February 11, 2009 5:34 PM
- Text
Small Online Merchants Seek 'Safe' Tag
(AP)
As an online shopper, Claudia Race knows she must look out for scams.
So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.
But because her small business is so new, Race said she might not qualify for the online seals of approval that Overstock.com Inc. and other larger, established companies are getting to instruct Microsoft Corp.'s Internet Explorer browser to display a green address bar for "safe" when people visit her site.
"It would put me at a disadvantage," Race said. "I do not want anyone to have any questions, hesitate or have any fear factor. They have to know that I didn't just go grab a logo from somewhere and stick it on my site. I want them to know I'm a legitimate business."
What she's seeking is an extended-validation certificate, a response to the plethora of "phishing" attacks in which scam artists try to steal sensitive data by mimicking the Web site of a large bank or merchant.
Once Microsoft activates the feature in version 7 of Internet Explorer in late January, a green bar will appear when the browser sees an EV certificate, usually during a transaction or login. The tool complements a newly launched filter that displays a red warning for known phishing sites and yellow for suspicious ones.
"EV does not authenticate that your plasma TV is going to show up or that it won't have a crack through it," said Tim Callan, director of product marketing for VeriSign Inc., which issued its first EV certificate to Overstock this month.
Rather, Callan said, the EV certificate will tell consumers that the business does exist and operates at the location it says it does.
That's because VeriSign and its competitors will be required to perform extensive checks to verify that the business is legally recognized by a government agency and that the address registered for the certificate is valid, such as by matching it with a government filing or visiting the business in person.
Certificate issuers also must make sure that the company owns the domain name and that the individual requesting the certificate is authorized.
So a scammer can't register from overseas a domain name at "paypa1.com" — with a numeral "1" instead of letter "l" — and buy an EV certificate saying it is the eBay Inc. online payment service.
The certificate issuer would discover the person requesting it doesn't really work for eBay after obtaining eBay's contact information through independent means and asking directly, said Paulo Kaiser, vice president of operations for certificate vendor Comodo.
In the early days of e-commerce, merchants simply needed a standard security certificate for browsers to display a closed padlock. The makers of the Netscape browser, now owned by Time Warner Inc.'s AOL, developed the Secure Sockets Layer technology in the mid-90s, and many online shoppers over time knew to look for it.
Companies known as certification authorities used to always perform a series of checks to make sure sites were really what they said they were.
But newer authorities have tried to cut costs and corners by checking only that the site owns the domain name — not the business said to run on that domain, security experts say. Scam artists — needing only a credit card and a domain name — have exploited the loophole to obtain the certificates necessary to appear legitimate.
Enter the Certification Authority/Browser Forum, a group of certificate issuers and browser manufacturers desiring to restore trust in the certificates.
So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.
But because her small business is so new, Race said she might not qualify for the online seals of approval that Overstock.com Inc. and other larger, established companies are getting to instruct Microsoft Corp.'s Internet Explorer browser to display a green address bar for "safe" when people visit her site.
"It would put me at a disadvantage," Race said. "I do not want anyone to have any questions, hesitate or have any fear factor. They have to know that I didn't just go grab a logo from somewhere and stick it on my site. I want them to know I'm a legitimate business."
What she's seeking is an extended-validation certificate, a response to the plethora of "phishing" attacks in which scam artists try to steal sensitive data by mimicking the Web site of a large bank or merchant.
Once Microsoft activates the feature in version 7 of Internet Explorer in late January, a green bar will appear when the browser sees an EV certificate, usually during a transaction or login. The tool complements a newly launched filter that displays a red warning for known phishing sites and yellow for suspicious ones.
"EV does not authenticate that your plasma TV is going to show up or that it won't have a crack through it," said Tim Callan, director of product marketing for VeriSign Inc., which issued its first EV certificate to Overstock this month.
Rather, Callan said, the EV certificate will tell consumers that the business does exist and operates at the location it says it does.
That's because VeriSign and its competitors will be required to perform extensive checks to verify that the business is legally recognized by a government agency and that the address registered for the certificate is valid, such as by matching it with a government filing or visiting the business in person.
Certificate issuers also must make sure that the company owns the domain name and that the individual requesting the certificate is authorized.
So a scammer can't register from overseas a domain name at "paypa1.com" — with a numeral "1" instead of letter "l" — and buy an EV certificate saying it is the eBay Inc. online payment service.
The certificate issuer would discover the person requesting it doesn't really work for eBay after obtaining eBay's contact information through independent means and asking directly, said Paulo Kaiser, vice president of operations for certificate vendor Comodo.
In the early days of e-commerce, merchants simply needed a standard security certificate for browsers to display a closed padlock. The makers of the Netscape browser, now owned by Time Warner Inc.'s AOL, developed the Secure Sockets Layer technology in the mid-90s, and many online shoppers over time knew to look for it.
Companies known as certification authorities used to always perform a series of checks to make sure sites were really what they said they were.
But newer authorities have tried to cut costs and corners by checking only that the site owns the domain name — not the business said to run on that domain, security experts say. Scam artists — needing only a credit card and a domain name — have exploited the loophole to obtain the certificates necessary to appear legitimate.
Enter the Certification Authority/Browser Forum, a group of certificate issuers and browser manufacturers desiring to restore trust in the certificates.
- 1
- 2
- Next Page »
-
Kevin Hechtkopf Kevin Hechtkopf is CBSNews.com's politics editor.
Follow on Twitter »
Popular Now in SciTech
- Apple iPad 3 rumors: thicker, sharper, coming soon
- Retro Duo will play your old Nintendo games
- Happy 50th to computer game Spacewar
- Tesla's Model X: Finally, an electric car we all want
- Apple iPhone 5 rumors, reports say June release
- iPad 3 mini on the way, says analyst
- Apple iPad 3 rumors resurface, sources say March release
- Facebook required for Spotify account, here's a trick
- Obama's 2012 campaign playlist now on Spotify
- Google TV announcements slated for Monday
- Facebook graffiti artist David Choe, from homeless to millions
- How to get the Diablo III beta test
- Google developing home entertainment system
- Ethical iPhone 5 petitions head to Apple stores
- Apple iPad 3 rumors, let's get real
- SOPA is dead, Smith pulls bill
- World Helium Supply Could Be Gone in 30 Years
Latest CBS News Headlines
on Facebook Most Discussed Stories
on CBS News
- Coroner: Houston found bathtub, results weeks away
- McGee, Wall help Wizards rout Pistons 98-77
- Nolan, King lead Kings past Stars 4-2
- Investigators seek answers to Houston's death
on Facebook Most Discussed Stories
on CBS News
