Security Risks of Online Political Contributing

Security researcher Christopher Soghoian gave a presentation this month warning of the potential phishing risk caused by online political donation sites. The Threat Level blog reported:

The presidential campaigns' tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.

"Basically, the problem here is that banks are doing their best to promote safe online behavior, but the political campaigns are taking advantage of the exact opposite," he says. "They send out one million e-mails to people designed to encourage impulsive behavior."

He characterizes the current state of security of the presidential campaigns' online payment systems as a "mess."

"It's a disaster waiting to happen," he says.

Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns' sites and similarly send out such e-mails that would encourage people to "donate" money without checking for the authenticity of the site.

He has a point, but the problem is not unique to online contributions. Fake charities and political organizations have long been problems. When you get a solicitation in the mail for "Concerned Citizens for a More Perfect Country" -- insert whatever personal definition you have for "more perfect" and "country" -- you don't know if the money is going to your cause or into someone's pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.

In the end, contributing money requires trust. While the Internet certainly makes frauds like this easier -- anyone can set up a webpage that accepts PayPal and send out a zillion e-mails -- it's nothing new.

Posted on October 16, 2007 at 12:20 PM • 13 Comments

Comments

SteveJ • October 16, 2007 1:28 PM

Of course there are two different issues here: trust and identity.

Creating a false charity/campaign, which doesn't really do what it claims with donated money (trust), isn't quite the same thing as posing as a particular charity/campaign and pocketing the donations (identity).

It amounts to much the same thing to someone who is successfully scammed, but the countermeasures are different.

sooth_sayer • October 16, 2007 1:44 PM

The real risk of course is that everyone finds out you are a real dunce for giving money to the crooks, which almost all politicians with very very very very very few exceptions are.

Beta • October 16, 2007 2:57 PM

I've long held the opinion that charities are in the business of selling warm feelings. How many philanthropists actually check to see what happens to their donations? I'm never very surprised to hear that some organized charity has been pocketing 99% of what it collects (although I am still a little shocked when one makes things worse for the sake of its own business, e.g. buying children in Africa at well above market price and setting them free, thereby breathing life into a dwindling slave trade). An organized charity takes your money and lets you feel virtuous, and a fraud can do just the same thing.

Rich Wilson • October 16, 2007 3:40 PM

I take exception to: "banks are doing their best to promote safe online behavior"

Banks are doing their best to maximize their profits, which means balancing the savings of safe online behavior with the cost of promoting such behavior.

At the risk of sounding like a broken record, banks could do a great deal by not putting any links in any emails, and including a short note explaining why. Users would get used to this, and not jump to click every link in an email.

AFAIK only one bank does this: the Royal Bank of Canada.

guvn'r • October 16, 2007 3:49 PM

@Rich Wilson, many banks and other financial institutions avoid such links. Even if they all did there would be so much spam embedding links that most users would never learn.

Anonymous • October 16, 2007 4:06 PM

@sooth_sayer the real risk is ending up giving money to the wrong side, and being found out.

Say some unscrupulous campaign sets up a fake website purporting to collect donations for their opponent. Not only do they identify his supporters for special attention, they collect the funds to pay for their activities focused on those supporters.

Pat Cahalan • October 16, 2007 5:05 PM

This isn't limited to online fraud; parking lot setup tables, door-to-door, mailings, I can think of a number of ways to leverage this sort of attack.

The problem is compounded by the fact that nonprofits and political organizations are exempted from spam/cold calling rules (at least in the US). I personally avoid this by making a blanket policy not to give money over the phone or online unless I instigated the transaction myself, by finding the charity/political campaign contact information and originating the transaction.

It does lead to an awful lot of, "Sorry, I don't donate over the phone" conversations, though.

Alan • October 16, 2007 8:50 PM

So... where exactly would be the difference between giving money to fraudsters and giving money to fraudsters impersonating other fraudsters?

Frances • October 16, 2007 9:19 PM

And, Rich Wilson, I take exception to your whole comment. I have never received an e-mail from either of my 2 Canadian banks, let alone one with links in it. And my banks' websites say over and over again that they will never ask for private information in e-mails to their customers.

Also, I presume that you would prefer a bank that makes a profit to one that doesn't.

SteveJ • October 17, 2007 4:51 AM

@Alan: "So... where exactly would be the difference between giving money to fraudsters and giving money to fraudsters impersonating other fraudsters?"

The difference is that if I give money to a fraudster (especially if I am a professional lobbyist), then I might get something in return (e.g. pork-barrel legislation). If I give money to a fraudster impersonating a fraudster, then I definitely get nothing.

markm • October 17, 2007 7:35 AM

So the difference is in whether the person making the contribution actually gets legislation to screw others, or just gets screwed.

Too bad I'm too honest for even that justification for fraud to work...

Mr B • October 17, 2007 9:26 AM

Rich Wilson - To be honest, it makes fuck all difference if a bank sends out emails with links in or not.

Customers will always be stupid, and people who have never, ever received an email from their bank will still click on the link.

People who, after they have logged onto internet banking, get presented with a HUGE window saying "Don't click on links!" will click on the link. Then they give their details to the fraudster, then they tell the bank they would never do such a thing.

People who are not even customers of that particular bank will, instead of being suspicious, call the bank to tell them to stop sending them emails, or will forward it to a friend in case they have an account with that bank.

Such is the fantastic human brain.

Anonymous • October 17, 2007 6:22 PM

Well, perhaps there's an upside to all this... if the political contribution sites get scammed and the politicos don't get the monies they were expecting, perhaps they'll finally get some legislation and efforts with teeth in them to address the frauds, web security, etc.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.