Digital certificates by ps94506


Digital certificates
Many charities use an online payments service such as Bmycharity or Worldpay to collect
donations and other payments from members and supporters. Although these particular services
are, of course, secure and utterly trustworthy, recent incidents demonstrate that fraudsters are
nevertheless able to set up fake sites that trick many people into thinking that their bogus site is the
real one, and so obtain their victims’ money by deception.

All bona fide payment collection services tell us that they use “secure web sites”, but what does
that really mean?

The technology used by secure websites is known as Secure Sockets Layer (“SSL”), and makes
use of an encryption system based on “digital certificates”. A digital certificate is an electronic file
that authenticates the credentials of the web server and its owner. An organisation or individual
can apply to one or more certification authorities (such as Verisign) for a digital certificate for their
web site. The certification authority will carry out checks to see that the applicant is the owner of
the domain name for the web site in question (e.g. …). In the case of a
company, the certification authority will also check that the registration and location details of the
applicant match those of the company.

Once a certificate is granted, it can be installed on the server that hosts the organisation’s website
and this allows data transferred between the website and its users to be encrypted. The encryption
method used ensures that only the host website is able to decrypt the data that the user transmits.
SSL has proven to be a reliable and secure method of securing Internet data. Web pages that use
SSL are prefaced with https:// rather than http://, and (in Internet Explorer) a little padlock will be
visible in the browser status bar (near the bottom right of the screen). Double-clicking that padlock
will reveal the details of the digital certificate granted to that website/organisation.

So far, so good, but there would be nothing to stop me from setting up a company called
something like “Charity Donations Ltd” and registering a domain name such as … Then I can set
up my secure payments website on … (These are fictitious names and in no way meant to represent any
existing persons or operations.) So far, I have done nothing illegal and anyone wanting to give me
their bank details electronically using that website would be able to do so, no doubt comforted by
the thought that it is a secure website.

To persuade them to do this, now I get my fraudster friend to set up a website that looks exactly
like the website of a real charity (perhaps yours!), having bought a domain name that is similar
enough not to set any alarm bells ringing. I can register this website on a few search engines, so
that potential supporters of the real charity might come across the bogus one by mistake.
Alternatively, my fraudster friend might send out some spam emails purporting to come from your
charity, inviting them to visit “your” site and make a donation. The bogus website then directs
people to the “secure” payments site and collects their money from them.

The lesson behind all this is that very few UK charities appear to have a digital certificate for their
own website, instead relying on the security offered by a third party such as Bmycharity or
Worldpay. Supporters may know a lot about the charity, but they may know nothing about Bmycharity
or Worldpay. Many of them probably wouldn’t think twice about clicking on a link to a secure site
called … if they thought that they were looking at the charity’s
genuine website.

People might think that they don’t need a digital certificate if there is nothing confidential on their
site or they are not going to sell things or take donations. However, the example above shows that
it would be easy for fraudsters to set up a bogus site that does take donations and trick some of
their supporters into parting with their bank details. Apart from the loss of income this represents,
the adverse publicity for the charity could be very damaging. People would say “How was I
supposed to know that this wasn’t the charity’s real website?”

One easy and inexpensive way that charities could help protect themselves against this sort of
scam is to apply for an SSL Certificate for their own domain name. (Another would be to buy up all
similar domain names to prevent fraudsters from getting them.)

If the charity uses a third party to collect donations etc., the page on the charity’s own website that
links to the secure collection website should be secured, so that users can verify the charity’s
details on the charity’s digital certificate before being transferred to the secure payments site.

Even if the charity doesn’t think it needs its website to be secure, it may wish to have a digital
certificate icon on one of its pages (e.g. the “about us” section), so that its members and
supporters can check the authenticity of the site. Any literature that the charity produces could then
advise people to check the authenticity of its website by clicking on the “about us” link and viewing
the certificate details.
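As an added example (not part of the original article), here is the check a supporter or a charity’s webmaster is really making when they look at the certificate details behind the padlock: a valid certificate for the domain proves only who owns that domain, so the organisation named in the certificate has to be the charity itself. The certificate dicts, domain names and charity names below are constructed for illustration; `fetch_certificate` retrieves a live server’s certificate in the same shape.

```python
import socket
import ssl
import time

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# All names are fictitious, like the article's own "Charity Donations Ltd" example.
CHARITY_CERT = {
    "subject": ((("organizationName", "Example Charity"),), (("commonName", "www.example-charity.org.uk"),)),
    "subjectAltName": (("DNS", "www.example-charity.org.uk"), ("DNS", "example-charity.org.uk")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
FRAUD_CERT = {  # a genuine CA-issued certificate, but for the fraudster's own company
    "subject": ((("organizationName", "Charity Donations Ltd"),), (("commonName", "secure.charity-donations.example"),)),
    "subjectAltName": (("DNS", "secure.charity-donations.example"),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}
def dns_names(cert):
    """DNS names the certificate was issued for (subjectAltName, else the commonName)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def organisation(cert):
    """Organisation named in the subject, or None for a domain-only certificate."""
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "organizationName"), None)

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_certificate(cert, host, expected_org, now=None):
    """(ok, problems): the name must match, the organisation must be the expected charity, not expired."""
    problems = []
    if not any(name_matches(n, host) for n in dns_names(cert)):
        problems.append(f"not issued for {host}")
    org = organisation(cert)
    if org != expected_org:
        problems.append(f"issued to {org!r}, not {expected_org!r}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < (time.time() if now is None else now):
        problems.append("expired")
    return (not problems, problems)

def fetch_certificate(host, port=443, timeout=10):
    """Same dict from a live server (needs network, so not exercised here); the default
    context verifies the chain and hostname, exactly as the browser's padlock does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

The point of the two sample certificates is that both pass the browser’s own checks; only the organisation comparison tells a supporter that the second site is not the charity.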

SSL Certificates cost from around £250 per year (depending on the “strength” of the encryption
used), but purchasers who use an ISP should first check with them what their options are, as the
certificate needs to be installed on the ISP’s web server. For e-commerce transactions, 128-bit
encryption is required, but 40-bit encryption would probably be satisfactory for general
authentication purposes.

Of course, fraudsters will always find a way of conning people out of their money, and the growth
of online systems has made it easier for fraudsters and other malicious individuals to operate.
Charities need to be constantly alert to their information security risks, and find ways of mitigating
those risks.
