Digital certificates

Many charities use an online payments service such as Bmycharity or Worldpay to collect donations and other payments from members and supporters. Although these particular services are, of course, secure and utterly trustworthy, recent incidents demonstrate that fraudsters are nevertheless able to set up fake sites that trick many people into thinking that the bogus site is the real one, and so obtain their victims’ money by deception. All bona fide payment collection services tell us that they use “secure web sites”, but what does that really mean?

The technology used by secure websites is known as Secure Sockets Layer (“SSL”), and makes use of an encryption system based on “digital certificates”. A digital certificate is an electronic file that authenticates the credentials of the web server and its owner. An organisation or individual can apply to one or more certification authorities (such as Verisign) for a digital certificate for their web site. The certification authority will carry out checks to see that the applicant is the owner of the domain name for the web site in question (e.g. www.anycharity.org.uk). In the case of a company, the certification authority will also check that the registration and location details of the applicant match those of the company. Once a certificate is granted, it can be installed on the server that hosts the organisation’s website, and this allows data transferred between the website and its users to be encrypted. The encryption method used ensures that only the host website is able to decrypt the data that the user transmits. SSL has proven to be a reliable and secure method of securing Internet data. Web pages that use SSL are prefaced with https:// rather than http://, and (in Internet Explorer) a little padlock will be visible in the browser status bar (near the bottom right of the screen).
Double-clicking that padlock will reveal the details of the digital certificate granted to that website/organisation. So far, so good, but there would be nothing to stop me from setting up a company called something like “Charity Donations Ltd” and registering a domain name such as donatecharity.co.uk. Then I can set up my secure payments website on https://www.donatecharity.co.uk. (These are fictitious names and are in no way meant to represent any existing persons or operations.) So far, I have done nothing illegal, and anyone wanting to give me their bank details electronically using that website would be able to do so, no doubt comforted by the thought that it is a secure website. To persuade them to do this, I now get my fraudster friend to set up a website that looks exactly like the website of a real charity (perhaps yours!), having bought a domain name that is similar enough not to set any alarm bells ringing. I can register this website with a few search engines, so that potential supporters of the real charity might come across the bogus one by mistake. Alternatively, my fraudster friend might send out some spam emails purporting to come from your charity, inviting recipients to visit “your” site and make a donation. The bogus website then directs people to the “secure” payments site https://www.donatecharity.co.uk and collects their money from them.

The lesson behind all this is that very few UK charities appear to have a digital certificate for their own website, relying instead on the security offered by a third party such as Bmycharity or Worldpay. Supporters may know a lot about the charity, but they may know nothing about Bmycharity or Worldpay. Many of them probably wouldn’t think twice about clicking on a link to a secure site called https://www.donatecharity.co.uk if they thought that they were looking at the charity’s genuine website.
People might think that they don’t need a digital certificate if there is nothing confidential on their site or they are not going to sell things or take donations. However, the example above shows that it would be easy for fraudsters to set up a bogus site that does take donations and trick some of their supporters into parting with their bank details. Apart from the loss of income this represents, the adverse publicity for the charity could be very damaging. People would say, “How was I supposed to know that this wasn’t the charity’s real website?”

One easy and inexpensive way that charities could help protect themselves against this sort of scam is to apply for an SSL certificate for their own domain name. (Another would be to buy up all similar domain names to prevent fraudsters getting them.) If the charity uses a third party to collect donations etc., the page on the charity’s own website that links to the secure collection website should itself be secured, so that users can verify the charity’s details on the charity’s digital certificate before being transferred to the secure payments site. Even if the charity doesn’t think it needs its website to be secure, it may wish to have a digital certificate icon on one of its pages (e.g. the “about us” section), so that its members and supporters can check the authenticity of the site. Any literature that the charity produces could then advise people to check the authenticity of its website by clicking on the “about us” link and viewing the certificate details.

SSL certificates cost from around £250 per year (depending on the “strength” of the encryption used), but purchasers who use an ISP should first check with them what their options are, as the certificate needs to be installed on the ISP’s web server. For e-commerce transactions, 128-bit encryption is required, but 40-bit encryption would probably be satisfactory for general authentication purposes.
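As an added example (not part of the original article), here is the padlock check that the article asks supporters to make by hand, done in code: given a certificate in the dictionary form returned by Python’s ssl.getpeercert(), it reports whether the certificate is current, is issued for the hostname being visited and names the organisation the visitor expects. The certificates, organisation names, domain names and dates below are constructed for illustration; the payments-site certificate shows the article’s point that a perfectly valid certificate for a lookalike domain says nothing about the charity.

```python
import ssl

# Constructed sample certificates in the dictionary form returned by
# ssl.SSLSocket.getpeercert(); every name and date here is fictitious.
GENUINE_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Any Charity"),),
                (("commonName", "www.anycharity.org.uk"),)),
    "subjectAltName": (("DNS", "www.anycharity.org.uk"), ("DNS", "anycharity.org.uk")),
    "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Jan 15 00:00:00 2026 GMT",
}
# A valid certificate for a lookalike payments site: nothing about it is forged,
# it simply names a different organisation from the charity the visitor expects.
LOOKALIKE_CERT = {
    "subject": ((("countryName", "GB"),), (("organizationName", "Charity Donations Ltd"),),
                (("commonName", "www.donatecharity.co.uk"),)),
    "subjectAltName": (("DNS", "www.donatecharity.co.uk"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Jan 15 00:00:00 2026 GMT",
}
# Fixed "current time" so that the checks are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

def subject_field(cert, key):
    """Return one subject attribute (e.g. organizationName), or None if absent."""
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == key), None)

def hostname_matches(cert, hostname):
    """True if a subjectAltName DNS entry covers hostname; a leading '*' label
    stands for exactly one label, which is how browsers treat it."""
    host = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        labels = name.lower().split(".")
        if kind == "DNS" and len(labels) == len(host) and (
                labels == host or (labels[0] == "*" and labels[1:] == host[1:])):
            return True
    return False

def check_certificate(cert, hostname, expected_org, now=SAMPLE_NOW):
    """The padlock check: is the certificate current, issued for this hostname, and
    does it name the expected organisation? Returns the problems found (empty if none)."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate is not issued for {hostname}")
    org = subject_field(cert, "organizationName")
    if org != expected_org:
        problems.append(f"certificate names {org!r}, not {expected_org!r}")
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            < ssl.cert_time_to_seconds(cert["notAfter"])):
        problems.append("certificate is outside its validity period")
    return problems
```

Run against the lookalike certificate with the charity’s name as the expected organisation, the only finding is the organisation mismatch: the hostname and dates are perfectly in order, which is exactly why the padlock alone is not enough.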
Of course, fraudsters will always find a way of conning people out of their money, and the growth of online systems has made it easier for fraudsters and other malicious individuals to operate. Charities need to be constantly alert to their information security risks, and find ways of mitigating those risks.