America customers learn to trust "securesuite.net" and "cyota.com" (Cyota, Inc.), why would they not trust some other site they've never heard of? When the real site is fishy, users are more likely to trust a fake one.

Posted by: David Baron | February 13, 2006 8:02 PM | Report abuse

Ian, the assumption is that Verisign does a more thorough job than a cheap CA, and that the end user checks who issued the cert.

With this story, we can no longer assume that the "trusted" root CA's are thorough; though, like you've inferred, no user takes the time to distinguish between a "cheap" cert and an expensive one.

Posted by: AndreP74 | February 13, 2006 8:03 PM | Report abuse

My question is: Does the certificate, in any way, shape, or form, help to find and prosecute the phishers?
If it does not, then the process for issueing these certificates is fundametally flawed, because it means the site visitor has no way of really identifying the entity that is behind that cert.

Alex

Posted by: below | February 13, 2006 8:18 PM | Report abuse

Personaly I applaude the phisher in this instance if you look at the pic of the site they used the motto "It's Just To Easy" and that says it all.

Posted by: Krage | February 13, 2006 8:32 PM | Report abuse

Alex, your comment summarizes exactly why you can't trust a cert any more than the issuing CA. If the CA cannot reliably identify the requester, then it has no business being a CA. Drop it from your browser's list of trusted authorities.

A non interactive verification process which doesn't even contact the requester back at a physical address or phone number AT THE VERY LEAST is hardly a "rigorous verification process". Maybe if a CA's other customers had the ability to sue the CA for diminished value of their own certificates would authorities take their role a little more seriously.

Posted by: Paul | February 13, 2006 8:54 PM | Report abuse

@In reply to David's quote "To those critical of Geotrust, please tell me how you would look at the name "Mountain America" and differentiate it from a sporting goods web site or a hiking web site."

How about requiring SSL certificate applicants to provide a Dun & Bradstreet DUNS Number, like Verisign does?

Posted by: Anonymous | February 13, 2006 9:03 PM | Report abuse

let's get rid of computers and bank information

Posted by: jim | February 13, 2006 9:08 PM | Report abuse

VeriSign or any other CA would have issued a certificate to that phisher. According to Verisign, they verify the following points: (1) The Organization is still in business; (2) The Organization has rights to the domain name; (3) The request comes from someone who works for the organization; (4) the Corporate Contact is aware of the certificate request; and (5) The Technical Contact is authorized to receive the certificate. All of those thing can easily be true for a company that has a name similar to the name of some obscure credit union. GeoTrust and Verisign also check for common scams like names similar to major banks, etc. but no one can catch every possible attempt. The CA was no more at fault here than was Network Solutions for issuing that domain name, and there was no reason for NetSol to refuse that registration.

Posted by: Steve | February 13, 2006 9:15 PM | Report abuse

"VeriSign or any other CA would have issued a certificate to that phisher. According to Verisign, they verify the following points: (1) The Organization is still in business; (2) The Organization has rights to the domain name; (3) The request comes from someone who works for the organization; (4) the Corporate Contact is aware of the certificate request; and (5) The Technical Contact is authorized to receive the certificate"

Performing these checks, especially number 3, would have prevented this from happening. Geotrust performed none of these, which is why they auto issued a certificate to a phisher based soley on the fact that he had a registered domain.

Anyone can register a domain, so the fact that someone has done so and an automatic script that decides if the domain name is similar to a known bank is not sufficient evidence to issue a certificate verifying their identity.

This company does not perform due dilligence, and so can not be trusted. Remove them from your browser's list of trusted CAs.

Posted by: Phill | February 13, 2006 10:02 PM | Report abuse

This article makes it sound as though finding someone who has some stake in this fraudulent company is hard or would be - perhaps someone should give Gerald a call on this one - he has been naughty.

This is the info used to register the name (which is publicly available):

WHOIS Record For
mountain-america.net

Registrant:
Dugan, Gerald F

24 Tyler Road
Ithaca, NY 14850
US

Domain Name: MOUNTAIN-AMERICA.NET

Administrative Contact , Technical Contact :
Dugan, Gerald F
geraldfdugan@yahoo.com
24 Tyler Road
Ithaca, NY 14850
US
Phone: 607-257-2871

Record expires on 12-Feb-2007
Record created on 12-Feb-2006
Database last updated on 12-Feb-2006

Domain servers in listed order:
NS0.XNAME.ORG
NS1.XNAME.ORG 213.133.115.5

Posted by: John Woz | February 13, 2006 10:04 PM | Report abuse

Holy crap - this is my primary credit union! I must say calling it "tiny" is not entirely accurate. It's a very popular and friendly credit union around the most populated counties in Utah (SLC and Utah counties). Fortunately I never got the phishing email in question, and my wife is also very well-trained to not heed any such scams (took a bit of training). I am eager to see what official communication or response we get - as shareholders - from the credit union itself.

Posted by: mork | February 13, 2006 10:08 PM | Report abuse

I do not understand what the author(and many of the comment posters) are all worked up about regarding SSL certs.

SSL is ONLY for securing the transmission of data from the user back to the server(or site) so that if the data is intercepted it is unusable(encrypted) nothing more nothing less. It is not meant to weed out fraudulant companies, although it has become sort of a by-product of the process.

It seems to me that many of you, including the author, hold SSL certs certs to a higher standard than they should be.

Remember, use the tools that you have at your disposal properly and they usually won't let you down!

Posted by: R Friedel | February 13, 2006 10:35 PM | Report abuse

Unfortunately, all of these comments are way off-base. As the head of customer relations for a major webhosting firm, we see hundreds of these phishing site orders per week (each of which is processed by a human clicking a button after three verirfication checks).

Unfortunately, I have to agree with GeoTrust. The way that phishing site operators work now is to get stolen credit cards and use them to set up totally legitimate looking websites, hotmail/gmail accounts, buy domain names, and in this case buy an SSL certificate.

Let's say that you work at GeoTrust or a web host. An order comes in with a totally legit name, good email address (the person you emailed a confirmation letter to clicked the link to confirm). The IP of the machine that the order came from has never appeared in your order system, isn't on the Tor blacklist, and is a regular old cable modem ISP. The domain name (now keep in mind you've never read this story -- how many of you have heard of this credit union before now) looks like any other business. You call the phone number on file, get the voicemail box of someone whos name matches the order information. Of course you process the order -- it looks fine.

GeoTrust obviously doesn't do all this. They may say that they have multiple verification methods, but I know for a fact that I can submit an order to GeoTrust, check my email 10 seconds later and click the "I Approve of this SSL certificate" link, and hit "check mail" again and have the certificate in my mailbox -- they don't call it QuickSSL for nothing. There is no human interaction at all on their part.

However, we (the web hosting / SSL certificate / etc) community have to realize that todays fake orders aren't coming from Vietnam every time like they used to -- they are coming from computers of people who have a virus, etc, with legitimate card information and phone numbers that match. There needs to be better sharing among this community of blacklists and suspicious data trends to prevent more of these attacks in the future.

Posted by: Jason | February 13, 2006 10:41 PM | Report abuse

I get "Bad Cert" messages from MS. I blow right through such cryptic admonitions. I don't know what a SSL Certificate is. I only give my CC to reputable companies and I can spot a phishing email a mile away - they *always* ask for personal info. I would never give out a CC, SSA #, etc., in response to an email. The whole SSL Certificate system sounds like a huge waste of money. I shop online on a monthly basis and have never lost a nickel. Finally, my Bank, who I do trust and is the issuer of the CC I use online, indemnifies me for fradulent online losses. Respecfully, you well-informed people seem unable to see the forest through the trees of security minutiae.

Posted by: Gene | February 13, 2006 10:45 PM | Report abuse

"Performing these checks, especially number 3, would have prevented this from happening."

Not true! The organization is a perfectly ordinary business. There is no way for anyone to know or predict "mountain-america.net" is going to be used as a spoof for the "Mountain America Credit Union."

Posted by: Steve | February 13, 2006 10:46 PM | Report abuse

SSL is not only for securing traffic. It provides mutual authentication and is specifically designed to make sure the server is authentic. If this were not the case, we could all generate our own SSL certificates.
The main piece is that the SSL cert is signed by a certificate authority. By signing the SSL cert, the authority certifies that the recipient is in fact the entity they say they are according to the verification policies of the CA. A CA that has a signing certificate in your browsers trust chain SHOULD be thorough enough to stop these attacks, if they aren't, it should go up the chain and their signing certificate should be revoked. Unfortately, last time I checked, only IE checks for certificat revokations. For other browser, "the cat is out of the bag".

Posted by: jsmith | February 13, 2006 10:50 PM | Report abuse

"SSL is not only for securing traffic. It provides mutual authentication and is specifically designed to make sure the server is authentic"

A phisher got a server, a domain and an SSL cert. Yay for the phisher. What does this have to do with SSL? They had a cert for a domain on a valid PHISHING server and apparently used social engineering skills to do all the dirty work. The phishers used the SSL cert to make people feel all warm and fuzzy, combined with the common digits on a series of Visa cards. It's not much more different than "Click here for nude photos of (insert celebrity here)". There are many easy targets out there and everyone needs to be a little more cautious with their information. If I get an email with even a partial bit of sensitive information in it from my financial institution, you bet your ass I call my local branch and raise holy hell.

Posted by: Dean | February 13, 2006 11:35 PM | Report abuse

I have to agree with the last couple posters. Jumping to blame someone over this (apart from the phisers or the people who still don't know to be sucpiscious of links in emails asking for personal info) seems like a hasty attempt to 'make someone responsible.'

Yes, an SSL cert does more than merely encrypt communication. However, there clearly is an important utility in merely verifying that a certain server really does belong to the person who controls a given doman name. It is necessery and important to have this simple sort of check out there on the internet and like it or not this is really what SSL certs accomplish. Trying to make SSL certs do something more would be a big mistake because there would be no way left to verify that the new websites someone just set up to sell beanie babies from their basement wasn't being spoofed.

Quite simply what is necessery is a higher level of security for banks and other financial institutions. While an addititional verification level on top of SSL might be helpful ultimately this needs to be built into the browser (and I think it is being worked on and may even be implemented in a few places). Just SSL would be a good start if most browsers were configured to check against a list of trusted financial institutions and display a special color to indicate that the SSL cert actually belonged to someplace you had designated as trusted. In the long run some higher level of verification would be good too so you didn't need to do this manually but until browsers generally support features giving more security info than just valid or invalid SSL certs there isn't much to be done.

Posted by: logicnazi | February 14, 2006 12:08 AM | Report abuse

Think twice before following Andre and Phil's advice of removing Geotrust from your browser's certs.

Geotrust is the third largest SSL provider, occupying almost 10% of the SSL market, according to whichssl.com

It's possible this phisher may not of gotten through Verisign's DUN check (or its insane prices) but if they got through Geotrust, they can surely get through Entrust, Comodo (used by Network Solutions), or GoDaddy.

Posted by: Jules | February 14, 2006 12:21 AM | Report abuse

Are there any statistics/polls on consumers/users who actually pay attention to the certificate prompt when it pops up?

Or how many of the end users actually know what is going on when transactions as such go through?

Thanks.

Posted by: Richard Kreider | February 14, 2006 12:21 AM | Report abuse

The most practical thing, given the lame behavior by GeoTrust, was for me to go into my browser and remove the trust settings from GeoTrust, since I no longer trust certificates that they issue.

Posted by: GeoTrust De-Trusted | February 14, 2006 1:29 AM | Report abuse

Shame on Geotrust and all the CAs that have made a joke of the SSL authentication model. Thanks to them, the trust in SSL certs has become all but worthless.

SSL provides session encryption AND server authentication. It doesn't make sense to encrypt your data if you can't verify who your encrypting it for. That is, and has been, the primary purpose of SSL from the beginning.

The problem is, the CAs have made a joke of SSL by issuing certificates at differing levels of trust, fully knowing that the browser has no way to distinguish these certificates that represent different trust levels in a way that can be easily determined by end users.

All SSL server certificates should be issued using the strictest background checks, with the minimum being DUNS verification and checks by the CA to ensure the SSL server cert is issued to a legitimate organization. This is the way it was in the beginning, and SSL server trust meant something then.

Sure, SSL server certs will cost $300-$400, and may take a couple of weeks to issue. However, for legitimate companies establishing a legitimate web presence, this is nothing compared to the cost and time they invest in setting up a legitimate web business.

When looking at phishing, we already have a perfect system available to stop it, SSL. Problem is, the CAs have bastardized the SSL trust model so bad that SSL server certificates are now a joke, making it impossible to understand the trust associated with SSL servers.

Posted by: SadSadCA | February 14, 2006 1:51 AM | Report abuse

Veriphied by Visa?

Brian, thanks for writing about this phishing attack in detail. The Verified by Visa program appears to have been launched a few years ago, although I first became aware of it only several months ago when one of my banks adopted it. I've been expecting phishing attacks to target the Verified by Visa program "any day now", and I just got around to blogging about this a couple weeks ago, at the antiworm blog, here:

Phishing by Visa

Only 10 days from blogger's speculation to phisher's implementation! The social engineering exploit gap is getting narrower!

/gary
. .. ... ..... .......
http://IntrinsnicSecurity.com
AntiWorm Defense-in-Depth.

Posted by: Gary W. Longsine | February 14, 2006 2:23 AM | Report abuse

If a website SSL certificate isn't tied back to the corporate address listed in the business' state incorporation papers, then it's open to fraud. All the other verification solutions are just workarounds.

The fact that the government isn't making sure this is secure is a default on one of it's basic duties. Ie. planning & setting up the infrastructure to permit commerce to occur.

Privatization may make sense in a lot of situations, but not for coordinating core standards for commerce. That's something the government is supposed to do.

Ben Slade
Chevy Chase, MD

Posted by: Ben Slade | February 14, 2006 2:37 AM | Report abuse

Isnt Choicepoint the same company that mistakenly sold millions of credit profiles to Nigerian scammers ?

http://www.techweb.com/wire/ebiz/60405814

And they're issuing SSL certs ? Amazing !

Posted by: Architect | February 14, 2006 2:42 AM | Report abuse

SSL is SSL is SSL. All it means is that the information crossing the internet is secure from the browser to the server. But they also have a secondary role. People have grown to assume that SSL certs from trusted companies like Verisign check to make sure that the SSL cert belongs to a legitimate place that they "vouch for" stating that they exist and there is a levle of accountability for website in question.

I admin a small business exchange server and the company I work for is too cheap to buy a Verisign cert. Really there is no need. It is only used by employees, so we created our own SSL cert. Sure IE gives a warning, but we have our employees add our cert to the trusted list and everything is fine. This works for employees since they know who we are.

SSL certs are only as good as the trust you have for the issuing company. Thank you for this article, after reading this, I"m taking Geotrust off the trusted list for my browser.

I think there should be accountability for SSL issuing companies. If they give out a certificate, they should gaurantee the authenticity of website. This does not mean that they would be liable for any missconduct of the website, but that should there be a problem, you could go to them and they would produce the person that is accountable. If they fail to produce said person, they should be held accountable instead. That is the only way that I would "trust" an issued certificate. The way SSL works now, it only function like WEP protection does for wireless networking and has nothing to do with legitimizing a website.

Posted by: Andrew | February 14, 2006 2:50 AM | Report abuse

Speaking on behalf of a registered Certificate Authority, this article touches on a very important issue regarding digital certificates and the implicit trust that consumers place in the technology.

Any CA that issues SSL certificates in a matter of seconds, where the issuance of the certificate is based solely on the customer's credit card payment having cleared, could definitely also make the same mistake as GeoTrust. However, the key here is 'instant', as any CA that undertakes even the most basic checks would have found this certificate request to be suspicious, and at the very least would have flagged it as requiring additional information and supporting paperwork, not to mention actual person-to-person contact. Perhaps the con-artists behind this particular scam tried other certificate vendors without success prior to obtaining one from GeoTrust.

Certainly one can make a case that more sophisticated criminals can create a 'shell' company in the same jurisdiction as a targeted business, rent some space and obtain a telephone number, get listed with Dunn & Bradstreet, register a domain name, and for all intents and purposes appear to be a legitimate business operation. They could then likely fool even those CA's that actually do put some effort into the verification process before issuing a certificate. But there's a fair amount of work involved in such a scheme, you have to be patient (your business has to be operating for quite a while before D&B will list it), and a significant paper trail is created. And why bother, when you can simply purchase a quickie certificate from a dine-and-dash CA. *THIS* is the issue.

A certificate's cost is no guide for what goes into the verification process. CA's are required to publish the details of their certification process in a document called a Certification Practice Statement, or 'CPS'. The CPS describes what steps the CA takes to verify the legitimacy of a certificate request (in some cases the description actually says that they do nothing at all). What kind of verification do you think can be done in a 30-second automated transaction? Would you do business with a company that would issue digital identification in *your name*, without that company making any kind of contact with you to verify that it really is you that's requesting the issuance of such identification? Those who support the instant-SSL vendors are as much to blame as the CA's that offer those products. ALL certificates issued by any CA that offers instant-certificates should accordingly be considered highly suspect.

Brian Pederson
Chief Technology Officer
cryptguard.com

Posted by: Brian | February 14, 2006 3:27 AM | Report abuse

I would argue the whole conceot of Certficate Authorities is flawed. The scope of the internet is too large to 100% accurately verify each site. The authentication / validation should NOT be done by another business.

The validation should not be linked to a website, a seperate system should be in place, where credientials are placed on a website and validated, independently of the infrastructure.

For example, it would be pretty easy to setup a VoIP phone with an 800 number, and phish using a phone line.

SSL should solely be the encryption. The verification should apply to the whole site (HTTP/HTTPS/PHONE/FAX/MAIL etc) People need to have a universal method to ensure they are communicating with the right party.

Posted by: Brandon | February 14, 2006 3:42 AM | Report abuse

So a human wouldn't have stopped this?

Punch "mountain america" into Google. What's the first hit?

Basic due diligence. Surely.

Posted by: Ed Daniel | February 14, 2006 4:53 AM | Report abuse

your answer, always trust google.

Posted by: your answer | February 14, 2006 5:35 AM | Report abuse

Folks have been mentioning that a DUNS number should be required to get an SSL certificate. A couple of points here - even Verisign don't *require* it (they use other company DBs if there is no DUNS number supplied) and won't this stop any individual from having an SSL Web site (e.g. they might just be setting up a list of registered users for a forum, mailing list, etc. and want SSL to encrypt the personal info transmission)?

BTW, I use GeoTrust for SSL certificates and it always struck me how it's possible to put any company name/info you like in the application form for the cert, effectively making that Choicepoint URL they put in the Organizational Unit field of the issued certificate completely worthless.

The cheap certificates are handy if you buy a lot of them (e.g. you're a Web hosting firm) and none of the sites you deal with have high volume/value financial transactions on them, but I think any site that's got a significant e-commerce presence should be going for a more "trusted" CA (yes, that probably means Verisign, even though I think they overcharge), because they do manual verification and you do get the company name in the Organization field of the issued certs.

Posted by: Richard Lloyd | February 14, 2006 5:37 AM | Report abuse

Brandon, what universal method would you propose?

Posted by: Sheila | February 14, 2006 5:39 AM | Report abuse

To Jon Woz's commment -- In all likelihood, Mr. Dugan is not the phisher. Usually, phishing sites are registered under someone else's credentials and stolen credit card. In this case, a LexisNexis lookup says Mr. JT Dugan died a few years back (according to his Social Security files). I left a message w/ Mrs. Dugan, who no doubt recently had some credit card fraud on the family account.

Posted by: Bk | February 14, 2006 7:14 AM | Report abuse

Modern times has called for proper authicated measures against fraudsters. Well it certainly seems as though Geotrust or should i say GEO-DE-TRUST is falling behind in keeping up to the pace of scam originators.

Sorry Geotrust, you blew your chance!!!!!!!

Posted by: Concerned | February 14, 2006 8:24 AM | Report abuse

So who goes to jail?

Posted by: Andy | February 14, 2006 8:39 AM | Report abuse

I've encountered a nifty Firefox extension that could have helped in this case (and in most other phishing attempts). Feel free to check it out: http://www.cs.biu.ac.il/~herzbea//TrustBar/index.html

The implementation is not so polished and a bit buggy, but the idea is good.

Posted by: TrustBar fan | February 14, 2006 9:36 AM | Report abuse

Where this is flawed is that they send information to the owner of the domain. If the domain was created by the fraudsters then they are just sending the email to the fraudsters to verify it. They should lookup the business from some other means and phone the company(not trusting domain information at all). I am sure this is not the only case where this has happened. It would be trivial for someone to create a domain something like a bank name and then get an SSL certificate for it.

If we really wanted certificates to mean anything we would need a government database of domain to business that browsers could query. When you apply for a business license that would be part of the signup.

Posted by: Adam | February 14, 2006 9:47 AM | Report abuse

I have bought a number of Geotrust ssl certs for $15 from [domain withheld] for legitimate personal sites. For my day job I progrm on 3 online banking services at a UK bank. At the bank we pay $750 per cert for certs by a leading authority. What is the difference between the $15 certs I bought and the $750 certs from the point of view of the end user? Nothing. Would your mother know not to trust a Geotrust? Nope. I was shocked to find out that to get my $15 cert all that I needed was control of one of a choice of a dozen 'official' sounding email addresses at the domain on the cert request (e.g. root@mydomain.com) and to supply them with a phone number. Any phone number. I gave them my UK cell phone. They gave me an automated callback on that cell phone and I said my name. The cert was mine in minutes. What kind of security check is calling me on an international cell phone? Luckly for me though as I was able to buying my fathers cert on his US AmEx card. Does my name sound like my fathers? Nope! So this goes to show that using a stolen card number would have been trivial. So to recap all you need is a stolen international cell phone and a stolen card number and you can get a $15 ssl cert. Nice. Now I find out on this article that they would allow you to by a cert on a domain that closely matches a financial institution? I think that most security folks would like to see Geotrust put out of business...

Posted by: SimonM | February 14, 2006 9:47 AM | Report abuse

p.s. My cell phone number was for the country code UK and I paid on a credit card with the country code US! So that is yet another simple check that Geotrust missed which should have barred me from getting the cert. Someone needs to put them out of business ASAP.

Posted by: SimonM | February 14, 2006 9:51 AM | Report abuse

I think the "Best" phishing scams usually involve XSS attacks. This way the actual victim site is used, the URL is the same, and there's no SSL trickey. Just rewrite the vulnerable page into the form you want and send the user-input offsite. This is definitely a breakdown in the cert granting process though.

Posted by: Kodiak Jack | February 14, 2006 10:12 AM | Report abuse

Shouldn't the fact that the Administrator Contact's e-mail address was yahoo.com have raised any flags, even for an automated verification system?

Posted by: eb | February 14, 2006 10:44 AM | Report abuse

While I can appreciate people's comments that the SSL issuance process should be more rigorous - I would conject that no matter how rigorous it was it would still not be fool proof. The simple fact of the matter is that SSL is an encryption technology and to use it for anything more than that is an error by us - DESPITE what CAs would have you believe about how trustworthy their certificates and their process is.SSL is not the solution to this problem.

Cheap certificates are incredibly useful to any of us running small websites who want encryption. It would be ashame for them to go away only to find out that it did nothing to solve this problem anyway.

The solution is proper online security techniques, and user education. For example, my finanical institution has a multi-stage login. You enter your username first, at which point they prompt you with security details from your account that only they (and you) know - for example an identification "phrase" as well as a unique picture. You then enter your account password as the second stage and then you're logged in. THAT is a secure process, and helps me identify the website as being the legitamate one I am trying to log into. No SSL cert or web URL can ever provide that kind of assurance. To rely on them to do so is inappropriate.

Problem Solved.

Posted by: Mark | February 14, 2006 10:55 AM | Report abuse

So GeoTrust's verification process is a spellchecker? I've just deleted GeoTrust and EquiFax certs from my browser.

Posted by: Ken | February 14, 2006 11:43 AM | Report abuse

I've read _all_ the posts here, and some people seem to be calling for re-inventing the wheel (not fully understanding the scope of SSL), while others blame the end user for not having common sense. My earlier point about deleting Geotrust from the browser's list of trusted CA's acknowledges that people are smart enough to know when a perfectly-fine implementation of security has been abused. Yes, I know how big Geotrust is! That's _exactly_ my point.

Posted by: AndreP74 | February 14, 2006 12:12 PM | Report abuse

On a not too-unrelated note: while ANYBODY can register a domain name (actually, that's not exactly true), the ICANN rules state that the technical and administrative contacts be legitimate and up-to-date. Any ICANN-accredited organization that has the authority to issue domain names has the responsibility to cancel the DNS entries if, after trying to contact the registrant (in the case of dispute), sufficient time has passed without the information being brought up-to-date. This includes address of record.

I recently tried to contact tucows regarding their registration of bonzaikitten.com, in which I found the address of record to be incorrect (it was for an organization that was in no way associated with the registrant of record). I never heard back from tucows; apparently they didn't care enough to do their accreditation's duty. CA's have a similar duty to investigate, and when they don't, the simple fix is to reduce their business until they comply or go out of business.

Posted by: AndreP74 | February 14, 2006 12:23 PM | Report abuse

Educate! Educate! Educate! Then it does not matter what the end user is presented with.

Posted by: trodak | February 14, 2006 12:31 PM | Report abuse

I don't care how "convincing" a phish is, if I receive an e-mail from any financial institution, I will not follow any embedded links, period. Messages from financial institutions I don't use are automatically assumed to be fraudulent.

On the other hand, if a message arrives from a financial institution I deal with, all I have to do is type the institution's URL, log in, and see if there is a legitimate message for me.

Trying to figure out from a message's appearance or from the presence of a certificate whether a link goes to a legitimate site or not seems to me a lot like playing Russian roulette with live ammo in 4 of the 6 chambers.

Simple advice that almost always works: Trust nothing implicitly.

Posted by: Bill | February 14, 2006 12:31 PM | Report abuse

Tiny?! MACU has several billion dollars in assets. They're one of the largest CU's in the country.

Posted by: James | February 14, 2006 12:54 PM | Report abuse

The whole reason for certificates is so that the certificate authority cartel can make money by charging site operators to enable encryption.

There is no reason why you need to buy a certificate to enable SSL encryption. Self-signed certificates work just fine, except that browser makers feel compelled to "warn" your visitors when the certificate isn't signed by one of the cartel members.

What additional value does a CA-signed certificate give you? None. It cannot guarantee that the operator of a site is trustworthy. It can only make a weak promise that the operator of the site is "who they say they are." This does not account for similar-sounding names or criminals who register certificates for a seemingly-legitimate business front, or the fact that all certificates -- thoroughly researched or not -- look the same to users.

Posted by: Nate | February 14, 2006 1:34 PM | Report abuse

I agree with several of the posters that the primary problem is that the certificates are really just for data encryption and that a separate system should be used for verifying the "authenticity" of the site.

The fault lies not with the SSL but with the misrepresentation of what it means. The dialog boxes which the user interacts with encourage the user to believe that the site has been verified when this is not the case. Rather than reassuring users that they are being made secure, the dialog should warn that the cetificate will guarantee that transmission of data to the website is secure but specifically warn that the website itself has not been validated. It is the illusion of security that is the problem, that illusion should be discouraged.

Any entity that claims to certify that a website is legitimate should be able to produce the actual person who purchased the certificate or be liable for any misuse of that certificate. This type of certificate would be much more expensive due to the liability it would generate, but that liability would be the thing that makes it meningful. As it is, there are no consequences for slipshod practices.

The real problem is that the certificates give the illusion of more security than they deliver. The place to fix this is in the dialogs that the user interacts with. If these were warnings rather than reassurances, users might make better choices. I do not believe that any other form of "user education" would be meaningful.

Posted by: jimbob | February 14, 2006 1:35 PM | Report abuse

If you're going to delete Geotrust you might as well delete all the rest of the authorities that provide fast-SSL certificates. Then have fun buying stuff online.

Posted by: Jules | February 14, 2006 2:23 PM | Report abuse

The problem is not SSL or the misinterpretation/false perception of SSL. Its at least a false perception of what these Equifax/GeoTrust certs get you (several comments already on this). The problem starts at the processes that Equifax/GeoTrust use, which appears broken. Also see comment on ICANN (or ARIN, etc.) and the DNS and there are more breaks in this supposed system. The names (Equifax, GeoTrust) are supposedly infused with trust, but all these procedural breaks have caused the loss of trust in this (supposed) system.

It is not ludicrous to assume that this would succeed. People will beleive anything. And it only takes one fool to click to make a crook rich. I have read that for a few $1,000 invested in this type of scheme the Return on Investment is around $500,000 in a month.

Its all broken.

Posted by: Brett Osborne | February 14, 2006 2:33 PM | Report abuse

Maybe GeoTrust should include googling before authorizing? Mountain-America credit union IS the first result. EFB

Posted by: Camelspiders | February 14, 2006 2:50 PM | Report abuse

Hi, from one who purchases many SSL certs for my clients websites SSL represents much more then encryption it represents TRUST (or at least is part of the trust equation).

For example; it is a fact that end users who visit an e-commerce website and submit sensitive information look for the browser lock. Also many look for the site seal (example: Secured by Verisign Seal). It is a simple matter of building Trust. The statements made that SSL certs are for encryption only is simply not true. Yes if you are securing an intranet or perhaps for access by internal employees only, encryption might be all that is needed.

As I understand the role of a CA is to verify that the applicant is a real organization or individual. How can you trust encryption if the entity is not verified? Sure the SSL cert will encrypt sensitive information but in the same note it is unencrypted on the entities server to be used as they please. An SSL cert will not protect you from a scammer who is a legitimate entity, however the offended will have some level of recourse as there would be a real responsible party.

Issuing an SSL cert to a Phishing site does a great deal of additional harm to the end user as the lock and seal help to complete the perfect scam. Geotrust is catering to a market who in my opinion does not care about trust. Sure they sell a lot of SSL certs but is this good for online business/transactions, I say no.

I would imagine that there is not a CA that can guarantee 100% that every applicant is a real entity, but I would bet with proper verification it would be very rare for a cert to be issued to a Phishing website as Geotrust has done. With a human doing some level of due diligence this would not have happened as surely anyone can see that the whois record for mountain-america.net presented many Red Flags. Without the SSL certificate and seal issued by Geotrust the scam would have been much less believable (again an issue of trust) which ultimately would have prevented many from being duped/harmed.

In closing as an e-commerce business consultant I have a responsibility to my clients to recommend good/reliable information about various products and services which will best serve their business and customers needs (this should apply also to any system administrators or web host providers). I also believe that I could hold some level liability when referring or perhaps reselling SSL certificates that do not properly authenticate their customers/applicants.

Even though Versign is an expensive CA and perhaps slower then they should be at processing applications, they have a strong brand and perform proper authentication. There are many other good CA’s that also perform proper validation and provide trusted brands for much less money (take your pick Comodo, DigiCert, Entrust, Thawte, etc.). The difference in price for alternative CA’s is $200 to $79. If you are serious about your online business/customers-trust what is the big deal about spending $200 to $79 verses $30 to $20. If you only need encryption (intranet) by all means purchase a Cheapo SSL cert, as they are better then self signed certs because they have browser trust (so you can avoid the annoying popups). My 2 cents worth (well maybe 3 cents).

Posted by: E-Commerce Biz Guy | February 14, 2006 5:59 PM | Report abuse

You say that SSL is about TRUST — well that is what users *think* that an SSL certificate implies. But, as you imply, there is no reason to trust a site just because it has an SSL certificate.

1. You can’t trust that they are who they say they are (because CAs don’t do sufficient validation).

2. Even if they are who they say they are, that does not mean they are trustworthy. Spyware is sometimes signed by CAs. Does that mean it is real spyware, not fake spyware??

You suggest that, “if you only need encryption (intranet) by all means purchase a Cheapo SSL cert.” But site operators have no incentive to buy a more expensive certificate, because it makes no difference to the CUSTOMERS. Even if customers figure out how to view the SSL information, it will be gobbledy-gook to them. And they are unlikely to know what differentiates brands such as Thawte, Comodo and Geotrust.

Sites will not lose customers because they select a cheaper SSL certificate. They will only lose customers if they don’t use SSL (no lock symbol in the browser), or if they use a CA that is not a member of the cartel (the user will get a “security warning” about the certificate and may decide not to trust the site). Buying a cheap-o certificate gets around both of these problems, and will continue to do so, for the forseeable future.

Posted by: Nate | February 14, 2006 7:08 PM | Report abuse

Nate - you totally misunderstood the opinions I expressed above. I did not say that SSL certificates provided by CA's who perform legitimate validation can not be Trusted. On the contrary, I suggested that they are best equipped to verify such details and build trust online. They are in a sense the first line of defense. This provides some level of recourse for the consumer/end-user, as they have a legitimate registered entity to go after if scammed. If a CA does not perform proper validation and issues SSL certs to non-verified entities (what this article is all about) then there is really no recourse (Tim-Buck-To comes to mind).

I also explained that is not possible in my opinion for a CA to verify 100% the legitimacy of all applicant organizations/individuals. To clarify, I was not suggesting that a CA could never verify such information but rather I was suggesting that they could not get this right 100% of the time due to the ability of a scammer to setup a shell company or present forged documents. This as suggested in a previous post is highly unlikely as it would take a great deal of work and risk to the offender. Just a guess, but I would bet the vast majority of applicants are properly validated by CA’s which adhere to acceptable validation procedures.

Regarding my comments on Cheap certs. I completely disagree with your statement “Sites will not lose customers because they select a cheaper SSL certificate”. This could be the farthest from the truth, if you have ever studied purchasing habits/treads of online users/consumers you would know that a strong Trust brand counts a great deal. Many users/consumers view the site seal of security and trust as important as lock in the browser. Take a good look at most large banking and e-commerce websites; you will usually see a site seal from a trusted CA. The reason is simple a strong brand builds consumer trust. Trust is needed to convert sales.

As an example put up two e-com websites with identical product offerings and marketing plans, website 1) displays either a week brand of trust (example: CheapoSSL) or no brand (only encryption – the lock) the other website 2) displays a strong/trusted brand (representing the best standards of authentication – remember trust is earned), I guarantee that website 2) will greatly out sell website 1). I know this to be true as not only do many studies/reports support this idea but I have experienced it first hand with my clients.

I do agree that many will purchase the cheapest certs they can get their hands on, but I would also bet these same groups are out of business in less then a year or struggle along for many years with little conversion. The attitude that cheapest is best can be valid when applied to the right circumstances, but like the old adage goes “You get what you pay for” also applies to purchasing SSL certificates. CA’s who perform proper verification of applicants I would assume incur greater expense and thus charge more for their SSL products, although I am sure the high prices that Versign charges is more to do with their long running brand. Many other CA’s who practice proper authentication standards do provide products at very reasonable prices.

Regarding online security in general there are much bigger issues at hand then SSL encryption. As stated in an earlier post “consumer education is the biggest key”. I completely agree. Common sense can go a long way in fraud detection and prevention. As I suggested above SSL can provide a good front line defense regarding authentication and encryption, but what happens to sensitive data once decrypted on the web server? Once stored information/data is open game. Questions such as does the server admin update security patches on a regular basis, is the server protected by a good firewall, do they store high risk data securely offline (credit card numbers or social security numbers should always be encrypted), do they sell or share data with other third parties, etc are questions that truly need answers.

The bottom line if you are going to place trust and submit sensitive data to an unknown website there will always be an element of risk. Educated users can avoid many unnecessary pitfalls including being lured into a Phished website. Proper authentication of SSL certs should be a concern for anyone who places their sensitive data at risk online. Encryption means nothing without the verification of a responsible party on the receiving end of the ssl connection/tunnel.

At the same time I must also acknowledge that there is a market for cheap ssl certificates. If again your need is to secure an internal network or for non-sensitive (public) data then SSL certificates with minimal authentication might be the best option. However, I would suggest looking at the entire package including support and certificate management tools when selecting a CA. Lowest price does not always = best value.

Posted by: E-Commerce Biz Guy | February 15, 2006 5:28 AM | Report abuse

It may have been true last week that nobody cared where you got your cert. It is no longer true, thanks to this incident. People who care about security will get browser builders to build in sharper tools to help them manage the amount of trust they assign. (Like flagging anything signed by GeoTrust or any of their delegates as "no good for commerce". Imagine a broken currency symbol in danger-red next to that closed lock.)

Posted by: Mark | February 15, 2006 9:21 AM | Report abuse

See: http://www.greenarmor.com

If the real Mountain America credit union had been using the psychology-based Identity Cues system to make clear to its users when they were accessing the real site, users wouldn't have had to do much yet the problem could have been averted altogether or at least minimized.

Posted by: Rajesh | February 15, 2006 9:40 AM | Report abuse

What an "interesting" reply from GeoTrust?

Secure Socket Layer is nice but provded with unsecure authorization/approval procedure especially for the certification application.

Much more automation in the approval process, more fradulent cases could be exploited. In fact, when will we apply automation? It could be good for some repetitive but low-risk action. Otherwise, our citizen card could be distributed in self-service counter. ;P

Regards,
Anthony Lai, CISSP

Posted by: Anthony Lai (Hong Kong) | February 15, 2006 11:55 AM | Report abuse

Saying that SSL certs build trust by the consumer is more the result of marketing by Verisign than any technical, procedural, or consumer intelligence reason.

In the absence of real security but the presence of encryption, consumers have been falsely lulled into believing that the two are equal and they are not.

In order to buy something from Amazon with your address and credit card number, you need encryption. In order to log into your bank, you need security. Having a user log in with a username/password over SSL is a terribly poor way to implement security, despite its prevalent use on the web.

The lesson to take away from this is that security needs to be implemented properly, not that some company's certificate process is lax.

Posted by: Mark | February 15, 2006 5:51 PM | Report abuse

Posted by: Todd | February 15, 2006 8:53 PM | Report abuse

Basically what you people don't seem to understand is that the entire security idea is flawed because it is based on trust, trust that the site you are visiting is valid and that the certificate validating that sites credibility is not fraudulent. Once you open your minds to this you will see that it has become incredibly risky if you are amongst the proletariat of the internet to use your personal details or any sensitive data on any website. That and validating companies need to revise their strategies with regards to how validation and authoring of certificates occurs, however as this would require a large redesign of the current process it is unlikely that this will be fixed as soon as is necessary. be afraid be very afraid

Posted by: green butterfly | February 16, 2006 5:44 AM | Report abuse

Okay, so Geotrust issued a cert that was used in an illegal phishing scam. Fine. There's really nothing wrong with that. Once the cert has been issued, Geotrust has no control over how it is used.

The question is, have Geotrust's procedures made it possible to positively identify the culprit?

Posted by: j | February 16, 2006 8:28 AM | Report abuse

So, "E-Commerce Biz Guy", do you work for Verisign? It sure sounds like it, the way you extoll Verisign's virtues by equating their bloatedly high prices with value and security.

High pricing does NOT equate to "due diligence", and inexpensive does NOT equate to "untrustworthy". That's a myth created by Verisign and its similarly overpriced cohorts.

ANY certificate vendor that issues "certificates in minutes" - at whatever the price - is cheating the public, and ALL such certificates are worthless in terms of trust. No matter who issued them. Period.

Read the issuance policies posted on the vendor's website if you want to know what criteria they use. A good example is Go-Daddy - they state right on their website that they do nothing when churning out their turbo-certs:
* Fax document not required
* No telephone verification required
https://www.godaddy.com/gdshop/ssl/ssl.asp
(scroll down the page and click the "compare certificates" tab)


There is no difference between a $500.00 certificate and a $25.00 certificate, in terms of whether you can determine, based on the price, which vendor *actually* did any checking of the company to whom the certificate has been issued.

Inexpensive certificates are sold by many CA's, and some do nothing beyond holding out their hand to take your money. However, there ARE vendors who DO require supporting documentation, who DO actually make phone calls, and who DO take their authentication responsibilities seriously.

When deciding between two vendors that both implement appropriate verification procedures and take the time to properly verify the applicant's information, the $25 or $50 or even $90 cost WILL be the deciding factor, and a hands-down winner over the $400 or $500 or $800 price-gouge.

Posted by: merlin | February 16, 2006 6:25 PM | Report abuse

Hahaha, that is my bank, but I didn't get an email. Maybe that's because my VISA is with another bank, but then again I wouldn't think that the phisher would have access to the members email addresses.

If they did, then I think there is a larger problem.

Posted by: Darren Kopp | February 16, 2006 7:43 PM | Report abuse

People who falsely believe that life can be lived without relying on trust: do you pull over when you see a cop car with its lights flashing behind you? Do you pay sales tax on items you buy (assuming your state or county collects it)? Do you allow your doctor to inject you with drugs?

In every case mentioned, someone at one time or another has gone through the trouble of faking said profession, even if the cost is non-trivial. The Internet relies upon trust for commerce, otherwise none could take place. If the government's role is to protect us in the above cases, then so, too, is it the "trusted" CA's job to protect consumers.

I've always assumed that part of the reason the "trusted" root CA's cost so much is their manual verification process, along with some sort of guarantee (read: liability). They should also be checking up on customers who use the certificates as part of a chain to issue certs themselves, and revoke customers' certs who abuse that trust.

The problem is that there is no liability; the only way to "sue" is to put them out of business. Remove the abusers from your chain of trust.

Posted by: AndreP74 | February 16, 2006 11:49 PM | Report abuse

This kind of attacks can be easily avoided by use of Netcraft's Anti-phishing Toolbar and a "little" user-education.

Here is how:
http://www.xml-dev.com/xml/SafeBrowsing/

Posted by: Saqib Ali | February 22, 2006 11:31 AM | Report abuse

Technical "solutions" to trust problems often merely obscure the issue and make matters worse, not better. No trust technology will ever defeat human gullibility.

Posted by: drew | February 22, 2006 3:01 PM | Report abuse

FIX YOUR CREDIT FOR FREE

Posted by: Trueley Amazing! | March 4, 2006 1:14 PM | Report abuse

Posted by: Anonymous | March 4, 2006 1:15 PM | Report abuse

Merlin - I do not work for VeriSign or have any affiliation/benefit for the opinions I posted. I agree their prices are high but at the same time I am saying they along with a few other CA's properly validate ssl certificates, which is something we should all be concerned about.

I believe other CA's such as DigiCert (http://www.digicert.com), Comodo (http://www.comodo.com), Entrust (http://www.entrust.com), Thawte (http://www.thawte.com), etc. also practice proper validation. I recommend Verisign to my business customers as they represent a strong trusted brand. However, I am sure other CA's as listed above are also developing strong brands which can provide an alternative to the more expensive ssl certificate providers.

I feel strongly that standards must be set to help prevent continued abuses that hurt us all.

Posted by: E-Commerce Biz Guy | March 13, 2006 1:39 AM | Report abuse

I would like to add Microsoft to the equation.
With Windows and Internet Explorer comes a pre-installed list of 'trusted' Certificate Authorities like VeriSign and GeoTrust.
I don't know what the process is to get into that list as a CA. I imagine they paid Microsoft for it in the past.
The same goes for the other web browsers.
So the concept of trust in SSL also relies on the web browser vendor's selection of CAs. Once you're on that list as a CA, you can sell certificates that do not show an 'untrusted cert' pop-up in the browser, which is what a web shop wants. And as a CA you can selle certs until your CA cert expires, which is usually only after 10 or 20 years. (Yes I know it's a different story for sub-CAs)

I worked on PKI/CA projects for several years, and PKI always had the 'promise' of solving the authentication problem on the internet, but it simply never really caught on as 'the' authentication technology. One could argue that the browser user interface for SSL, the small padlock icon at the bottom right of the browser, is not obvious enough.

I agree that GeoTrust and the like reduce the value of SSL as a means of authentication to zero. It is safe to remove them from your browser. The result is, any time you hit an SSL site with a GeoTrust-issued cert, you get a pop-up and you can decide whether or not to trust the site, if not the CA that issued the cert.

Posted by: Maarten Brugman | March 15, 2006 7:02 PM | Report abuse

It's really obvious to see phishing, just look at the url. I think Internet security is not an issue at all, the major companies employ QA teams, engineers, and web architects to ensure there aren't any loopholes.

Anna
http://www.e-creditreporting.com

Posted by: Anna | March 16, 2006 7:04 PM | Report abuse

The "Verified by Visa" program seems like a target ripe for attack, considering that some banks (like Bank of America) delegate their Verified by Visa processing to companies that their customers have never heard of. If Bank of America customers learn to trust "securesuite.net" and "cyota.com" (Cyota, Inc.), why would they not trust some other site they've never heard of? When the real site is fishy, users are more likely to trust a fake one.
http://www.freenewsarticle.com

Posted by: luke | March 19, 2006 9:45 PM | Report abuse

What's the liability to Geotrust for issuing such certificate?

Posted by: Rick Wills | March 22, 2006 9:46 AM | Report abuse

Security is your reputation. If there is no security there is no customers. And it's really not a quetstion.
http://www.ecommerce-land.com

Posted by: Helen, ecommerce manager | March 28, 2006 2:28 AM | Report abuse

I want mp3 player. What will advise?

Posted by: Anton | April 3, 2006 3:42 PM | Report abuse

online casino

Posted by: dude | April 7, 2006 8:11 PM | Report abuse

Hi
To write the letter, it is necessary ...

Posted by: Dmitry | April 9, 2006 12:32 PM | Report abuse

Very good site, congratulations! the xmen

Posted by: xmen | April 17, 2006 11:52 PM | Report abuse

Thanks for bringing this to our notice Online dating services

Posted by: Free dating services | April 20, 2006 7:49 AM | Report abuse

Thanks for bringing this to our notice Online dating services

Posted by: Online dating services | April 20, 2006 7:49 AM | Report abuse

Thanks for bringing this to our notice http://www.datingservices-online.net

Posted by: Free dating services | April 20, 2006 7:50 AM | Report abuse

internet security is a very important problem on the net, you should always protect yout privacy, you'd better use IE Protector And Tracks Eraser , it's an internet privacy protection tool.

http://www.yaodownload.com/internet-tools/browsers/ieprotector-trackseraser/

Posted by: tom | April 23, 2006 8:57 PM | Report abuse

This blog posting was of great use in learning new information and also in exchanging our views. Thank you.

Tyrell parkins

http://www.acreditcheck4u.com

Posted by: Tyrell parkins | May 3, 2006 4:29 AM | Report abuse

I hope everyone has enjoyed the blog as much as I have enjoyed writing it.


Isaac Marowitz

http://www.Bankcardspaidoff.com

Posted by: Isaac Marowitz | May 25, 2006 1:32 AM | Report abuse

I can't resist appreciating the owners of this blog. Good information. Well Done.

Jamal Williams
http://www.Dunandbradstreetlocal.com

Posted by: Jamal Williams | May 25, 2006 6:20 AM | Report abuse

Hi, according to this discussion theme i think that you might be interested in http://www.yourgirls.ab3.eu/ where you can find hundreds of cool girls right from your town... Just check it.

Posted by: John Hash | June 26, 2006 9:19 PM | Report abuse

Great work!
My homepage | Please visit

Posted by: Felix | August 4, 2006 5:24 AM | Report abuse

Posted by: Lori | August 4, 2006 5:24 AM | Report abuse

I think this blog is quite interesting.

Posted by: Simony | August 23, 2006 1:34 PM | Report abuse

I got a cert from DigiCert it was a great experience for the following reasons:

1) Great Value (Low Cost)
2) They Properly Verify
3) Quick
4) Great Support!

Lots of options out there folks just have to look around ;)

If you want a good ssl certificate you can find it here:
http://www.DigiCert.com

Posted by: adminisme | August 25, 2006 3:34 AM | Report abuse

Madre Mia!
So much crap!

I have read this blog rather late 2006 and the very best is Posted by: Mark | February 15, 2006 05:51 PM

He points out the core issue:

What's to discuss about secure transfer without a secure login and endpoint authentication? Zip!
The discussion looks equal to how to drive a car already at the junk yard just for the pleasure to go on talking.

Hasn't anybody heard about Bruce Schneier and the "security" of encryption (SSL amongst ) after the Chinese having compromised the SHA-1 already in 2004?
This is what Bruce expressed.

QUOTE

The standard, known as SHA-1, "is used in pretty much every cryptographic protocol out there, says encryption expert Bruce Schneier "(SHA-1 is) used in SSH, in SSL, in S/MIME, in PGP. It's used in IPSec. VPNs use it. Everybody uses it."

END QUOTE

News? If so I recommend a glance at this link from already Feb 2005 !! potentially giving us less in deep discussion of security built into insecurity. What Bruce and his Cryptogram newsletter doesn't express from the cryptographic field isn't worth knowing and I'm not employed at Bruce's Counterpane Inc.

http://www.techworld.com/security/news/index.cfm?NewsID=3156

Moreover the impact by the Chinese was so huge that the Chinese researchers were refused Visa to the Cryptographic Congress in the US last fall. This might have some to realize the value of SSL, nowadays. So be afraid - very afraid.

Furthermore, look at the hacker's blogs and you'll see how far these guys already are in decryption. SSL-128 is now down in minutes... Three years ago we talked about 700 years so welcome to 2006, guys.

BTW. Haven't anybody heard about spywares and phishing?
Are they forgotten or just inconvenient around the SSL crap? Let's wait for the security companies named here to introduce Security and let the overrated SSL retire with Honor.

I have some understandings why cracked SSL solutions are allowed still to widely misled consumers as "secure". Of course, the investments can't be left uncovered and for sure we have some people here urging for sale as there is Nothing else yet to provide...

Posted by: End of Crap | September 26, 2006 1:43 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company