The Green Sheet Online Edition

April 11, 2011 • Issue 11:04:01


Comodo compromise draws swift response

In a recent cyber attack, nine secure sockets layer (SSL) certificates covering seven domains were fraudulently obtained from a registration authority (RA) affiliated with the Comodo SSL Certification Authority (CA). Comodo issued an incident report March 15, 2011, stating that all nine certificates had been revoked; the affected domains belonged to Mozilla, Firefox, Yahoo and others. The RA account in question was suspended pending further forensic investigation.

Web security expert Phillip Hallam-Baker stated on a Comodo blog that the "attacker obtained the user name and password of a Comodo Trusted Partner in Southern Europe." He added that the information was used "to log in to the particular Comodo RA account and effect the fraudulent issue of the certificates. ... While the involvement of two IP addresses assigned to Iranian ISPs is suggestive of an origin, this may be the result of an attacker attempting to lay a false trail."

Comodo's incident report provided an interpretation of the attack. "The circumstantial evidence suggests that the attack originated in Iran," the report stated. "The perpetrator has focused simply on the communication infrastructure, not the financial infrastructure as a typical cyber-criminal might. The perpetrator has executed its attacks with clinical accuracy."

Comodo founder and Chief Executive Officer Melih Abdulhayoglu said the attack targeted the "Authentication" layer of the Internet and "what is being obtained would enable the perpetrator to intercept web-based email/communication."

SSL is widely considered the most popular security protocol on the Internet. Digital certificates issued by third-party CAs are what let a web browser confirm that it is talking to an authentic website before it establishes a secure connection with that site.

"Being in that kind of a position at an ISP and trying to fraudulently obtain certificates for some of these social media services and communications services, that's definitely a strong indication of somebody wanting to get in the middle of the communications between two points, somebody using that service and the provider of that service," said Brian Trzupek, Vice President of Managed Identity and SSL for Trustwave.

Trzupek further stated that, in this case, "it definitely seems like the attack was more coordinated from one geographic region, specifically one ISP within that country. And at the ISP level you have more controls over what you can do on the network if you're trying to fraudulently do something, because you're controlling the network for that country, in effect."

Payments industry not targeted

According to Comodo, circumstances surrounding the incident suggest the motive of the attack was not financial. "To make use of the fraudulently issued certificates, the perpetrator would have to have the ability to direct Internet users to their fake sites rather than the legitimate ones. This in turn requires control of the DNS [domain name system] infrastructure, which requires government-level resources to achieve on a large scale or for an extended period," Comodo reported.

While the payments industry was spared this time, future attacks could penetrate further. In this case the fraud was detected early, but according to Trzupek, Google Inc. indicated the same login credentials could be used for some payment services on the Google network. Trzupek added that in Mozilla's case, organizations with financial plug-ins that work with Firefox could also be compromised.

Steps to avert future attacks

Following the Comodo incident, members of the CA/Browser Forum, an organization of leading CAs and certain application software suppliers that publishes guidelines standardizing the issuance and management of extended validation certificates, held discussions on preemptive measures to prevent future attacks.

"We just had a call last week, and it's mostly confidential information, but everybody that's there is completely interested in what has happened here," said Trzupek, who is a member of the forum. "One of the good things here is that it's caused a lot of us CAs to communicate about things that I don't think people have communicated about much in the past. There's a broader sense of us communicating and working together as a more secure network of individuals, instead of working in silos and trying to shield that from each other."

Comodo, too, has forged ahead with its own security efforts, reporting that new controls have been introduced in the wake of this latest threat to the authentication platform. "The threat model is changing, and Comodo had already initiated a proposal for new standards in 2010, which would help mitigate some of these attacks," Abdulhayoglu said.
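The simplest form of the controls described above is monitoring of RA account behaviour: a partner account whose stolen credentials are used to issue certificates for high-profile domains, in a burst, from a region it never operates from, looks nothing like its normal traffic. The following Python script is an added example, not code from The Green Sheet, Comodo or the CA/Browser Forum; it runs three such rules over constructed issuance records (the account name, country profile, domain watchlist, domains and timestamps are all assumptions) and flags the pattern the article describes. As the article itself notes, source IP addresses can be a false trail, so the geography rule is a trigger for manual review rather than attribution.

```python
"""Added example, not from The Green Sheet article or Comodo's own systems:
a detection pass over constructed RA issuance records, flagging the pattern the
article describes (a partner account suddenly issuing certificates for high-profile
domains, in a burst, from IP addresses outside its usual region).
Account name, country profile, watchlist and log lines are all assumptions."""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Issuance(NamedTuple):
    ts: datetime
    account: str   # RA (partner) account that submitted the request
    country: str   # geolocation of the requesting IP (ISO 3166 code)
    domain: str    # subject name the certificate would be issued for


# Constructed log lines: "<timestamp> <ra_account> <source_country> <domain>".
# The first three are routine issuances; the rest mimic a stolen-credential session.
SAMPLE_LOG = """\
2011-03-10T09:12:00Z ra-partner-eu IT shop.example-retailer.it
2011-03-11T14:03:00Z ra-partner-eu ES www.example-bank.es
2011-03-14T16:40:00Z ra-partner-eu PT mail.example-hotel.pt
2011-03-15T03:05:11Z ra-partner-eu IR login.example-webmail.com
2011-03-15T03:05:48Z ra-partner-eu IR www.example-social.com
2011-03-15T03:06:20Z ra-partner-eu IR addons.example-browser.org
2011-03-15T03:07:02Z ra-partner-eu IR mail.example-webmail.com
2011-03-15T03:07:40Z ra-partner-eu IR www.example-chat.com
"""

# Assumed per-account profile: where this partner's requests normally come from.
ALLOWED_COUNTRIES = {"ra-partner-eu": {"IT", "ES", "PT"}}
# Assumed watchlist: domains whose issuance must always go to manual review.
HIGH_VALUE_SUFFIXES = ("example-webmail.com", "example-social.com", "example-browser.org")
BURST_COUNT = 4                       # this many requests ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst


def parse_log(text: str) -> list[Issuance]:
    """Parse the whitespace-separated log format defined above."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, account, country, domain = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Issuance(when, account, country, domain))
    return records


def detect_anomalies(records: list[Issuance]) -> list[tuple[str, str, str, str]]:
    """Return (rule, account, domain, detail) tuples for every suspicious issuance.

    Rules:
      geo        - request geolocated outside the account's profile. An attacker
                   may lay a false trail, so this is a review trigger, not attribution.
      high_value - subject matches the watchlist regardless of origin.
      burst      - BURST_COUNT requests from one account within BURST_WINDOW.
    """
    alerts = []
    recent = {}  # account -> deque of request timestamps inside the burst window
    for r in sorted(records, key=lambda rec: rec.ts):
        allowed = ALLOWED_COUNTRIES.get(r.account, set())
        if r.country not in allowed:
            alerts.append(("geo", r.account, r.domain,
                           f"request from {r.country}, profile {sorted(allowed)}"))
        if r.domain.endswith(HIGH_VALUE_SUFFIXES):
            alerts.append(("high_value", r.account, r.domain, "watchlisted subject"))
        window = recent.setdefault(r.account, deque())
        window.append(r.ts)
        while r.ts - window[0] > BURST_WINDOW:   # drop requests older than the window
            window.popleft()
        if len(window) == BURST_COUNT:           # fire once, when the threshold is first crossed
            alerts.append(("burst", r.account, r.domain,
                           f"{BURST_COUNT} requests since {window[0].isoformat()}"))
    return alerts


def alert_counts(alerts) -> Counter:
    """Tally alerts by rule, the figure an analyst dashboard would show."""
    return Counter(rule for rule, *_ in alerts)


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG))
    for rule, account, domain, detail in found:
        print(f"{rule:10} {account} {domain}: {detail}")
    print(dict(alert_counts(found)))
```

On the constructed log the three routine issuances pass silently, while the five night-time requests trip the geography rule, four of them hit the watchlist and the fourth request in two minutes opens a burst alert; any one of those would justify holding issuance on the account until a human confirms the partner actually made the request.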
