EV SSL certificates won't stop phishers, researchers say

By Robert Westervelt, News Editor
31 Jul 2008 | SearchSecurity.com

Security Wire Daily News
Two researchers who infiltrated the phishing underground say more proactive work needs to be done to investigate, slow and even stop phishers.

Security researchers Billy Rios and Nitesh Dhanjani will give a presentation on their work next week at the Black Hat conference in Las Vegas. Over the course of a year, the researchers got friendly with a few phishers and discovered how they operate. Rios and Dhanjani said their work gleans insights into how phishers purchase and use their tools, how they transfer money from one person to another without disclosing their identity or location, and how they build their reputation in the phisher underground.

"There's a lot going on that is supporting all these illicit activities," Rios said. "It's really its own little world operating off of itself and we got an interesting sneak peek at how that world operates."

Rios and Dhanjani discovered credit card information and other financial data being moved in bulk in open forums. Phishers usually amass about 500 credit card numbers before they can profit from them, Rios said.

"They're basically operating with impunity," Rios said. "They're out in the open for anyone to come and purchase what they have to sell."

And that world is not likely to be shut down by any technology, the two researchers say. VeriSign Inc. and several other vendors are pushing the adoption of EV SSL certificates, which turn a Web browser navigation bar green to confirm the validity of a website and red to warn users of a phishing scam. The latest browsers support the certificates and more websites are starting to use them.

While Rios and Dhanjani call EV SSL certificates commendable, they said they don't address the root cause of the problem.

"Phishing is successful because of our reliance on static identifiers," Dhanjani said. "What we really need is a revamp of the financial system in how identities are established in the real world."

Dhanjani said it's not a technology problem, but a process problem. A person's identity shouldn't be compromised if their Social Security Number is revealed, he said.

"When we get to the point where I can pull your credit report … and even with all that information, I can't steal your identity, that's when we've made some progress, rather than a technological Band-Aid which may soften the situation for a while," Dhanjani said.

Rios said the phishing problem is bad because the barrier to enter the phishing underground is extremely low.

"Basically anybody, if they happen to stumble upon the right place, would be able to get into this industry, and after a day be able to launch their own phishing enterprise," Rios said.

EV SSL is a technology developed about a decade ago, but it was well ahead of its time, said Geoffrey Turner, senior analyst at Cambridge, Mass.-based Forrester Research Inc.

As a consultant in 1995, Turner helped VeriSign develop its digital certificate program. At the time, VeriSign collaborated with accounting firms trying to use the technology for site verification, Turner said. A period of risk aversion by auditing firms set the program back a bit, he said. Today, the browsers have standardized to support EV SSL, making it more viable in the market, he said.

So far adoption has been sluggish because many people still use Microsoft Internet Explorer (IE) 6, which doesn't support the technology. With the release of IE 7 and Mozilla Firefox 3, adoption should increase, Turner said.

"It will become a much more mainstream defense against phishing," he said. "It's turning into the principal means by which a consumer can protect himself."

Ultimately, EV SSL protects the company brand, but it also increases trust with the customer, Turner said. EV SSL is going to be an important part of the development of the company's business reputation and standing in the marketplace with consumers, he said.

"Still, consumers need to understand that it doesn't relate to anything about privacy protection and it doesn't mean that the company behind the website is going to be adequately protecting your credit card information," Turner said.

Timur Taluy, CEO at FileYourTaxes.com, said his Oxnard, Calif.-based tax servicing firm was among the first to support EV SSL. He said the technology gives the firm's customer base more confidence in the site.

"The tax business is a very prominent financial transaction that people do," Taluy said. "We wanted to make sure our niche of that business was secure and we were providing the best information to our customers to be secure on the Internet."

Rios said the research he and Dhanjani will present will show that phishers are not sophisticated and have little understanding of sophisticated technology. Old-fashioned investigating may be the answer to reducing and even stopping the phishing threat, Rios said.

"We realized that the phishing problem isn't just a Web page that's being displayed to a user someplace on their home computer," Rios said. "This whole problem is a symptom of this entire ecosystem that exists to steal identities, bank account and credit card information from people."
