I received a phishing email last night. Since Entersekt is in the business of protecting banking customers from online fraud, I like to check out these phishing sites to see their latest tricks. This one was a good copy; it even had that standard “Secured by XYZ” logo included, indicating the certificate authority (CA) supposedly used to secure the site. 

Do these logos mean you are automatically protected?

Unfortunately not.

Phishing sites like this one use simple HTTP, with no Secure Sockets Layer (SSL) protection. So the security promised by the logo on the landing page is worthless. Would it have helped if the sites were HTTPS (i.e., using SSL security)? Well, in my case, the site was “legitimate” but had been hacked and modified to include the phishing site. If it had had an SSL certificate, my browser would have indicated that I was on a valid site, with a valid certificate. And the browser would have been correct; I would just have been on a completely different site than the banking site I thought I was on.

So, does a valid certificate in your browser mean you are protected? 

Again, no.

Whenever you connect to a sensitive website, check that it is using SSL (the URL should start with https://), and that the address is owned by the organization you expect it to be, not an imposter (e.g., www.mybank.com and not www.randomhackedsite.com/mybank). You may see a green bar in your browser’s address field if your bank or other service provider opted for an extended validation certificate. This simply means that they paid a bit more to have the CA make absolutely sure it was issuing the certificate to the legitimate party.

Check these things every time you log in to a website. It’s good practice. In fact, if you have the time, go further and open the certificate to ensure it was issued to your bank. 
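The checks described above (is the connection HTTPS, is the host the one you expect, was the certificate issued to that host, and who issued it) can be written down as code. The example below is added here and is not part of the original post or of Entersekt's software. It works over constructed certificate dicts in the shape Python's standard-library `ssl.SSLSocket.getpeercert()` returns; the bank name, the CA names and the dates are made up. It goes one step beyond the post's two manual checks by also comparing the issuer against a short list of CAs the caller has chosen to trust, which is the "decide whom to trust yourself" idea rather than accepting any root in the browser's list.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample certificates (assumed names, issuers and dates) in the
# dict shape returned by ssl.SSLSocket.getpeercert().
BANK_CERT = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "www.mybank.com"),)),
    "subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "mybank.com")),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Feb 15 00:00:00 2024 GMT",
    "notAfter": "Feb 15 00:00:00 2027 GMT",
}
# A perfectly valid certificate for the hacked site that hosts the phishing page.
HACKED_SITE_CERT = {
    "subject": ((("commonName", "www.randomhackedsite.com"),),),
    "subjectAltName": (("DNS", "www.randomhackedsite.com"),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Feb 15 00:00:00 2024 GMT",
    "notAfter": "Feb 15 00:00:00 2027 GMT",
}
# Right name, but issued by a CA the caller never chose to trust.
ROGUE_CA_CERT = dict(BANK_CERT, issuer=((("organizationName", "Some Other CA"),),))


def _name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leftmost '*' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]  # ".mybank.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def cert_names(cert):
    """DNS names the certificate was issued for; CN only if there is no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_matches_host(cert, host):
    return any(_name_matches(n, host) for n in cert_names(cert))


def cert_is_valid_at(cert, now_seconds=None):
    """now_seconds may be an epoch value or a cert-time string like 'Jun 01 00:00:00 2025 GMT'."""
    if now_seconds is None:
        now_seconds = time.time()
    elif isinstance(now_seconds, str):
        now_seconds = ssl.cert_time_to_seconds(now_seconds)
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now_seconds
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def issuer_org(cert):
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None


def check_site(url, expected_host, cert, trusted_issuers, now_seconds=None):
    """List what a careful user should spot. cert is None for a plain-HTTP page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("no-tls")
    if host != expected_host.lower():          # www.randomhackedsite.com/mybank is not mybank
        problems.append("unexpected-host")
    if cert is None:
        return problems
    if not cert_matches_host(cert, host):      # the check the browser does for you
        problems.append("cert-name-mismatch")
    if not cert_is_valid_at(cert, now_seconds):
        problems.append("cert-expired")
    if issuer_org(cert) not in trusted_issuers:  # the check the browser does NOT do
        problems.append("issuer-not-trusted")
    return problems


def fetch_peer_cert(host, port=443):
    """For live use only: the certificate a real server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    trusted = {"Example Trusted CA"}
    print(check_site("https://www.randomhackedsite.com/mybank", "www.mybank.com",
                     HACKED_SITE_CERT, trusted, "Jun 01 00:00:00 2025 GMT"))
```

The second scenario in the sample data is the one the post describes: the browser is right that the certificate is valid, and the only thing that catches the fraud is comparing the host against the one you meant to visit. The third scenario shows why a pinned issuer list matters: a certificate with the right name from an unexpected CA passes every browser check but fails the trust decision you made yourself.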

Does that certificate, issued to a legitimate service provider, mean you are safe from fraud?

Not so fast.

The certificate you see was issued by one of around 650 CAs in locations around the world. All of them are WebTrust accredited. As part of this, they must provide a Certification Practice Statement (CPS) to all interested parties, detailing the checks they perform before issuing any certificate. WebTrust certification means that a CA follows all the procedures they claim to do in their CPS. When CAs achieve certification, all major browsers will start including their root certificate in their new releases. The browser you are viewing this blog post through trusts all of them. If you go to your browser’s settings, you can see a list of trusted root certificates. It’s quite a long list. But how well do any of us know these companies or their processes? If there’s a weakness in their processes or software, someone untoward could get in and issue fake certificates impersonating your organization.

I just re-checked my laptop’s list of root certificates. Funnily enough, the one at the top of my list was issued by Comodo. Comodo’s DigiNotar was one of a number of CAs hacked in 2011. A fraudster gained access to its certificate-issuing engine and produced more than 500 fake certificates impersonating all the big companies (Microsoft, Google, etc.). Fraudsters have gone as far as creating fake companies to get certificates issued. See Tracy Kitten on just such an attack using a fake Brazilian company. 

These examples illustrate a fundamental problem that a number of long-running computer security gurus like Bruce Schneier have been raising for years now (Ten Risks of PKI: What You’re Not Being Told about Public Key Infrastructure), as well as young bloods like the popular white hat hacker, Moxie Marlinspike, who has submitted a proposal to the Internet Engineering Task Force to try and rectify this problem. The Public Key Infrastructure (PKI), the system on which the Internet’s security framework operates, relies on 650 companies and their certificates, all operating at the same level of trust. There is no regional or other distinction. A CA in Malaysia can issue a certificate for a bank in Milwaukee and your browser will happily trust it, since it trusts the issuing CA. 

Can we really trust all certificate authorities and all of their processes? 

You guessed it. No.

Don’t get me wrong, there are a lot of stunning companies with great processes and controls, and the fundamentals of PKI are strong. The underlying cryptography stands the test of time. The current system’s weakness lies in the fact that some CAs are more vulnerable to attack than others, but all are afforded the same level of confidence and can operate on a global scale. 

At Entersekt, we realized this early on. That’s why, when we built our own certificate authority, we chose to use a closed PKI system. Our customers have full control over the certificates they choose to trust, and the use to which they are put. There are no nasty surprises.

Our goal is to make the Internet a safe place to transact. We’ve used the cryptographic standards and concepts of PKI, but removed the need to trust anyone you don’t know. When our customers protect their assets with our multi-factor authentication solutions, they can rest comfortably in the knowledge that they don’t have to trust just any CA out there. In fact, with our technology, organizations can be fully protected from online and mobile banking fraud without even trusting Entersekt entirely. 

Does Entersekt’s approach mean you are fully protected from account takeover fraud? 

Happily the answer to this one is yes.


Gerhard Oosthuizen

CTO

Gerhard provides the organizational and operations heft to turn vision into reality. His role at Entersekt represents the CTO function in its purest and most exciting form. Our purpose is, after all, to design and build high-performance, market-leading software and support systems for an international customer base with extremely high expectations.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.