Point taken....

I am working on a "Real" answer. This is one of the reasons I have been a little quieter on the list these days.

It became clear from our discussions a couple of weeks ago that, at best, the 'identity' component of the certificate is not as critical to you as the incumbent market-leading Certificate Authorities would have us believe and, at worst, the whole idea of web certificates is an inadequate solution to the problem they are intended to solve (namely non-repudiation of commercial transactions).

I was particularly moved by the observation that it is really the merchant that is taking the risk of repudiation -- this is true. For credit card transactions the provider of the payment gateway/merchant account is trusted third party enough for the purposes of non-repudiation -- leaving the value of a web certificate only in the encryption component. Personal identity that would benefit the merchant is accomplished through personal certificates, and e-commerce merchants have thus far chosen to accept the risk of not requiring them and/or verifying identity by off-line methods (only shipping to the same address as listed on the credit card, phoning the phone number listed on the credit card, etc.).

However, without the identity component the end-user is not protected against fraudulent collection of information by an imposter (I have posted an article from today's Wall Street Journal below -- it shows a situation in which a fraud would have been prevented if users demanded a properly authenticated certificate -- ultimately that may have been what tipped the users off in the first place -- spelling errors and healthy scepticism were noted in the article). This is of greater concern for some applications than others. The message I clearly received from our discussion is that you do not feel you need full identity verification for all applications, just as long as the browser error message is avoided.

As stated before, I am working on a "Real" answer to your concerns. In the meantime, for those applications that require full identification we now have the cheapest solution on the market, and you should find the verification process running smoothly. If you don't, you can let me know immediately and we will get it sorted out. Given some of the troubles in the last month we are on high alert right now to ensure that verification runs as smoothly as, or smoother than, it did previously.

Regards
Darryl Green

'Spoofer' Tries Unsuccessfully to Snag

[Image: "spoof" PayPal site]
According to domain-name registration records at VeriSign Inc., the PayPal-Secure.com address is registered to an entity called PayPalSecure. The record lists a phony phone number and address for the company. PayPal said it could subpoena the account information for the site from DigitalSpace.net, but that information would most likely be faked as well.
"One of the problems with the Net is that it's easy to dummy something up to look like a legitimate entity, and you might have to click through further to ensure that it is the place that you think you are visiting," said Susan Grant, director of the Internet Fraud Watch for the National Consumers League. These types of scams make it harder for legitimate companies to gain users' confidence, she added.
PayPal does warn its customers about fraud and says it is vigilant about protecting its users. The company says its customers are safe because they are reimbursed -- either by PayPal or by their credit-card company, depending on the situation -- for any fraudulent charges to their account.
The PayPal-Secure scam played on PayPal's earlier viral marketing campaign, which helped to fuel its exponential growth. The company, which launched in October 1999, had 10.6 million accounts as of Sept. 30, 2001, and processes an average of 171,000 payments per day totaling $8.5 million in daily volume, according to the company. During its early days, PayPal would give $10 to any user who signed up a friend, and gave the friend $10, too.
PayPal still provides some bonuses, but the requirements for receiving one have become much stricter. Now, according to the PayPal Web site, customers must verify their account with a credit card, deposit $250 and sign up for a money-market account to receive the new account bonus.
The attack comes at an inopportune time for PayPal, which last week set the range for its proposed initial public offering. The company is already under scrutiny from investors nervous about its exposure to liability from credit-card fraud, in part because PayPal promises to reimburse any customer whose credit card or account is fraudulently used. PayPal is used primarily by users of eBay Inc. and other auctions to process payments for online transactions.
In the past, customers have complained to the Better Business Bureau and Federal Trade Commission about PayPal's fraud protections. Over the last year, however, the company has aggressively worked to combat credit-card fraud at the site. "They have very good fraud protection," said Gartner's Ms. Litan. PayPal's fraud rates are better than average, with about 0.87% of its sales lost to fraud, according to its SEC filing.
Neither PayPal nor Digital Space said they notified law enforcement authorities after PayPal-Secure.com was taken offline. "We certainly wouldn't bother the FBI about it," said Mr. Solitto, who called the "spoof" category of fraud "not particularly novel or sophisticated."
PayPal said it hasn't received any reports from customers who were actually tricked into entering their personal information. Mr. Cichanowicz, for his part, said he didn't give up any account information, but is still disturbed that he was targeted for fraud. "This is a terrible time for unsuspecting people to be had by this, especially so close to the holidays," he said.
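The distinction drawn in the message above between the encryption component and the identity component of a web certificate, shown as an added Python example that is not part of this thread or of any product mentioned in it. It models the name check a browser performs, using the dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The certificates, the issuer names and the `TRUSTED_ISSUERS` set are constructed sample data, and `evaluate` is a hypothetical helper, not a browser's or a CA's own code.

```python
"""Model of the certificate identity check a browser performs, using the
dictionary shape that ssl.SSLSocket.getpeercert() returns.  All
certificates and the issuer list below are constructed sample data."""


def _cn(name) -> str:
    """Pull commonName out of a getpeercert()-style subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == 'commonName':
                return value
    return ''


def _match_name(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the requested host.
    A wildcard may only be the whole left-most label, needs at least two
    further labels (so '*.com' is refused), and never spans a dot."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    pat_labels = pattern.split('.')
    host_labels = hostname.split('.')
    if pat_labels[0] != '*' or '*' in pattern[1:] or len(pat_labels) < 3:
        return False
    return len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate vouches for: DNS subjectAltName entries, or the
    subject CN only when no SAN is present (the legacy fallback)."""
    sans = [v for (kind, v) in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    cn = _cn(cert.get('subject', ()))
    return [cn] if cn else []


def identity_matches(cert: dict, hostname: str) -> bool:
    """The 'identity component': does this certificate name the host typed?"""
    return any(_match_name(n, hostname) for n in cert_names(cert))


def evaluate(cert: dict, hostname: str, trusted_issuers) -> str:
    """Verdict a browser would reach.  Encryption happens either way; the
    warnings come only from the identity checks (hypothetical helper)."""
    issuer = _cn(cert.get('issuer', ()))
    if issuer == _cn(cert.get('subject', ())) or issuer not in trusted_issuers:
        return 'warning: issuer not trusted'
    if not identity_matches(cert, hostname):
        return 'warning: name mismatch'
    return 'ok'


# Constructed sample data: a stand-in for the browser root store.
TRUSTED_ISSUERS = {'Example Trusted CA'}

# Constructed sample certificate for the genuine site.
LEGIT_CERT = {
    'subject': ((('commonName', 'www.paypal.com'),),),
    'issuer': ((('commonName', 'Example Trusted CA'),),),
    'subjectAltName': (('DNS', 'www.paypal.com'), ('DNS', 'paypal.com')),
}

# Constructed sample: a certificate an imposter could legitimately obtain
# for a look-alike domain it actually registered.
LOOKALIKE_CERT = {
    'subject': ((('commonName', 'www.paypal-secure.com'),),),
    'issuer': ((('commonName', 'Example Trusted CA'),),),
    'subjectAltName': (('DNS', 'www.paypal-secure.com'),),
}

# Constructed sample: encryption only, self-signed, so the issuer check fails
# and the browser error message the thread mentions appears.
SELF_SIGNED_CERT = {
    'subject': ((('commonName', 'www.paypal.com'),),),
    'issuer': ((('commonName', 'www.paypal.com'),),),
}


if __name__ == '__main__':
    for label, cert, host in [
        ('legit site', LEGIT_CERT, 'www.paypal.com'),
        ('look-alike cert on real host', LOOKALIKE_CERT, 'www.paypal.com'),
        ('look-alike cert on its own host', LOOKALIKE_CERT, 'www.paypal-secure.com'),
        ('self-signed', SELF_SIGNED_CERT, 'www.paypal.com'),
    ]:
        print(f'{label:32} -> {evaluate(cert, host, TRUSTED_ISSUERS)}')
```

The third case is the one the article turns on: a certificate correctly issued for the look-alike domain passes every check when the user is already on that domain, so the identity component only confirms the name that was typed. That is why the spelling errors and the users' own scepticism, rather than a browser warning, were what stopped the PayPal-Secure.com fraud.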
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen
Sent: Wednesday, December 19, 2001 11:14 AM
To: Matthew Feinberg
Cc: [EMAIL PROTECTED]
Subject: Re: Digital Certificates
That's why I am REALLY considering, and more than likely signing up today. It has been a week with no "Real" answers from OpenSRS. Just a statement saying they are working with Entrust on a new procedure.

Mike Allen, 4CheapDomains.Net
[EMAIL PROTECTED]
http://www.4CheapDomains.Net
(812) 275-8425 - Office
(815) 364-1278 - Fax

----- Original Message -----
From: Matthew Feinberg
Sent: Wednesday, December 19, 2001 10:55 AM
Subject: RE: Digital Certificates

I have already switched over to Entrust and it is going well. I could no longer spend 5 to 8 hours of time on SSL Cert issues per Cert to only make $25. Entrust never once delivered a certificate without us chasing them around. 1 customer took 4 weeks to get the Cert... Terrible!

Matthew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mike Allen
Sent: Tuesday, December 18, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: Digital Certificates

Hi Guys... About this digital certificate thing and our current problems... If OpenSRS is going to fix things, it better be fast. GeoTrust just contacted me and they are making us a very sweet offer for re-selling. Chuck, you may even want to re-consider the prices for these certificates and maybe also offer the QuickSSL at a GOOD price...

Mike Allen, 4CheapDomains.Net
[EMAIL PROTECTED]
http://www.4CheapDomains.Net
(812) 275-8425 - Office
(815) 364-1278 - Fax