Alberry Information Security

Is the High Street Bank’s Digital Safety Campaign Effective?

In the run up to Christmas, a well-known high street bank in the UK has released a new campaign raising awareness of digital security, and it has approached this with a series of television adverts.

One of these adverts tackles the issue of making online purchases on public wireless networks. Another addresses phishing emails, advising us that if we're sent an "offer that's too good to be true", we should check its authenticity as it "could be from fraudsters".

However, the advert I found the most interesting was one that gives us the advice "before you pay, look for a padlock". This padlock is, of course, the padlock that our browser presents to us when we visit a website over HTTPS that has been issued a valid SSL/TLS certificate.

This is generally good advice; however, there is a flaw in it that I believe could lure its audience into a false sense of security. There was no mention of the threat of 'typosquatting'.

Typosquatting is an opportunistic threat that preys on users making errors when typing URLs. In this particular advert, the URL 'https://www.super-con.co.uk/' was used to demonstrate how the padlock appears in the browser for a 'genuine' site compared to a 'malicious' site. An example of typosquatting in this instance could be an attacker registering the domain name 'super-com.co.uk' and hosting a cloned website that appears identical, with the URL 'https://www.super-com.co.uk/'. As the characters 'n' and 'm' are next to each other on a keyboard, there is a realistic possibility that users will visit this site in error. Both URLs even appear the same at first glance. As it is becoming increasingly easy to obtain SSL certificates (even free of charge with services such as 'Let's Encrypt'), this website could also have 'the padlock'. As a result, users could still become victims of online fraud whilst following the advice given to them by a bank they trust.
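To make the point concrete, here is an added example of the check a browser extension or brand-monitoring tool could run on a URL before a payment: it is not code from the bank's campaign or from this blog, and it assumes a constructed trusted-domain list containing only the advert's 'super-con.co.uk' and a simplified QWERTY adjacency map. It shows that the look-alike 'super-com.co.uk' passes the padlock test (HTTPS) yet is flagged because its host is one adjacent-key substitution away from the trusted domain; the same edit-distance check also catches dropped or swapped characters.

```python
"""Flag URL hosts that are near-misses of trusted domains (added example, not the bank's code)."""
from urllib.parse import urlsplit

# Constructed trusted list: only the domain shown in the advert.
TRUSTED_DOMAINS = {"super-con.co.uk"}

# Simplified QWERTY adjacency (letters only), an assumption sufficient for this example.
KEYBOARD_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def registrable_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' removed; tolerates a missing scheme."""
    if "//" not in url:
        url = "//" + url  # lets urlsplit see the host without assuming https
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: substitution, insertion, deletion, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def adjacent_key_substitution(expected: str, actual: str) -> bool:
    """True when `actual` differs from `expected` in exactly one position by a neighbouring key."""
    if len(expected) != len(actual):
        return False
    diffs = [(e, a) for e, a in zip(expected, actual) if e != a]
    return len(diffs) == 1 and diffs[0][1] in KEYBOARD_NEIGHBOURS.get(diffs[0][0], "")


def classify(url: str) -> dict:
    """Return a verdict for the URL's host; the 'https' field is the padlock, judged separately."""
    host = registrable_host(url)
    result = {"host": host, "https": urlsplit(url).scheme == "https", "matches": None}
    if host in TRUSTED_DOMAINS:
        return {**result, "verdict": "trusted", "matches": host}
    for trusted in sorted(TRUSTED_DOMAINS):
        if osa_distance(host, trusted) <= 1:
            reason = "adjacent-key typo" if adjacent_key_substitution(trusted, host) else "one-edit look-alike"
            return {**result, "verdict": "lookalike", "matches": trusted, "reason": reason}
    return {**result, "verdict": "unknown"}


if __name__ == "__main__":
    for candidate in ("https://www.super-con.co.uk/", "https://www.super-com.co.uk/",
                      "https://supercon.co.uk/", "https://www.example.com/"):
        print(candidate, "->", classify(candidate))
```

The `https` field is deliberately kept apart from the verdict: the look-alike host is reported with `https` set to true, which is exactly the case the advert's advice does not cover. A real deployment would load the trusted list from the organisation's own domain inventory and extend the adjacency map to the full keyboard layout in use.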

In my opinion, the bank should have provided the advice to thoroughly check the URL as well as the presence of a ‘padlock’. This would promote the awareness of these two vulnerabilities and prevent the false sense of security that I believe they may be creating. For this reason, I believe we should question the effectiveness of this campaign.

With regards to relevance to this module, we should consider the over-simplification of awareness training demonstrated by this campaign.

Paul Alberry