Web 'Safe' Mark May Elude New Merchants
Sunday, December 24, 2006; 8:36 PM
NEW YORK -- As an online shopper, Claudia Race knows she must look out for scams. So as an Internet entrepreneur working out of her home in New Braunfels, Texas, Race wants to use all the tools available to assure customers they can trust the vacation-rentals service she is about to launch.
But because her small business is so new, Race said she might not qualify for the online seals of approval that Overstock.com Inc. and other larger, established companies are getting to instruct Microsoft Corp.'s Internet Explorer browser to display a green address bar for "safe" when people visit her site.
"It would put me at a disadvantage," Race said. "I do not want anyone to have any questions, hesitate or have any fear factor. They have to know that I didn't just go grab a logo from somewhere and stick it on my site. I want them to know I'm a legitimate business."
What she's seeking is an extended-validation certificate, a response to the plethora of "phishing" attacks in which scam artists try to steal sensitive data by mimicking the Web site of a large bank or merchant.
Once Microsoft activates the feature in version 7 of Internet Explorer in late January, a green bar will appear when the browser sees an EV certificate, usually during a transaction or login. The tool complements a newly launched filter that displays a red warning for known phishing sites and yellow for suspicious ones.
"EV does not authenticate that your plasma TV is going to show up or that it won't have a crack through it," said Tim Callan, director of product marketing for VeriSign Inc., which issued its first EV certificate to Overstock this month.
Rather, Callan said, the EV certificate will tell consumers that the business does exist and operates at the location it says it does.
That's because VeriSign and its competitors will be required to perform extensive checks to verify that the business is legally recognized by a government agency and that the address registered for the certificate is valid, such as by matching it with a government filing or visiting the business in person.
Certificate issuers also must make sure that the company owns the domain name and that the individual requesting the certificate is authorized.
So a scammer can't register from overseas a domain name at "paypa1.com" (with a numeral "1" instead of letter "l") and buy an EV certificate saying it is the eBay Inc. online payment service.
The certificate issuer would discover the person requesting it doesn't really work for eBay after obtaining eBay's contact information through independent means and asking directly, said Paulo Kaiser, vice president of operations for certificate vendor Comodo.
In the early days of e-commerce, merchants simply needed a standard security certificate for browsers to display a closed padlock. The makers of the Netscape browser, now owned by Time Warner Inc.'s AOL, developed the Secure Sockets Layer technology in the mid-90s, and many online shoppers over time knew to look for it.



