22 Nov,2012 11:14 IST
Getting A Hang Of Website Security
Symantec's Sarabjeet Khurana explains the need for extended Validation (EV) SSL certificates in an online world
Apprehensions Of The Online User
At the same time, experts predicting that online banking, and other accounts, will grow to become the primary customer touch-point over the next decade. One factor that hampers the uptake of online transactions continues to be the reluctance to conduct transactions due to concerns about protecting confidential information. Although research has proved that identity theft occurs more often in an offline world than online, many Internet users are nonetheless extremely wary of identity theft.
The apprehension of an online user is easy to understand with the following behavioural patterns:
• Abandoned shopping carts add up to lost sales and missed revenue.
• Click-through tracking shows that potential customers reach enrollment forms, but do not complete them.
• Search analytics and alerts show how brands and company names are hijacked to lure customers away from legitimate sites.
The Evolved Phishing Scam
With scams on the internet becoming more advanced and sophisticated, trust which is the most important aspect of the online business ecosystem is eroded. Emails and websites are getting more legitimate in appearance to trick visitors into sharing confidential information. SSL stripping, a type of man-in-the-middle attack, redirects users to “secure” websites that are fake (i.e., some security measures have been taken, and are displayed, but the website is not really the one the visitor believes they are visiting). These types of attacks often target webmail applications, secure sites, and intranets. In the month of April this year, phishing on Indian brands was 0.22 per cent of the global phishing statistics which increased to 0.33 per cent in six the month of September. Also it is interesting to note that in May 2012, all phishing attacks on Indian brands targeted the banking sector - with 1 in 4 using a .IN domain.
The Answer To Confident Online Transactions – Extended Validation
To help prevent phishing attacks from being successful and to build customer trust, online businesses also need a way to show customers that they are engaging in legitimate business. Extended Validation (EV) SSL Certificates are the answer, offering the highest level of authentication available with an SSL Certificate and providing tangible proof to online users that the site is indeed legitimate.
Most users often check visual indications that a website is using SSL – the closed padlock and “https” in the URL are examples. Fraudsters have found a way around this and abused this trust by taking advantage of lax validation policies used by some Certification Authorities (CAs), and purchased SSL certificates for fake domains. They have used these SSL certificates to create “secure” sites from which to launch phishing and man-in-the-middle attacks, thereby undermining overall consumer confidence. EV SSL certificates provide an extra layer of protection for consumers and website owners by requiring that applicants follow a strict issuance and management process, as defined by the CA/Browser Forum, prior to being issued an EV SSL certificate. Support for EV SSL has become a standard security feature in mainstream Web browsers such as Internet Explorer and Firefox, and on mobile devices on various platforms. These browsers recognize EV-secured websites and show the presence of EV in a visually distinctive way so that users can easily see that the website can be trusted.
The Value Of EV SSL – The Relevance Of The ‘Green Bar’
With the increase of EV SSL, the green address bar is becoming a “must have” for a wide range of industries doing business online. The ability to track impressions, clicks, and interactions make it possible to measure the return on investment in EV SSL and quantify the value of better security to any company’s bottom line. A prerequisite to convert shoppers into buyers and visitors to members requires a high degree of trust and confidence in a given website. Also, for companies that must comply with regulatory standards related to securing personally identifiable information, EV SSL certificates help reduce risk of non-compliance and communicate the implementation of rigorous protection measures against well-known threats. By using EV SSL and educating customers to look for the green bar, companies mitigate the risk of mid-stream interception and demonstrate efficacy of security measures.
With the inevitable growth of online services and sales becoming key drivers of growth for businesses of all sizes across a wide range of industries, certificates with EV are a proven tool that makes it easy for online users to feel confident about sharing their personal information. They are a “must have” for businesses that want to maximize their online growth potential. Also, in and online world where fraud and scams are common, the rigorous authentication process behind EV SSL can enable a reputable online business to stand out from the rest.
(The author is Director, Website Security Solutions, Symantec India)