26 July 2008

TechTip: Who Is Getting Your Credit Card Information?

When sending credit card or other sensitive information through your browser, phishing is a serious problem. Maybe your browser is showing "https://www.mybank.com" in the address bar, but somebody else is getting the information.

This can be avoided very easily by just remembering to click somewhere. No degree in IT or installation of additional programs needed.

First, make sure that https is used (see the URL in the address bar), then check who owns the SSL certificate. Let's take for example https://mail.google.com.


Click the grey lock on the right of the web address and it should say:
"mail.google.com verified by Thawte Consulting".
Internet Explorer
Click the yellow lock on the right of the web address and select "view certificate". It should say:
"issued to: mail.google.com, issued by: Thawte SGC CA".
If it says "issued to criminals who want to steal your money", then something's wrong.
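
The same check can be scripted. The Python sketch below is an added example, not part of the original tip: it reduces a certificate to the "issued to" and "issued by" fields the browser dialog shows and tests whether the certificate covers the host you meant to visit. The sample certificate is constructed from the names quoted above, and the function names are chosen for this example.

```python
import socket
import ssl

def name_field(rdns, key):
    """Return the first value of `key` in a getpeercert() name tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def summarize(cert, expected_host):
    """Reduce a getpeercert() dict to what the browser's certificate dialog shows."""
    issued_to = name_field(cert.get("subject", ()), "commonName")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names and issued_to:
        names = [issued_to]  # older certificates carry the host only in the CN
    return {
        "issued_to": issued_to,
        "issued_by": name_field(cert.get("issuer", ()), "commonName"),
        "matches_host": any(host_matches(n, expected_host) for n in names),
    }

def fetch_cert(host, port=443, timeout=5):
    """Live lookup; the handshake itself fails on an untrusted chain or wrong host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format, built from the names in the article.
SAMPLE = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Thawte Consulting"),),
               (("commonName", "Thawte SGC CA"),)),
}

if __name__ == "__main__":
    print(summarize(SAMPLE, "mail.google.com"))   # offline, uses the sample
    print(summarize(SAMPLE, "www.mybank.com"))    # certificate is for another host
```

For a live site, pass the result of `fetch_cert(host)` to `summarize` in place of `SAMPLE`.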

(Inspired by Bruce Schneier, who recommends checking SSL certificates in his article Man-In-The-Middle Attacks (15 July 2008). He uses the recent hostage liberation in Colombia to explain how a MITM attack works.)

