1x1


ONLINE FEATURES Book Reviews BW Video Columnists Interactive Gallery Newsletters Past Covers Philanthropy Podcasts Special Reports BLOGS Auto Beat Bangalore Tigers Blogspotting Brand New Day Byte of the Apple Economics Unbound Eye on Asia Fine On Media Green Biz Hot Property Investing Insights Management IQ NEXT: Innovation NussbaumOnDesign Tech Beat Working Parents TECHNOLOGY J.D. Power Ratings Product Reviews Tech Stats Wildstrom: Tech Maven AUTOS Home Page Auto Reviews Classic Cars Car Care & Safety Hybrids INNOVATION
& DESIGN Home Page Architecture Brand Equity Auto Design Game Room SMALLBIZ Smart Answers Success Stories Today's Tip INVESTING Investing: Europe Annual Reports BW 50 S&P Picks & Pans Stock Screeners Free S&P Stock Report SCOREBOARDS Hot Growth 100 Mutual Funds Info Tech 100 S&P 500 B-SCHOOLS Undergrad Programs MBA Blogs MBA Profiles MBA Rankings Who's Hiring Grads

MAY 20, 2005

By Stephen H. Wildstrom
Wildstrom is Technology & You columnist for BusinessWeek

  STORY TOOLS
Printer-Friendly Version
E-Mail This Story

POLL INSTANT SURVEY >>
With which of the following statements on outsourcing do you most agree?

The benefits of outsourcing to corporate America far outweigh the costs
There's an even split between the drawbacks and rewards
Any benefits are overshadowed by the loss of U.S. jobs
Unsure

VIEW POLL RESULTS >>
  PEOPLE SEARCH

Search for business contacts:

First Name :
Last Name :
Company Name :

PREMIUM SEARCH
Search by job title, geography and build a list of executive contacts

Search by Zoominfo
  Tech White Papers
Most Recent
Most Popular
TECHNOLOGY & YOU
By Stephen H. Wildstrom

Phishers Learn to Exploit VeriSign
At least one Net scammer has co-opted the Web security-assurance company's seal of approval to offer a false impression of safety


Everyone knows not to believe everything they read on the Web. But things get sticky when a company whose main businesses is assuring the security of online transactions gives you assurances that don't hold up.


A few days ago, I received e-mail ostensibly from Bridgeport (Conn.)-based People's Bank, informing me of some security problem and asking me to click on a link and enter my account information. I get dozens of these phishing attempts, and when I see a new one, I'll often check it out. (Don't try this at home -- I use a special isolated computer to protect myself and my PC against the viruses, worms, and other nasties that these sites often attempt to download to a user's machine.)

VULNERABLE ARCHITECTURE.  The e-mail had the usual giveaways to alert the wary. I'm not a customer of the bank. The link pointed to a numerical Internet address, not www.peoples.com, the bank's genuine site. And the bank's name was prominently misspelled "Peopel's" in one reference. Phishers have used the names of many banks and businesses in other phishing scams.

But the phony bank Web site the message linked to features a graphic of a VeriSign seal with the text "VeriSign Secure Site: Click to Verify." When I clicked on the seal, I got a page from a VeriSign server that announced in bold blue type: "PCB.PEOPLES.COM is a VeriSign Secure Site" and that its status was "valid." I had to read way down into the text on the page to be advised: "To ensure that this is a legitimate VeriSign Secure Site, make sure that the original URL of the site you are visiting comes from PCB.PEOPLES.COM" -- which, of course, it did not.

When I brought the matter to the attention of Mountain View (Calif.)-based VeriSign (VRSN ), Group Product Manager Tim Callan wrote in an e-mail: "This phisher has built his spoof on top of VeriSign's version 1 seal architecture. The version 1 architecture was conceived and created before phishing was a phenomenon, and so it was not designed with that attack in mind.

NOT PROOF.  "We're in the process of phasing out the version 1 seal architecture. Since many long-time VeriSign customers have displayed seals of this sort for many years, we need to help them migrate to the new architecture before shutting down this service. In the meantime, our antifraud team is quite expert at getting phishing sites taken down and vigilantly does so with any site we discover abusing VeriSign's brand to assist its criminal ventures."

The irony here is that VeriSign's original business -- and still one of its core products -- is selling digital certificates that servers can use to prove that they're what they claim to be. In this incident, VeriSign confirmed that pcb.peoples.com had a valid server certificate. But it apparently failed to ask the phony Web site that referred me to VeriSign to present a certificate confirming that it actually was pcb.peoples.com.

The Internet unfortunately is full of bad guys who are getting progressively more sophisticated and dangerous. When you can't be sure the good guys are who they say they are, we're all in trouble.


Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at techandyou@businessweek.com
 BW MALL   SPONSORED LINKS
Buy a link now!


Get BusinessWeek directly on your desktop with our RSS feeds.XML

Add BusinessWeek news to your Web site with our headline feed.

Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video.

To subscribe online to BusinessWeek magazine, please click here.

Learn more, go to the BusinessWeekOnline home page
Back to Top


TODAY'S MOST POPULAR STORIES

  1. Why Apple Leaves Low-End Computers to the Competition
  2. Retailers: New Strategies for this Holiday Season
  3. Fertile Ground for Startups
  4. China's End Run Around the U.S.
  5. At General Motors, Loss Reduction Is a Good Start

Get Free RSS Feed >>
  MARKET INFO
DJIA 10270.47 +73.00
S&P 500 1093.48 +6.24
Nasdaq 2167.88 +18.86

Portfolio Service Update

Stock Lookup

Enter name or ticker



Copyright 2005, by The McGraw-Hill Companies Inc. All rights reserved.
Terms of Use | Privacy Notice

Media Kit | Special Sections | MarketPlace | Knowledge Centers
McGraw-Hill Cos.