It Makes You Want To Weep…

On PayPal, with my URL bar looking like this:

[screenshot: paypal.png]

I saw a banner ad for “Can You Spot Phishing?”. Intrigued, I clicked it and, after a short interstitial screen, ended up with my URL bar looking like this:

[screenshot: paypal-phish.png]

<facepalm> Which country is SG? Why doesn’t that match the “.co.uk” TLD? And is PayPal, Inc. the same company as PayPal Pte Ltd? And surely anyone could register a “paypal-marketing” domain?

Can I spot phishing? Well, my current well-tuned phishing detector is already flashing orange…

9 thoughts on “It Makes You Want To Weep…”

  1. SG = Singapore.

    Google says.

    http://masnet.mas.gov.sg/fin/findir/SDWFIDIR.NSF/696dfbd9e247620f48256368000aed5d/a4fad7e530461a5248257537004775d6?OpenDocument

    PAYPAL PTE LTD
    Company category :Others
    Company :PAYPAL PTE LTD
    Incorporated in :Singapore
    Address :89 Neil Road #03-01
    Singapore 088849
    Telephone : 65104610 (General

    http://www.inquadros.com/partners.php

    PAYPAL INC. / PAYPAL PTE LTD

    PayPal was founded in 1998 and was acquired by eBay in 2002. Located in San Jose, California, PayPal setup it’s Singapore office in 2007 providing payment processing for payments made through credit cards, bank accounts, buyer credit or account balances, without sharing financial information.

    http://www.edb.gov.sg/edb/sg/en_uk/index/news/articles/paypal_s_new_technology.html

    PayPal has selected Singapore to site its International Headquarters and Technology Development Center. As part of PayPal’s global strategy, the Center will support the US-based company’s growing international business. Over the next five years, it plans to hire more than 200 staff for its product development, operations and infrastructure design, engineering and engineering support divisions.

  2. But I thought the EV SSL cert process (just like the original SSL process) was supposed to ensure the certs only went to good people. Or those who can manage to squeeze through the vetting[1] process.

    SSL is a communication protocol, not law enforcement.

    I personally still feel EV SSL is more of a money grab after market competition killed the profitability of regular SSL certs.

    IMHO we should be looking into either ways of doing distributed blacklisting based on reputation and using open protocols, or standardizing how blacklisting could be done so different companies can provide them, similar to Google SafeBrowsing, and users can select who they want to trust to provide such functionality. Or just leave it to the DNS providers (OpenDNS for example).

    1. http://www.cabforum.org/vetting.html

  3. Philip: Those were rhetorical questions :-)

    Robert: I agree it’s not as bad as redirecting to http:// on some random domain which happens to contain the word “Paypal”. But really, they should be able to do much better than this.

    Your suggestion of the reason for EV makes no sense. If it were just a “money grab”, why would sites pay? It must provide benefit. Do you think that the added vetting costs money? Do you think that it has value in making it more likely to be able to track down site owners if they do something nefarious? If so, it can’t be just a “money grab”. Also, the standard is open and any CA can compete. It’s hard to artificially inflate prices in an open market.

  4. But would most users know to expect a country code at the end of the green bar? If you asked me – before I visit an EV site – to describe the information that goes there, I’d remember the company name and favicon, but that’s it.

    I’m not very familiar with the cert registration process, but could a scammer register as “Bank of America (BA)”, “Alliance & Leicester (AL)”, or “Capital One (CO)”? Or could a malware writer get “Download Windows (MS)”? The bar shines green, so a user might not find reason to dig deeper.

  5. @Gerv: It’s easy to get sites to pay. It’s already been billed by browser vendors as the way to make sure you’re safe on the internet. Several large eCommerce sites including PayPal have been pushing awareness as well.

    It’s only a few hundred dollars. To most of the large websites who on average pay hundreds of dollars per domain per year to be managed by a trademark company… what’s the big deal?

    The standard itself may be open… but it’s only useful if it’s included in mainstream browsers, all of which have CA policies. Unless it’s included, the CA is pretty useless (cacert).

  6. Until CAs start actually getting punished by browser vendors when they screw up, it’ll all just be a race to the bottom. As it is now, once you get your cert into the browser, you pretty much get guaranteed income… So why would they care?

    In ten years, it’ll probably be XV or something, and everybody gets to pay again.

  7. I am reminded of this BBC article.

    It’s pretty odd to see this happening, for me. While I would not want to pretend the Dutch TLD administering organisation is more scrupulous than the .co.uk people, a few years ago when I registered my first domain, in order to get a .nl domain, one actually needed to be able to provide a valid business registration number. They had momentarily stopped providing such TLDs to individuals (I can’t recall why, but they had). This led to me getting a .com instead, which I still somewhat regret, but there we go…

    As for CAs and EV certs, my network security class prof. (and the widely-reported incidents a few months back) did a good job of making me skeptical of the security of my connection in all but a few select cases. Thankfully, I don’t yet use Paypal. Fortunately Dutch banks don’t use passwords but one-time hashes provided out-of-band, so phishing is much harder to make work. In most other cases, it helps me to realize I am still (fortunately) too small a fish to fry for hackers.

  8. Have I ever mentioned that I don’t consider Extended Verification to be of any significant value?

    From a security perspective, the big problem with HTTPS (with or without EV) is that browsers only check whether the certificate is signed by a trusted authority, which is, to a first approximation, meaningless. I’m not aware of any browser that checks whether the server key is the same today as it was last time the user visited the site, which is FAR more important for preventing meaningful MITM attacks in the real world. OpenSSH gets this right.

    (Yes, I realize that website operators do not have a good way to notify users if they need to change keys for some reason. I still think warning the user if the key changes is overwhelmingly more important than warning the user if the cert isn’t signed by somebody on The List.)

  9. > Your suggestion of the reason for EV makes no sense.

    If you stop and think about it, it makes a LOT of sense.

    > If it were just a “money grab”, why would sites pay?

    Because to some users it will make their site APPEAR to be more official, reliable, or secure. (This in no way implies that the site actually IS any of those things.)

    > It must provide benefit.

    It does, to the site. Well, sort of: it’s a classic prisoner’s dilemma. If you do it and your competitor doesn’t, it gives you a competitive advantage. If your competitor does it and you don’t, it gives the competitive advantage to them. So you end up both doing it, even though you’d both be slightly better off if neither of you bothered. Because in the absence of a binding agreement between both of you (AND all of your other competitors…), somebody’s going to do it, and then everybody has to do it.

    > Do you think that the added vetting costs money?

    Irrelevant.

    > Do you think that it has value in making it more likely to be
    > able to track down site owners if they do something nefarious?

    Were you born yesterday? There is fundamentally no such thing as a vetting process that could accomplish that to any significant extent.

    > Also, the standard is open and any CA can compete.

    Ipso facto, anybody who wants to buy one of these certificates will be able to do so, no matter how shady they are. Ergo, they provide no significant security.
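The OpenSSH-style “has this server’s key changed since last visit?” check that the last commenter wants from browsers, as an added example that is not part of the original post or its comments. It keeps a known-hosts style store of certificate fingerprints: the first visit records the fingerprint (trust on first use), later visits either match or raise a CHANGED warning. The hostname, the store path and the sample certificate bytes are constructed for illustration; pinning the whole DER certificate (rather than just the public key) is a simplification and will also fire on an ordinary certificate renewal.

```python
import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path

# Constructed stand-ins for DER-encoded leaf certificates (not real certs).
CERT_FIRST_VISIT = b"constructed-der-bytes-original-server-cert"
CERT_AFTER_CHANGE = b"constructed-der-bytes-different-server-cert"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded (like an ssh host-key hash)."""
    return hashlib.sha256(der_cert).hexdigest()

def check_continuity(store: dict, host: str, der_cert: bytes) -> str:
    """Known-hosts style check. Returns 'first-seen', 'match' or 'CHANGED'.
    On first sight the fingerprint is recorded (trust on first use). A changed
    fingerprint is reported but NOT recorded, so the warning persists until the
    user deliberately replaces the pin; this is the OpenSSH behaviour."""
    seen = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-seen"
    return "match" if pinned == seen else "CHANGED"

def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}

def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))

def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Complete a normal (CA-validated) TLS handshake and return the leaf cert.
    The continuity check then runs on top of, not instead of, CA validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Usage: python tofu_check.py <hostname>   (store kept in ./known_certs.json)
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    store_path = Path("known_certs.json")
    pins = load_store(store_path)
    verdict = check_continuity(pins, target, fetch_der_cert(target))
    save_store(store_path, pins)
    print(f"{target}: {verdict} ({pins[target][:16]}...)")
```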