If you believe you’re safe from online fraud or phishing attacks because you only browse websites that have EV SSL certificates, you are, sadly, wrong. Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. Extended Validation (EV) was added ten years ago and widely deployed as an extra layer of security. The thinking behind it was that the longer paper trail required to verify the applying entity’s identity would put off scammers.
Unfortunately, researchers have now found that it is fairly easy, quick and cheap for fraudsters to set up a fake company with an EV certificate, because so many stolen identities are readily available on the Dark Web as a result of the plethora of recent data breaches. Even more brazenly, hackers can easily use the name of a genuine company when setting up their online presence, with imperceptible differences in URLs making it nigh impossible for the average user to spot the trap. A secure (and valid) EV certificate then completes the sham and gives users an even greater false sense of security.
So what to do? Uhm… just be extra vigilant and… maybe also be prepared to get hacked.