Neither one has to last very long to have an impact…


With all the talk of lettuce and political longevity, it strikes me that a fraudulent identity can have a significant impact even in a short time. The industry tends to focus on individual identity and the damage that can result if an individual’s identity is stolen. There tends to be far less focus on institutional or enterprise identity, especially as it exists on the web.

There are several approaches fraudsters can use to mislead individuals.

  • Acquiring a domain name is easy and inexpensive. Look-alike names and common misspellings of a legitimate website (typosquatting) can lead a user into dangerous waters.
  • DNS hijacking is another way to misroute users to a fraudulent website.
  • Phishing attacks through email, SMS, or other popular messaging apps embed unrecognizable web addresses that lead to trouble.
  • Email sender addresses and display names are forged to look like those of popular websites such as Amazon, FedEx or UPS, or of well-known banks.
  • There are many more; I have experienced nearly all of the above in the last 24 hours. It’s that bad.
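
The first bullet, look-alike and misspelled domain names, is the one a defender can actually screen for in bulk. The following script is an added example, not part of the original post or anything Xcel or the Gazette published: it triages hostnames against a single protected brand domain, flagging exact matches, homoglyph substitutions (digits or Cyrillic letters standing in for Latin ones), close misspellings (edit distance), and hostnames that merely embed the brand name. The brand domain and every sample hostname are constructed for illustration, and the registrable-domain split is a simplified assumption that does not consult the Public Suffix List.

```python
"""Look-alike domain triage for one protected brand domain.

Added example, not from the article. Brand domain and sample hostnames
are constructed. Second-level extraction assumes a one-label public
suffix (no .co.uk handling); a real tool would use the Public Suffix List.
"""
import unicodedata

# Single characters attackers substitute for visually similar ASCII.
# Constructed subset of the Unicode confusables table.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}
# Two-character sequences that read as one letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_hostname(hostname: str) -> str:
    """Lowercase, drop a trailing dot, and decode punycode (xn--) labels.
    Hostnames that are already Unicode are returned as-is."""
    hostname = hostname.strip().rstrip(".").lower()
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def normalize_label(label: str) -> str:
    """Fold confusable characters to their ASCII look-alikes."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        label = label.replace(seq, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def second_level_label(hostname: str) -> str:
    """Return the label left of the TLD, e.g. 'xcelenergy' for
    'www.xcelenergy.com'. Simplified: assumes a one-label public suffix."""
    labels = [l for l in hostname.split(".") if l]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, brand_domain: str) -> str:
    """Classify a hostname relative to the brand's registrable domain.
    Returns one of: exact, homoglyph, typosquat, brand-embedded, unrelated."""
    host = decode_hostname(hostname)
    brand_sld = second_level_label(decode_hostname(brand_domain))
    sld = second_level_label(host)
    if sld == brand_sld:
        return "exact"                      # the brand's own domain or a subdomain of it
    norm_sld, norm_brand = normalize_label(sld), normalize_label(brand_sld)
    if norm_sld == norm_brand:
        return "homoglyph"                  # identical once look-alike chars are folded
    threshold = 2 if len(norm_brand) >= 8 else 1
    if levenshtein(norm_sld, norm_brand) <= threshold:
        return "typosquat"                  # a keystroke or two away from the brand
    if norm_brand in normalize_label(host):
        return "brand-embedded"             # brand used as a subdomain or prefix
    return "unrelated"


if __name__ == "__main__":
    BRAND = "xcelenergy.com"                # constructed protected domain
    SAMPLES = [                             # constructed hostnames
        "www.xcelenergy.com", "xcelenrgy.com", "xce1energy.com",
        "\u0445celenergy.com", "xcelenergy-billing.com",
        "xcelenergy.pay-now.net", "example.com",
    ]
    for h in SAMPLES:
        print(f"{h:30} {classify(h, BRAND)}")
```

In practice the hostnames would come from certificate transparency logs or newly registered domain feeds rather than a hard-coded list, and anything other than "exact" or "unrelated" is a candidate for a takedown request or a customer warning.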

The Denver Gazette recently reported that the local power company Xcel Energy is warning customers about fake websites with fake phone numbers being used to scam customers. According to the Gazette:

“Scammers, the company said, create legitimate-looking websites with fake contact numbers and then take personal information from callers, including social security and credit card numbers. They demand immediate payment to start services or get the power turned back on — something Xcel never does.

“Customers may not realize they have been scammed because the criminals later call Xcel, posing as the customer, and start the service, which conceals the up-front theft until bills from Xcel start arriving.”

Xcel, for its part, is providing customers with warning signs to help protect them (from the Gazette):

  • Customers should be suspicious if a caller requires a single form of payment, such as using a prepaid debit card. Xcel Energy offers many options for payment and will never ask or require a customer with a past-due account to purchase a prepaid debit card to avoid disconnection.
  • Xcel Energy will contact customers by U.S. mail about past due bills, not over the phone. You will also be sent a disconnection notice in writing before your power is actually turned off.
  • Customers should never wire money, provide bank card numbers or offer social security numbers to an unverified source.

The real question is how we can reasonably expect customers to “verify a source.” Outside of the digital world, there are checks and balances. They are not perfect, but they make a difference. Physical companies have to get a license to operate. They have a physical presence. There is the Better Business Bureau (BBB) that can be referenced for reputation, and online review tools like Yelp. For non-digital services, there is tangible contact. For a digital presence, you cannot tell whether the website is in America or Nigeria, and duplicating a website’s look and feel is pretty straightforward.

What is needed, and does not exist today, is website/online enterprise identity verification. Anyone can set up a website anywhere in the world, and search engines will happily take you there. It is their job to index the internet, not to pass judgment on it.

So what is the ultimate solution? How do we ensure that websites are legitimate? The possibilities are quite broad. 

At one extreme, getting a website could follow a much more rigorous process. No website could be “turned on” without a background check that links it to a verified individual or corporation. It would be no different from opening a bank account in that sense. A distributed ledger, like a blockchain, could hold the database of legitimate websites; using distributed technology would avoid concentrating control, and a single target for attackers, in any one place. The obvious downside is red tape. It would slow things down and create complexity over who has the power to “license” websites. It seems unlikely that any nation would submit to another nation making these calls.

At the other extreme is today’s situation: the onus is on individual enterprises to do their own policing. The Xcel Energy warning above is an example of this approach: educate consumers to detect a false Xcel website. That is also not ideal, for obvious reasons.

A more powerful web-wide solution would not require licensing websites, but auditing them continuously. As search engines discover new websites through crawling, their legitimacy could be checked at the same time. This would not necessarily require international cooperation, since it could be carried out country by country.

We need to do more than we do today. A fraudulent website could easily affect thousands of individuals, even if it only exists for the time required for a head of lettuce to wilt. Technology, especially internet technology, always seems to precede the governance necessary to make it safe. Solutions that depend on the user to keep up with today’s latest scams fall short. We need to be more deliberate. We need to do better.


Michael Frendo

SVP/GM High End Security BU Juniper, EVP Engineering Polycom, VP Engineering & Advanced Product Development Cisco, Founder VoIP Forum. Executive leadership roles at: Infinera, McData, Avaya, and Nortel.