FTC To ControlScan: Your Web Site Security Seals Are Lies

Written by Evan Schuman
March 2nd, 2010

The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.

The settlement against five-year-old ControlScan said that “contrary to the statements” ControlScan made to retailers, the company “in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan.”

That last charge is particularly significant because it moves these accusations beyond mere neglect (they never bothered to check) to true, all-American lying (they checked, found bad stuff and gave them the seal anyway, as long as they paid their bill).

But there were also accusations—in this settlement that ControlScan has now agreed to—of neglect. The filing said that ControlScan “provided the Privacy Protected seal to a company that posted a privacy policy on its Web site, with no review of the company’s underlying privacy or information security practices and provided the Privacy Reviewed seal to a company that failed to qualify for the Privacy Protected seal because it failed to post a privacy policy on its Web site.”

Also, the verified dates posted on the seals—to give consumers confidence of ongoing security verification—were bogus, the filing said. “Contrary to the current date displayed in each seal’s date stamp, ControlScan did not review a company’s practices on a daily basis. Instead, in many instances, ControlScan, for a company displaying the Business Background Reviewed, Privacy Protected and Privacy Reviewed seals, conducted no ongoing review of the company’s fitness to display the seals. And for a company displaying the Verified Secure seal, conducted only a weekly Web site scan of the company’s Web site and for a company displaying the Registered Member seal, conducted a weekly Web site scan but imposed no requirement that the company take steps to resolve any actual or potential severe vulnerability identified by the scan.”

ControlScan’s E-Commerce sites appear to be mostly smaller merchants. But the potential damage to consumers’ faith in E-Commerce could extend far beyond ControlScan’s customers. Fortunately for E-Commerce sites, there is little credible evidence that consumers ever believed—or even noticed—the seals in the first place. Like a corruption charge against a politician widely believed to have been corrupt for decades, it’s likely to cause little change in that politician’s reputation.

But ControlScan does get mucho chutzpa points for prominently listing on its Web site 42 retailers that had displayed the seals when they hadn’t paid for them, as opposed to retailers that displayed the seals when they didn’t deserve them. As long as they paid, everything was fine. (Speaking of fine, ControlScan and its founder owe the government $750,000 as part of the settlement.)


One Comment | Read FTC To ControlScan: Your Web Site Security Seals Are Lies

  1. Joseph A'Deo Says:

    It really is a shame that security seals are receiving such a bad rap, because in the hands of a stellar e-security company they really CAN make a difference. I work in this space (as an online evangelist for VeriSign) and see a lot of various trust seals on the market that do a host of different things, but not all are worth their salt, and separating the wheat from the chaff is no easy task. Seeking out testimonials from trusted consumers is an important step in the trust seal purchasing process, as is visiting sites that are protected by the seal — if you then encounter an issue the seal is supposed to address, it’s safe to assume the seal vendor is not doing what it promised to do.

    It’s just like taking your car to the mechanic–people don’t actually sit and watch their car get worked on, but if the problem persists, you can assume the mechanic didn’t fix it. This is why people take their cars to reputable shops with stringent processes and many years of experience. But if a mechanic fails to fix your car because they didn’t do something properly, it’s not fair to assume that all mechanics are crooks or poor at their job, and trust seals are no different — they’re only as good as the company that issues them.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.