
RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

2003-12-22 13:32:46
On Sun, 21 Dec 2003, Parry Aftab wrote:

> If not to protect them, how can you verify that a site is not being
> spoofed, technically?

When you connect to a secure website, you can examine the SSL Certificate
for the site, usually by clicking on the "lock" symbol on many browsers.  
People should learn how to do this, and make it a habit of doing so when
they connect to secure sites, so they recognize when something changes.

Unfortunately, like other components of scams, the certificate might have
a similar sounding name. You think you've got (eg paypal.com), but you got
Paypal-business.com. The certificate (we assume for argument) really does
belong to an entity called paypal-business.com, but is paypal-business.com
the same as paypal?  You don't know.

The best thing to do is start from (eg) paypal.com from your account
statement, etc, and examine the site certificate.  Then you have a good
chance that it is not spoofed. But it is only a chance, as it could still
be spoofed in various ways. There are lots of scenarios for this, but
here's one:  Your computer could be infected with a virus which installed
a web proxy--then the attacker sends you a message to go update your
stuff. You type in paypal.com, but your infected browser goes to the fake
site instead.  When you try to view the certificate, your infected browser
shows you the real certificate information.  You can't easily know this
didn't happen.  But examining the certificate is a good practice.

So there are things to do that will make the con-artist's job harder, but
you can't make it impossible to be conned.  But hopefully, the police will
be able to track down the con-artists, and by doing so, will deter others.  
There is no perfect system, so we can't give any assurances that there is
a perfect system.  Nor is it the case that if you do or don't do certain
things, you can't be victimized.  The best we can do is tell people to use
their common sense, so they aren't victimized by the lowest-grade of
con-artists.

The issue is not a technical issue, but a social and policy issue. You can
also be sure, as a point of policy, that if the law enforcement community
doesn't react swiftly and harshly to cons and frauds, then the
lowest-grade cons will be attracted to the internet, where experience and
close calls will improve their skills.  A large number of high-grade (by
that I mean very sophisticated) con-artists would be a disaster.  A large
number of low-grade con-artists creates momentum for increases in the
number of high-grade con-artists.  The policy implications are clear.

Law enforcement tends to focus on the most serious criminals: Bank robbers
who take control of a bank and enter the vault get more attention than the
person who passes a note to a teller.  This is good policy, but the
'note-passers' who rob real banks aren't completely ignored.  In contrast, in
the virtual world, that's just what's been happening:  'note-passers' are
ignored altogether until they graduate to the major 'seizing control'
level.  This is bad policy.

Consider the Microsoft worm perpetrator who coincided with the East Coast
Blackout. When it was suspected that it might be related to the blackout,
the police found this guy right quick. It is not hard to track these
things down with law enforcement powers.  But nearly all virus operators
are ignored, even when reported.

I operate an ISP in Boston.  I've reported several computer break-ins over
the years to the Feds. They take the report and nothing happens. Now, I don't
bother. I have enough to do.  By trial and error, the crackers and 
con-artists get better.   

                --Dean
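
Added example, not part of the original message: the certificate name comparison described above (paypal.com versus paypal-business.com), done in code over certificate dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The sample certificates and the function names are constructed for illustration, and the check covers only the name mismatch case, not a compromised browser or proxy.

```python
# Added example: compare the names in a certificate with the domain the
# user meant to reach. The certificate dicts are constructed samples in the
# shape returned by ssl.SSLSocket.getpeercert(); nothing is fetched.

def cert_dns_names(cert):
    """Return lowercase DNS names from subjectAltName, else the subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names

def name_covers(pattern, host):
    """True if a certificate name matches host; '*' covers one leftmost label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(cert, intended):
    """Return 'match', 'lookalike' (brand inside another name) or 'mismatch'."""
    intended = intended.lower().rstrip(".")
    brand = intended.split(".")[0]  # assumption: intended looks like 'paypal.com'
    names = cert_dns_names(cert)
    if any(name_covers(n, intended) or name_covers(n, "www." + intended)
           for n in names):
        return "match"
    if any(brand in n for n in names):
        return "lookalike"
    return "mismatch"

# Constructed sample certificates (illustrative values only).
REAL = {"subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com"))}
FAKE = {"subjectAltName": (("DNS", "paypal-business.com"),
                           ("DNS", "www.paypal-business.com"))}
CN_ONLY = {"subject": ((("organizationName", "Constructed Org"),),
                       (("commonName", "www.paypal-business.com"),))}

if __name__ == "__main__":
    for label, cert in (("REAL", REAL), ("FAKE", FAKE), ("CN_ONLY", CN_ONLY)):
        print(label, cert_dns_names(cert), classify(cert, "paypal.com"))
```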



