My good friend William Heath reported on his quite interesting Ideal Government blog how an intelligent member of the general public (in this case, himself) found it impossible to distinguish between legitimate bank communications and phishing attacks. Recently, via the excellent Payments News, I was alerted to an article containing the detailed anatomy of a 3D Secure phishing attack. As this shows, even a tolerably well-informed person finds it hard to keep themselves safe.
The article shows how difficult it is for members of the general public to stay clear of phishing and similar frauds, even if they have been told about the frauds and have taken steps to validate the communications. The solution, naturally, is better authentication. In the world of cards, as opposed to home banking, the card associations have been pushing out 3D-Secure (3DS) for authentication. If you don’t know what 3DS is, it is the technology behind the Verified by Visa (VbV) and MasterCard SecureCode initiatives. MasterCard have a good online explanation of how it works. Bizarrely, I happened to stop to buy something online while I was writing the first draft of this article and found myself at a 3DS-enabled merchant. This is what I saw:
Clearly some way to go on the usability/stability front. I’m not picking on Visa and MasterCard 3DS implementations here, just illustrating that things go wrong even in well-designed and well-organised transaction environments. Here — and I swear this was just a coincidence — is what happened when I tried (on the same day!) to check the last few transactions on one of my American Express cards:
So what are consumers to do? They can’t tell the difference between a site that’s doing what it should and a phishing attack; they see crashes when they visit financial services organisations’ web sites (which must undermine confidence); and even if they take the trouble to understand SSL and certificates, they are presented with meaningless gibberish from companies they have never heard of. No disrespect, but Verisign means nothing to my mum.
In fact, as Ian Grigg of Financial Cryptography pointed out at the Digital Identity Forum a couple of years ago, there is a general problem at the intersection of security and brand. There is no brand associated with SSL certificates — no brand that has any resonance with the general public — and no obvious way for such a brand to develop (because public key certificates mean nothing to the general public).
Microsoft has been attempting to work with other browser developers to get the certificate authority names into the browser window alongside the padlock. But it’s not certificate authority brands that are, or should be, relevant to consumers. Shouldn’t it be bank brands there? Whether they are visiting their online bank or shopping or whatever, wouldn’t consumers feel more comfortable trusting their bank than anyone else?