The RunDown

A hacker successfully forges digital certificates and issues them to illegitimate websites to make them appear authentic.

After breaching the systems of a digital certificate authority, a fraudster can make their phishing and pharming web pages suddenly seem legitimate. Consumers rely on trust marks and digital security certificates to tell them a website is secure enough to handle their payment card account numbers and other sensitive information. But when fraudsters can make their fake sites appear legitimate by forging these digital certificates, it not only tricks the consumer into providing their login or credit card information, it also reduces the trust and confidence consumers have in digital security certificates and in the internet as a whole. If fraudsters have the ability to forge digital certificates, then they have the ability to impersonate any website they wish.

Press Release: Fraudsters Forge Digital Certificates, Undermine Consumer Trust in Internet Security

Sarasota, FL, October 31, 2011/Internal Release/ - Consumers rely on signals from their web browser to ensure a website is legitimate before entering any sensitive information, and web browsers verify a website's legitimacy by confirming it has a valid digital certificate. Digital certificate authorities, such as Verisign and others, issue the certificates that let data remain encrypted as it travels from the consumer's web browser to the website server, and consumers have been trained to look for certain signals, such as an https:// URL. However, recent hacks have enabled fraudsters to forge digital certificates and issue them to their own, illegitimate web pages, which threatens the level of trust these digital certificates and trust marks represent.

This past summer a hacker gained access to DigiNotar, a Dutch digital certificate authority, and was able to forge its digital certificates. The fraudster then issued over 500 forged, but valid, digital certificates to fake websites impersonating Microsoft, Google, Facebook, Twitter, Equifax and others. These fake websites were likely sent as links in phishing emails or were landing pages for consumers that fell victim to a Man-in-the-Middle Attack. DigiNotar ultimately filed for bankruptcy as a result of this fraud attack, but it is not the only certificate authority to experience this problem. A Japan-based digital certificate authority and another from the United States were victimized by similar attacks in the summer of 2011 as well.

If fraudsters have the ability to forge digital certificates, then they have the ability to impersonate any website they wish. Consumers can build a false sense of security, believing they are at a legitimate website because their web browser confirms the site's certificate and therefore recognizes the web page as authentic. However, if the consumer does log in or provides any sensitive information, they are handing it right to the fraudster. Fraudsters being able to compromise digital certificate authorities can result in the identity theft of thousands of consumers, but it can also undermine the confidence consumers have in the security of the internet and internet transactions. With many fraudsters and scams lurking on the internet, consumers rely on digital certificates to assure them it is safe to transmit their sensitive information to a website. But when hackers can breach certificate authorities and forge these certificates, it threatens the very foundation of trust in internet security.
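The trust decision described above, as an added illustration that is not part of the original release: a toy model in which HMAC keyed with a CA's secret stands in for a real CA signature, a dictionary stands in for the browser trust store, and the CA names, keys and host are constructed. A certificate minted with the compromised CA's key passes ordinary validation; it is rejected only once that CA is removed from the trust store (as browsers did with DigiNotar in 2011) or once the expected issuer for the host is pinned.

```python
import hmac
import hashlib

# Toy model: HMAC with a CA secret stands in for an RSA/ECDSA CA signature.
# In reality the trust store holds only CA public keys; here the same secret
# both signs and verifies, which is the limitation of the HMAC stand-in.

def sign_cert(ca_name, ca_key, subject):
    """A CA (or anyone holding its key) issues a certificate for `subject`."""
    body = f"{subject}|issuer={ca_name}".encode()
    sig = hmac.new(ca_key, body, hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": ca_name, "sig": sig}

def cert_is_valid(cert, trust_store):
    """Browser-style check: issuer is in the trust store and the signature verifies."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False
    body = f"{cert['subject']}|issuer={cert['issuer']}".encode()
    expected = hmac.new(ca_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])

def cert_is_trusted(cert, host, trust_store, pinned_issuers=None):
    """A valid signature alone is not enough: the cert must name the host and,
    where a pin exists, must come from the issuer expected for that host."""
    if cert["subject"] != host:
        return False
    if not cert_is_valid(cert, trust_store):
        return False
    if pinned_issuers and host in pinned_issuers:
        return cert["issuer"] == pinned_issuers[host]
    return True

# Constructed CA keys and trust store (names and secrets are made up).
CA_KEYS = {"GoodCA": b"goodca-secret", "DigiNotar": b"diginotar-secret"}
TRUST_STORE = dict(CA_KEYS)

def demo():
    host = "www.google.com"
    legit = sign_cert("GoodCA", CA_KEYS["GoodCA"], host)
    # Attacker holding DigiNotar's signing key mints a cert for Google's name.
    forged = sign_cert("DigiNotar", CA_KEYS["DigiNotar"], host)
    results = {"legit_default": cert_is_trusted(legit, host, TRUST_STORE),
               "forged_default": cert_is_trusted(forged, host, TRUST_STORE)}
    # Mitigation 1: distrust the compromised CA, as browsers did in 2011.
    store_after = {k: v for k, v in TRUST_STORE.items() if k != "DigiNotar"}
    results["forged_after_distrust"] = cert_is_trusted(forged, host, store_after)
    # Mitigation 2: pin the expected issuer for high-value hosts.
    results["forged_with_pin"] = cert_is_trusted(forged, host, TRUST_STORE,
                                                 {host: "GoodCA"})
    return results
```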


About The Fraud Practice

The Fraud Practice, http://www.fraudpractice.com, is a privately held US LLC based in Sarasota, Florida. The Fraud Practice provides consulting services on eCommerce payments, fraud prevention and credit granting as well as prepared research and online training for payment and fraud professionals. Businesses throughout the world rely on The Fraud Practice to help them build and manage their payment, fraud and risk prevention strategies.

Contact:

The Fraud Practice LLC
David Montague,
President and Executive Consultant
Toll Free: +1 888-227-0402
dmontague@fraudpractice.com

Additional resources

  • Introduction to Ecommerce Fraud Fundamentals

    Provides participants foundation level knowledge about the theories, best practices and terminology surrounding electronic payment fraud. Presented in a standard format covering the history of eCommerce Fraud, consumer fraud, merchant fraud, fraudster motivation, fraud trends, identity verification and phishing.

  • Managing Fraud Related to ePayments in a Business

    A management perspective on theories, best practices and methods to manage fraud with ePayments. This session covers fraud exposure with ePayments, methods to balance and optimize risk exposure, methods to measure the health of a risk mitigation program; as well as methods to set a more productive mindset for risk mitigation in a company.

  • Ecommerce Fraud: Moving from Tools to Solutions

    This session covers what constitutes a fraud solution and categorizes the many types of third party fraud tools. The course outlines the common terminology of fraud solutions and describes the capabilities needed to implement a fraud solution.
