Netcraft’s anti-phishing toolbar community identified a noteworthy phishing attack against PayPal in December. FasterPay – which describes itself as the UK’s only safe, all-in-one Internet Banking payment service – was apparently hacked, and a subdirectory on the company’s own website at www.fasterpay.co.uk was used to host a PayPal phishing site.
The veracity of the phishing attack was enhanced by the Extended Validation SSL certificate used by the FasterPay website. This meant that any victims of the phishing attack would have been presented with the reassuring green EV indicator in (or near) the browser’s address bar. This attack acts as a reminder that users must do more than merely look for the presence of an EV certificate when deciding whether or not it is safe to submit personal or financial data to a website.
The CA/Browser Forum defines a strict set of guidelines [pdf] that a certificate authority must adhere to when issuing an Extended Validation certificate. These guidelines clearly detail the steps required to verify the identity and legitimacy of an organisation when it applies for a certificate, as well as the security processes that must be implemented by the certificate authority.
Each certificate authority must maintain a comprehensive security program to protect all EV processes, including carrying out regular risk assessments. However, no such requirements are placed upon the owners of websites which use EV certificates, which perhaps highlights a weakness in the current guidelines.
According to these guidelines, one of the secondary purposes of EV certificates is to address the problem of phishing, but the attack hosted by FasterPay demonstrates how this type of protection can be undermined and rendered trustworthy – if a user is conditioned to be reassured by the presence of an EV certificate, he will be more susceptible to any phishing attack that is hosted on a site with an EV certificate. FasterPay is by no means the first EV-toting website to have exhibited a security vulnerability, which raises the question of whether the issuance guidelines for EV certificates should also require the applicant to provide similar assurances regarding the security of the website on which an EV certificate is to be deployed – for example, by carrying out regular automated vulnerability scans or manual web application security testing.