November 21st, 2008 by Jessica Tsai
Yesterday, the Authentication & Online Trust Alliance (AOTA) announced that more than 10,000 Web sites have adopted Extended Validation Secure Sockets Layer (EV SSL) certificates, up from 4,000 just 10 months ago. By January 2009, AOTA Chairman and Founder Craig Spiezle is confident that the number will reach closer to 12,000.
While the absolute number may not be as large considering the number of sites on the Web, Spiezle says, the mix is comprised of what he deems “the most impactful e-commerce sites,” some of which include:
- Bank of America;
- PayPal;
- eBay;
- Schwab; and even
- Facebook.
Sites like Facebook aren’t typically classified in the same category as an e-commerce or online banking site, where trust is undoubtedly a more mission-critical issue. Nevertheless, Spiezle says, due to the number of online trust issues, sites need to provide a high level of trust to ensure that consumers are communicating with the site they intend to reach.
When the EV SSL certificate was launched in early 2007, PayPal was among the early adopters, having deployed the solution in late 2006, before its general availability. The online payment vendor was working on its own anti-phishing strategy around that time in an effort to help consumers “completely, reliably, and unambiguously” know they are on PayPal, says Michael Barrett, chief information security officer at PayPal. In the beginning, Barrett admits, they didn’t know whether EV SSL would work. (PayPal, at this point, was already 100 percent SSL, but phishers quickly adapted and some even acquired their own SSL certificates, Barrett explains, though he says that happened only roughly once a month.) Sure enough, he says, “EV SSL was a gift from heaven to us.” Since 2006, PayPal has seen a significant reduction, particularly in its appearances on the Top 3/Top 10 list for most phished Web sites. As an online payment site, however, “we know we have the proverbial target printed on our backs,” Barrett says.
Whether or not the economic recession is motivating brands to beef up the security on their sites may be anyone’s guess, as consumers are certainly spending less and, when they do spend, they want to know their money is going somewhere legitimate. No doubt, criminals rarely let an opportunity go to waste, taking advantage of “every calamity, every disaster,” Spiezle says, whether it’s seeking donations for earthquake victims in Sichuan, China, or preying on individuals struggling during the current mortgage and financial crisis.
The Internal Revenue Service (IRS) has certainly seen its fair share of spoofed emails and Web sites soliciting personal and financial information from citizens. It announced yesterday, in conjunction with the AOTA’s announcement, that by January 1, 2009, all “authorized IRS e-file providers participating in online filing of individual income tax returns [are required to] possess a valid and current EV SSL certificate,” according to the press release. Moreover, sites are required to provide privacy and information on safeguard policies, as well as to report any security breaches. They are also required to obtain a privacy seal indicating their IRS-approved status.
No doubt increased site security is a relatively new issue site owners are having to address. Spiezle, who is also the director of online safety and security at Microsoft, notes that a year ago only one Web browser supported EV SSL, and that was Microsoft’s Internet Explorer. At one point, Microsoft, he says, was identifying over 1,000 unique phishing sites on a daily basis. Now, nearly every mainstream browser (e.g., Firefox, Chrome, and Safari) supports the certificate. “It’s a great example of how the industry and businesses are working together to protect their brand and the consumer,” he says.


