Security Risks of Online Political Contributing
Security researcher Christopher Soghoian gave a presentation this month warning of the potential phishing risk caused by online political donation sites. The Threat Level blog reported:
The presidential campaigns’ tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms, creates a conducive environment for fraud, says Soghoian.
“Basically, the problem here is that banks are doing their best to promote safe online behavior, but the political campaigns are taking advantage of the exact opposite,” he says. “They send out one million e-mails to people designed to encourage impulsive behavior.”
He characterizes the current state of security of the presidential campaigns’ online payment systems as a “mess.”
“It’s a disaster waiting to happen,” he says.
Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns’ sites and similarly send out such e-mails that would encourage people to “donate” money without checking for the authenticity of the site.
He has a point, but it’s not new to online contributions. Fake charities and political organizations have long been problems. When you get a solicitation in the mail for “Concerned Citizens for a More Perfect Country”—insert whatever personal definition you have for “more perfect” and “country”—you don’t know if the money is going to your cause or into someone’s pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.
In the end, contributing money requires trust. While the Internet certainly makes frauds like this easier—anyone can set up a webpage that accepts PayPal and send out a zillion e-mails—it’s nothing new.
SteveJ • October 16, 2007 1:28 PM
Of course there are two different issues here: trust and identity.
Creating a false charity/campaign, which doesn’t really do what it claims with donated money (trust), isn’t quite the same thing as posing as a particular charity/campaign and pocketing the donations (identity).
It amounts to much the same thing to someone who is successfully scammed, but the countermeasures are different.