[cabfpub] Obtaining an EV cert for phishing

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Nov 28 01:58:07 UTC 2017


As someone familiar with corporate law, it is the national or state/provincial authorities who decide what names a company can use.  If they allow a company to be formed under a name, such as “Identity Verified”, then that’s a valid name and a valid company under UK law.  Normally, I have seen jurisdictions require something after the name such as “Co.”, “Company”, “Ltd.”, “LLC”, etc., but apparently UK law does not require this – and certainly CAs should not be in the position of telling a real company with a real corporate name (and not even a trade name like “Coke”) that it can’t use its corporate name in a cert.

I would also point out that it’s a trivial matter for anyone to look up the company’s address (or its address for service of legal process, which is the way of reaching a company in all cases) by using a public website which shows the address and other information – in this case here: https://beta.companieshouse.gov.uk/company/10875639  So anyone harmed by an action of “Identity Verified” can seek legal recourse and law enforcement against the actor who used the domain in the cert, 0.me.uk, to cheat the public, engage in phishing, etc.  In contrast, if the author had simply gotten a DV cert for 0.me.uk, there would have been no way to seek legal recourse and law enforcement against the actor.  So the EV cert in this case did exactly what it was intended to do – it identified the site owner, and provided an address where the owner could be found.

The article included the following tantalizing statement:

Now finally, I began searching for a company to incorporate this new company on my behalf and after a good hour of researching on Google, I found the right one. I won't say the company name here for legal purposes but I will say that the process was incredibly easy to do; no ID check to my knowledge and it costs less than £40. It took the next day for the company to be incorporated by Companies House.

Er… yes.  That’s exactly how it’s supposed to work – anyone can simply go online and incorporate in Oregon (where I live) or the UK (where the author lives) and create a real, legal company in minutes using a credit card and providing the required information.  (There was no need to use an outside company, and the author could have revealed the name of the company he used because the company didn’t do anything wrong.)  If you lie to the government in your registration information, you are committing a crime and if you use your corporation to do illegal things the government may come after you for that.

Please note that no other person can create a second UK company named Identity Verified, because each jurisdiction insists that each corporation name be unique for recourse purposes and to avoid confusion among the public, so the author’s company will be the ONLY company in the UK named Identity Verified, and if the company does anything wrong we will know how to find it using the identity information (including address) contained in its EV cert.

So, Gerv, I’d say this was much ado about nothing.  So far as I can see, there was nothing wrong with the EV cert that Symantec issued, and the author was confused in thinking he had pulled off some amazing coup – he didn’t.
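The argument above rests on the identity fields an EV certificate carries (legal name, registration number, jurisdiction, address) being enough to locate the entity behind a site. The following is an added example, not code from any participant in this thread or from the blog post: it builds a self-signed certificate with a constructed EV-style subject using Go's standard library, pulls out those fields (businessCategory and the jurisdiction OIDs are not standard pkix.Name members, so they are read from Subject.Names), reports which EV-required subject attributes are missing, and, for a GB jurisdiction, derives the Companies House lookup URL in the same form as the one quoted above. The company name and number in the sample subject are made up; the assumption that subject serialNumber holds the registry number follows the EV Guidelines' definition of that field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs used by EV certificates (EV Guidelines section 9.2).
var (
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// EVIdentity collects the subject fields that name and locate the legal entity.
type EVIdentity struct {
	Organization        string
	RegistrationNumber  string // subject serialNumber: the registry's company number
	BusinessCategory    string
	JurisdictionCountry string
	Street              []string
	Locality            string
	Province            string
	Country             string
	Missing             []string // EV-required subject attributes absent from the cert
}

func first(v []string) string {
	if len(v) > 0 {
		return v[0]
	}
	return ""
}

// ExtractEVIdentity reads the EV identity fields from a parsed certificate and
// records which required ones are missing (a DV cert will miss nearly all of them).
func ExtractEVIdentity(cert *x509.Certificate) EVIdentity {
	s := cert.Subject
	id := EVIdentity{
		Organization:       first(s.Organization),
		RegistrationNumber: s.SerialNumber,
		Street:             s.StreetAddress,
		Locality:           first(s.Locality),
		Province:           first(s.Province),
		Country:            first(s.Country),
	}
	// Non-standard attributes only surface in Subject.Names after parsing.
	for _, n := range s.Names {
		v, ok := n.Value.(string)
		if !ok {
			continue
		}
		switch {
		case n.Type.Equal(oidBusinessCategory):
			id.BusinessCategory = v
		case n.Type.Equal(oidJurisdictionCountry):
			id.JurisdictionCountry = v
		}
	}
	required := []struct{ name, val string }{
		{"organizationName", id.Organization},
		{"serialNumber", id.RegistrationNumber},
		{"businessCategory", id.BusinessCategory},
		{"jurisdictionCountryName", id.JurisdictionCountry},
		{"countryName", id.Country},
	}
	for _, r := range required {
		if r.val == "" {
			id.Missing = append(id.Missing, r.name)
		}
	}
	if id.Locality == "" && id.Province == "" {
		id.Missing = append(id.Missing, "localityName or stateOrProvinceName")
	}
	return id
}

// RegistryURL returns the public registry page for the entity. Only the UK
// Companies House pattern from the thread is known here; others return "".
func RegistryURL(id EVIdentity) string {
	if id.JurisdictionCountry == "GB" && id.RegistrationNumber != "" {
		return "https://beta.companieshouse.gov.uk/company/" + id.RegistrationNumber
	}
	return ""
}

// SampleEVCertificate builds a self-signed cert with a constructed EV-style
// subject (assumed values, not the certificate from the blog post) so the
// example runs offline.
func SampleEVCertificate() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:    "example.test",
			Organization:  []string{"Example Verified Ltd"},
			SerialNumber:  "12345678", // constructed registry number
			StreetAddress: []string{"1 Example Street"},
			Locality:      []string{"London"},
			Country:       []string{"GB"},
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: "GB"},
			},
		},
		NotBefore: time.Now(),
		NotAfter:  time.Now().Add(24 * time.Hour),
		DNSNames:  []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SampleEVCertificate()
	if err != nil {
		panic(err)
	}
	id := ExtractEVIdentity(cert)
	fmt.Printf("%s (reg. %s, %s) at %v, %s %s; missing=%v\nlookup: %s\n",
		id.Organization, id.RegistrationNumber, id.JurisdictionCountry,
		id.Street, id.Locality, id.Country, id.Missing, RegistryURL(id))
}
```

To run it against a live site, replace SampleEVCertificate with the leaf from tls.Conn.ConnectionState().PeerCertificates; the Missing list is what distinguishes an EV subject from a DV one, and the registry URL is the starting point for the recourse the message above describes.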

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Monday, November 27, 2017 1:37 PM
To: James Burton <james at sirburton.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing

I don’t think we should require a landline.  Too many places are deprecating them in favor of only mobile numbers (see Norway for example).

I’m not sure the name should have raised alarm bells as it assumes the verification was done in the US or by English speaking natives.  Although this is true for the current scenario, all you’d need to do is translate it into Spanish or use a US name through a non-US based CA for the same effect.  I also don’t think there’s anything inherently wrong with the name.  Perhaps you are providing identity services for online dating or passport expedition. You could have a product that verifies the identity of each contact you are adding to an address book. There are too many realistic use cases to consider this name inherently misleading. To improve, the emphasis would either need to be on post issuance mitigation of actual phishing or pre-issuance controls to ensure law enforcement can easily find and shut-down operations of a phishing entity. EV was originally built on the latter.

From: James Burton [mailto:james at sirburton.com]
Sent: Monday, November 27, 2017 2:26 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Obtaining an EV cert for phishing

Hi Jeremy,

The company "Identity Verified" was incorporated using a legitimate address. The company could have been incorporated using a service address bought online to assert its legitimacy as a real company for the application of the EV SSL and in turn would have had the same outcome. The company name in question should've started the alarm bells ringing long before the vetting process in my opinion as it's a really implausible company name, as it's way too common. If it was me doing the vetting I would've been very sceptical of this company name and never issued the EV SSL certificate in the first place.

The requirements specified in the EV guidelines for phone number verification are way too relaxed in my opinion as it shouldn't be possible to get an EV SSL without a proper landline telephone number. The phone number specified on this application was my mobile number and as you can pick up these SIM cards for nothing from mobile providers it's too easy to bypass these requirements.

The idea of vetting each client face to face by video stream is the way forward in vetting the company individuals for EV SSL certificates.

Thank you,

Regards,

James

On Mon, Nov 27, 2017 at 7:52 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
Hi Gerv,

I have information about this now. Sorry for the delay.

Basically, Symantec verified the organization using the UK companies house, which qualifies as a QGIS. Because it's a QGIS, the data source can be used to validate most of the requirements under the EV Guidelines, including address and legal existence.  The phone number was verified using QIIS and a call to the number, answered, of course, by the applicant. The result is James ended up forming a real company with fake address information. The failure was in the government process for vetting any kind of information before forming the company, which is a problem.  Speaking to other government entities, this is common and they usually catch these fake businesses on renewal (the business never receives the renewal notification because of the fake address/phone).  Note that the issuance itself was fine - the entity really existed and was located at the address specified for all governmental intents and purposes.  Increasing the number of data sources wouldn't have prevented issuance as many sources pull their info directly from the government resources. What do you do when the government fails?

To answer your specific questions:

11.4: Verification of Applicant’s Physical Existence. How was that done in this case, and what was the address which was verified?
- The address provided was verified with the UK Companies House.

11.6: Verification of Applicant’s Operational Existence. How was that done in this case? Which clause of 11.6.2 was used? What were the results?
- Operational existence was verified under (2) using a QIIS.  The QIIS specified the company existed at the address specified in the UK companies house.

One way I can think of to lock down issuance would be requiring a face to face validation (through video software) with each applicant if the company was formed within three years (operational existence).  The applicant would still get the cert if they were verified, but there would be a video record of the identity of the applicant, making law enforcement easier. Of course, the applicant could still use a fake ID, but obtaining the cert would be more risky because of the video recording. Plus, if the verifier determined the ID was fake, the applicant would be blacklisted from getting additional certs and potentially reported to authorities.  Another idea is to require phishing checks (such as through Google's API) daily/weekly to determine if the website is a phishing website.  We are still trying to get D&B to engage in a conversation about self-reported data, but with little success.

Jeremy


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Thursday, September 14, 2017 7:08 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Obtaining an EV cert for phishing

As noted in the Paypal/Let's Encrypt meeting yesterday, James Burton has published a blog post claiming that it's not difficult to get a fraudulent EV certificate:
https://0.me.uk/ev-phishing/

Now, they didn't actually get a fraudulent one, and it did take them a few days and a reasonable amount of manual work, but if we accept for the sake of argument their claim that valid stolen personal ID can be obtained online easily, it does seem that the other steps are not too onerous.

As someone noted at the meeting, fraudsters often don't pay for things with their own money. To my mind, the "cost" of EV is in the requirement to either reveal your true identity, or to spend prohibitive time on a successful effort to fool the checks.

I hope we can use this as a learning experience. Because a certificate was not misissued, there is no obligation on them to do so, but I hope that in the cause of making EV better, Symantec would be willing to discuss their EV verification steps and what happened in this case, so we can look and see if the EV process needs improving.

Some areas I'd particularly like to consider:

11.4: Verification of Applicant’s Physical Existence. How was that done in this case, and what was the address which was verified?

11.6: Verification of Applicant’s Operational Existence. How was that done in this case? Which clause of 11.6.2 was used? What were the results?

Gerv


_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
