Go Phish!


One of the most interesting features of Microsoft's Internet Explorer 7.0 browser is a visual alert system to identify potential phishing sites (sites that look as if they belong to reputable, well-known companies, but which are designed for identity theft). It's pretty cool: when visiting a site verified as legitimate, the address bar area of the browser turns green to connote safety. Suspect sites turn the address bar yellow, and known phishing sites turn the address bar red. On the surface, it seems like an elegant solution to a growing problem.

But to take the punch line from an old joke, "how do it know"?

How does Microsoft determine that a site is legitimate, suspect or fraudulent? It doesn't. Microsoft isn't validating companies or websites directly. Instead, it is relying on a program developed by the CA/Browser Forum, an industry group that has created a standards process for verifying legitimacy. These standards are in turn applied by a number of private companies (called "certification authorities") that actually do the certification work. A key screening criterion is a check of state incorporation records, meaning that unincorporated businesses currently aren't eligible for verification.

A fair amount of research on my part has not yet determined who identifies "suspicious" or "known" phishing sites, and who maintains this database of information. Good luck if you're ever accidentally included on this list, because there appears to be no appeal.

We're very bullish on the power of "3R" (rating, ranking and recommendation) features to add value to data. They can be even more powerful when tightly integrated into software tools, as in this new system. Yet, in its rush to do good, Microsoft (and, I should add, the non-Microsoft browsers that will participate in this program as well) has made four major blunders:

  • The program doesn't currently cover everyone, relegating a large number of companies to the status of "unknown." This angers the excluded companies while reducing the value of the 3R system to users.
  • It has created a secretive blacklisting process that lacks any of the processes or safeguards you would expect of a system that has the power to put a company out of business virtually overnight.
  • Its high certificate fees (reportedly, prices now range from $300 to $1,200) pose a barrier for smaller businesses. This works against a high participation rate, which is critical to success.
  • It over-hypes the benefits of the system -- to qualify for "green" status, a company needs only to be legally incorporated somewhere, not exactly a demanding standard when you are vouching for the legitimacy of a business.

While the goal is laudable, this sloppily designed program has been rushed to market under pressure from the companies planning to become certification authorities. The lesson for information companies considering 3R systems of their own is don't rush to judgment, or ye yourself will be judged, and found wanting.
