That Website Padlock Won't Protect You From Fraud


Ian Morris

Let's have a talk about security, shall we? Take a look in the URL bar here on Forbes, and the likelihood is that you'll see a padlock of some kind, which gives you confidence that the site you are viewing is secure. That's smashing, and it means that anything you read on Forbes can't be monitored by a third party. But as that padlock becomes more common, there is a concern that people will trust it too much.

I was reminded of this recently thanks to a piece of spam. It was good spam, purporting to be from PayPal and warning me that suspicious activity had been detected on my account and that I should log in to confirm that it was fraud. The site linked was, however, not PayPal's, but a third-party scammer trying to steal my username and password. It was, however, a secure site.

My worry, and the worry of many others, is that people will assume that "secure" means that the domain belongs to the company whose name appears in the URL, or on the site itself. Most people don't have sufficient interest in security to understand that it just means that no one can see your username and password as you unwittingly hand them over to scammers. At a push that's better than sending them to the whole web, but it's a problem that needs some work.

This issue comes from the fact that anyone can get a security certificate. In the past these were expensive, but now firms like Let's Encrypt allow anyone to have a certificate for free. I honestly believe that security for all is a really good thing, and personally use these free services on my own sites. However, for non-technical users they complicate security a bit and might lull people into a false sense of wellbeing.

In my example, the fake PayPal login site had a security certificate, but if you carefully compare it to the real PayPal you'll notice that the fake site says "Secure" in Google Chrome. The real PayPal site, however, replaces "Secure" with the name of the company, in PayPal's case "PayPal, Inc. [US]". This extra measure, called an Extended Validation Certificate, means the company you're dealing with is actually the one you think you're dealing with.

Using this "Extended Validation Certificate" means that a site is checked through non-automated means, and is confirmed as being genuine. Banks and, naturally, PayPal need to take security seriously, so they use this method. It's not free, or especially cheap, so a lot of normal businesses simply can't or won't pay for it. What it does do, though, is prevent scammers from duplicating the PayPal site on a new domain and making it all look secure and wonderful. But people need to know what to look for - and I don't think they do.

So looking for the company name next to the padlock on a secure site is a much better way to have confidence that you're logging into a genuine place. As customers, we should be more keen to hassle companies to up their security game, especially if we feel unsafe when we're entering our details - we've all got sites we feel this way about, I'm sure.

Frustratingly, a lot of sites like Gmail, Outlook.com and many others only display "Secure", which means you could, if you weren't careful, end up being tricked into logging into a fake site. Google Chrome compounds this issue by not displaying much information when you press the padlock. Instead, it lists a load of options but doesn't even explain who the certificate is registered to. This is bothersome. To get to the security details of who the certificate was issued to, you need to navigate through a developer console. Suboptimal at best, dangerous at worst.
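The distinction the two paragraphs above draw (a certificate that only proves the domain versus an EV certificate that carries the verified company name) can be read straight out of the certificate's subject. The following is an added example, not code from the article: it parses an RFC 4514 subject string (the form a certificate viewer or OpenSSL will show you), classifies it as DV, OV or EV using the subject attributes the CA/Browser Forum EV guidelines require, and reproduces the "PayPal, Inc. [US]" versus "Secure" indicator text. The subject strings are constructed samples; the serialNumber and the fake-site domain are placeholders.

```python
"""Classify a certificate subject and show what the browser padlock text would be."""

# EV certificates must carry the organisation, country, a registration number
# (serialNumber), a businessCategory and at least one jurisdiction attribute.
EV_REQUIRED = {"O", "C", "serialNumber", "businessCategory"}
EV_JURISDICTION = {"jurisdictionC", "jurisdictionST", "jurisdictionL"}


def parse_dn(dn):
    """Parse an RFC 4514 DN such as r'CN=www.example.com,O=Example\\, Inc.,C=US'.
    A backslash escapes the following character, so commas inside a value
    (common in company names) do not split the string. Hex escapes and
    multi-valued RDNs ('+') are not handled. First occurrence of a repeated
    attribute wins."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    attrs = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        name, _, value = part.partition("=")
        attrs.setdefault(name.strip(), value.strip())
    return attrs


def validation_level(attrs):
    """DV: only the domain was checked. OV: organisation present. EV: full EV attribute set."""
    if "O" not in attrs:
        return "DV"
    if EV_REQUIRED <= set(attrs) and EV_JURISDICTION & set(attrs):
        return "EV"
    return "OV"


def indicator_text(dn):
    """Text a browser of the time put beside the padlock: company name only for EV."""
    attrs = parse_dn(dn)
    if validation_level(attrs) == "EV":
        return f"{attrs['O']} [{attrs['C']}]"
    return "Secure"


# Constructed sample subjects (serialNumber and fake-site domain are placeholders).
REAL_EV = (r"CN=www.paypal.com,O=PayPal\, Inc.,L=San Jose,ST=California,C=US,"
           r"serialNumber=EXAMPLE-SERIAL,businessCategory=Private Organization,"
           r"jurisdictionST=Delaware,jurisdictionC=US")
FAKE_DV = "CN=account-confirmation.example"
PLAIN_OV = r"CN=mail.example.org,O=Example Org Ltd,L=London,C=GB"
```

Run `indicator_text(REAL_EV)` and `indicator_text(FAKE_DV)` side by side: the phishing site's free certificate is perfectly valid yet can only ever produce "Secure", because nobody verified an organisation behind it.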

This isn't one of the most glamorous topics in the world of tech. It's not a new phone rumour or some leak from within Apple. What it is, though, is something I consider essential knowledge for people conducting business and financial affairs online. Spread the word: it's easy to get caught out, and that PayPal email could have caught me if I wasn't paying attention.
