[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 10 December, 2004, 12:34 GMT
Beware the dark side of the net
Will the dark side of the web damage online confidence, wonders technology analyst Bill Thompson.

Computer user
Surfers need to be wary of phishing e-mails and other net dangers
Three years ago I bought my dad and his partner a laptop for Christmas, and since then I have watched with delight as they have taken to the net and all it offers.

Aileen in particular embraced the new technology as if born to it, signing up for training courses, buying a desktop machine to go with the portable and even making the big leap to broadband earlier this year.

Yesterday I discovered that she has joined the eBay junkies, with a bit of hand-holding from her daughter, and is merrily bidding away for china plates to replace broken items in her favourite dinner service.

Sadly, however, it seems that she is not quite as clued in to internet security as she might be.

She asked me why her computer kept telling her there were updates to install every couple of days and whether it was OK to ignore it, assuming that because she was always on, everything would just be sorted for her.

A quick tutorial in the mysteries of Windows Update was called for, but I also know that next time I go to visit I will have to put aside some time to search for spyware, adware, malware and all the other nasty programs that find their way onto the hard drive of the unwary user.

Fortunately she does realise that there are people out there who will try to trick her into giving away her username and password, and knows to avoid links in dodgy e-mails that might take her to phishing sites that look legitimate but are put there by fraudsters.

Pop-up tricks

Sadly for Aileen, I have just come across a new trick that might get round her defences. In fact it would almost certainly have got round mine.

Net security firm Secunia has discovered a way to use pop-up windows to fool even cautious users into thinking they are on an official site when in fact they are giving information to a phisher.

What happens is that a user clicks on a link in an e-mail or on a web page, and their browser opens up the real site, a bank or auction house, say.

Bill Thompson
It is already hard enough to make money online, and if people stop trusting the web for shopping or banking then we could see online retail growth level off or even stop altogether

But at the same time an invisible window onto a malicious site is opened. Then if the legitimate site opens a pop-up window, as many do, the malicious site is able to hijack it and write whatever it wants onto the screen.

This could be a link to another part of the malicious site or even a form asking for login details.

I tried it myself, using the demonstration on Secunia's website, and it worked with both Firefox and Internet Explorer.

Perhaps the worst thing about this exploit is that it is not technically speaking a bug. Everything works as it is supposed to, and there are no program errors or sneaky viruses involved.

It is just that the way pop-ups are handled by browsers does not inform the user when another browser overwrites the content that has been written by the original site.

The programmer in me admires the exploit. It is, after all, a cool trick, a bit of prestidigitation that merits applause.

Unfortunately this particular sleight of hand will not be used to charm innocent children or entertain seaside crowds. Its target will be the legions of online shoppers, auction hounds and anyone who banks online.

Of course it is only effective because most pop-ups do not display the browser address bar so you cannot actually see which website is being visited, but there are millions of sites out there which would have to be changed in order to implement this.

A quick fix would be for the browser itself to refuse to hide the address bar - an inconvenience for many but some protection for the innocent, but that will take time to implement and would require every user to update their software, something that is notoriously difficult to achieve.

Trust online

The new exploit is unnerving, but it is worth getting the danger in context before we panic.

While security firm MessageLabs has detected over 18 million phishing e-mail messages so far, a tenfold increase from the previous 12-month period, the actual losses seem lower than originally feared.

TowerGroup estimate that worldwide fraud losses from phishing will total $137m in 2004, a lot less than the $500m figure put about in September by the online privacy organisation TRUSTean.

Login screenshot
People need to trust in the net to take up online banking
Of course, even $137m is a lot of money, and for an individual who loses a few thousand the experience can be devastating.

But the wider impact may not be felt by the banks but online businesses as consumer confidence is dented. It is already hard enough to make money online, and if people stop trusting the web for shopping or banking then we could see online retail growth level off or even stop altogether.

I rarely use online auctions, partly because I crave immediate consumer gratification when I am buying and do not like the tension of bidding, but mostly because I can generally find things I want elsewhere.

But last week I tried to buy tickets to go and see the Kings of Leon in Cambridge as my daughter is a serious fan, and eBay was the only sensible option

In the end the price went too high for me to pay, but now that I am signed up I have been getting e-mails from them. And this morning I got an invitation to take part in a Christmas treasure hunt.

At least, it might have been. It came from an odd address and the links did not look quite legitimate so I deleted it instead of checking it out. I am not that interested anyway, and why take the risk?

Response rates to online advertising are already low, and many users have spam filters and other technologies in place to stop e-mails getting through.

If people are going to delete any e-mail that they are remotely suspicious of, and refuse to hand over personal details to websites when asked, then it is going to get very hard indeed to do business online.

Sorting out online security, clamping down on the fraudsters and stopping the scams has to be a priority, because without e-commerce the modern internet simply would not exist.

The net may have started as a publicly funded resource, but these days it is a private sector operation.

And I cannot see it being taken back into public hands if it is not commercially viable, at least not in the US or the UK.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.

The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific