BUSINESS: Security & The Internet - Part 1: Phishing

For anyone who spends any amount of time on the internet, security should be high up on the priority list. In this two-part series of useful articles, Susan Morrow of Lynwood Jewellery talks us through how we can all stay safer online.

Susan has worked for the past 15 years in the area of digital identity and data security. She has written book chapters on data security online and published a number of papers in the areas of data security and digital identity. She has also given talks on security to an international audience.

In Part 1, Susan tackles phishing:

I’ve been working in the area of digital identity and data security for a while, and the one thing I know to be true is that there is no such thing as total security. On that seemingly negative note, I will discuss a little about how to reduce the risks inherent in communicating via computer.

The simplest way to do this in a short article is to break the subject matter down into the areas that are most likely to cause problems. These areas are either giving out information (such as a password) to malicious third parties, or installing malicious software, such as a virus or a trojan. Both of these can result in financial losses and ultimately identity theft. So, to begin, let’s talk about:

Phishing
Phishing is a process by which a malevolent third party tricks you into giving them information that you use to log into, for example, an online banking site. This information is typically your username and password. This is commonly achieved via an email containing a spurious link. Typically the email will seem to be from a legitimate source, such as PayPal, eBay, or your bank. It may look very realistic, containing all of the same logos and wording that you expect to see from that source. However, it will also have a link, which it requires you to click to confirm some detail or other. If you click on the link you will be taken to a bogus website which will look very similar to the one you expect to be taken to, for example PayPal’s login page. But instead, the website will be a front end to a server which harvests your user details in order to gain access to your real PayPal account.

If you receive an email asking you to click on a link and enter account details, simply don’t do it. If you are at all in doubt and think it may be a real email, then log into your account by going to the website directly, i.e. by typing the URL into your browser. If there are any messages for you, they will be displayed in your account.
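The two paragraphs above describe the lure: a link whose visible text looks like the real site while its destination is somewhere else entirely. The following Python script is an added example, not code from the original article, showing how a mail filter or a cautious reader can check the links in an email body for exactly those signs. The brand list, the sample email and its `account-verify.example` domain are all constructed for this example; a production tool would replace the two-label "site name" heuristic with the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body (added example, constructed data).

Three tell-tale signs are checked for each <a> tag, each one taken from the
description of phishing above:
  1. the visible link text names one site while the href points at another;
  2. a brand name appears inside a hostname that belongs to somebody else;
  3. a login/account page is offered over plain http.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the reader actually holds accounts with,
# mapped to the site that really belongs to them.
KNOWN_BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}


def registrable_domain(host):
    """Crude 'site name' = last two labels of the hostname.
    Good enough for .com-style names; a real tool should use the Public
    Suffix List so that co.uk-style suffixes are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = clean)."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    site = registrable_domain(host)

    # 1. Visible text names a domain that differs from where the link really goes.
    shown = urlparse(text if "://" in text else "//" + text).hostname
    if shown and "." in shown and registrable_domain(shown) != site:
        reasons.append(f"text says {shown} but link goes to {host}")

    # 2. A known brand is used inside a hostname the brand does not own.
    for brand, real_site in KNOWN_BRANDS.items():
        if brand in host.lower() and site != real_site:
            reasons.append(f"'{brand}' used in hostname owned by {site}")

    # 3. A page that asks for credentials is served without TLS.
    if url.scheme == "http" and any(
        word in url.path.lower() for word in ("login", "signin", "account")
    ):
        reasons.append("login page over plain http")
    return reasons


def find_suspicious_links(html):
    """Map each suspicious href in the body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html)
    results = {}
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            results[href] = reasons
    return results


# Constructed sample email: one lure and one genuine-looking link.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<p>Or visit our help centre:</p>
<a href="https://www.paypal.com/help">PayPal help</a>
"""

if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only the first link is reported, for all three reasons; the genuine `https://www.paypal.com/help` link passes because its hostname really does belong to `paypal.com`. The second check is the one that catches the classic trick of putting the real brand at the front of a long hostname: the browser shows "paypal.com" at the start of the address bar, but the site that answers is `account-verify.example`.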

Phishing websites mimic the look and feel of the real website. However, one way that a phishing site can be distinguished from the real site is by looking to see whether it displays a digital certificate. A digital certificate is a virtual certificate (in the form of a software token) issued to a company by a certificate authority, that proves the company is who they say they are. A company must disclose several forms of proof of identity to obtain one of these certificates. The certificate is then installed on the server that hosts the company website, so that visitors can see this proof of identity. A phishing site cannot easily obtain one of these certificates. There was an issue around 18 months ago with the system (known as the Secure Sockets Layer, or SSL) whereby this process could potentially be compromised, but certificate authorities such as VeriSign have managed to resolve this, and we can be confident that if a site is showing a digital certificate with a company name on it, they are, in fact, that company.

So, where can you see this certificate? Well, it depends on the browser you are using. If you are using Internet Explorer 7 or 8 then you will see a gold-coloured padlock in the bar at the top of the browser. You can click on this padlock and see the name of the certificate authority, e.g. VeriSign, Thawte, etc. It will also say that they have identified the site as, followed by the name of the company. If you wish to see more details, you can click on View certificates and this will open a certificate dialog. If you then click on the Certification Path tab in this dialog, you will see the name of the company that has been certified by the authority. Firefox is similar, but the golden padlock is in the far bottom right-hand corner of the browser. Double-clicking on this padlock opens a dialog showing who the certificate authority is and the company the certificate was issued to. Other browsers have similar systems.
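The padlock dialog described above is a rendering of a handful of fields in the site's certificate: who issued it, who it was issued to, how long it is valid for and which hostnames it covers. The Python below is an added example, not part of the original article, that pulls the same fields out of the certificate dictionary Python's standard `ssl` module returns from `getpeercert()`. `SAMPLE_CERT` is constructed to have that dictionary's layout (the company and authority names in it are invented), so the summary can be checked offline; `fetch_cert()` performs the live lookup for a real hostname and needs network access.

```python
"""Summarise a TLS certificate the way a browser's certificate dialog does.

Added example, not from the original article. parse_cert() works on the
dictionary layout that ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT is a
constructed stand-in with that layout so the code runs offline.
"""
import socket
import ssl
from datetime import datetime, timezone


def _field(name_tuples, key):
    """Pull one attribute (e.g. organizationName) out of a subject or issuer
    tuple, which getpeercert() gives as a tuple of single-pair tuples."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def host_matches(hostname, dns_names):
    """Match a hostname against the certificate's DNS names, honouring a single
    leading wildcard label the way browsers do: *.example.com covers
    a.example.com but neither example.com nor a.b.example.com."""
    hostname = hostname.lower()
    for name in dns_names:
        name = name.lower()
        if name.startswith("*."):
            same_depth = hostname.count(".") == name.count(".")
            if same_depth and hostname.endswith(name[1:]):
                return True
        elif hostname == name:
            return True
    return False


def parse_cert(cert, hostname, now=None):
    """Return the fields a certificate dialog shows for this site.

    `now` may be a timezone-aware datetime or an ISO date string such as
    "2030-01-01" (treated as UTC); it defaults to the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    # getpeercert() dates look like "Mar 15 23:59:59 2031 GMT".
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issued_by": _field(cert["issuer"], "organizationName"),
        # organizationName is absent on domain-only certificates, which then
        # show just the hostname, not a company name, in the dialog.
        "issued_to": _field(cert["subject"], "organizationName"),
        "common_name": _field(cert["subject"], "commonName"),
        "expired": now > not_after,
        "covers_host": host_matches(hostname, dns_names),
    }


def fetch_cert(hostname, port=443, timeout=5):
    """Live lookup with certificate verification on (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout; names and dates are invented.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Certificate Authority"),),
               (("commonName", "Example CA Root"),)),
    "notBefore": "Mar 15 00:00:00 2029 GMT",
    "notAfter": "Mar 15 23:59:59 2031 GMT",
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "*.secure.examplebank.example")),
}

if __name__ == "__main__":
    summary = parse_cert(SAMPLE_CERT, "www.examplebank.example", now="2030-01-01")
    for key, value in summary.items():
        print(f"{key:>12}: {value}")
```

Two of the returned fields are the ones worth a glance before typing a password: `issued_to` is the company name the article says to look for, and `covers_host` confirms that the certificate was actually issued for the hostname in the address bar rather than for some other site.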

Phishing attempts are only successful for two reasons. The first is that they rely on people clicking through to a malevolent website, and the second is that, once there, the person will enter the username and password used with the real site. The IT industry is currently working on replacements for username-and-password logins that, even if used on a phishing site, would not give out the information required to log into the real site. Watch out in the future for Information Cards and minimal disclosure technologies.

In part 2 we will turn our attention to our other main area of interest: Installing Malevolent Software.
