An entire industry is devoted to protecting you online. It's about time we took phone scams as seriously.

I talk a lot about the security problems and weaknesses of the internet, as well as the devices connected to it. It’s all true, and we badly need improvements. Yet the irony is that security in our online world is actually better than in our physical world.

Think of how many people are scammed by someone phoning to say their computer is infected and needs repair. As InfoWorld’s Fahmida Rashid recently chronicled, the callers typically say they’re with Microsoft or a Microsoft partner, and that your computer is infected and needs fixing immediately. Unfortunately, millions of people fall for this scam and end up installing malicious software on their systems. They sometimes even pay for the privilege, compromising their credit card numbers in the process.

The problem is that there’s no easy way in the real world to quickly prove these phone solicitors are fake or legitimate. In the digital world, all the major browser and email makers spend a significant part of their coding effort on detecting pretenders. My browser URL bar turns green in approval when I visit a legitimate website protected by an Extended Validation digital certificate. That means I can trust it.

There’s nothing like that in the physical world. In the case of the fake Microsoft repair company, the best I can hope for is to independently call the right Microsoft phone number and ask for verification. Any of Microsoft’s trained responders will readily and quickly tell you that you’re being scammed — mainly because Microsoft doesn’t proactively call people to tell them their computer is infected. But unless you know the phone number (800-426-9400) or the Microsoft website, or you enter the right words in an internet search engine, it’s going to take time and possibly a bunch of calls to get an answer.

That’s not Microsoft’s fault. It’s a huge, global company with tons of locations and products. It has blogged about Microsoft phone scams dozens of times over the years, and it does advertise the right numbers and places to call for such inquiries. However, not everyone has heard of the scams or knows where to go when they have a question, so it takes effort. Contrast that with looking at a green URL bar for one second.

A few times I’ve been called, out of the blue, by a company I’m already affiliated with, offering deals I’d normally be interested in — say, faster internet for less per month. It sounds great, and the company is ready to sign me up, but then asks for my “account password.” I ask the representative to tell me the account password on file so I can verify it, but he or she says it doesn’t work that way. Thus, I hang up. If I try to call back on the general, advertised phone number to get the same deal, it takes me an hour, or I can’t find that call center at all.

My bank recently did the same. It was proactively calling to report that my debit card had been compromised. My bank had never called me before. How would I know that this complete stranger on the phone is who they say they are?

Brian Krebs recently related a story in which digital scammers claiming to be from Google called someone who used a two-factor-enabled Gmail account and asked the user to tell them the code sent to the victim’s phone (via SMS) to verify the account. Luckily, the victim was suspicious and brought in her security-minded dad, and they didn’t give up the code.

But it got me thinking. In this particular instance, two-factor digital authentication was the strongest part of the authentication chain. The phone call was the weak link and not easily verifiable. The National Institute of Standards and Technology (NIST) now advises that SMS-sent two-factor authentication codes aren’t to be trusted, or at least not as much as we once thought.
But to be honest, most of the problems with two-factor authentication using SMS verification apply to the phone, not the computer.

We need a system that allows phone calls to be quickly and accurately verified. I want EV certificates for the physical world! I want multiple defensive software programs that investigate my incoming calls and alert me if something seems risky. Today most of those calls come in over cellphones. I have to think a centralized phone number repository and a local phone app could solve much of the problem. Heck, we’d easily be able to kill unsolicited junk calls at the same time.

The online world is nowhere near perfectly secure. But I’m quickly starting to realize that, though insecure, the digital world is often in better shape than the physical world. How about that irony?