New phishing attacks based around authentication
New phishing attacks based around authentication
Apr 13, 2005: A white paper has been released about the dangers of first-generation authentication, because it presents a huge opportunity for fraud and phishing attacks and it claims anyone can obtain an authentication certificate with almost any company name.
The white paper is called: "Vulnerability of First-Generation Digital Certificate and Potential for Phishing Attacks and Consumer Fraud". It claims that organisation-validated certificates are not only prone to human error but it is easy for a disreputable person or entity to request a certificate in a well-known company name, and then create a phishing site to defraud customers.
This could especially be a large risk when it is viewed in a browser that displays the organisation name wit the secure sockets layer, which indicates that web site is legitimate.
Howard A. Schmidt, the former White House cyber security advisor and previous CSO of both Microsoft and eBay said: "I'm pleased to see VeriSign's thawte brand and other CAs join GeoTrust in adopting second-generation authentication practices, because its making online commerce safer for consumers.
"Manual vetting of organisations creates a huge vulnerability that can be used to the benefit of phishers and identity thieves. I hope that certification authorities who are still using first-generation processes will understand why they should migrate to advanced authentication without delay."
GeoTrust, for example, use second-generation technology to automate domain control, email and telephone validation, combined with sophisticated fraud-detection algorithms to remove the potential for web merchant fraud and eliminate significant phishing holes created by more vulnerable organisational vetting processes.
David Jevans, the chairman of the Anti-Phishing Working Group said that it is essential that certificate authorities move to this level of protection.
Related Article: