The free CallingID toolbar unmasks the true identity of any Web site's owner and checks
for other specific problems that may signal fraud. A green Verified button means
everything looks fine; if a yellow Low Risk or a red High Risk button appears,
clicking it gets a full explanation of the rating. The toolbar can expand to
display the full name and address of the site's owner. If you attempt risky
behavior such as sending private data to an unverified site, CallingID pops a warning and asks for confirmation. The toolbar is
available for Internet Explorer and Firefox.

Where some antiphishing solutions rely
on blacklists (which may be out of date) or on identifying HTML code that looks
suspicious (which can yield false positives), CallingID pulls its results from a
wide variety of sources. It starts by matching the site to a real owner at a
real, physical address, consulting multiple databases including Dun &
Bradstreet and Yellow Pages listings. Sites that hide their ownership get an
automatic red flag. If CallingID finds the registered owner but can't
satisfactorily prove its existence, it may give the site a Low Risk rating. DNS
spoofing, where you're redirected from a valid site to a phishing site, rates as
another High Risk factor. Many other factors go into the rating: having an
invalid certificate, running on a server in a suspected country, being on a
phishing blacklist, even having words such as "crack" or "warez" in the domain
name. Clicking the button always shows the reason for a site's rating. As a
bonus, CallingID can also display the high-risk/low-risk/verified status of
third-party sites that could receive data from the page you're currently
viewing—for example, those sites providing banner ads.

By the time CallingID's toolbar reports
the site you're visiting as High Risk, you're already there, possibly suffering
some kind of exploit. To help you stay away from those sites, CallingID analyzes
the results found by popular search engines including Google, MSN, and Yahoo! When you hover the mouse over a link, CallingID displays that link's
status. If you see red, don't click! Unlike SiteAdvisor, which shows its
analysis for every link on the page, CallingID gives information only about the
link under the mouse cursor. And you can't get CallingID's detailed information
without actually visiting the site in question.

CallingID checks consumer rating
databases and displays a smiling or frowning face next to the status button when
such information is available, but it doesn't offer any real details. When
CallingID has verified the security certificate for a secure (https) site, it
sticks a lock icon to the left of the site name. And if you think the company
has wrongly rated a site as good or bad, you can click a button to register your
disapproval.

Like many of the popular security
suites, CallingID can protect specific personal information such as credit card
numbers or PINs. But CallingID is more flexible than most such solutions. You
can configure it to alert you only on non-verified sites, and you can choose to
protect passwords only, passwords and personal information, or all data. If you
choose the last option, you'll get a warning when you send any information to a
site for the first time. In addition, it can warn you when you send your e-mail
address to a site that's known to send spam.

CallingID Put to the Test

I put CallingID through its paces and
found it helpful. Its queries to the CallingID database don't slow the loading
of the Web page itself. This is a good thing, as the program occasionally took a
minute or two to return the verification data, which is a bit annoying. Big-name
sites like google.com or pcmag.com got the green light, naturally, but I found
that quite a few smaller sites were flagged as Low Risk for the sole reason that
"Site owner is not listed as an active organization." CallingID's CEO verified
that this could also mean that the owner moved or changed its name, or that
CallingID simply failed to find its details.

The automatic red-flagging of sites
whose domain contains words like "crack" and "warez" was problematic: Frito
Lay's crackerjack.com, the "Florida Cracker" blog, and Crack-a-Jack Studios in
Australia are all wrongly marked High Risk. Also, not every phishing site gets
red-flagged: I found a page pretending to be the Chase Manhattan Bank that was
brazenly registered to an individual in Florida. CallingID clearly showed the
real owner yet still did not red-flag the site, because the owner didn't try to
hide his identity.
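
The two failure modes above can be reproduced with a toy model of the rules as this review describes them. This is an added example, not CallingID's code and not part of the original review; the `Site` fields, the function names, the `.example` domains and the phishing sample's `owner_verified` value are assumptions made for illustration.

```python
from dataclasses import dataclass
import re

RISKY_WORDS = ("crack", "warez")  # the two words the review names

@dataclass
class Site:
    domain: str
    owner_hidden: bool = False      # registration conceals the owner
    owner_verified: bool = True     # owner matched to a real organisation
    dns_spoofed: bool = False
    registered_owner: str = ""
    claimed_brand: str = ""         # who the page presents itself as

def substring_hits(domain):
    """Naive match: a risky word anywhere in the domain string."""
    return [w for w in RISKY_WORDS if w in domain.lower()]

def token_hits(domain):
    """Stricter match: the word must be a whole dot- or hyphen-separated token."""
    tokens = re.split(r"[.-]", domain.lower())
    return [w for w in RISKY_WORDS if w in tokens]

def rate(site, keyword_check=substring_hits):
    """Toy model of the rules described in the review (not CallingID's code)."""
    reasons = []
    if site.owner_hidden:
        reasons.append("owner hidden")
    if site.dns_spoofed:
        reasons.append("DNS spoofing")
    reasons += [f"domain contains '{w}'" for w in keyword_check(site.domain)]
    if reasons:
        return "High Risk", reasons
    if not site.owner_verified:
        return "Low Risk", ["Site owner is not listed as an active organization."]
    return "Verified", []

def owner_mismatch(site):
    """Manual check the review recommends: owner differs from the page's claim."""
    return bool(site.claimed_brand) and \
        site.claimed_brand.lower() not in site.registered_owner.lower()

# Constructed samples: only crackerjack.com is a domain named in the review.
SNACK = Site("crackerjack.com", registered_owner="Frito Lay", claimed_brand="Frito Lay")
STUDIO = Site("crack-a-jack.example")
PHISH = Site("chase-signin.example", owner_verified=False,  # assumed value
             registered_owner="Private individual, Florida",
             claimed_brand="Chase Manhattan Bank")

if __name__ == "__main__":
    for s in (SNACK, STUDIO, PHISH):
        print(s.domain, rate(s), rate(s, token_hits)[0], owner_mismatch(s))
```

Whole-token matching clears `crackerjack.com` but still flags the hyphenated name, so the keyword works better as one weighted signal than as an automatic red flag; the owner-versus-claim comparison catches the spoofed bank page that the hidden-owner rule lets through.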

Helping You Think Twice About Spilling the Beans

When CallingID is set to protect all
data, a warning message interrupts the moment you type one character in any Web
form. The warning lists the owner's physical address, its server location, and
its verification status. You can choose to allow or block sending data on the
site always or one time only, much like a typical firewall warning. Most users
will choose to protect only passwords and stored personal information, and only
masochists enable protection on nonrisky sites. The password and personal info
protection kicks in the instant you finish typing the protected data—even before
you submit it. If you're sending personal info to a nonsecured page, you'll have
to confirm a second time that you really, really want to.

CallingID provides a genuinely useful
service. If the site you surfed to or found by searching is red-flagged, click
away fast. Think twice if the verified owner is different from what the page
claims. If you're fooled by a phish, CallingID can still keep you from giving
away personal info at the wrong site. And it's free, so you can try it out any
time.