A large collection of fraudulent web stores (chair6.net)
153 points by finnigja on Nov 3, 2022 | hide | past | favorite | 70 comments



The consumer's dependence on a "legit-sounding domain name", a green SSL key, and recognizable corporate logos and website layout as the "proof" of authenticity is passé.

In this era of online ubiquity there should be another layer of opt-in validation, ring of trust, p2p feedback and rating, that can all be plugged into the consumer web experience.


As weird as it sounds, it is still the best.

If we have a centralised "licensing" solution, it is abused by large capital to wash off the smaller ones - there are plenty of examples.

If we have a decentralised solution (which is basically what a review is) - it is immediately abused by "marketers".

There is no simple and easy solution to the problem.


IMO, the best solution to the problem is friction. Criminals are criminals because it's easy. If opening a fraudulent store is 90% as difficult as opening a legit one, no one is going to bother.


I see what you're saying: if you add more startup cost then it makes it harder for spammers without legitimate business interest to profit. I think I disagree, though. Legitimate "mom and pop" businesses experience all the pain of learning the process of setting up a store, creating real products and pricing, inventory, delivery etc. They don't need more friction.

These criminals on the other hand are likely automating everything and have the advantage of lessons learned from dozens of iterations.

The article indicated the mimic sites accept credit card numbers but don't actually process them -- to me that is the Achilles heel of the process. If credit card companies started requiring instantaneous verification of the card's actual use (via a card chip reader or an app on user's phone, for example) instead of allowing payment via static information vulnerable to replay at any time, I think that could do a lot more to improve security of online transactions than green check boxes.


There’s danger on the other side of this: Credit card companies are already stifling creators because of the power they have when CCs are the primary payment method. Additional security gives them a tighter grip.


Computers with built in NFC readers could allow you to pay for your purchases with your phone and use fingerprint/passcode/faceID etc. for verification.

That would be convenient enough for most people that it's usable.


Organised criminal syndicates are behind most of these operations. They have immense resources from which to draw. It's another example of the saying, 'It takes money to make money.'

IOW, adding friction wouldn't be a sufficient deterrent. Criminals are resourceful, and enriching themselves further is a strong motivator.


Aside from that, in today's online world, any time friction is added, people come along and make some grease for it. Making a storefront from scratch? Difficult! Using WooCommerce on WordPress? So easy a sufficiently motivated 12 year old can figure it out.

If you add some system for site verification, first someone will make tooling to facilitate it and soon after someone will offer a service to provide it for you and in a matter of months these spam sites will be up and running just like they are now, only it will be more difficult for a legitimate newcomer to get started in the same arena.


To me it's very simple: nation states should have their own layer that uses the national registry for companies to verify a domain.

When you register a business you also provide your official domains and so the validity of the website is checked against the validity of the business.


The thing is, we tried this already. Twice.

First with domain names. The domain "nissan.com" is not owned by the well-known car company but by a completely unrelated computer company. As "Nissan Motors v. Nissan Computer" settled, this is totally fine and Nissan Computer still owns the domain.

Besides exact matches there are also similar-looking names. For example, a student named Mike Rowe started a small webdesign company called MikeRoweSoft, which drew the attention of Microsoft, leading to "Microsoft v. MikeRoweSoft" - which was settled out of court and resulted in the domain being transferred to Microsoft.

Second are Extended Validation domains - which used to show the company name in the URL bar. As Ian Carroll demonstrated[0] this isn't really worth a lot, and browsers no longer bother showing it at all[1].

Company names also often overlap when they are active in different areas, such as Apple Corp (record label founded by The Beatles) and Apple Inc. (tech multinational) - which over the years have shifted towards a rather impressive market overlap! Some companies are split with both sides keeping the original name, such as Motorola Inc.'s split into Motorola Solutions and Motorola Mobility. Sometimes products are sold under a completely different brand name, such as HMD selling Nokia-branded smartphones, or TP Vision selling Philips-branded televisions while MMD sells Philips-branded gaming monitors!

The thing is, reality is just too complicated for a "very simple" register. How are you supposed to fit in all of the scenarios listed above while still keeping it usable?

[0]: https://arstechnica.com/information-technology/2017/12/nope-...
[1]: https://www.troyhunt.com/extended-validation-certificates-ar...


.uk has .ltd.uk and .plc.uk which are only available to registered companies. No one uses them.


Your name confusion is missing the point. It's the central registration done at a national level, not a true delimitation of which domain names which companies can own. A company could use downloadfreeram.tk, as long as it's officially registered in the national company register.


OK. What do you do in the United States where every state (and territory and the federal administrative district) has its own company register? Or where a vast number of businesses are sole proprietorships that have registered their trade name in their local county office?


Sounds like there might be some kind of solution for this that - just spitballing here - uses networked computers.


So private individuals would not be allowed to register domains?

It sounds a bit like you just want WHOIS, which in practice turned out to be a bit useless.


Semi-OT: You just reminded me of dealing with subsidiaries in the 1980s and 1990s (before chains of certs).

I spoke up about it on a mailing list (probably an IETF one), saying that subsidiary companies should be required to have not xyz.com but xyz.<owning company>.<over-seeing owner company>.com as their address. Example: in the U.S. it's not simple to get the /real/ xyz with all the vitamins. So a hypothetical xyz.com should really turn up in search results as xyz.<parent company>.com.

Adjust as fits. Maybe $xx/year or the quantity of companies underneath the major owner before compliance.

I was praising the value of something I did know the USian market had a distributorship over [in the geographical realm] with a sub-standard product.

Let me know that I am looking at stats on y product (only served in z country).

Let me know that the xyz name in my country is different to your place.


> To me it's very simple: nation states should have their own layer that uses the national registry for companies to verify a domain.

I think this can just add layers of bureaucracy that don't address the problem anyway.

In the early days of widespread internet use in Sweden it was quite difficult to register a .se web-address: not only were company documents needed, but the authority that granted use of the address also split your right to it geographically within Sweden, so that if you wanted the address to stretch across the whole country you needed to make multiple applications (using a subdomain system).

This process just made it almost impossible for a small personal startup to own a Swedish domain, and it was completely impossible to register a domain on a 'try-it' basis, to see if a nascent business idea would take off.

In other words it just entrenched the dominant position of incumbents.

What happened instead, was that Swedes registered .com addresses, or .nu ('now' in Swedish), or other variations. And the same sort of thing would happen now: the international fraudulent sites would still be possible - just legitimate registrations would become much harder.

A little like what happens with pirating, where people using pirated software often have to jump through fewer hoops than legitimate users, who've paid for their installs, but need to constantly dial-up to be allowed to keep using the tools they've bought.

tl;dr: more bureaucracy for legitimate businesses, but it doesn't address the core problem for end-users.


I'm not saying that you need to be a company to have your own domain. I'm saying that if your domain represents a company there should be some way to automatically check that against a database of registered businesses.


Wasn't that what the higher tier SSL certificates effectively aimed to do?


Yes, EV (Extended Validation) was for that; the certificate authority had to verify you're a legitimate business with that name. However, it didn't really work well: https://arstechnica.com/information-technology/2017/12/nope-...


In Germany we have an approach with a somewhat similar effect.

For any site with a commercial intent (which is pretty loosely defined) it is mandatory to have an Imprint with the person representing the company, the address of the HQ as well as the company's registration number and court location. It makes it somewhat more transparent what company is behind the site and gives you information you can look up in public registries.

I hate it from a privacy perspective but it's okay for consumer protection.


My rude opinion: the imprint is nonsense. It does not protect you from fake shops at all. It's a no-brainer to copy one from another shop. As a legit seller you can be sued by shady lawyers for errors in the imprint. Who is looking in public registers while shopping online…


I actually do know quite a few people who look up the imprint before shopping there, especially when they buy stuff as a business. You're obviously right that it's fairly easy to copy an imprint, and the whole shady lawyer thing for minor errors is also absolutely a pain.

I don't think it's completely useless, but it's certainly not perfect either. As the parent comment suggested, having a business register its legit domains would probably make sense from a consumer protection point of view.

However, with the current state of the digital administration in Germany this change would introduce so much overhead that it would lead to a lot of justified opposition.


Family members as commercial buyers not only read imprints, but also check the seller and his company in various scoring portals. In the commercial domain, nice consumer protection does not exist anymore.


For well known shops: Probably nobody. But if I find a good price on an unknown (to me) shop I'll check the tax ID from the imprint on Google.

crt.sh is also nice to figure out how long an operation has been using SSL (e.g. mtz-elektronik[dot]de has been used by scammers on hacked Amazon shops for a few days).
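The crt.sh check above, worked through as an added example (not code from the commenter or from crt.sh itself): it takes the JSON that crt.sh returns for a domain query, finds the earliest `not_before` across all logged certificates, and turns that into an "age in days" plus the set of issuers and names. The records below are constructed for this example with a placeholder domain; the field names (`id`, `issuer_name`, `name_value`, `not_before`, `not_after`) are the ones crt.sh's JSON export uses, and `fetch_crtsh` is only there to show the live call (it is not run offline).

```python
"""Estimate how long a domain has been receiving certificates, from crt.sh
JSON output. Added example: SAMPLE_JSON is constructed, the domain is a
placeholder, and the 'young' threshold is an assumption."""
import json
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Dict, List

# Constructed sample of what crt.sh returns for ?q=<domain>&output=json,
# trimmed to the fields this example uses. Certificates arrive unordered.
SAMPLE_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "shop-example.invalid\nwww.shop-example.invalid",
     "not_before": "2022-11-01T00:00:00", "not_after": "2023-01-30T00:00:00"},
    {"id": 1000, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "shop-example.invalid",
     "not_before": "2022-10-29T08:14:00", "not_after": "2023-01-27T08:14:00"},
    {"id": 1002, "issuer_name": "C=US, O=Google Trust Services LLC, CN=GTS CA 1P5",
     "name_value": "www.shop-example.invalid",
     "not_before": "2022-11-02T10:00:00", "not_after": "2023-01-31T10:00:00"},
])


def fetch_crtsh(domain: str) -> List[Dict]:
    """Live lookup (needs network); the offline walkthrough below never calls it."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": domain, "output": "json"})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode())


def parse_records(raw: str) -> List[Dict]:
    """Parse timestamps and split the newline-joined SAN list crt.sh emits."""
    recs = json.loads(raw)
    for r in recs:
        r["not_before"] = datetime.fromisoformat(r["not_before"])
        r["not_after"] = datetime.fromisoformat(r["not_after"])
        r["names"] = r["name_value"].split()
    return recs


def first_seen(recs: List[Dict]) -> datetime:
    """Earliest validity start across every logged certificate for the query."""
    return min(r["not_before"] for r in recs)


def age_days(recs: List[Dict], now: datetime) -> int:
    return (now - first_seen(recs)).days


def issuers(recs: List[Dict]) -> List[str]:
    return sorted({r["issuer_name"] for r in recs})


def all_names(recs: List[Dict]) -> List[str]:
    return sorted({n for r in recs for n in r["names"]})


def summarize(raw: str, now: datetime, young_days: int = 30) -> Dict:
    """One-glance summary; 'young' flags a TLS history shorter than young_days (assumed cutoff)."""
    recs = parse_records(raw)
    age = age_days(recs, now)
    return {
        "first_seen": first_seen(recs).isoformat(),
        "age_days": age,
        "issuers": issuers(recs),
        "names": all_names(recs),
        "young": age < young_days,
    }


if __name__ == "__main__":
    # Offline run against the constructed sample, "today" fixed for reproducibility.
    print(summarize(SAMPLE_JSON, datetime(2022, 11, 3, 6, 0)))
```

Two caveats a practitioner would keep in mind: `not_before` is when a certificate became valid, not when the domain was registered, and the comment above is about a legitimate domain being abused on hacked shops, so an old TLS history is not proof of a clean operation either; a very young history is a signal to look harder, nothing more.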


I think their argument was that anybody can just copy the imprint of a legitimate business.

It doesn't stop the fraudulent "potato-shop.de" from trying to look like the real "potatoshop.de".


Fraudulent websites could just add fake/copied information, no? A special domain doesn't have that issue.


Oh they do copy this information! I became a victim of such a fraud because the whole website looked really legitimate to me, and I am the "tech guy" in our family. Thing is: fraudsters create good looking websites and just copy all the company information from other stores, put in a non-working telephone number and email and they are good to go. There are thousands of small businesses that sell stuff online.

One would argue that there is a Handelsregistereintrag (record of commerce at the officials) that might help, but it only contains information about the seller, including contact details and what they do, and not domains. And the record is not needed for small businesses.

TLDR: Germany seems to have hurdles for fraudsters, but they are easily taken by simply copying information from legit stores.


Yes, copying that information is obviously fairly easy and allows the scammer to make at least short-term legit-looking websites.

Adding the legit domains to the Handelsregister doesn’t seem like the worst idea to me. However, as the digital access to government services is still basically non-existent this would lead to a whole lot of additional bureaucracy and slowed down processes.


Some PKI would prevent copying, the same way that no one else can pretend to be https://Google.com.


There are political edge cases.

Let's say I set up a site that's critical of an authoritarian government. I fund it with sales of merch and books and such.

I want to be anonymous - for obvious reasons - but if I have to register my details I can't be.

Also, accountability doesn't work without international authority. Some countries are more enthusiastic about accountability and the rule of law than others, and the ones who aren't can make money by selling "credible" domains to bad actors.

Of course after a while those domains will become less credible. But there are a lot of TLDs out there now, which makes the system very difficult to police without international cooperation.

In reality I can run a scam operation from a beach in Thailand, bank the money, shut it down, then run a very similar scam operation from a beach in Vietnam or Costa Rica. That won't change until there's some kind of international cyberpolice agency which will hunt me down across borders.

But then you get the anonymity problem.

Not simple, and no registration system will fix this.


Internationally and more broadly, you're totally right. In the subthread of Germany and their existing Imprint registration system though, we have the technology for making it so the imprints can't just be copied by scammers, or at least make it harder than it currently is.


I mean, if you sell stuff on the internet I should be able to make sure you're an actual reachable entity with legal responsibility.

Now, if they made it into a standard that could be included into the browser's UI...


Yes, I do think it’s absolutely sensible to make something like this mandatory for people who sell stuff or have some kind of commercial interest.

However, the law is pretty unclear about what is considered commercial interest. This effectively leads to the situation where basically any site of any kind is expected to have an imprint or otherwise, you can expect to get a nice and expensive writing from a lawyer.


It shouldn't be mandatory. You should just be able to attach all your domains to your entry in the commercial register.

Then browsers could query it and show that it's legitimate.

But it's probably really hard to implement for technical and legal and organisational reasons.


To register a .com.au or .net.au domain, you have to provide your ABN (Australian Business Number). The problem with that, however, is you don't have to prove you have the authority to do so. You can enter any business's ABN.


The path to a China-esque ICP recordal system.


Some countries do _kinda_ have this: for registering `.no` domains you need to be a Norwegian citizen or do it through a Norwegian company. Not sure how much that actually helps though?


Even better, let's get rid of names as identifiers. We all know names are problematic.

We could use government-issued tokens, maybe on a government-run blockchain.

And we could use the same for our personal (corporate) selves, such that all of our economic interactions were moderated through a government-run identity blockchain.

I want the mark on my forehead please, not the wrist, so I can pay by bowing my head to the money-god instead of just laying my wrist on the sensor.

What could possibly go wrong?


A database of businesses already exists.

Businesses usually have domain names just like they have physical addresses.

If the database were to include the domain names we could make automatic checks to give the user more assurances.

Your reply is mind boggling and totally foreign to the topic.


What database are you referring to? Is there an international database for all businesses registered in every single country that everyone universally signs up for when they incorporate?


Every nation has its own. Nations that want to make their citizens safer when surfing the web could open up a standard API to make such automated queries


That would be a great idea.


In practice consumers just go straight to Amazon because they're afraid of the wider internet and depend on the return policy to save them when they get scammed. Doubt any "opt-in validation, ring of trust, p2p feedback and rating" will change that in the next decade.


This and the fact that they have your cc and shipping already on file, which makes things a lot easier. More than once I have found a product on some site and then purchased it from Amazon just because it is so much easier.


That’s kind of what antivirus web plugins do


Curious question: Why are all these sites behind Cloudflare and why is Cloudflare not acting?

These sites are literally made to steal my grandma's money when she's buying presents for Christmas and what not.


Thanks for investigating this and ultimately getting the fraudulent store taken down. I saw the same social media post regarding the fraudulent store and was surprised that a small local store was targeted with this kind of attack. A good mix of small stores and major corporations in the list. I wonder if they target the small stores because SEO is easier?

It's inspiring to see you follow up like this and help out a wonderful mountain shop. A great reminder and inspiration to be more involved in my community.


Were they billing the cards or just reselling the data? The second option seems more probable.


Isn't this something that Extended Validation certificates were designed to address?


Yes, but they were expensive and didn't really work - https://arstechnica.com/information-technology/2017/12/nope-...


Ish. But there are two significant flaws for ecommerce:

1. Knowing that the company using the certificate is who they say they are doesn't necessarily mean you can trust them not to be fraudulent traders.

2. Control of the domain names and associated certificates can change hands after the fact, officially through buyouts/mergers or via more nefarious means, just like any other certificate.

And of course there is the other key question to address, which is:

3. How do you trust those validating the certificate? The average user is not going to know/care that a rogue CA exists and it might take some time for their actions to be noticed and for appropriate revocations to happen.

However they were intended to be used, HTTPS and certificates for it are used to protect data in transit and not really for identity assurance.

----

There is also the more cynical view that the main thing EV certs addressed was the desire for CAs to bring in some revenue, especially as standard certs became more and more a commodity item (now effectively free) with low or zero margins.


Does anyone care? I've seen this reported many times, and it never gets the same attention as phish


I wonder if the best bet would be to hash the main site and its images. Then retroactively scan sites with similar HTML hash and flag them?

Fairly sure you could do an HTML search with Google; 7 stores having extremely similar HTML and images seems rather unlikely.

Effectively, it's virus total but for copycat sites.


But there's no such thing as a "similar" hash - change one character in the HTML, and the hash would be completely different.
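Both comments above are right in different ways, so here is an added example (not from either commenter) that shows the distinction in code: a cryptographic hash such as SHA-256 changes completely when one digit of a page changes, whereas a locality-sensitive fingerprint (a Charikar-style simhash over word shingles of the HTML) stays within a few bits of the original and far from an unrelated page, which is what a defender wants for spotting copycat storefronts. The two store pages and the baking page are constructed for this example; the shingle size, 64-bit width and distance cutoff are assumptions, not values from the page.

```python
"""Cryptographic hash vs. similarity hash for copycat-page detection.
Added example; sample pages are constructed and the parameters are assumptions."""
import hashlib
import re
from typing import List

SHINGLE = 3   # words per shingle (assumed)
BITS = 64     # fingerprint width (assumed)

# Constructed: a small outdoor store's page. Tags are kept as tokens on purpose,
# since a copycat usually lifts the markup as well as the text.
ORIGINAL = """<html><head><title>Summit Mountain Shop - Gear for the trail</title></head>
<body><div class="header"><img src="logo.png" alt="Summit Mountain Shop"></div>
<div class="nav"><a href="/shop">Shop</a> <a href="/about">About</a> <a href="/contact">Contact</a></div>
<div class="hero"><h1>Big end of season sale on jackets, boots and packs</h1>
<p>Free shipping on orders over 75 dollars. Expert staff who climb, ski and hike every weekend.</p></div>
<div class="products">
<div class="item"><h2>Alpine Shell Jacket</h2><p>Waterproof three layer shell, 249.00</p></div>
<div class="item"><h2>Ridge Trail Boot</h2><p>Lightweight leather hiking boot, 179.00</p></div>
<div class="item"><h2>Crest 45 Pack</h2><p>Forty five litre backpacking pack, 199.00</p></div>
</div>
<div class="footer"><p>Summit Mountain Shop, 12 Main Street. Call 555 0100. All major cards accepted.</p></div>
</body></html>"""

# Constructed: the same page with a single digit of the phone number changed.
CLONE = ORIGINAL.replace("555 0100", "555 0101")

# Constructed: an unrelated page of similar length.
UNRELATED = """<html><head><title>Weekend Sourdough - A home baking journal</title></head>
<body><div class="header"><h1>Weekend Sourdough</h1></div>
<div class="post"><h2>Feeding the starter before a long bake</h2>
<p>I feed the starter twice on Friday so that it peaks early on Saturday morning. A warm kitchen
speeds this up, a cold one slows it down, and the smell tells you more than the clock does.</p>
<p>Mix flour, water and salt, rest for an hour, then fold every thirty minutes for three hours.
Shape, proof overnight in the fridge, and bake in a hot dutch oven with the lid on for twenty
minutes and off for another twenty.</p>
<p>Notes on this loaf: slightly under proofed, great crust, next time add ten grams more water.</p></div>
<div class="footer"><p>Posted Sunday. Comments are open for two weeks.</p></div>
</body></html>"""


def sha256_hex(html: str) -> str:
    """Exact-match fingerprint: any change at all gives an unrelated digest."""
    return hashlib.sha256(html.encode()).hexdigest()


def shingles(html: str) -> List[str]:
    """Lowercase word n-grams over the raw HTML (tag names included)."""
    words = re.findall(r"[a-z0-9]+", html.lower())
    if len(words) < SHINGLE:
        return [" ".join(words)]
    return [" ".join(words[i:i + SHINGLE]) for i in range(len(words) - SHINGLE + 1)]


def simhash(html: str) -> int:
    """Each shingle votes +1/-1 on every bit position; the sign of the total sets the bit."""
    votes = [0] * BITS
    for s in shingles(html):
        h = int.from_bytes(hashlib.blake2b(s.encode(), digest_size=8).digest(), "big")
        for i in range(BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(BITS) if votes[i] > 0)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def is_near_duplicate(a: str, b: str, max_distance: int = 16) -> bool:
    """Near-duplicate if the fingerprints differ in at most max_distance of 64 bits (assumed cutoff)."""
    return hamming(simhash(a), simhash(b)) <= max_distance


if __name__ == "__main__":
    print("sha256 equal:", sha256_hex(ORIGINAL) == sha256_hex(CLONE))
    print("clone distance:", hamming(simhash(ORIGINAL), simhash(CLONE)))
    print("unrelated distance:", hamming(simhash(ORIGINAL), simhash(UNRELATED)))
```

The practical use is the one the first comment sketches: compute the fingerprint of the legitimate store once, then compare it against crawled candidates; unrelated pages land around 32 bits apart on a 64-bit simhash, while a lifted page stays close even after the copier swaps a name, a price or a phone number.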


A burgle.


Alibaba.


Off-topic, but something seems dangerously off with urlscan.io (a service I had never heard of before).

If I go to urlscan.io and look at the recently scanned sites (which are live-updated), every now and then I can find links with potentially sensitive information.

I found OneDrive and SharePoint links. I was unable to actually access the documents in them (it asked me to login), but I could see their content (or metadata) with UrlScan's "live screenshot" feature.

At one point, it scanned a "reset password" link with the authentication token in the query string (!). I was able to access that link and I would likely be able to reset the password for that specific user. I won't share the underlying website so others don't go ahead looking for it, but it was for a non-US government service.

The impression I have is that some email provider (or perhaps some antivirus software?) is automatically scanning user emails and the links are being shared publicly, alongside a "live screenshot".

I might be missing something, but this is weird.


Nope, not missing anything. It has been a problem for GitHub (https://news.ycombinator.com/item?id=30348980) and others (https://portswigger.net/daily-swig/urlscan-io-api-unwittingl...).


You are not the only one. This was posted/discussed earlier today: https://news.ycombinator.com/item?id=33435002


Makes me question if URL-as-all-factors is a secure way to authenticate someone/thing. Even with SSL encrypting the path, there is the risk of someone sharing that URL since it is a familiar thing to do to share links.
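The reset-link problem described a few comments up, and the "URL as the only factor" worry here, come down to the link being a bearer secret that will eventually get fetched by something other than its owner. Nothing stops that, so the defensive design limits what the leak is worth: store only a hash of the token, give it a short lifetime, make it single use, and let a GET of the link do nothing but render a form, with the actual reset happening on the POST that carries the new password. The following is an added example of that pattern (not code from any commenter or from urlscan.io); the `ResetStore` class, the 15-minute TTL and the method names are assumptions.

```python
"""Password-reset tokens: hashed at rest, short-lived, single use, consumed on POST only.
Added example; the store, TTL and names are assumptions rather than a real framework's API."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

TTL = timedelta(minutes=15)   # assumed: short enough that a shared or scanned link goes stale fast


@dataclass
class ResetRecord:
    user_id: str
    token_hash: str        # only the hash is stored; a database dump yields no usable links
    expires_at: datetime
    used: bool = False


class ResetStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: datetime) -> str:
        """Create a fresh token for the emailed link and retire any older one for this user."""
        for rec in self._by_hash.values():
            if rec.user_id == user_id:
                rec.used = True
        token = secrets.token_urlsafe(32)          # 256 bits of randomness; never logged
        digest = self._digest(token)
        self._by_hash[digest] = ResetRecord(user_id, digest, now + TTL)
        return token

    def peek(self, token: str, now: datetime) -> bool:
        """GET handler: decide whether to render the new-password form.
        Deliberately does not consume the token, so a crawler or URL scanner
        fetching the link neither spends it nor triggers a reset."""
        rec = self._by_hash.get(self._digest(token))
        return rec is not None and not rec.used and now < rec.expires_at

    def redeem(self, token: str, now: datetime) -> Optional[str]:
        """POST handler: consume the token and return the user it belonged to, once."""
        rec = self._by_hash.get(self._digest(token))
        if rec is None or rec.used or now >= rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


if __name__ == "__main__":
    store = ResetStore()
    t0 = datetime(2022, 11, 3, 12, 0)
    link_token = store.issue("alice", t0)
    print("form shown:", store.peek(link_token, t0 + timedelta(minutes=1)))
    print("first redeem:", store.redeem(link_token, t0 + timedelta(minutes=1)))
    print("second redeem:", store.redeem(link_token, t0 + timedelta(minutes=2)))
```

With this shape, a link that lands on a public scanner is harmless once it has expired or been used, and even a live one gives an observer only the form, never a completed reset, unless they also submit the POST before the owner does; the remaining window is the TTL, which is why it is kept short.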


With third party cookies going away, URL parameters are the only way to do SSO across domains. Not much you can do about it.


With SAML, IIRC, the IdP request is a GET (but hey, that one is fairly public - no credentials have been supplied yet) and the response is a POST back to the origin site.


An Amazon?


"The Internet"?


A phish


If homophones are the pattern to follow, then (since a large collection of legitimate stores can be thought of as a "mall") perhaps the new word should be "a maul" or "a mawl" (suggestive of being something that swallows your money, and doesn't give you anything of value in return).


Maybe I should have said a phishbowl then!


A Trey of phishing sites.


Yo!



