Posts Tagged ‘padlock’

VeriSign Phishing Awareness Site Starts Well then Misses Point

October 14, 2009

A tweet from @Allen L. Kelly pointed me to a nice bit of phishing education from VeriSign.  www.phish-no-phish.com runs you through a challenging quiz where you are presented with two ‘identical’ screenshots and have to identify which is the phishing site.

Some of the sites were very difficult to differentiate and I even got one wrong because I was perhaps in too much of a hurry and didn’t spot a couple of minor spelling mistakes.  This though would reflect real life for most people so was an excellent way of demonstrating just how careful you need to be.

I got about half way through and was considering posting a link to the site on the corporate intranet as an awareness exercise for staff.

Then I was hit by the sales pitch.

After the fifth question a screen appeared explaining how Extended Validation (EV) SSL triggers modern web browsers to display a green address bar when a genuine site is viewed.  Fair enough, I thought. Users should be taught about this technology, as it can help them identify genuine sites.

I was invited to continue the quiz to “see how easy it is to choose the correct site. Just choose the site that displays the green address bar.”

And yes it was easy after that. No more needing to look for dodgy addresses, missing padlocks or poor spelling and grammar.  As the tips pointed out:

The green address bar is a surefire way to identify the genuine Web site.

When you see the green address bar, there’s no need to scan for typos and misspellings.

Criminals can’t fake the green address bar.

Cool! No more need to take care, just watch for the green address bar and any site that doesn’t display it must be fake! And I know I can trust any site with a green address bar because criminals can’t fake it – yet.

You’ll have to indulge me here, for while I believe technical solutions can help, I don’t believe they solve the problem.  As Mr Schneier says:

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

It’s a shame the VeriSign site lets itself down on this point. I know they’re trying to sell a technology solution, but there should be a stronger emphasis on EV SSL being only part of an overall solution.  After all, it’s not going to help users who are taken to a fake site from an email link – unless of course they’ve bought into the technology so completely that they only trust sites with green address bars. This is, after all, how the final five questions in the quiz run. You just click on the sites with green address bars.

But then you’d be missing out on all the fun on Facebook, Twitter, Gmail (Thawte i.e. Blue) etc.

New Bypass Bypasses Security

January 6, 2009

The New Northern Gateway Toll Road will save motorists several minutes, perhaps even an hour or two during peak holiday times, but at what cost?

Given that you have to pull off the road and go into a service station to pay by cash to use the new bypass, paying in advance online would seem a sensible option. According to this story in the NZ Herald at least 900 people thought like this too.

Using this road could carry a hefty toll

Mrs Williams however wasn’t so sure, especially when she realised she was being asked to enter her credit card details into a site that was not secure. The site was not encrypted. This would have been obvious to anyone clued up enough to look for the HTTPS prefix or a padlock in their browser.

So why have at least 900 people ignored basic advice to look for a padlock before entering their bank account details? Perhaps they were just as confident as Brent Dooley, the Transport Agency registry centre manager, who was apparently “confident the website was secure” according to the article. The article doesn’t say why Mr Dooley was so confident.

What is even more astounding is the assertion that all the banks had approved, “verified and certified all our banking arrangements”. Considering that not long ago the banks were thinking about penalising customers who did their banking on insecure computers, it is doubtful they’d have let the Transport Agency get away with asking customers to transmit their details in plaintext.
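The padlock check Mrs Williams did by eye can be automated for a whole page. The script below is an added example (not from the original post or the NZTA site): it parses constructed sample HTML, resolves each form’s action against the page URL the way a browser would, and reports any form that would send card or password fields anywhere other than an https URL, including the case where an https page posts to an http action.

```python
"""Flag HTML forms that would submit card or password fields over plain HTTP.
Added example; the page URLs and HTML below are constructed, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest payment or login data (an assumption).
SENSITIVE_HINTS = ("card", "cvv", "cvc", "expiry", "password", "account")


class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # one dict per <form>: action URL + sensitive names
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme; an absolute
            # action may silently downgrade an https page to http.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            is_pw = (a.get("type") or "").lower() == "password"
            if is_pw or any(h in name for h in SENSITIVE_HINTS):
                self._current["sensitive"].append(name or "password")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_submissions(page_url, html):
    """Return (sensitive field names, action URL) for every form that would
    post sensitive data to a non-https URL."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [(f["sensitive"], f["action"]) for f in auditor.forms
            if f["sensitive"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample: a card form with a relative action, a card form posting
# to https, a login form posting to http, and a harmless search form.
SAMPLE_HTML = """
<form action="/pay"><input name="card_number"><input name="cvv"></form>
<form action="https://pay.example.test/checkout"><input name="card_number"></form>
<form action="http://example.test/login"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
"""
```

Run `insecure_submissions("http://toll.example.test/pay.html", SAMPLE_HTML)` to see both the relative card form and the http login form flagged; with an https page URL only the login form remains, because its absolute http action downgrades the submission.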

But at least someone was thinking about security at some point.  If you read the website Privacy Policy you see this statement:

We employ strict security procedures to protect the information we hold. Access to and use of personal information within NZTA Tollroad is limited to prevent misuse or unlawful disclosure of the information.

Perhaps they should go back to having a man (or woman) in a booth. Much more reassuring.
