March 11, 2020

How EV SSL Certificates Build Online Consumer Trust & Protect Your Brand

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.”

In the world of online transactions, those words by Warren Buffett are especially true. 

A company’s brand represents trust and a promise to do right by its customers. It allows consumers to quickly make purchases without questioning whether they can trust the receiver.

Scammers understand this, and the internet provides a perfect opportunity to take advantage of trusted names. Through phishing, nefarious actors use copycat sites to capture personal and financial data from unsuspecting customers. Man-in-the-middle attacks take this enterprise a step further by intercepting data intended for legitimate companies and stealing it for financial gain. 

As more daily services move online, consumers are increasingly educating themselves on ways to stay safe online. One of the ways they accomplish this is by identifying online trust signals like EV SSL certificates. It’s up to legitimate companies to display these trust signals so that customers can engage and transact with them comfortably. 

EV SSL certificates are a way to enhance your trusted status in the online world

 

We’re living in an online world of insecure comms where anyone’s listening

Online communications are vulnerable to eavesdropping third parties with nefarious intent. 

Picture the following scenario. You’re an employee at a multinational firm. Every week, you send updates on top secret product developments from your office in NYC to headquarters in LA. You ask questions by shooting tiny slips of paper through a giant glass tube that travels across the continental U.S.A. 

Across this crystal clear transmission tube, your competitors watch these secret missives go by. Eventually, an employee of one of these competitors has an idea. Why not drill a hole in the tube, read the message, and then send it back on its way, patching up the hole so both parties are none the wiser? There you have it. Your multinational firm is now the victim of a real-world man-in-the-middle attack.

But wait. Another competitor thinks up an even better idea. Why wait for either party to send a message? Why not build an offshoot of that pipeline and request information the competition’s dying to know? Since the NYC team thinks they’re communicating securely, they’ll answer the questions assuming they’re talking to a trusted colleague. In essence, they become victims of a physical phishing attack. 

Man-in-the-middle and phishing attacks operate in a similar style online, except that the team in NYC (aka “the client device”) is actually transmitting personal information and credit card data. HQ in LA, which is supposedly sending back solutions, is the networking equivalent of your “server”.

Now, imagine if there were a bit more security supporting that cross-country, translucent tube. Instead of shooting messages into the ether, companies would first authenticate the end user by calling ahead to let them know a package was en route. And if that message happened to be intercepted, the message would be in a cryptic code impossible to break without the right key.

In essence, this is what Secure Sockets Layer (SSL) provides for businesses and consumers who want to securely exchange information on the internet today. 
 

SSL certificates are today’s arbiters of online trust, but there are levels to their effectiveness

Different SSL certificates offer different degrees of authentication. (Pexels)

At minimum, consumers expect websites to provide encrypted communication transfers. 

Of course, it’s easy for anyone to claim they use proper encryption standards. As a result, SSL certificates are issued to a company’s server by Certificate Authorities like Symantec or GeoTrust. When a customer tries to connect to the site, their browser sets up an encrypted SSL link by verifying that the server holds the private key matching the public key in its certificate. Information can then flow right past a hacker without being compromised.

But there are two massive misconceptions about SSL certificates that are worth addressing. 

  1. Encryption is the same thing as authentication

  2. All SSL certificates are created equal

There’s a big difference between encryption and authentication

Imagine developing an iron-clad secret code of communication with someone, using it to share your most private info, and then learning that the person on the other end isn’t who you thought they were. 

Technically, your encryption was flawless. No one who intercepted the messages ever deciphered them. But your information has still been compromised because you failed to authenticate the “trusted” person who held the key on the other end. 

In the online world, this is an extremely important distinction to understand. Even if a website offers encrypted services, they may not be a trusted party to begin with. It’s important to know who’s on the other end, which brings us to our next point. 

There are different types of SSL certificates

There are three types of SSL certificate, and each certificate comes with varying degrees of authentication: 

  • Domain Validation (DV) Certificate

  • Organization Validation (OV) Certificate

  • Extended Validation (EV) Certificate

What’s the difference between a DV, OV, and EV certificate and which one does my business need?

 

Leading companies like Symantec and Apple use EV certificates that display their company name directly in the browser. 

The short answer: The difference is authentication, and if you’re a business interested in cultivating iron-clad trust online, you should invest in an EV certificate. But of course, it’s important to understand the difference between these three.


 

All three certificates offer secure, encrypted connections, but they offer varying degrees of authentication. 

Domain Validation (DV) Certificate

A domain validation certificate only authenticates that someone owns a specific domain name. Today, it’s become the bare minimum for online security. Even non-business websites like personal blogs are expected to carry this certificate to be considered legitimate places on the web. But for enterprises where trust is crucial, like online shopping or financial services, this level of authentication won’t do. Just because there’s an identified person behind a domain doesn’t mean they’re the person with whom you’re trying to transact.

In other words, while your communication is encrypted from bad actors in general, it may still be travelling to one bad actor in particular. Think of it like securing your house with a state-of-the-art security system that a burglar builds. While the system will keep most bad guys out, it’s still totally accessible to the bad guys who built it.

Organization Validation (OV) Certificate

An organization validation certificate proves that there’s an actual organization behind that domain name. To obtain an OV certificate, it’s not enough to say that John Smith in Portland, Oregon owns the domain “moneytransfersworldwide”. You need proof of a valid business to back it up. To satisfy the Certificate Authority, you’d need to provide proof of your business’s existence, confirm its local presence, undergo telephone and domain verification, and participate in a verification call.

Generally speaking, this has become the bare minimum for large organizations in online commerce, software as a service, and financial services. But trust is absolute, and if there’s an additional way to show your customers you care about obtaining their trust, it pays to pursue it. 

Extended Validation (EV) Certificate

An extended validation certificate takes the authentication process a step further. In addition to the due diligence conducted for the OV certificate, you also must provide a physical address. 

While some browsers identify sites with EV certificates by making their URL green, this isn’t always the case. For instance, Google Chrome doesn’t change the color of the address bar. What it does do is include the full name of your parent company in the address bar to provide an added visual signal that you are who you say you are. While scammers can forge DV certificates by adding their certificate to a browser’s trusted certificates list, it is impossible to do the same with an EV certificate, providing your customers added protection. 
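The DV, OV and EV levels described above show up in the certificate itself, in its policy OIDs and in how much verified identity the subject carries. The following is an added example, not part of the original article: it assumes a subject in the shape returned by Python's ssl.SSLSocket.getpeercert(), uses the CA/Browser Forum policy OIDs, and runs on sample subjects constructed for illustration.

```python
# Added example: classify a certificate as DV, OV or EV.
# Policy OIDs are passed separately because getpeercert() does not expose them.

# CA/Browser Forum reserved certificate-policy OIDs.
CABF_POLICY = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}

# Subject attributes that appear only after a legal entity has been vetted.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def flatten_subject(subject):
    """Turn getpeercert()-style RDN tuples into a plain dict."""
    return {key: value for rdn in subject for key, value in rdn}


def validation_level(subject, policy_oids=()):
    """Return (level, organization); policy OIDs win, subject is a fallback."""
    fields = flatten_subject(subject)
    org = fields.get("organizationName")
    for oid in policy_oids:
        if oid in CABF_POLICY:
            return CABF_POLICY[oid], org
    if org and EV_FIELDS <= fields.keys():
        return "EV", org          # heuristic: full EV identity set present
    if org:
        return "OV", org          # heuristic: organization named, no EV set
    return "DV", None             # only the domain name was validated


# Constructed sample subjects (not taken from real certificates).
DV_SUBJECT = ((("commonName", "shop.example"),),)
OV_SUBJECT = (
    (("countryName", "US"),), (("stateOrProvinceName", "Oregon"),),
    (("localityName", "Portland"),),
    (("organizationName", "Example Transfers LLC"),),
    (("commonName", "shop.example"),),
)
EV_SUBJECT = OV_SUBJECT + (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),), (("serialNumber", "0000000"),),
)

if __name__ == "__main__":
    for name, subj in [("DV", DV_SUBJECT), ("OV", OV_SUBJECT), ("EV", EV_SUBJECT)]:
        print(name, "->", validation_level(subj))
```

All three sample certificates would encrypt traffic identically; only the identity the CA vouches for differs, which is why a DV result on a payment page deserves a closer look.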

EV Certificates Protect Customers From Phishing Attacks

Phishing attacks rely on social engineering tactics that can fool even the most web savvy consumers

A phishing attack can cost a small business tens of thousands of dollars and a medium to large business millions. They target customers where they feel the most comfortable - their email and cell phones - and redirect them to seemingly legitimate sites to capture valuable personal information. These scams have serious repercussions on customer trust and consumers’ level of comfort using online services.

Consequently, consumers navigate the online world with caution. The undeniable convenience of e-payments, mobile banking, online shopping, and more means that using the internet for daily services is here to stay. But that doesn’t mean consumers aren’t wary, and that fear is slowing down growth. 

According to research by Paysafe, half of consumers say fear of fraud prevents them from moving to frictionless payments, otherwise known as paying through apps. Horror stories about identity theft and online auctions for stolen credit card numbers have consumers still hesitant to fully embrace online shopping as recently as 2018.  

Think phishing scams only work on the internet illiterate? Think again. Phishing scams rely on clever social engineering tactics designed to lower a person’s defences over time and convince them to click on a link thinking it’s from a colleague. According to researchers, almost anyone can fall victim to an aggressive form of phishing called “spear phishing”, which uses intense targeting to convince users to click. Indeed, some of the most headline-making hacks, like the one that hit Clinton presidential campaign chairman John Podesta, were due to phishing.

The last thing your company wants is hesitant, fear-driven online engagement. So how can you help customers feel comfortable engaging and transacting with your brand online? 

You can do this by offering clear trust signals like a visual indicator that they are communicating with the right enterprise. 

EV SSL Certificates Generate Revenue Through Increased Conversions

One of the main reasons for cart abandonment is a lack of trust indicators or card security

Cart abandonment is a huge challenge for e-retailers. On average, e-commerce stores lose 75 percent of their sales due to shopping cart abandonment. Imagine investing countless dollars into PPC campaigns, social media marketing, and blogging only to lose your customers because they can’t be sure their data is safe.

 


Consumers continuously educate themselves about how to transact safely online, and they keep their eyes peeled for trust signals to help them separate the good players from the bad. According to PwC’s Consumer Intelligence Series report, 88 percent of consumers reported that their willingness to share personal data like contact information and credit card numbers is tied to how much they trust the company in question. Moreover, 87 percent of consumers will look for alternatives if they’re not confident in a company’s ability to protect their data. 

Today, consumers recognize padlocks in the browser and understand that they represent third-party verification. But as cybersecurity tactics become more sophisticated, so too do cyber schemes. Rather than viewing the early iteration of security certificates - domain validation certificates - as a threat to cybercrime, hackers saw them as a way to lull customers into a false sense of security. Since DV SSLs only verify that a person owns a domain, not that the domain belongs to a legally registered business, scammers quickly caught on to the fact that they could use DV SSLs to trick customers into handing over their data.

On the other hand, the enhanced version of SSLs, extended validation SSLs, requires a series of verifications that would be difficult for a scammer to pass. As consumers continue expanding their awareness of online authentication, chances are they’ll grow increasingly resistant to shopping through sites without enhanced authentication.

How do the leading EV SSL providers compare?

When you’re ready to snag an EV certificate, it pays to go with a trusted provider whose specifications meet your organization’s needs. 

| Provider | Brand Reputation | Affordability |
| --- | --- | --- |
| Comodo | Great customer service, but a long validation process | Affordable |
| DigiCert (Symantec) | Extensive support from the recent acquisition of Symantec’s web security business | Expensive |
| Entrust Datacard | Strong reputation built on expert, speedy validations | Expensive |
| GeoTrust | Excellent enterprise solutions | Expensive, but offers value for a high-end service |
| GlobalSign | Excellent enterprise solutions that offer scalability | Expensive |
| Thawte | Holds 40 percent of the market for SSL certificates and promises to complete EV background checks in 1 to 3 days | Affordable |

 

Ready to protect your online brand? Start the process to secure your site’s EV certificate today.