Phalse Phishing Phear
27 January 2008
I decided to purchase a half pound of coffee from you to see if I
liked it. After selecting "add to cart" my Norton Antivirus program
alerted me that your website may be a "Phishing" website and would not
let me proceed. Is there some way you can verify your web site through
some program or service that would present it as a valid website? (so I
don't get a warning)
I have sent you this e-mail through a disposable e-mail address in case
my Norton is correct.
I don't expect a reply. I'll just check your website again in about a month
Thank you, Ron
Of course the worries in the above email are totally unfounded. Kona Earth
is a legitimate business and we have done everything we can to make our website
as secure and professional as possible. There is nothing we can do to stop
the false alarms displayed by some security software. It is very frustrating
for us to work so hard creating a legitimate business just to have it unfairly blocked
for no good reason. It is scary to think of how much business we have lost
because of "security" software like this. I'm sure this is not the first
or last time we've lost business and I'm sure Kona Earth is not the only legitimate
business being blocked.
In case you're not familiar with the term, phishing is when a
fraudulent entity imitates a legitimate entity in an attempt to gain
sensitive information. The most common example is a phishing email
that says something like "Click here to verify your account
info." The email link may look valid but will take you to a fraudulent
website. Being tricked by a clever email is one thing, going
to a fake website on your own is far less likely.
Ron, the sender of the above email, found our website through a search
engine. He browsed around the website some, including a couple of the
blog entries which have pictures of our kids. He went to the Shop page
next and picked out some coffee he wanted to buy but when he tried to add it
to the shopping cart his Norton "security" software popped up and warned him
that Kona Earth might be a phishing website.
I'd like to think that at this point most people would say to themselves
"Kona Earth isn't a phishing website. A phishing website
wouldn't have pictures of that farmer dude and his kids. My silly
security software must be lying to me again."
The trouble with "security" software is that it often creates more problems
than it solves. It slows your system horribly, eats up
valuable hard drive space, creates all sorts of false alarms and is
generally a big pain in the neck. Even if you have the latest version
of Norton installed it is still quite easy to download viruses or
upload sensitive information.
The "security" software industry is very analogous to airline
"security" provided by the TSA. The TSA will
touch women's breasts,
confiscate your toothpaste and lie to you about needing to
show your ID
on board airplanes. The TSA provides
not real security.
Prior to 9/11 we had all been trained that if there was ever a
hijacking we were supposed to sit quietly in our seats and allow the
authorities to handle the situation. The 9/11 hijackings were
performed with box cutter knives. Now, if there is ever a hijacking
again, future hijackers will need a lot more weaponry than tiny knives.
Airline security is an important issue, I just don't think the TSA is the
Internet security is similar. There are plenty of ways for dishonest people
to abuse the Internet and you can't rely on someone else to protect you.
Most people have learned to not open unknown email attachments or click on
suspicious links that ask for personal information. Many people have
even learned that the 's' in https means the website is using SSL security.
A little knowledge and common sense does a much better job of providing
security than any third-party software ever can.
My specific problem stems from the fact that the Kona Earth website
does not have its own SSL certificate. (UPDATE: We do now have our
own SSL certificate so a URL redirect is no longer necessary.)
Most small businesses use
shared SSL certificates, it is a well known and accepted practice.
Using a shared SSL certificate means that when browsing the Kona Earth
website your browser will show KonaEarth.com as the domain but when you
add something to your shopping cart it will show
as the domain.
This is because the SSL certificate we use is owned by Yahoo! which
requires the domain redirection to their SSL servers.
The obvious solution is to get our own SSL certificate. SSL certificates
are not cheap and would not be cost effective for us. Very few small
businesses have their own SSL certificate. Many small business barely
understand how to make changes to their website and are totally ignorant of
things such as SSL certificates and server redirects. Expecting every
website to get its own certificate is not realistic and would create problems
of its own. Symantec (i.e. Norton) and McAfee understand all of this and
their software should behave accordingly. But it doesn't.
The "security" software industry has different motives. Symantec does
not make money if their software sits there quietly, they sell far more
products if their software displays lots of warnings and feeds people's
worries. Anti-virus software comes pre-installed on many computers and
is more difficult to uninstall than AOL. The software takes over your
computer and looks for any possible threat, real or imagined, then doesn't
hesitate to cry wolf. Feeding the public's paranoia is good for
business. It's like overzealous TSA agents confiscating bottled water
and arresting anybody that looks foreign just to show that they're doing their job.
Kona Earth uses Yahoo! as a service provider. Yahoo! is no novice to the
Internet industry and they certainly understand the troubles with phishing.
Unfortunately Yahoo! has done very little to help small businesses with
this issue. Yahoo!'s help center suggests using frames or subdomains to
hide the redirect. This would hide the SSL lock icon and make the problem
worse instead of better.
I have tried to contact both Symantec and Yahoo! but so far only Yahoo! has
responded. It took a few tries but I actually managed to get someone on
the phone that had a clue. Surprisingly, he spoke perfect English and
quickly understood the problem. He even admitted that he gets several
phone calls per month about the same thing. He then went on to say that
there was nothing Yahoo! could do and the SSL redirect is just the way
their servers work.
I doubt I will ever hear from Symantec. I wish I could get
Symantec to be a little more responsible about issuing false warnings but I
suspect they will only get worse, not better. This problem is absolutely
costing me sales. I'm sure there are thousands of small businesses losing
sales every day because of Symantec. Most small businesses don't realize
they are losing money but that doesn't excuse Symantec. If I wasn't so
averse to lawyers I might be tempted to think that this issue is prime for a
class action lawsuit.
I wish I could reassure Ron and others like him that Kona Earth's website is
legitimate. I emailed Ron but he gave me a disposable address that he
uses for spam so he will probably never receive my email. I'm sure
there are many others like him that don't even bother to email.
It's fine if customers don't want to use our shopping cart, they can email
us or call us or even visit the farm. Our
return policy and new
all state our contact information. The bottom of every page
shows our email information. We use SSL security and our shopping
cart is as safe as we can make it. We don't know what else to do.