'Kiwi' websites no safe haven from fraud
The war against scammers is not being won and the country's Domain Name Commission could do more to improve confidence in ".nz" websites, cyber-safety organisation Netsafe says.
Executive director Martin Cocker said Kiwis shoppers had a false sense of security about ".co.nz" websites, which despite appearing to have a Kiwi connection, could be set up by anyone in the world under a fake identity.
Domain name commissioner Debbie Monahan opened the door to a significant concession, telling Stuff that the non-profit company could consider random checks on the ".nz" registry to check details provided by website owners were not fake.
Shirley Boys student Loyal Patelesio fears he may have learnt the hard way that websites are not necessarily more trustworthy just because they end in ".nz".
* Scam leaves Wellington woman out of pocket, with fake Nike shoes
* Out with the .co and .org, and in with the .nz
* OPINION: 'Education and awareness' not the only options to tackle cyber-crime
He is worried he will be left $200 out of pocket after ordering a pair of Nike basketball shoes through nzsneaker.co.nz.
The shoes were for his birthday and to use during a national basketball secondary schools competition, but he was concerned they would not show up after reading warnings about the site since placing his order.
Watchdog website scamadvisor.com described the online shoe shop as "high risk" and carried comments from shoppers who said they had been overcharged and received fake goods.
Melbourne-based Nike spokeswoman Jamie Williams said it had reported nzsneaker.co.nz to the "relevant authorities" in New Zealand.
"Counterfeits are likely to be of inferior quality, and Nike is obviously unable to stand behind a counterfeiter's product," she said.
Monahan said red flags on nzsneaker.co.nz included the fact it used a Hotmail address for email contact. The payment page where customers are asked to enter their credit card details is not encrypted.
According to Google's Chrome web browser, that means any credit card information entered is not secure and could be stolen.
Like all ".nz" websites, nzsneaker.co.nz is supposed to provide a contact name, address and phone number which can be searched online through the "who is" register operated by the Domain Name Commission.
Nzsneaker says on its website that it has "a unique heritage spanning over 35 years".
But online checks show its website was first registered with New Zealand's DNC in 2015 by a "Chaofeng Wu" with an address in China.
The phone number Wu supplied the DNC was not answered last week.
"What I can't understand is the fact that this website is still allowed on the internet," Patelesio said.
Checks by Stuff showed another online shoe store with a similar sounding address, www.nzsneakers.co.nz, had registered its website to a Robert Ralph – using the address and main reception phone number of the Marriott Hotel on New York's Times Square.
Monahan said the DNC did not verify the details website owners supplied unless it received a complaint, in which case it would follow up and cancel the domain if they weren't corrected.
But Cocker believed it should conduct more checks.
"I would like to see the DNC do everything it can to maintain the integrity of domain names – not just the technical integrity but to build consumer confidence that if you are registered with a '.co.nz' address that at least information about you is verified," he said.
"Most people think that because something has a '.co.nz' address, it is a New Zealand business, but the address gives you no real information about the location of the company."
The result was "absolutely" a false sense of security, he agreed.
"When it comes to online scams and fraud, we are really struggling as a community to come up with any serious response," Cocker said.
"We are not getting successful prosecutions. We are not preventing people falling for scams, and we have got an environment that enables people to pop up scam sites and then disappear.
"We have good progress with things like cyber-bullying and this is the next thing we really need to focus on.
"We have entered into an era with the internet where we are looking to build confidence in the infrastructure and businesses – that is a responsibility for all of us now."
Meanwhile, a DNC policy change that will take affect next month will make website ownership more opaque.
From November 28, registrants who are setting up non-commercial websites have the option of leaving their details off the "who is" database altogether to protect their privacy.
Although commercial website owners are not supposed to have that option, the DNC has acknowledged it won't be able to tell whether the exclusion should apply or not at the time of registration.
Cocker said he understood the privacy concerns behind the policy, but it "certainly didn't help" organisations such as Netsafe and the police who might want to monitor and investigate websites.
"It is going to add an extra step to that process."
There are more than 680,000 ".nz" web addresses.
Monahan said it would not be appropriate for the DNC to act as "judge and jury" by policing their activities as that would give the DNC "too much power". But it did take down "one or two" sites a month in response to complaints about breaches of its rules.
Registering ".nz" sites is a big earner for the DNC's owner, non-profit society InternetNZ, which last year raked in more than $10 million in ".nz" website registration fees.
But only $2m of that went to the DNC, and Monahan said the DNC was constrained by the fact it was a small company with only six staff.
Other big expenses for InternetNZ include community initiatives and lobbying.
Monitoring one in 100 sites each year to check registration details were correct "might very well be something we would look at", but at the moment the DNC was "quite busy", Monahan said.
She said it was planning an "information campaign" around its November policy change which she expected would make people more aware of their rights to complain about fake registry details.
The DNC could add its own phone number to its own website – in addition to its email address – to make it easier to contact, she agreed.
Working out whether a shopping website is trustworthy is as much an art rather a science, but there are clues.
What to look for
* Do the contact details appear genuine? Does the business publish an address and phone number so you know you can contact them if there is an issue? Many legitimate businesses choose not to do this, but you may want to vote with your wallet.
* Enter the website name into a watchdog service such as scamadviser.com or just Google it along with the word "review" or "scam". See what comments people have posted. But remember, even legitimate websites are likely to have some unhappy customers.
* Look up the site up on the DNC's "whois" database (dnc.org.nz/whois) if it ends in ".nz", or on one of a number commercial websites such as whois.com for most other addresses. There will be technical gobbledygook but check the registrant's (owner's) details.
* Is their country as you would expect (it may be false)? Google the address and/or phone number they have provided. You may want to check when the site was first registered.
* Before keying in any payment information, check the payment page is encrypted. The site address prefix should be displayed as "https" rather than "http". Depending on your browser, there may a padlock or key symbol in the address bar or elsewhere in the browser window to show the webpage is secure. Don't enter your card details if not.
What to ignore
* A website ending in ".nz" may appear to be trustworthy, but there is no reason to assume it will have any connection to the country.
* Polished photographs, a professional appearance and customer testimonials on the website itself can easily be "lifted" from other websites. Just because a website has a picture of an expensive looking shopfront or showroom doesn't mean it exists.
Is New Zealand's airport security stringent enough?Related story: Risky objects bypass Wellington Airport security