A large collection of fraudulent web stores (chair6.net)
In this era of online ubiquity there should be another layer of opt-in validation, ring of trust, p2p feedback and rating, that can all be plugged into the consumer web experience.
If we have a centralised "licensing" solution, it is abused by large capital to wash off the smaller ones - there are plenty of examples.
If we have a decentralised solution (which is basically what a review is) - it is immediately abused by "marketers".
There is no simple and easy solution to the problem.
When you register a business you also provide your official domains and so the validity of the website is checked against the validity of the business.
First with domain names. The domain "nissan.com" is not owned by the well-known car company but by a completely unrelated computer company. As "Nissan Motors v. Nissan Computer" settled, this is totally fine and Nissan Computer still owns the domain.
Besides exact matches there are also similar-looking names. For example, a student named Mike Rowe started a small web design company called MikeRoweSoft, which drew the attention of Microsoft, leading to "Microsoft v. MikeRoweSoft" - which was settled out of court and resulted in the domain being transferred to Microsoft.
Second are Extended Validation domains - which used to show the company name in the URL bar. As Ian Carroll demonstrated[0] this isn't really worth a lot, and browsers no longer bother showing it at all[1].
Company names also often overlap when they are active in different areas, such as Apple Corp (record label founded by The Beatles) and Apple Inc. (tech multinational) - which over the years have shifted towards a rather impressive market overlap! Some companies are split with both sides keeping the original name, such as Motorola Inc.'s split into Motorola Solutions and Motorola Mobility. Sometimes products are sold under a completely different brand name, such as HMD selling Nokia-branded smartphones, or TP Vision selling Philips-branded televisions while MMD sells Philips-branded gaming monitors!
The thing is, reality is just too complicated for a "very simple" register. How are you supposed to fit in all of the scenarios listed above while still keeping it usable?
[0]: https://arstechnica.com/information-technology/2017/12/nope-...
[1]: https://www.troyhunt.com/extended-validation-certificates-ar...
I think this can just add layers of bureaucracy that don't address the problem anyway.
In the early days of widespread internet use in Sweden it was quite difficult to register a .se web-address: not only were company documents needed, but the authority that granted use of the address also split your right to it geographically within Sweden, so that if you wanted the address to stretch across the whole country you needed to make multiple applications (using a subdomain system).
This process just made it almost impossible for a small personal startup to own a Swedish domain, and it was completely impossible to register a domain on a 'try-it' basis, to see if a nascent business idea would take off.
In other words it just entrenched the dominant position of incumbents.
What happened instead, was that Swedes registered .com addresses, or .nu ('now' in Swedish), or other variations. And the same sort of thing would happen now: the international fraudulent sites would still be possible - just legitimate registrations would become much harder.
A little like what happens with pirating, where people using pirated software often have to jump through fewer hoops than legitimate users, who've paid for their installs, but need to constantly dial up to be allowed to keep using the tools they've bought.
tl;dr: more bureaucracy for legitimate businesses, but doesn't address the core problem for end-users.
For any site with a commercial intent (which is pretty loosely defined) it is mandatory to have an Imprint with the person representing the company, the address of the HQ as well as the company's registration number and court location. It makes it somewhat more transparent what company is behind the site and gives you information you can look up in public registries.
I hate it from a privacy perspective but it's okay for consumer protection.
We could use government-issued tokens, maybe on a government-run blockchain.
And we could use the same for our personal (corporate) selves, such that all of our economic interactions were moderated through a government-run identity blockchain.
I want the mark on my forehead please, not the wrist, so I can pay by bowing my head to the money-god instead of just laying my wrist on the sensor.
What could possibly go wrong?
These sites are literally made to steal my grandma's money when she's buying presents for Christmas and what not.
It's inspiring to see you follow up like this and help out a wonderful mountain shop. A great reminder and inspiration to be more involved in my community.
1. Knowing that the company using the certificate is who they say they are, doesn't necessarily mean you can trust them not to be fraudulent traders.
2. Control of the domain names and associated certificates can change hands after the fact, officially through buyouts/merges or via more nefarious means, just like any other certificate.
and of course the other key question to address, which is:
3. How do you trust those validating the certificate? The average user is not going to know/care that a rogue CA exists and it might take some time for their actions to be noticed and for appropriate revocations to happen.
However they were intended to be used, HTTPS and certificates for it are used to protect data in transit and not really for identity assurance.
----
There is also the more cynical view that the main thing EV certs addressed was the desire for CAs to bring in some revenue, especially as standard certs became more and more a commodity item (now effectively free) with low or zero margins.
Fairly sure you could do an HTML search with Google; 7 stores having extremely similar HTML and images seems rather unlikely.
Effectively, it's virus total but for copycat sites.
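One way to do the "similar HTML" comparison the comments above describe, added here as an example that is not from the article or the thread: strip each store page down to its tag skeleton (tags, class names, asset paths), shingle it, and cluster pages whose skeletons are near-identical. The four sample pages and their domains are constructed for the example.

```python
import re
from itertools import combinations

# Constructed sample pages (not from the article): three stores built from one template
# with different names and prices, plus one unrelated shop.
TEMPLATE = ("<html><head><title>{name}</title></head><body><div class='hero'><h1>{name} Winter Sale</h1>"
            "<img src='/img/banner_a1f3.jpg'></div><ul class='products'><li>Jacket ${p1}</li>"
            "<li>Boots ${p2}</li></ul><footer class='foot'>Contact: shop@{dom}</footer></body></html>")
PAGES = {
    "alpine-outlet.example": TEMPLATE.format(name="Alpine Outlet", p1=49, p2=59, dom="alpine-outlet.example"),
    "peak-gear.example": TEMPLATE.format(name="Peak Gear", p1=45, p2=62, dom="peak-gear.example"),
    "summit-deals.example": TEMPLATE.format(name="Summit Deals", p1=39, p2=55, dom="summit-deals.example"),
    "village-bakery.example": ("<html><head><title>Village Bakery</title></head><body><header><nav><a href='/'>Home"
                               "</a></nav></header><main><article><h2>Sourdough</h2><p>Baked daily.</p></article></main></body></html>"),
}
TAG_RE = re.compile(r"<(\w+)([^>]*)>")
ASSET_RE = re.compile(r"(?:src|href)=['\"]([^'\"]+)['\"]")

def skeleton(html):
    """Reduce a page to its structure (tag names, class attributes, asset paths).
    Visible text such as the store name and prices is dropped: clones change only that."""
    tokens = []
    for tag, attrs in TAG_RE.findall(html):
        cls = re.search(r"class=['\"]([^'\"]+)['\"]", attrs)
        tokens.append(f"{tag}.{cls.group(1)}" if cls else tag)
        tokens.extend("asset:" + a for a in ASSET_RE.findall(attrs))
    return tokens

def shingles(tokens, k=3):
    # k-grams over the skeleton; their overlap survives small local edits
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def similarity_matrix(pages):
    sh = {d: shingles(skeleton(h)) for d, h in pages.items()}
    return {(x, y): jaccard(sh[x], sh[y]) for x, y in combinations(sorted(pages), 2)}

def clusters(pages, threshold=0.8):
    """Group domains whose skeletons are near-identical (tiny union-find)."""
    parent = {d: d for d in pages}
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for (x, y), s in similarity_matrix(pages).items():
        if s >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for d in pages:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())
```

On real crawls the same skeleton-plus-asset comparison is what lets one template clone stand out from a genuinely different shop even when every price and brand name has been swapped.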
If I go to urlscan.io and look at the recently scanned sites (which are live-updated), every now and then I can find links with potentially sensitive information.
I found OneDrive and SharePoint links. I was unable to actually access the documents in them (it asked me to log in), but I could see their content (or metadata) with UrlScan's "live screenshot" feature.
At one point, it scanned a "reset password" link with the authentication token in the query string (!). I was able to access that link and I would likely be able to reset the password for that specific user. I won't share the underlying website so others don't go ahead looking for it, but it was for a non-US government service.
The impression I have is that some email provider (or perhaps some antivirus software?) is automatically scanning user emails and the links are being shared publicly, alongside a "live screenshot".
I might be missing something, but this is weird.
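A defender-side check for the leak this comment describes, added here as an example and not part of the thread: before a URL is handed to a public scanner (or written to a shared log), flag query parameters that look like credentials and redact them. The parameter-name list, the token-shape pattern and the sample reset link are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly carry bearer-style secrets (constructed list, extend as needed).
SECRET_NAMES = re.compile(r"token|secret|sig|signature|key|code|auth|session|otp|reset", re.I)
# Values shaped like opaque credentials: long hex, or 20+ chars mixing letters and digits
# with no spaces. Plain words such as "winter-jackets" contain no digits and are not flagged.
TOKEN_VALUE = re.compile(r"^(?:[0-9a-fA-F]{16,}|(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_\-=.]{20,})$")

# Constructed sample: a password-reset link with its token in the query string.
RESET_LINK = "https://portal.example/account/reset?user=42&token=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"

def sensitive_params(url):
    """Return the names of query parameters that appear to carry a credential."""
    flagged = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SECRET_NAMES.search(name) or TOKEN_VALUE.match(value):
            flagged.append(name)
    return flagged

def redact(url):
    """Replace flagged values with a placeholder so the URL can be logged or scanned safely."""
    parts = urlsplit(url)
    flagged = set(sensitive_params(url))
    query = [(n, "REDACTED" if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def safe_to_submit(url):
    """Gate for a public-scanner submission: only URLs with no credential-bearing parameters pass."""
    return not sensitive_params(url)
```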
It sounds a bit like you just want WHOIS, which in practice turned out to be a bit useless.
I spoke up about it on a mailing list (probably an IETF one) about how subsidiary companies should be required to have not xyz.com but xyz.<owning company>.<over-seeing owner company>.com as their address. Example: In the U.S. it's not simple to get /real/ xyz with all the vitamins. So a hypothetical xyz.com should really turn up in search results as xyz.<parent company>.com.
Adjust as fits. Maybe $xx/year or the quantity of companies underneath the major owner before compliance.
I was praising the value of something I did know the USian market had a distributorship over [in the geographical real] with a sub-standard product.
Let me know that I am looking at stats on y product (only served in z country).
Let me know that xyz name in my country is different to your place.
Businesses usually have domain names just like they have physical addresses.
If the database were to include the domain names we could make automatic checks to give the user more assurances.
Your reply is mind-boggling and totally foreign to the topic.
These criminals on the other hand are likely automating everything and have the advantage of lessons learned from dozens of iterations.
The article indicated the mimic sites accept credit card numbers but don't actually process them -- to me that is the Achilles heel of the process. If credit card companies started requiring instantaneous verification of the card's actual use (via a card chip reader or an app on user's phone, for example) instead of allowing payment via static information vulnerable to replay at any time, I think that could do a lot more to improve security of online transactions than green check boxes.
That would be convenient enough for most people that it's usable.
IOW, adding friction wouldn't be a sufficient deterrent. Criminals are resourceful, and enriching themselves further is a strong motivator.
If you add some system for site verification, first someone will make tooling to facilitate it and soon after someone will offer a service to provide it for you and in a matter of months these spam sites will be up and running just like they are now, only it will be more difficult for a legitimate newcomer to get started in the same arena.
I don't think it's completely useless, but it's certainly not perfect either. As the parent comment suggested, having a business register its legit domains would probably make sense from a consumer protection point of view.
However, with the current state of the digital administration in Germany this change would introduce so much overhead that it would lead to a lot of justified opposition.
crt.sh is also nice to figure out how long an operation has been using SSL (e.g. mtz-elektronik[dot]de has been used by scammers on hacked Amazon shops for a few days).
It doesn't stop the fraudulent "potato-shop.de" from trying to look like the real "potatoshop.de".
One would argue that there is a Handelsregistereintrag (record of commerce at the officials) that might help, but it only contains information about the seller including contact details and what they do, and not domains. And the record is not needed for small businesses.
TLDR: Germany seems to have hurdles for fraudsters, but they are easily taken by simply copying information from legit stores.
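The "potato-shop.de" versus "potatoshop.de" case above is a look-alike domain problem, and a registry that lists a store's legit domains makes it checkable. Added here as an example, not code from the thread: normalise a candidate domain (drop hyphens, fold common character substitutions), then compare it against a small allow-list with an edit-distance threshold. The allow-list entry alpine-outlet.example is constructed; the single-label TLD assumption is noted in the code.

```python
# Constructed allow-list of legitimate shop domains: the potatoshop.de name from this
# thread plus one made-up domain. A real deployment would read these from a registry.
LEGIT = ["potatoshop.de", "alpine-outlet.example"]

# Substitutions that make visually similar labels compare equal after normalisation.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def split_domain(domain):
    """Return (registrable label, TLD). Assumes a single-label public suffix such as .de;
    multi-label suffixes like .co.uk would need a public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]

def normalize(label):
    """Strip hyphens and collapse common character substitutions."""
    label = label.replace("-", "")
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance computed with a rolling single row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, legit=LEGIT, max_dist=1):
    """Return (verdict, matched legit domain). Verdicts: 'legit', 'lookalike', 'unrelated'.
    A different TLD on an otherwise matching label is treated as a look-alike."""
    cand_label, cand_tld = split_domain(candidate)
    for known in legit:
        k_label, k_tld = split_domain(known)
        if (cand_label, cand_tld) == (k_label, k_tld):
            return "legit", known
        n_cand, n_known = normalize(cand_label), normalize(k_label)
        if n_cand == n_known or levenshtein(n_cand, n_known) <= max_dist:
            return "lookalike", known
    return "unrelated", None
```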
Adding the legit domains to the Handelsregister doesn’t seem like the worst idea to me. However, as the digital access to government services is still basically non-existent this would lead to a whole lot of additional bureaucracy and slowed down processes.
Now, if they made it into a standard that could be included into the browser's UI...
However, the law is pretty unclear about what is considered commercial interest. This effectively leads to the situation where basically any site of any kind is expected to have an imprint or otherwise, you can expect to get a nice and expensive writing from a lawyer.
Then browsers could query it and show that it's legitimate.
But it's probably really hard to implement for technical and legal and organisational reasons.
Let's say I set up a site that's critical of an authoritarian government. I fund it with sales of merch and books and such.
I want to be anonymous - for obvious reasons - but if I have to register my details I can't be.
Also, accountability doesn't work without international authority. Some countries are more enthusiastic about accountability and the rule of law than others, and the ones who aren't can make money by selling "credible" domains to bad actors.
Of course after a while those domains will become less credible. But there are a lot of TLDs out there now, which makes the system very difficult to police without international cooperation.
In reality I can run a scam operation from a beach in Thailand, bank the money, shut it down, then run a very similar scam operation from a beach in Vietnam or Costa Rica. That won't change until there's some kind of international cyberpolice agency which will hunt me down across borders.
But then you get the anonymity problem.
Not simple, and no registration system will fix this.