
GeoTrust aims to get you off the phish hook

Sep 22, 2004 | 3 mins
Access Control, Enterprise Applications, Security

* GeoTrust's TrustWatch works to protect your online privacy

After the rather heavy discussions of policy over the past few weeks, I wanted to hang a “gone fishing” sign on my office door and take a break. Unfortunately, too many people, it seems, have “gone phishing” recently and it’s time we at Identity Management Central took notice of it.

If your inbox is anything like mine, you get a few e-mails each week (although it’s becoming almost a daily occurrence) from a bank, or credit card company, or service provider asking you to go to a site to re-enter your personal information due to some catastrophe or hacker break-in which has compromised your data.

One recent note I received began: “Recently there have been a large number of identity theft attempts targeting SunTrust Bank customers. In order to safeguard your account, we require that you confirm your banking details. This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.” Except I don’t have a SunTrust account.

Still, I’ve received similar notes that apparently do come from institutions with which I have an account. While it’s easy to spot the falsity of some, many people are caught by this “bait” (which is why it’s called “phishing”) and reveal their personal information to identity thieves. The question resolves to “how do I identify the legitimate and the fraudulent Web sites?”

Legitimate financial institutions have their Web sites certified. The certificate can be automatically checked by your browser, which can pop up a warning should there be a problem with the certificate. But if a site doesn’t have a certificate, then the browser has nothing to check. The fake sites that the phishers send you to don’t have certification.

GeoTrust wants to help.

GeoTrust’s major business is providing those certification services (along with a few other companies, such as VeriSign) but as Neal Creighton – president, CEO and co-founder of GeoTrust – told me last week, you can’t validate a non-existent certificate. So the company has gone one step further and released a free Web browser toolbar (currently supporting Internet Explorer 5.01 and above), which will give you a color-coded analysis of any Web site you visit. Using a standard traffic light metaphor, you’ll see a site’s status as soon as you go there:

* VERIFIED (a green light) – A Verified rating means that TrustWatch has checked that the site has been Verified by a Trusted Third Party and is not listed on the TrustWatch ‘blacklists’ of disreputable sites. 

* NOT VERIFIED (a yellow light) – A Not Verified rating means that TrustWatch cannot determine that the site has been Verified by a Trusted Third Party. However, the site has not been listed on the TrustWatch ‘blacklists’ of disreputable sites. You should use caution before exchanging sensitive or confidential information with this site.

* WARNING (a red light) – A Warning rating means that the site has been found on a TrustWatch ‘blacklist’ of disreputable sites and/or that a Trusted Third Party has indicated that the Web site’s identity should no longer be trusted. You should be advised that exchanging sensitive or confidential information with this site could put you at risk for identity and/or financial fraud.

Anticipating the reaction of the phishers, GeoTrust warns that Web pages that do not display the TrustWatch Toolbar (including newly displayed windows or pop-ups) should be considered Not Verified and submitting personal or confidential information is not recommended.
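The three ratings and the no-toolbar rule above amount to a small decision procedure with a fixed precedence. The sketch below is an added example, not GeoTrust's code: the list contents, the function names and the domain-matching rules are assumptions made for illustration.

```javascript
// Added illustration. The three lists are constructed sample data and the
// matching rules are assumptions, not TrustWatch's actual implementation.
const VERIFIED = new Set(["www.bank.example", "shop.example"]); // vouched for by a trusted third party
const REVOKED = new Set(["shop.example"]);                      // third party later withdrew trust
const BLACKLIST = new Set(["phish.example"]);                   // listed as disreputable

// True if the host or any parent domain is in the set (assumed rule).
// The bare top-level label is never tested on its own.
function matchesDomain(set, host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (set.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

function rateSite(rawUrl, toolbarVisible = true) {
  // Pages and pop-ups that do not display the toolbar count as Not Verified.
  if (!toolbarVisible) return "NOT VERIFIED";

  // Parse the address so the rating is keyed on the real host,
  // not on text that merely appears somewhere in the URL.
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return "NOT VERIFIED"; // unparsable address: nothing can be vouched for
  }

  // Red takes precedence over green: a blacklist hit or withdrawn trust
  // overrides an earlier verification.
  if (matchesDomain(BLACKLIST, host) || matchesDomain(REVOKED, host)) {
    return "WARNING";
  }

  // Verification is matched on the exact host only, so an unlisted
  // subdomain does not inherit a green light.
  if (VERIFIED.has(host)) return "VERIFIED";

  // Default: no evidence either way.
  return "NOT VERIFIED";
}
```

The default branch is the important design choice: absence of evidence yields yellow, never green.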

It’s free, it’s easy to install and it’s always working. Isn’t your identity worth doing that much?