VeriSign, Pillar of Internet Security, Hacked


VeriSign Inc., the company responsible for assuring that more than half the world’s websites are authentic, was hacked multiple times in 2010, and the thieves succeeded in stealing information.

The company is one of the major pillars of the Internet, responsible for assuring the authenticity of many major websites that end in .com, .gov and .net. VeriSign also processes up to 50 billion web queries a day, defends companies’ websites against cyber attacks, and tracks international hackers.

Some computer security experts worry that this could shake the very foundations of the Internet.

“It represents an attack on the rails of trust of the Internet,” says Brian McGinley, chief of data risk management for Identity Theft 911, Credit.com’s sister company. “This was the last bastion of what you could trust.”

The security breaches were reported in a quarterly filing in October 2011 with the Securities and Exchange Commission. The filing was first discovered by Reuters. According to VeriSign’s account, the company was the victim of “several successful attacks against its corporate network,” sometime in 2010.

VeriSign told federal regulators that its Domain Name System network—the part of the company that provides the domain services of many major websites—was probably not affected.

“We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network,” according to the company’s filing for the fourth quarter of 2011. VeriSign did not respond to calls seeking comment for this story.

But the announcement fell short of an ironclad guarantee, McGinley says. And it made clear that at least some data from its corporate computer systems was stolen, though the exact nature of that information remains unclear.

VeriSign’s prominence, and its importance to the safety of the Web, makes the breach especially troubling, according to some security experts.

“VeriSign is the major player in website authentication and registration,” says Ondrej Krehel, information security officer at Identity Theft 911. “It shows there’s a significant weakness among the companies that provide trust on the Internet. It calls into question trusted authentication and domain model on the Internet. Completely.”

Update: In 2010, Verisign, Inc., sold the portion of its business that provides secure authentication via secure certificates to Symantec. Symantec released a statement saying that the SSL certificate business it acquired from Verisign, Inc. was not impacted by the breach.

What Might This Mean?

The trouble is endemic to the fundamental architecture of the Web. When users click on a website, or on a hyperlink that would carry them to a secure website, their browser should automatically check the site’s security certificate to make sure that it’s authentic. If there’s a problem with the certificate, the browser may present a warning screen advising the user of possible security threats, or it may block access altogether.

If hackers gain access to those certificates, however, they can make their own copy that looks exactly like the real thing. That would enable them to run a virtually foolproof phishing scheme, diverting users to a fake website in order to steal account passwords, Social Security numbers and other valuable private data.

Hackers pulled off a similar successful attack in March 2011 against Comodo, a company that, like VeriSign once did, issues security certificates for websites. The attack was discovered and thwarted within hours, enough time for the hackers to copy the certificates of seven websites, according to a blog post by the company.

“If you have these certificates, you have the ability to recreate any trusted website,” McGinley says.

The attack on VeriSign was more worrisome, McGinley says, partly because the company is much larger than Comodo, and handles significantly more websites. VeriSign claims its information security group shut the breach down, and is doing its best to prevent similar attacks in the future. But the company remains unsure whether those steps will work.

“(G)iven the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information,” according to the filing.

Deeper Issues

Also, the company’s filing suggests that its internal reporting systems may have been faulty. “(T)he attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011,” even though the breaches occurred sometime in 2010, according to the report.

Perhaps even more troubling, there is little that consumers or legitimate companies can do to protect themselves from such an attack if in fact certificates were compromised, Krehel says. Since a fake website with a real certificate looks and functions just like the real thing, there’s no way for users to tell the difference. And it would be difficult for a large website like Google or Bank of America to detect such a scam, since hackers would likely divert too few users to be detected.

“In the digital world, a copy is as good as the original,” Krehel says. “And the real companies wouldn’t find it out. The bad guys are smart. Once they got what they need, they would shut it down.”

VeriSign acknowledges that its computers, which are central to the functioning of the Internet, remain vulnerable.

“The Company as an operator of critical infrastructure is frequently targeted and experiences a high rate of attacks. These include the most sophisticated form of attacks…making these attacks virtually impossible to anticipate and defend against,” according to the company’s disclosure. “Despite our security measures, our infrastructure may be vulnerable to physical break-ins, computer viruses, attacks by hackers or nefarious actors or similar disruptive problems.”

Image: ~Brenda-Starr~, via Flickr.com
