Moaning about stuff - Ep 1 - Barclays Digital Safety TV Ad

Barclays have been advertising ways to protect against fraud for a while. Whether you trust them or not is another question, with adverts such as "don't give certain information over the phone to your 'bank'" being ironic: when I've had a phone call asking for information, hung up and then phoned Barclays to report it, I've been told it was them.

Good start Barclays! Well that's one reason I don't bank with them anymore.

However, on TV I noticed the new "Supercon" advert, which tries to teach that if a website doesn't have an SSL certificate it could be fake.

Now, just to make sure I haven't misunderstood it (my point being that even if a site has an SSL certificate it could still be fake), let's transcribe the advert. Oh, but it's on YouTube pre-transcribed! Here's the transcript.

SUPERCONNNNN!
DEFENDER OF THE GALAXY!
COMPLETE WITH POWERFUL DISK CANNON! AND REALISTIC SOUNDING JETPACK!
DEFENDER OF THE...
Oh, you know what, I can't do this, it's all rubbish.
It's a scam.
If you order me, you'll get nothing.
Look, in there, you need a padlock, when you pay for stuff.
If there isn't one, the website could be fake.
Oh, look at that.
Defeat online fraudsters this Christmas.

[Source - https://www.youtube.com/watch?v=YhQzDafPSWI , Accessed 9/11/2017]

Now let's look at the two lines mentioning the padlock (note: in the video he's pointing at the SSL padlock).

[Screenshot omitted: Screenshot-from-2017-11-09-09-15-16]

Look, in there, you need a padlock, when you pay for stuff.

If there isn't one, the website could be fake.

No matter how you look at this, the advert is saying that if there isn't a padlock the website could be fake, and is therefore teaching people that a padlock means the site is safe!

And with SSL certificates free, or costing only £5, don't you think there might be fake sites with padlocks?

I reported this one to Let's Encrypt for phishing.
[Screenshot omitted: Screenshot-from-2017-05-22-15-42-23]
I mean, it's got the green padlock. It must be PayPal, right?
Obviously the URL is fake, and now this site flags up as dangerous because Chrome has detected it as phishing.

Once again Barclays has taught the wrong thing. Here's a quick list of things I'd say to look for; HOWEVER, none of these on its own guarantees a site is safe!

1) SSL Certificates - Funny right?

Well, an SSL certificate helps a little to prove a site is genuine. However, SOME sites have slightly better certificates, where the company that issues them verifies that you are the company in question (although the methods they use to check could be argued with).

For example, let's use Barclays. They have an EV SSL certificate, where the company's name is shown in the certificate. EV certificates usually cost a lot more (I used to pay around £130 a year), and an address is usually validated as part of issuing them.

And inspecting it, we see that it's been allocated to Barclays.
[Screenshot omitted: Screenshot-from-2017-11-09-09-45-15-1]

Here's an example of the data from my free Let's Encrypt certificate, where it hasn't been allocated to any organisation.
[Screenshot omitted: Screenshot-from-2017-11-09-09-46-02]

2) The URL

Another simple check is the URL; with the PayPal phishing example it was clear it was not PayPal.

3) Pay using PayPal if possible

Most shopping sites will offer PayPal as well as debit/credit card payments; some might only offer PayPal, and others might also offer Amazon Payments, Bitcoin and more!

Clicking the PayPal button should then pop up a window or redirect you to PayPal. Making sure the SSL certificate shows PayPal, Inc. [US] and the URL has https://www.paypal.com is a safer way to make sure it is PayPal.

Also, when paying with PayPal, if you're like most people it would either already have you logged in and ready to pay, or have your login details automatically filled in by the browser (if you use that), or your password manager should detect it. If not, it might not be PayPal that you've been redirected to.

4) If you use autofill, trust it?

A very odd one for security. A lot of people would say autofill is bad; however:
If you already have accounts set up for sites you trust and get sent a link to one which is a phishing attempt, then unless the phishing site's URL is an exact match, the autofill won't have filled your details in.
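To make the points in items 1, 2 and 4 concrete, here is an added example (not code from the original post) that looks at what a padlock actually proves. It takes a certificate in the dictionary layout Python's `ssl` module returns from `getpeercert()`, checks whether the certificate covers the URL's hostname, reports whether an organisation name (the O= field an EV/OV certificate carries and a free domain-validated one lacks) is present, and mimics a password manager's exact-origin rule. The two certificates and the `.test` lookalike domain are constructed samples; hostname matching is simplified to subjectAltName DNS entries and does not replace a browser's full chain validation.

```python
from urllib.parse import urlsplit

# Constructed samples in the layout of ssl.SSLSocket.getpeercert() (no network access).
# A domain-validated (DV) certificate, like a free Let's Encrypt one, names no organisation.
DV_CERT_LOOKALIKE = {
    "subject": ((("commonName", "paypal.com.example-login.test"),),),
    "subjectAltName": (("DNS", "paypal.com.example-login.test"),),
}
# An EV/OV-style certificate carries an organizationName (O=) field for the company.
EV_CERT_PAYPAL = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "PayPal, Inc."),),
        (("commonName", "www.paypal.com"),),
    ),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
}

def _subject_field(cert, key):
    """Return one subject attribute (e.g. organizationName) from a getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def _dns_name_matches(pattern, host):
    """Match a SAN DNS entry against a hostname; a leading '*' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def hostname_matches(cert, host):
    """True when a subjectAltName DNS entry covers the host (the check behind the padlock)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(pattern, host) for pattern in sans)

def describe_padlock(url, cert):
    """Return (validation level, hostname, organisation) for the certificate shown on `url`."""
    host = urlsplit(url).hostname or ""
    if not hostname_matches(cert, host):
        return ("no padlock", host, None)  # browser would warn; the cert is not for this host
    org = _subject_field(cert, "organizationName")
    level = "organisation validated" if org else "domain validated only"
    return (level, host, org)

def autofill_would_fill(saved_origin, url):
    """Mimic a password manager: fill only when scheme and host match the saved origin exactly."""
    saved, current = urlsplit(saved_origin), urlsplit(url)
    return (saved.scheme, saved.hostname) == (current.scheme, current.hostname)
```

Run against the lookalike, the DV certificate gives a padlock but no organisation, and a saved www.paypal.com login is not filled in there; the EV-style certificate gives a padlock and names PayPal, Inc.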

5) Common sense!

And usually common sense is the best. Why is this item, which usually costs £50, available via this site for £5? Etc.

Remember, no one of these on its own means that a site is safe; you need to use all of them together to decide whether you think the site is safe or not.