A new paper released this week by BITS is designed to help financial institutions combat phishing attacks by providing a guide for implementing standards-based email authentication protocols.
The paper, "Email Sender Authentication Deployment", focuses on two protocols, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). The document provides a high-level technical overview of the protocols and addresses deployment considerations, metrics and best practices.
SPF aims to thwart email spoofing by providing a framework in which the domain of an email sender can be authenticated. DKIM allows organizations to add a cryptographic signature to outgoing mail, certifying the message came from the domain displayed in the mail header. The protocol was approved as an official IETF standard in 2007.
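To make the SPF side of that concrete, here is an added example (not code from the BITS paper, eCert or any mail server) that evaluates an SPF record the way a receiving server does when deciding whether a connecting IP may send mail for a domain. The DNS table and all domain names are constructed placeholders, and the evaluator covers only the core mechanisms (ip4/ip6, a, mx, include, all), not macros or the redirect modifier.

```python
import ipaddress

# Constructed DNS data for this example; every domain here is a placeholder.
DNS = {
    "bank.example": {
        "TXT": ["v=spf1 mx ip4:192.0.2.0/24 include:mailer.example -all"],
        "MX": ["mx1.bank.example"],
    },
    "mx1.bank.example": {"A": ["198.51.100.10"]},
    "mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/26 ~all"]},
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_spf(ip, domain, depth=0):
    """Evaluate SPF for a connecting IP and MAIL FROM domain; returns the SPF result."""
    if depth > 10:  # RFC 7208 limits include/mx/a lookups to 10 per check
        return "permerror"
    record = _spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target = arg or domain  # a/mx default to the domain being checked
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS.get(target, {}).get("A", [])
        elif name == "mx":
            mx_hosts = DNS.get(target, {}).get("MX", [])
            matched = any(ip in DNS.get(h, {}).get("A", []) for h in mx_hosts)
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"  # only "pass" counts
        else:
            return "permerror"  # unknown mechanism or modifier
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record ended without an "all" mechanism
```

A "fail" result is what lets a receiver reject a spoofed bank.example message; the "~all" in the included third-party record only yields "softfail" there, which is why an include only contributes when it evaluates to "pass".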
Deploying the email authentication protocols can help financial institutions reduce phishing and boost consumer confidence, said Paul Smocer, vice president of security at BITS.
"Phishing is a big problem in the financial services industry. Obviously the spammers and phishers know where the money is, so they go after our industry more than others," he said. "So we're looking for a solution or solutions that allow us to cut down on the amount of phishing."
Financial institutions also want email to be secured and become a valid business channel, he said. "So we can get to a point where enrolling new customers or offering new products can be done through email with an assurance of legitimacy." The vast majority of institutions shy away from using email for those kinds of activities out of concern about email spoofing, he added.
"If we can secure email effectively, then it's not only a preventative measure, but it also creates an opportunity," Smocer said.
BITS, a division of The Financial Services Roundtable, developed the document with eCert Inc., a San Francisco-based service provider that works with organizations to implement email authentication protocols. The paper is intended to help financial organizations understand how to plan to deploy the protocols and the steps they need to take to implement them, he said.
Smocer said about 10% to 15% of BITS' 100 members have deployed SPF while many are interested or are in planning stages to deploy the newer DKIM.
According to a report released last year by the Authentication and Online Trust Alliance, 52% of the Fortune 500's consumer-facing financial services brands adopted DKIM and Sender ID (SIDF), Microsoft's version of SPF.
Smocer said it's not technically difficult to deploy SPF or DKIM, but one of the challenges for organizations is locating all their sources of email. This can be especially difficult for large companies with many lines of business and contractors sending email for them. A company can start its deployment by focusing on the most important email, he said.
The second challenge, he said, "is getting the ISPs and email service providers to actually honor the rule sets you're creating around SPF and DKIM." BITS has talked with ISPs and email service providers to understand the challenges they face and plans to work with them to ensure "we have a methodology for those industries to support implementation of this," Smocer said.
Financial institutions of all sizes can benefit by implementing the email authentication protocols, he said. "There is value for an institution that uses email to communicate with its customer base to having these protocols implemented."