Friday, 23 December 2016

Are Authentication Badges the answer to Conveyancing Website Fraud?

Both the SRA and the Council for Licensed Conveyancers (CLC) are currently focusing their attention on cyber crime and property fraud. The CLC’s recent fraud webinar was extremely informative. I would wholeheartedly recommend that any lawyer or estate agent spend the hour watching the recording.

With property fraud avoidance in mind, the CLC have recently announced an anti-fraud scheme for its regulated firms. The scheme is mandatory. The CLC are to provide each firm with a unique piece of code that renders a CLC “secure badge” for the firm to display on its own website. The CLC will then monitor use of that code to ensure there is no unauthorised use of the secure badge (an assurance I will come back to later).
The expectation is that consumers will be able to click on the badge to see information about the regulated firm on the CLC’s website.
The CLC have plans to promote the secure badge to consumers and are encouraging firms to do the same. My concern is that in promoting a secure badge, the CLC may run the risk of promoting misplaced trust. A badge image in itself has no security value: site badges are as easy to copy as any other image on the internet, and anyone intent on fraud would not hesitate to do so. This is the crux of the issue: even if a percentage of users click on the security badge, the majority will not read the report, and any assurance they feel will rest on nothing more than the presence of an official-looking image.
I am very surprised by the CLC’s rather bold claim that the security badge ‘will significantly reduce the risk of impersonation online through cloned or copied websites and will stop fraudsters setting up fake firms that claim to be regulated by the CLC’. I have my doubts that a trust badge such as this will significantly reduce the risk of impersonation. There is a counter-argument that it may even increase impersonation because, as noted above, most users won’t click and so may be fooled by a counterfeit badge. The claim that it ‘will stop fraudsters setting up fake firms that claim to be regulated by the CLC’ seems unjustifiably confident.
If ‘secure badges’ prevented or even reduced fraud, why are bank websites not festooned with them? I note that the Law Society, who have their own well documented history of software issues, have only ventured to claim that the CQS badge is an indicator of quality, not an authenticator.
The CLC Secure Badge scheme is to be administered by Yoshki. Intrigued, I looked at Yoshki’s list of customers expecting to see banks or high-profile shopping sites. To be fair, I have not thoroughly explored each client, but I could not see any sites that even take credit card payments. Do the CLC really want to use a technology that addresses the threats faced by the National Air Duct Cleaners Association (NADCA)? We are dealing here with the serious issue of major fraud rather than talking a lot of hot air (I had to get that pun in).
As mentioned above, the CLC state that they ‘will monitor use of that code to ensure there is no unauthorised use of the secure badge’. It may be true that a legitimate website displaying a false CLC secure badge would attract complaints and be forced to take it down. But we are not worried about legitimate sites here; we are concerned about fly-by-night sites pushing malware and phishing pages. Those are the websites that would most benefit from stealing this type of badge. They are already breaking the law, so violating the badge provider’s copyright is no obstacle to them. Nor is it any obstacle to create a fake CLC page that mimics the click-through destination of a legitimate firm’s badge, so that the “verification” the user sees is counterfeit too. In any event, can the CLC be certain of reaching a fraudulent site before any damage is done?
The one thing members of the public can trust is what the web browser itself tells them about the firm’s site. The browser already has a mechanism for verifying the identity of a website in the form of TLS (formerly SSL). Basic TLS support is now free with the right technology partner, and arguably regulators should focus on mandating that firms are at least TLS-enabled. The next, and preferred, level of assurance is for the website operator to purchase an Extended Validation (EV) certificate for a few hundred dollars a year. In that case the browser displays the verified organisation name in green next to the address bar, confirming the identity of the website owner. For example, in the screenshot below, my web browser has confirmed this is the real HSBC site.

It is important to note that the padlock and green name shown in the address bar are security assertions the browser makes only after validating a certificate issued by a certificate authority it trusts, and they are drawn by the browser rather than by the page, so they cannot be copy-pasted around the Internet like an image. One caveat: a basic, domain-validated certificate binds only a domain name, so the padlock proves you are talking to the domain shown in the address bar and nothing more; a fraudster can obtain such a certificate for a lookalike domain, which is why the EV organisation name is the stronger signal. In contrast, anything that appears in the content area of a website may be manipulated or spoofed by an antagonist. On an ordinary http:// website, any security badge might be a lie produced by the site owner or interposed by a third party on the network, and an image on an insecure web page cannot reliably authenticate anything on its own.
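To make concrete what the browser is actually checking before it shows a padlock, here is an added example (not code from the original post or from any of the organisations it mentions) of the name-matching step in simplified form, following the RFC 6125 rules that browsers apply: the name in the address bar must match one of the DNS names the certificate authority put in the certificate, case-insensitively, with a single wildcard permitted only as the whole left-most label. The firm domain and the lookalike and typosquatted hostnames are constructed for illustration. The `live_certificate_names` helper uses Python’s standard `ssl` module to do the real thing against a live server (chain validation and hostname matching are performed by `ssl.create_default_context()`); it needs network access and is not called by the offline demonstration.

```python
"""Simplified browser-style hostname check against a TLS certificate.

Added example, not from the original post.  Matching rules are a subset of
RFC 6125 / current browser behaviour: exact DNS-name match, case-insensitive,
and a single '*' allowed only as the entire left-most label covering exactly
one label ('*.example.com' matches 'www.example.com' but not 'example.com'
or 'a.b.example.com').  Internationalised (punycode) names are not handled.
"""

import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly wildcarded) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, must be the only one,
    # and must not stand in for a public suffix ('*.com' is refused).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' covers exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_dns_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry matches the host the user typed."""
    return any(dns_name_matches(name, hostname) for name in cert_dns_names)


def live_certificate_names(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a real server and return the DNS names in its certificate.

    ssl.create_default_context() performs chain validation and hostname
    matching itself; an impostor presenting a certificate issued for some
    other name fails here with ssl.SSLCertVerificationError.  Requires
    network access, so the offline demo below does not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list standing in for what a CA might issue to a firm.
    firm_cert = ["example-conveyancers.co.uk", "www.example-conveyancers.co.uk"]
    typed_hosts = [
        "www.example-conveyancers.co.uk",                        # genuine
        "www.example-conveyancers.co.uk.secure-login.example",   # lookalike prefix
        "examp1e-conveyancers.co.uk",                            # typosquat
    ]
    for typed in typed_hosts:
        verdict = "MATCH" if hostname_matches(firm_cert, typed) else "NO MATCH"
        print(f"{typed}: {verdict}")
```

The two impostor names fail the check even though a clone could copy every pixel of the firm’s page: the padlock is tied to the name the certificate authority validated, not to anything in the page content. The same impostor could, of course, obtain a domain-validated certificate for its own lookalike name and show its own padlock, which is the caveat above and the reason the EV organisation name is a stronger signal than the padlock alone.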

Starting January 2017, Google Chrome will begin labelling HTTP (non-TLS) pages that contain password or credit card form fields as “Not secure”, given their particularly sensitive nature. From a fraud perspective this means that many firms could have their legitimate websites look less trustworthy than a cloned, illegal site that happens to be served over HTTPS. Perhaps lenders, insurers, CQS and regulators should be insisting that firms are, at the very least, TLS-enabled.
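A firm, or a regulator auditing its members, can check for the Chrome warning without waiting for a client to notice it. The following is an added example, not code from the original post or from Google: a small offline check that parses a page and reports whether Chrome 56 would mark it “Not secure”. The detection is a deliberate simplification of Chrome’s (an assumption of this example): a page served over plain HTTP is flagged if it contains an `<input type="password">` or an input whose `autocomplete` attribute is one of the HTML credit-card tokens (`cc-number`, `cc-exp`, `cc-csc` and so on). The login page markup and the `firm.example` URLs are constructed for illustration.

```python
"""Offline check for Chrome 56's "Not secure" label on plain-HTTP pages.

Added example, not from the original post.  Simplification (assumption):
a sensitive field is an <input type="password"> or an <input> whose
autocomplete attribute is an HTML credit-card token.  Chrome's own
credit-card detection is heuristic and broader than this list.
"""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML autocomplete tokens that identify payment-card fields.
CC_AUTOCOMPLETE = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
                   "cc-exp-year", "cc-csc", "cc-type"}


class SensitiveFieldFinder(HTMLParser):
    """Collects (kind, name) for every password or card input on a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lower-cases tag and attribute names; values may be None.
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.append(("password", a.get("name", "")))
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.fields.append(("credit-card", a.get("name", "")))


def chrome56_verdict(url: str, html: str) -> dict:
    """Report the scheme, the sensitive fields found, and whether the
    Chrome 56 "Not secure" label would be shown for this page."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    scheme = urlsplit(url).scheme.lower()
    flagged = scheme == "http" and bool(finder.fields)
    return {"scheme": scheme,
            "sensitive_fields": finder.fields,
            "not_secure_warning": flagged}


# Constructed sample: a typical client-login form on a firm's website.
LOGIN_PAGE = """
<html><body>
  <form action="/client-login" method="post">
    <input type="text" name="email">
    <input type="password" name="pw">
    <button>Log in</button>
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url in ["http://firm.example/login", "https://firm.example/login"]:
        v = chrome56_verdict(url, LOGIN_PAGE)
        label = "Not secure" if v["not_secure_warning"] else "no warning"
        print(f"{url}: {label} (fields: {v['sensitive_fields']})")
```

The same page yields the warning over `http://` and no warning over `https://`, which is exactly the situation the paragraph above describes: the markup is identical, and only the transport decides what the address bar says.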
