- Bare Metal
- Bare Metal Cloud
- Big Data Benchmarks
- Big Data Experts Interviews
- Big Data Technologies
- Big Data Use Cases
- Big Data Week
- Data Lake as a Service
- Dedicated Servers
- Disaster Recovery
- Industry Standards
- Online Retail
- People of Bigstep
- Performance for Big Data Apps
- Press Corner
- Tech Trends
- What is Big Data
Thwarting Server-to-Server Communications Spoofing
Your business name is Bob Knows Best with a domain name of BobKnowsBest.com. Your customers receive an email saying that there is a problem with their account at Bob Knows Best, directing them to visit a website at Bob1KnowsBest.com. When they visit, they are asked a series of questions, including their name, address, phone number, social security number, account number, birthday, etc. Believing they are on your website, a business they know and trust, they comply and enter the information.
What just happened? It’s called server spoofing or domain name spoofing. It involves a nefarious entity (hacker, cyber terrorist, garden variety identity thief, etc.) spoofing one of your servers, thereby gaining access to data intended only for your business. Your customers have no idea they’ve given their sensitive information to someone other than you, and you don’t know that someone out there is making very bad use of your good name. What can you do about it?
Why is SSL Not Secure?
Consumers are often instructed to look for the “S” before entering sensitive information into a website, such as: HTTPS instead of HTTP, with the “S” meaning the site is secure. However, for some time there have been a number of known insecurities related to HTTPS, or SSL certificates. Primarily, there aren’t actually any issuance standards related to receiving an SSL certificate, meaning Joe Blow Hacker can get one as easily as PayPal, Bank of America, or you.
Additionally, there are no real rules about what those fields mean, and no guarantee that the organization named in the URL is the actual owner of the business it conveys itself to be. Hence, many consumers have been victims of spoof sites like “PayPol,” “BunkofAmurica,” “CityBenk,” etc.
Sometimes the changes are so trivial that it’s difficult for the human eye to differentiate between the real business name and the spoof site—such as substituting the lowercase L for the number one or adding a hyphen like NumberOne versus Number-One. In fact, the practice is so commonplace that most sizeable organizations have a special landing page dedicated to consumers reporting such spoof sites.
Using EV SSL to Improve Security
EV certification is a better practice than using SSL certifications because EV certification involves a stronger method of authenticating a website. EV stands for Extended Validation, and comes with a set of rules for qualifying for a certification. A business has to go through a series of procedures in order to validate their rightful ownership of a domain name.
However, EV certification is not a cure-all. It can only authenticate the domain, not the actual organization; hence companies like PayPal, Bank of America, and other high-profile targets for hackers and phishing scams still have to remain vigilant in finding and shutting down spoof sites preying on their customers.
Preventing Server-to-Server Communications Spoofing
If big companies like PayPal can’t stop spoofing, what can you possibly do? First, establish a solid policy for communicating with your customers, and regularly educate your customers on what these policies are. Policies should include stipulations that:
• Your company will never send out an email asking for sensitive information like account numbers, social security numbers, etc.
• Your company will never phone customers asking for this type of information.
• Customers should always visit your established website; never use a link in an email, Facebook post, etc, to visit your website.
• Outline for your customers how they can reach you by email, by phone, via website, etc. regarding questions about a solicitation or questionnaire bearing your business name.
Unfortunately, spoofing is one of the hazards of doing business online. To get more information on security using the Full Metal Cloud, visit the Bigstep website today.