[Infowarrior] - IE7 Software to Spot 'Phishers' Irks Small Biz Concerns

[Richard Forno]

Software to Spot 'Phishers' Irks Small Concerns
By RIVA RICHMOND
December 19, 2006; Page B1
http://online.wsj.com/public/article_print/SB116649577602354120-5U4Afb0JPeyi
Oy1H_j3fVTUmfG8_20071218.html

Joy Viren Murphy will be getting a lump of coal in her stocking this year.

The entrepreneur has been selling handmade Christmas stockings for 12 years,
the last eight of them online. Working from the attic of her three-story
Rock Island, Ill., Victorian house, Ms. Murphy makes a couple of thousand
stockings a year. During the busy months, October through December, her
sister and niece come over to help her cut, tack and stitch.

But her business, Aunt Joy's Personalized Christmas Stockings, is facing a
new, high-tech hurdle, thanks to Microsoft Corp's. new Internet Explorer 7
Web browser. IE7 has a security feature that will turn Web-address bars
green and display owners' identities when consumers visit secure sites from
businesses verified as legitimate. The color change will be a boon for
consumers, who have been barraged in recent years with "phishing" scams
designed to lure them to fake versions of popular Web sites, like eBay or
their bank, to filch their account numbers. The hope is that the program
will help reduce fraud, lift trust and boost e-commerce.

But browsers won't turn green when customers visit Ms. Murphy's site. That's
because sole proprietorships, general partnerships and individuals won't be
eligible for the new, stricter security certificates that Microsoft requires
to display the color. There are about 20.6 million sole proprietorships and
general partnerships in the U.S., according to 2003 and 2004 tax data from
the Internal Revenue Service, though it isn't clear how many are engaged in
e-commerce.

Ms. Murphy, a sole proprietor, worries what will happen once consumers grow
accustomed to the new bars. "Green means go shop with confidence. What does
not having the green bar mean?" Ms. Murphy asks. "For that new customer, are
they going to pass me by because I don't have a green bar?"

She'll know soon enough. Already available to those who have the Windows XP
operating system, the browser's use will mushroom when Microsoft rolls out
its long-delayed Vista system to consumers next month. And the green bar
will go into action shortly after the Vista rollout begins.

Microsoft says green shouldn't be considered a seal of approval, but rather
a sign that the site owner is a legitimate business. The display of company
names in the bar will allow consumers to confirm they're on the site they
intended to visit.

But Ms. Murphy and others say people will likely think green signals "go,"
particularly once they start using Microsoft's related Phishing Filter, a
free, optional service for online shoppers that turns address bars yellow on
suspicious sites and red on confirmed phishing sites. The Phishing Filter
was made available Oct. 18 to current XP users with the IE7 browser.

When Microsoft has no information about a site, presumably for businesses
like Aunt Joy's, the bar will be standard white.

Clearly, it will take time before the program infiltrates the consumer
consciousness. Many computer users will have to download IE7 and many
businesses will have to get the new certificates, which were only introduced
last week. But eventually, "are people going to trust the green more than
white? Yes, they will," says Avivah Litan, an analyst at Gartner Inc. and an
expert on online payments and fraud. "All the business is going to go to the
greens, it's kind of obvious."

Small businesses are largely unaware of the issue today, but that seems
destined to change after Vista reaches the market. "This is a ticking time
bomb that is going to explode," says Champ Mitchell, chief executive of
Network Solutions LLC, a Herndon, Va., Web-hosting company and certificate
authority whose clients include Aunt Joy's.

"The Internet has been great for American small business," by giving them
wide exposure at a low cost, he says. "Microsoft all by itself is getting
ready to tilt that field again at an 80-degree angle toward large business."

Microsoft says the number of companies left out will be minimal, noting that
limited-liability companies and partnerships, as well as S and C
corporations, will be able to get the certificates and thus green bars. In
the future it expects certificate authorities to bring more types of
businesses into the scheme.

(An S corporation meets Internal Revenue Service requirements to be taxed
under Subchapter S of the Internal Revenue Code, thereby giving a
corporation with 100 shareholders or less the benefit of incorporation while
being taxed as a partnership; a C corporation, which is the designation of
most major companies, has an unlimited number of shareholders.)

And Microsoft argues the green-yellow-red program will do tremendous good by
striking a blow against phishing. "This is a great step forward for the
Internet," says Markellos Diorinos, a product manager on Microsoft's
Internet Explorer team.

The new certificates, called extended validation secure-sockets-layer
certificates, or EV SSL for short, are affidavits from a certificate
authority both that private data are being encrypted and that the business
operating the site has been confirmed as real. By contrast, current SSL
certificates -- the technology that encrypts data and puts a small lock on
visitors' browsers -- can be obtained with little more than a credit card
and are considered ripe for abuse by con artists.

"SSL is great technology for secure communication, but it says nothing about
the identity" of the site's owner, Mr. Diorinos says. Scammers today are
creating bogus sites that look highly authentic, which has created a real
need for an identity component.

Guidelines for obtaining the new certificates were established by the
CA/Browser Forum, an industry group, after 18 months of debate. The Forum
excluded sole proprietorships, general partnerships and individuals because
its members couldn't agree on criteria for validating them effectively,
something some members said can be difficult. They decided it was better to
move ahead with a plan that would cover many companies, and particularly
those large companies most often targeted by phishers, rather than further
delay the rollout of the certificates.

"We will come forward with a draft that will include these organizations,"
perhaps within six months, says Spiros Theodossiou, senior product manager
for SSL at VeriSign Inc., a certificate authority. "Consumers online are
afraid to transact business, and we want to make it safer for online users.
We believe the current set of guidelines move us toward that."

But the inability of some legitimate companies to get green bars in IE7 soon
could rile small companies just as Microsoft is trying to woo them as
customers. Last month, the company promoted a new accounting-software
product with a search for the "most creative small-business idea in
country." The winner, to be chosen by a panel of celebrity judges in March,
will get $100,000 in seed money and one free year's rent in Manhattan.

Greg Waldron, chief executive officer of Waldron Co. LLC, which sells water
fountains online as Visual Water, is miffed even though he'll be able to get
a certificate as a limited-liability company. "This is a huge benefit for
the Amazons and Overstocks of the world," he says. Small businesses are "a
huge part of [Microsoft's] customer base, and they make a lot of money off
us, but they don't give us a second thought."

Mr. Waldron notes that there are plenty of fly-by-night e-commerce sites
that look safe but exist to gather credit-card numbers. "They are making
every small unincorporated company look like one of those second type of
phishing sites."

Ms. Murphy concurs. She made her first online stocking sale to an American
living in Japan on Dec. 11, 1998.

"The Internet made the world so big for small people like me," she says. But
now, having to contend with green bars and the like, Ms. Murphy feels her
horizons have shrunk. Her verdict on the stoplight system: "It just seems
like an excuse to shut out the small business like myself and make sure we
don't take too many of the dollars from the big boys."

Write to Riva Richmond at riva.richmond at dowjones.com3
      URL for this article:
http://online.wsj.com/article/SB116649577602354120.html

      Hyperlinks in this Article:
(1) 
http://release.theplatform.com/content.select?pid=JLX6emL6B7PJuT0kF6vkP3y8F1
mkROmF
(2) 
http://release.theplatform.com/content.select?pid=JLX6emL6B7PJuT0kF6vkP3y8F1
mkROmF
(3) mailto:riva.richmond at dowjones.com