<div dir="ltr"><span class="gmail-im" style="font-size:12.8px"><div><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.6667px">"Even if you use a Registered Agent’s address as the registered address for your company, you will leave fingerprints…"</span></font></div><div><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div></span><div style="font-size:12.8px"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.6667px">Actually, you don't need the information contained in the letters from Companies House. All of the information was sent to me by email from the 3rd party register including the authentication code. If you got one of these service addresses as the company address then all you need is to just send the letter to someone else's address somewhere which takes around two weeks to be delivered. Dun and Bradstreet update their database of new incorporation's every one or two days. Once you get the D&B ID by email after a day or so then you can send in a request to update the database with the phone number this takes around a day or so. Dun and Bradstreet have never verified the phone number given and just added it to the database. Overall the process from start to finish could take a week if started on Monday. There is only a small window of opportunity in this scheme to get the EV SSL but once the EV SSL is issued then it can be used at any time until expire date.</span></font></div><div style="font-size:12.8px"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div><div style="font-size:12.8px"><font color="#000000" face="Calibri, sans-serif"><span style="font-size:14.6667px">I did read the research some time ago and I found it was really interesting. Oddly enough the dates of the research and the article</span></font><span style="font-size:14.6667px;color:rgb(0,0,0);font-family:Calibri,sans-serif"> coincide with each other.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 28, 2017 at 5:03 PM, Kirk Hall <span dir="ltr"><<a href="mailto:Kirk.Hall@entrustdatacard.com" target="_blank">Kirk.Hall@entrustdatacard.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_-8488872435588691018WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks for the additional information, James. In the end, the EV Guidelines did exactly what they were designed to do – they provided a way for the public to
find you (as the company owner) if you used your EV certificate and domain to do something wrong. And again, if someone goes to all this effort and lies in any part of the process, they are subject to potential criminal liability from the UK government –
not a trivial matter for the ordinary hacker. Even if you use a Registered Agent’s address as the registered address for your company, you will leave fingerprints…<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">In contrast, a DV certificate for your same domain would leave no ability to find you if you use the certificate for evil purposes… And can be obtained quickly,
anonymously, and for free. That’s a big difference. And a DV phisher can be very successful using a cert for a domain it owns like
<i><u><a href="http://login.paypal.com.phishingsite.com" target="_blank">login.paypal.com.phishingsite.<wbr>com</a></u></i> – by now, I think there are over 20,000 such DV certs for fake phishing PayPal login pages, all anonymous.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Recent studies show that OV and EV websites are much less likely to be used for phishing than DV sites, and so are much safer for users – see attached pdf. This
study will be updated with additional data soon. If you are interested in other information about the value of website identity on the internet, there are resources here:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><a href="https://casecurity.org/identity/website-identity-documents/" target="_blank">https://casecurity.org/<wbr>identity/website-identity-<wbr>documents/</a>
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>James Burton via Public<br>
<b>Sent:</b> Tuesday, November 28, 2017 8:49 AM<br>
<b>To:</b> Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><span class=""><br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Obtaining an EV cert for phishing<u></u><u></u></span></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">This company was incorporated as a limited company by guarantee with exemption from using the word limited at the end. This type of company differs from a normal share company and
cannot be incorporated through the official Companies House site. You can learn more here:
<a href="https://www.rapidformations.co.uk/blog/exemption-from-using-the-word-limited-in-a-company-name/" target="_blank">
https://www.rapidformations.<wbr>co.uk/blog/exemption-from-<wbr>using-the-word-limited-in-a-<wbr>company-name/</a>.</span><u></u><u></u></p>
</div><div><div class="h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">To incorporate a limited company guarantee with a limited exemption in the UK, you'll need the following information:</span><u></u><u></u></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal">
Director's address, nationality, date of birth and three pieces of identifiable information (see attached info.png).<u></u><u></u></li><li class="MsoNormal">
Company address<u></u><u></u></li><li class="MsoNormal">
Special type of articles of association<u></u><u></u></li></ul>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">First, an attacker needs to get hold of someone's address, date of birth, three pieces of identifiable information and the person's nationality. This can be completed through social
media profiles, previous phishing attacks and from the so-called "Dark web" for few pounds. Second, an attacker needs a company address which could be the same as the director address or a service address. These service addresses can be bought online for less
than £30. Finally, the special type of articles of association can be bought when incorporating the limited company by guarantee from a 3rd party. </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">When I incorporated "Identity Verified", I never went through any ID checks from the 3rd party. Companies House probably does check the information but I've never been asked to provide
a passport photo or etc. The three pieces of identifiable information, DOB, and name are enough to identify the director and the Royal Mail database is enough to identify the addresses of both the director and company.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Overall, the amount of work required to get the company incorporated is massive but it's achievable.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Kirk, just to clarify that I didn't do this experiment to gain fame or pull off some amazing coup (in your own words). I did this experiment because I got an idea and wanted to see
if it worked. When writing this article I never thought that this article would become so successful and gain upwards of 2000+ views but it did. If you look at the dates of the incorporation and certificate issue can see that this article wasn't written up
straight after the experiment. I wrote this article on the 13th September 2017 which was over a month later. The article took me about an hour or two to complete and checked for spelling and grammar by a fellow mathmo. </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Also, you're right that no one now can re-incorporate the company "Identity Verified" in the UK. Eventually, I will dissolve this company in the near future and then it will become
available to incorporate again. I'm not sure if this company will be incorporated again because I might have been lucky that day. </span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">Anyway, I wouldn't dismiss this article out of hand as it does contain some interesting points.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif;color:black">James</span><u></u><u></u></p>
</div>
</div></div></div>
<div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</div><div><div class="h5">
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">On Tue, Nov 28, 2017 at 1:54 PM, Gervase Markham via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<u></u><u></u></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">On 27/11/17 19:52, Jeremy Rowley wrote:<br>
> Basically, Symantec verified the organization using the UK companies<br>
> house, which qualifies as a QGIS. Because it's a QGIS, the data<br>
> source can be used to validate most of the requirements under the EV<br>
> Guidelines, including address and legal existence. The phone number<br>
> was verified using QIIS and a call to the number, answered, of<br>
> course, by the applicant. The result is James ended up forming a real<br>
> company with fake address information.<br>
<br>
As I read his blog post, he formed it with real address information, but<br>
his assertion is that it would have been just as easy to form it with<br>
fake address information, as the address information is not validated by<br>
Companies House in any way.<br>
<br>
James: is that correct?<br>
<br>
(BTW, as others have said, I'm not convinced that either rejecting<br>
"suspicious" names, or requiring a landline, is the way forward here.)<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><br>
Gerv<br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>