Faked NatWest, Halifax bank sites score REAL security certs
Netcraft wonders if CAs are taking verification rules seriously
UK banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs).
Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have handed out certs to sites like natwestnwolb.co.uk. That site's a faked attempt at luring traffic away from UK bank NatWest's real online banking operation at www.nwolb.com. Another UK bank, Halifax, is flattered by the existence of fake site halifaxonline-uk.com. Someone's trying to take a bite out of Apple at itunes-security.net, PayPal has to cope with emergencypaypal.net and phishers even think someone's likely to have such fat fingers that they end up at btintranert.com.
While some of the sites above are chucklesome to a degree, Netcraft notes that “Consumers have been trained to 'look for the padlock' in their browser before submitting sensitive information to websites, such as passwords and credit card numbers.” The padlock will appear when sites have a valid certificate, so the errors made by certification authorities lend a little more authenticity to fake phishing sites, no matter how ridiculous their URLs. That authenticity will help those sites to fool punters into inadvertently handing over their internet banking credentials and other personal details, which won't end well.
Netcraft's Graham Edgecombe notes that CAs have a code of conduct that requires them to be especially careful when handing out certificates to high-risk sites like those that purport to have anything to do with online banking. Edgecombe stops short of accusing CAs of ignoring those checks, but points out that free trial certificates with short expiry times are phishers' favourites.
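As an added illustration (not code from Netcraft, any CA or the original article), here is one way a CA or a brand-monitoring team could screen certificate requests for the kind of high-risk names listed above, flagging both embedded brand keywords and one-character typos. The watchlist, the allowlist and the tiny suffix list are assumptions made for this example; a real deployment would use the Public Suffix List and the brand owner's own domain inventory.

```python
# Constructed watchlist of brand keywords (assumption for this example).
WATCHLIST = ["natwest", "nwolb", "halifax", "itunes", "paypal", "btintranet"]
# Domains a brand really operates; nwolb.com is the only one the article names.
ALLOWLIST = {"nwolb.com"}
# Minimal stand-in for the Public Suffix List (assumption).
MULTI_SUFFIXES = (".co.uk",)


def registrable(domain):
    """Return (registrable domain, leftmost label of it)."""
    d = domain.lower().rstrip(".")
    parts = d.split(".")
    keep = 3 if d.endswith(MULTI_SUFFIXES) else 2
    parts = parts[-keep:]
    return ".".join(parts), parts[0]


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain):
    """Return the reasons a certificate request should get manual review."""
    reg, label = registrable(domain)
    if reg in ALLOWLIST:
        return []
    reasons = []
    for brand in WATCHLIST:
        if brand in label:
            reasons.append(f"contains '{brand}'")
        elif edit_distance(label, brand) <= 1:
            reasons.append(f"typo of '{brand}'")
    return reasons


if __name__ == "__main__":
    # Domains quoted in the article, plus the real NatWest site and a neutral one.
    for name in ["natwestnwolb.co.uk", "halifaxonline-uk.com", "itunes-security.net",
                 "emergencypaypal.net", "btintranert.com", "www.nwolb.com", "example.org"]:
        print(f"{name:24} {screen(name) or 'no flag'}")
```

Substring matching of this sort produces false positives on innocent names, so a flag here is a trigger for manual verification rather than an automatic refusal.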
Might CAs be less-than-optimally rigorous when checking freebie certs? That conclusion's there to be drawn from Edgecombe's post. One thing the post omits is that it's also possible to obtain trial domain names, or to register them at very low cost without offering much in the way of verifiable identification.
CAs may be messing up by handing out certs to miscreants. But the mess is not entirely of their making. ®