Phishing and GeoTrust: Yeah, Right

Picture credit: http://www.colorado.edu
Here's yet another apparent "boil the ocean" approach that purports to solve the problem of phishing. According to News.com, GeoTrust plans to offer tools for "trusted search". Later this year, it will reportedly introduce tools that will help consumers detect fraudulent phishing storefronts.

As an aside, I've always wondered about the PR folks behind stories like this. Over the years, I never found a public relations person capable of getting stories like this into the press. Consider the pitch: "sometime, later this year, but we can't say exactly when, we may come out with a technology similar to that of, say, Thawte Secure Site. Plus, it may require a download." Damn. That's one heck of a PR person.

The first problem I have with this approach? It looks like it requires a download. I call that a "boil the ocean" tactic: everyone has to download the client to get the benefit. Sorry, that business model is -- to put it bluntly -- about as feasible as stuffing Michael Moore into a Mini Cooper. Unless you're Google, don't expect folks to install yet another piece of client software. And I won't even bring up the support issues... oops, I guess I just did.

Next, consider the opportunities for spoofed GeoTrust downloads. A bad guy could easily offer a free download on thousands of freeware/shareware download sites that purports to be GeoTrust or a like-named product. Instead, it's a malicious trojan that serves as a gateway into your PC for some crook in Al-Qaeda-stan.

The GeoTrust software will apparently display a "badge or mark" of some kind to designate a legitimate site. Should I mention the fact that this approach has been used for years (e.g., Thawte's Secure Site)? And it's vulnerable to visual spoofing similar to that used by classic phishers?

Finally, I believe this problem has to be solved either on the server side (I proposed an anti-fraud checklist for financial institutions a while back) or integrated directly into the browser. FireFox is an excellent candidate for providing a more sophisticated suite of anti-phishing technologies.

But these guys have really good P.R. people.

Later this year, the company plans to offer tools for "trusted search," CEO Neil Creighton said during a meeting at the AlwaysOn conference in Palo Alto. In a nutshell, this means that search results will feature a badge or mark to indicate whether a company has been properly identified and authenticated through GeoTrust's software. The lack of a badge doesn't mean that a company is fraudulent, but consumers will at least know that businesses featuring the badge have been vouched for. In turn, Creighton theorized, authenticated companies may see higher click-through rates because of the visible authentication badge... A large broadband provider later this year is expected to include GeoTrust's software in its toolbar.

News.com: New search tools aim to identify phishers, fraudsters