The politics of phishing

In early October of this year, Indiana University graduate student Christopher Soghoian gave a presentation in Washington, DC about the potential risks of online political contributions. While I wasn't able to attend the presentation (I was about 1,500 miles away from DC at the time), the subject is an interesting one at first glance. Soghoian's claim is that online political contribution channels provide a brand new means of defrauding Americans.

In the words of the above-linked Wired article:

The presidential campaigns' tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.

One wonders what behavior in particular Soghoian observed that prompted him to address the matter. In some respects, it seems he might be reacting to the pledge drives for Republican candidate Ron Paul, a dark horse candidate who went from "no chance in the world" to "largest single day of campaign contributions before the primaries in history", in part because of such a pledge drive. The Remember the 5th of November donation drive netted him more than four million dollars of donations in a single day.

There are of course other candidates attempting to achieve similar results. They tend to differ from the Ron Paul effort in a number of ways, however:

  1. They aren't generally grass-roots efforts. Most pledge drives for other candidates are organized with the official sanction and aid of the respective campaigns themselves, whereas the Ron Paul funding drive was organized as a grass-roots effort. There's another such effort gearing up for December 16th, too, apparently affiliated with the same people who got the November 5th effort going.
  2. They have not, at least so far, been as successful in terms of the money gathered or the sheer number of contributors.
  3. Nobody seems to care.

As such, it seems reasonable to assume the target of Soghoian's concerns is the Ron Paul campaign.

Again, from the Wired article:

Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns' sites and similarly send out such e-mails that would encourage people to "donate" money without checking for the authenticity of the site.

In other words, Soghoian's concern is that irresponsible behavior on the part of candidates' campaigns may teach people to be irresponsible with their own financial security. Soghoian claims that impulsive behavior -- akin to the "impulse buy" items in the supermarket checkout lane -- is being encouraged to get people to open up their virtual wallets and give to Presidential campaigns. The positive result, at least from a Presidential candidate's perspective, is that more money flows into the campaign war chest of the candidate. The negative result, at least according to Soghoian, is that people are being subtly trained to be less careful with their decision-making about credit card use online.

Soghoian would have us believe that this somehow constitutes a new threat to the financial security of US citizens. The truth of the matter is that this is not a new threat at all, as Bruce Schneier pointed out. In Schneier's words:

Fake charities and political organizations have long been problems. When you get a solicitation in the mail for "Concerned Citizens for a More Perfect Country" -- insert whatever personal definition you have for "more perfect" and "country" -- you don't know if the money is going to your cause or into someone's pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.

The problems here, as "SteveJ" (one of Schneier's commenters) pointed out, are twofold:

Of course there are two different issues here: trust and identity.

Creating a false charity/campaign, which doesn't really do what it claims with donated money (trust), isn't quite the same thing as posing as a particular charity/campaign and pocketing the donations (identity).

This is a matter of authentication, put quite simply. Somehow, the place where you're donating the money must be authenticated to the satisfaction of the individual being exhorted to donate. We, as active members of US politics, must serve as individual authentication systems to ensure that any donations we give are being given to "the right person" -- both in terms of believing what the candidates say and in terms of making sure that the site you're using for your donation is actually going to put the money into your favorite candidate's campaign.

Soghoian's solution is to centralize and certify all campaign contribution management with specific corporate organizations serving as clearinghouses. The specific examples cited by Soghoian and Markus Jakobsson, co-author of a whitepaper on the subject, are Paypal and Google.

Ultimately, if you're paying attention enough to consider Google or Paypal to be more trustworthy than some candidate campaign Website, you're paying enough attention to be able to make some determinations of your own about who or what is trustworthy enough to send money. The difference is, at most, negligible. This also does not particularly protect you against the specific concerns Soghoian brought up for a number of reasons:

  1. If you are directed to a donation page from a Website designed to look like the campaign's official site, that site can be spoofed no less easily if it's at than if it's at -- the same techniques for phishers apply.
  2. The high-pressure marketing tactics of many pledge drives will not be changed by where the actual donation link leads, and neither will a change in link destination change the potential negative effects those tactics might have on the security awareness of their target demographics.
  3. Centralizing the management of all Presidential campaign donations creates a single target on which phishers and other malicious security crackers can focus, and success may bring them far greater rewards. Why settle for redirecting the donation activities for a single candidate when you can target them all simultaneously?
  4. A conspiracy theorist might accuse Soghoian of trying to sideline any less well-known candidates who are less likely to be able to get into Google or Paypal donation clearinghouses. Even though that is probably not his intent, it is a more likely outcome of such a centralization of management than generally improved donation security.

Finally, I doubt many campaigns will even consider such an idea, except as an auxiliary source of campaign contribution revenue that is secondary to the on-site "official" donation channel. After all, in politics -- as in most of the rest of the world of online financial transactions -- going through a third party to handle your financial transactions is viewed by many as a sign of a lack of professionalism.

Having to direct would-be contributors via someone else's logo is perceived by some as indicative of the notion that you might not be able to handle the important matters of your campaign yourself, and while that is an obviously silly assumption for those of us who understand something about the IT industry, it is a no less common assumption. Even worse, though, is the fact that linking to Google or Paypal from the campaign website for handling all official donations is indivisible in many estimations from endorsement of those corporations, and such apparently direct endorsements can rarely be afforded by political campaigns.

To wrap this all up, I'll provide you with some quick hints on how to judge whether you are donating to the genuine article:

  1. Never donate to any Website other than the official campaign site. While there may be safe alternate channels for online donations, your best bet is always the official campaign Website.
  2. Never click on a link from a third-party pledge drive Website. Take a direct route to the campaign website, perhaps by checking the URL to which the link directs you and typing it into the address bar of your Web browser yourself. This will help you avoid spoofed sites.
  3. Do not copy the URL from a third-party site and paste it into the browser's address bar: actually type it. Use of Unicode characters to spoof the URLs of legitimate websites is something you want to be able to circumvent.
  4. Do some research via a search engine to ensure that the apparent official campaign site URL you are using is in fact the genuine article, and not a fly-by-night fake. For instance, is the URL for the official John Edwards Presidential campaign Website, but and are (as of this writing) still available. Either one might conceivably be used as a temporary landing area for misdirected would-be campaign contributors.
  5. Only contribute via campaign Websites that provide encrypted access for the transaction, and assess the security of the donation process yourself as far as possible before committing to a donation. If your candidate of choice does not provide adequate security, contact a campaign representative and inform them of your concerns. Then, either contribute offline or wait until the problems with online contribution security are fixed. You don't want your bank account to be cleaned out by malicious security crackers just to give your favorite candidate $100, I'm sure. Losing $10,000 of your hard-earned money is probably an unacceptable outcome for you, especially when you cannot be guaranteed that even that $100 donation will get through to the candidate's campaign if security is not sufficient to protect the contribution transaction.
  6. Vote your conscience, not your fears.

Granted, that last point has nothing to do with online financial security, at least in any direct sense. The rest, however, will serve you well in ensuring that your online campaign contributions are safe and end up in the hands of the people to whom you intended to donate them.