We all know about phishing websites that look like real banking sites. Usually, to the informed layperson, there’s something in the site to inform the wary that it’s not kosher. But what happens when there’s something in the site that confirms that it is kosher?
First some background: TRUSTe is an independent body whose “services support online business growth by allowing companies to communicate their commitment to privacy, and letting consumers know which businesses they can trust.” A TRUSTe seal on a website allows the user to check whether the website is kosher (and whether it supports privacy and other consumer issues). Nearly 1,500 websites use the service, including 28 Fortune 500 companies. In short, as TRUSTe’s own website puts it: “People trust the familiar TRUSTe seal. They know our sites comply with strict standards of online privacy.”
[A seal from the MSN privacy page http://privacy.msn.com/]
But what if that’s not true? What if someone can fake the TRUSTe seal to make it look like their website is TRUSTe-approved? Andrew Smith of Where’s The Beef has shown that it’s possible, using cross-site scripting, to open up the TRUSTe web site to attack and allows a scammer also to use TRUSTe as a phishing source (via addict3d.org).
Now, this shouldn’t be confused with the widespread practice of scammers to simply put a TRUSTe seal and link on their phishing page. That might fool some people into thinking the page is legit, but they will stop thinking that if they click on the link, because it will, in most cases, merely take them to the TRUSTe webpage, which verifies nothing. (In fact, the TRUSTe homepage contains a warning about ‘Seal Spoofers’ — “Did you arrive here by clicking on a TRUSTe seal? If so, you might have found a company that is using the TRUSTe seal illegally” — and invites the user to alert TRUSTe to the scam.)
But this vulnerability is different. It allows the phisher to set up an entire page that, to everyone who visits it, looks as if it is a TRUSTe webpage (correct URL address and all) verifying the scammer’s page as legitimate. As Andrew puts it himself: “This could be quite serious because a phisher could use TRUSTe to just plain scam people or convince them that their site is ‘TRUSTe Verified’.”
This is a serious issue, and I’ve asked TRUSTe for comment. I’m guessing they’ll be alarmed. After all, TRUSTe itself is all too familiar with phishing: It recently sponsored a survey on the subject. Its conclusion: Three quarters of consumers are experiencing an increase in spoofing and phishing incidents and that a third receive fake e-mails at least once a week. Total monetary loss in the U.S. to victims: approximately $500 million.
Of course, the holes that Andrew can be plugged, but that will just be the start. It’s further illustration, if it were needed that
- phishing is not just about fake emails. It’s about impersonating authenticity.
- phishing is a war, not a battle. Scammers will keep probing every defence for a vulnerability, forcing both sides to get increasingly sophisticated.
- users need to get smarter, because the people supposedly protecting them cannot be relied on to be the smartest people on the block. If you use online banking, you need to be more alert than if you just use the Internet for email and checking the weather.
- folk like Andrew Smith should be thanked for their work in exposing these flaws. If people like him have spotted them, it’s fair to say the bad guys are not far behind, and companies and banks should recognise this.
Finally, one can’t help but wonder whether verification services like TRUSTe may at some point cause more problems than they solve. If the appearance of an official looking seal on a website lulls the user into a false sense of security, then what good is it?