GeoTrust Alerts Internet Users to New Phishing Vulnerability

11:34:03 - 13 April 2005

GeoTrust, Inc. (www.geotrust.com), a provider of identity verification solutions for e-business and the world's second largest issuer of SSL (secure sockets layer) certificates for web security, today released a white paper entitled "Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks and Consumer Fraud" that describes new risks for fraud associated with first-generation authentication, which is still used by some certificate authorities (CAs). GeoTrust also cited the results of the April 2005 Netcraft study that showed second-generation SSL certificate authentication methods, which GeoTrust pioneered, are growing at a rate twice that of first-generation, manually based authentication processes.

The April Netcraft survey marks the first time that the internet research firm has segmented the market for SSL certificates based on the validation methods of the certificate authorities into "domain-validated" and "organization-validated" categories.

"Manual vetting of organizations creates a huge vulnerability that can be used to the benefit of phishers and identity thieves. I hope that certification authorities who are still using first-generation processes will understand why they should migrate to advanced authentication without delay."

GeoTrust's second-generation authentication technology utilizes automated domain control, email and telephone validation, combined with sophisticated fraud-detection algorithms, to virtually remove the potential for web merchant fraud and eliminate significant phishing holes created by more vulnerable organizational vetting processes.

The following example illustrates the dangers of relying on organization validation for SSL certificates. A company, Seaside Details, obtained a certificate with the organization name "Charter One."

The white paper, written by noted expert on secure sockets layer certificate verification Kirk Hall, examines the traditional, paper-based manual vetting process, or organizational assurance vetting, still employed by some certificate authorities.
