Friday, March 5, 2010

"ControlScan" Security Seal Fraud Exposed

The first domino has fallen... and it's about damn time.

The Federal Trade Commission has settled with the cheats over at ControlScan over their "misleading practices" and lying to customers about their site security.  DarkReading has more on the story here.  Personally, I think the opening paragraph of the summary says it best:

"ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Web sites, has agreed to settle Federal Trade Commission charges that it misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices. The settlements will bar future misrepresentations. The founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains."

Of course, some of us have been blogging and screaming about this type of crap for months, some of us years.  These "security seals" have always been seen as a joke by anyone with an ounce of brainpower and understanding of how security works - but people like the ControlScan folks have been peddling this crap to customers who own websites and don't actually care about their customers' security - only their money.  Whether you're talking about the ControlScan Seal, the HackerSafe seal, or the HackerProof seal - and there are others - it's all crap.

I fully realize that most of the security literate who read this blog know this already... and you're probably like me - when you see one of these seals you run and never go back to the site.  The problem is that the average web-surfing Joe doesn't know better and sees one of these idiotic seals and thinks they're safe.

It's good to see the FTC has finally woken up and is doing something about these deceptive vendors selling a false sense of security.  I can't wait to see the rest of them get lined up and taken down.

4 comments:

shewfig said...

That's why I use Scanless PCI for my personal website needs - it conveys exactly the same level of trust and assurance as all of the other embedded logos.

Anonymous said...

I'm totally with you. I wrote about these guys a while back. Glad to see the FTC cracking the whip.

http://www.redspin.com/blog/2009/09/16/automated-scanning-vendors/

Joseph said...

I work for VeriSign, which has a trust seal product (the VeriSign Trust Seal), so my thoughts are probably going to be taken with a grain of salt. However, I think it does depend on the seal -- anyone at all can issue or receive a seal that means nothing, but there are some "seal" features that are worth having. VeriSign's, for instance, comes with 24-hour malware scanning and erasure technology, and the same identity authentication process that our SSL customers enjoy.

The point being that it's a shame that security seals in general have been so misleading, because there ARE reputable ones (even if what makes them reputable has nothing to do with the actual seal itself). And, of course, caution should be exercised on ANY website, whether there's a seal or a padlock or nothing.

Anonymous said...

As a tiny retailer, sole proprietor, no web presence, my bank via the mandate of Visa/MC c/o wall st. big boys -- makes us complete a senseless ANNUAL QUESTIONNAIRE and charges us nearly $6 a month for nothing. THEY DON'T EVEN BEGIN TO ASK THE RIGHT QUESTIONS. MY BANK SAYS THEY CAN DO NOTHING ABOUT IT. I'M OUTRAGED!!!!!
