Technically Speaking

The Official Bigstep Blog


Thwarting Server-to-Server Communications Spoofing

Your business name is Bob Knows Best with a domain name of BobKnowsBest.com. Your customers receive an email saying that there is a problem with their account at Bob Knows Best, directing them to visit a website at Bob1KnowsBest.com. When they visit, they are asked a series of questions, including their name, address, phone number, social security number, account number, birthday, etc. Believing they are on your website, a business they know and trust, they comply and enter the information.


What just happened? It’s called server spoofing or domain name spoofing. It involves a nefarious entity (hacker, cyber terrorist, garden variety identity thief, etc.) spoofing one of your servers, thereby gaining access to data intended only for your business. Your customers have no idea they’ve given their sensitive information to someone other than you, and you don’t know that someone out there is making very bad use of your good name. What can you do about it?

Why is SSL Not Secure?

Consumers are told to look for the secure HTTPS when doing business online, but that doesn’t assure the transaction is secure.

Consumers are often instructed to look for the “S” before entering sensitive information into a website: HTTPS instead of HTTP, with the “S” meaning the site is secure. However, for some time there have been a number of known insecurities related to HTTPS and SSL certificates. Chief among them, there aren’t actually any issuance standards for receiving an SSL certificate, meaning Joe Blow Hacker can get one as easily as PayPal, Bank of America, or you.

Additionally, there are no real rules about what the certificate’s identifying fields mean, and no guarantee that the organization named in the URL is the actual owner of the business it presents itself as. Hence, many consumers have been victims of spoof sites like “PayPol,” “BunkofAmurica,” “CityBenk,” etc.

Sometimes the changes are so trivial that it’s difficult for the human eye to differentiate between the real business name and the spoof site—such as substituting the lowercase L for the number one or adding a hyphen like NumberOne versus Number-One. In fact, the practice is so commonplace that most sizeable organizations have a special landing page dedicated to consumers reporting such spoof sites.
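The character swaps and hyphen insertions described above are easy to miss by eye but straightforward to catch mechanically. The following Python script is an added example, not code from the original post or from Bigstep: it takes a brand’s real domain and flags candidate domains that are confusable with it (digit-for-letter swaps such as 1 for l, inserted hyphens, the same name under another TLD, near-miss spellings, and the brand name embedded in a longer name). It assumes the brand owns a single registrable domain under a one-label public suffix such as .com; the domain list it scans is constructed for the example, and in practice a brand-protection team would feed it new-registration or certificate-transparency data.

```python
"""Lookalike-domain detector (added example; not Bigstep's code).

Assumptions: the brand owns exactly one registrable domain, and the
public suffix is a single label such as ".com". Sample domains below
are constructed for this example.
"""

import re

# Single characters that spoof sites swap for the letters they resemble
# (the article's "lowercase L versus the number one" case is the first entry).
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "3": "e", "8": "b", "|": "l"}

# Two-character sequences that read as one letter at a glance.
DIGRAPHS = {"rn": "m", "vv": "w"}


def host_of(domain: str) -> str:
    """Normalise a URL or host name to a bare lower-case host."""
    host = domain.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    host = host.rstrip(".")
    return host[4:] if host.startswith("www.") else host


def registrable_label(domain: str) -> str:
    """Return the label directly left of the public suffix (assumed one label)."""
    labels = host_of(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label: str) -> str:
    """Collapse a label to what the eye sees: no hyphens, confusables mapped
    onto the letters they imitate."""
    s = label.replace("-", "")
    for seq, rep in DIGRAPHS.items():
        s = s.replace(seq, rep)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str, max_distance: int = 2) -> str:
    """Say how `candidate` relates to the brand's real domain."""
    if host_of(candidate) == host_of(brand):
        return "legitimate"
    cand, real = registrable_label(candidate), registrable_label(brand)
    if cand == real:
        return "lookalike: same name under a different TLD"
    if skeleton(cand) == skeleton(real):
        return "lookalike: confusable characters or hyphenation"
    if levenshtein(cand, real) <= max_distance:
        return "lookalike: near-miss spelling"
    if real in cand:
        return "lookalike: brand name embedded in a longer name"
    return "unrelated"


BRAND = "BobKnowsBest.com"

# Constructed sample: the kind of list a brand-protection team might pull
# from certificate-transparency logs or new-registration feeds.
SAMPLE_DOMAINS = [
    "https://www.BobKnowsBest.com/login",
    "Bob1KnowsBest.com",        # the article's spoof: a digit inserted
    "bobkn0wsbest.com",         # zero in place of the letter o
    "bob-knows-best.com",       # hyphens inserted
    "bobknowsbest.net",         # real name, different TLD
    "bobknowsbest-login.com",   # brand name embedded in a longer name
    "examplemail.com",
]


def scan(domains=SAMPLE_DOMAINS, brand=BRAND) -> dict:
    """Classify every domain in the list against the brand."""
    return {d: classify(d, brand) for d in domains}


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{domain:36} {verdict}")
```

The checks run from strongest to weakest signal: an exact host match is the brand itself, an identical label under another TLD or an identical visual skeleton is almost certainly a lookalike, and only then does the script fall back to edit distance, which is where the page’s Bob1KnowsBest.com example lands. The distance threshold is deliberately small; raising it trades fewer misses for more false positives on short brand names, so tune it against your own domain before acting on the output.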

Using EV SSL to Improve Security

EV certification is a better practice than standard SSL certification because it involves a stronger method of authenticating a website. EV stands for Extended Validation, and it comes with a set of rules for qualifying for a certificate. A business has to go through a series of procedures in order to validate its rightful ownership of a domain name.

However, EV certification is not a cure-all. It can only authenticate the domain, not the actual organization; hence companies like PayPal, Bank of America, and other high-profile targets for hackers and phishing scams still have to remain vigilant in finding and shutting down spoof sites preying on their customers.

Preventing Server-to-Server Communications Spoofing

Your customers need to know how to identify you in order to complete transactions safely.

If big companies like PayPal can’t stop spoofing, what can you possibly do? First, establish a solid policy for communicating with your customers, and regularly educate your customers on what these policies are. Policies should include stipulations that:

• Your company will never send out an email asking for sensitive information like account numbers, social security numbers, etc.

• Your company will never phone customers asking for this type of information.

• Customers should always visit your established website; never use a link in an email, Facebook post, etc., to visit your website.

• Outline for your customers how they can reach you by email, by phone, via website, etc. regarding questions about a solicitation or questionnaire bearing your business name.

Unfortunately, spoofing is one of the hazards of doing business online. To get more information on security using the Full Metal Cloud, visit the Bigstep website today.
