SAN FRANCISCO -- More companies need to adopt email authentication methods to effectively tackle the problem of increasingly sophisticated phishing attacks and spam, security experts said during a panel discussion Wednesday at the 2010 RSA Conference.
The spelling and grammatical mistakes that used to be telltale signs of spam are disappearing, said Todd Inskeep, a senior vice president at Bank of America focused on authentication, customer protection and social spaces.
"We really need technical solutions…to protect all our customers, which is critical as the bad guys get more sophisticated," he said at the panel on securing email against phishing, spoofing and fraud.
Email authentication protocols can go a long way toward fighting the phishing problem, panelists said. Last year, BITS published a guide for implementing DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). SPF aims to thwart email spoofing by providing a framework in which the domain of an email sender can be authenticated. DKIM allows organizations to add a cryptographic signature to outgoing mail, certifying that the message came from the domain displayed in the mail header.
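To make the SPF half of that concrete, the following is an added example (not code from the article, BITS, or any panelist's organization) of how a receiving mail server evaluates an SPF record: it looks up the sending domain's `v=spf1` TXT record and walks the mechanisms until one matches the connecting IP, with the qualifier on the matching term (`-all` fail, `~all` softfail) deciding the verdict. The DNS table, domains and addresses are constructed (RFC 2606 / 5737 reserved names and ranges); only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented, so `a`, `mx` and `redirect=` are assumed out of scope here.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table (added example).

Supports ip4, ip6, include and all. The a/mx/ptr/exists mechanisms and the
redirect= modifier are omitted; a real receiver resolves TXT records over DNS.
"""
import ipaddress

# Constructed TXT records for fictional domains (not real DNS data).
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": "",          # domain that publishes no SPF record
}

# Qualifier prefix on a matching mechanism -> SPF result.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10                  # RFC 7208 caps DNS-querying mechanisms per check


def check_spf(sender_domain, client_ip, lookups=0):
    """Return the SPF result for mail from sender_domain sent by client_ip."""
    record = DNS_TXT.get(sender_domain, "")
    if not record.startswith("v=spf1"):
        return "none"             # no record: receiver cannot authenticate
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:           # modifier such as exp= or redirect=: ignored here
            continue
        qualifier = "+"           # mechanisms default to "+" (pass) if unprefixed
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":         # catch-all term ends evaluation
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif mech == "include":   # recurse; include only matches on "pass"
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror"
            if check_spf(arg, client_ip, lookups) == "pass":
                return RESULT[qualifier]
        else:
            return "permerror"    # unknown mechanism is a syntax error
    return "neutral"              # record without an all term: implicit neutral


if __name__ == "__main__":
    samples = [
        ("bank.example", "203.0.113.7"),     # listed ip4 range
        ("bank.example", "198.51.100.10"),   # authorized via include:mailer.example
        ("bank.example", "192.0.2.1"),       # unlisted sender, -all -> fail
        ("mailer.example", "192.0.2.1"),     # unlisted sender, ~all -> softfail
        ("nospf.example", "192.0.2.1"),      # no record published
    ]
    for domain, ip in samples:
        print(f"{domain:15} {ip:15} -> {check_spf(domain, ip)}")
```

The distinction between `-all` and `~all` matters operationally: a receiver will typically reject on `fail` but only score or tag on `softfail`, so a domain that stays on `~all` indefinitely leaves spoofed mail deliverable.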
According to statistics presented during the panel, 51% of all email had an SPF record, compared to 20% of email 18 months ago. During that same period, 16% of email was authenticated with DKIM, up from 2%.
"We hope to encourage more companies to authenticate their email so they don't become the weak link," said Mark Risher, senior director of product management for Yahoo Mail.
Smocer said getting to a higher level of authentication and trust would allow financial institutions to use email to provide more customer services than just alerts. "There are opportunities to enhance the service financial institutions can provide through the email channel if we can nail down the trust issue," he said.
There are limitations to the email authentication technologies, though, panelists said. Large institutions with multiple business lines have dozens, if not hundreds, of domains that may not be centrally controlled, Smocer said. Smaller organizations, meanwhile, may not have the expertise to deploy email authentication. There's also the issue of institutions reaching out to various ISPs about the rule sets they've created around SPF and DKIM, he said.
"We're trying to create a core service to operationalize a process where financial institutions can create their rule sets and ISPs have a place to look those up," Smocer said.
Steve Jones, a vice president and architect/strategist at Bank of America, said the first step to implementing email authentication is to establish a policy that has buy-in from all the lines of business. "You need that support across the organization," he said.
Email authentication isn't an end-all solution, but rather one layer of security, panelists noted. "Just because it's authenticated doesn't mean it's trustworthy," said panel moderator Patrick Peterson, a Cisco Systems Inc. fellow and chief security researcher. But the more the industry promotes email authentication, and large companies urge vendors to support the protocols, the easier it will be for smaller companies to adopt it, he said.
"You can start easily by figuring out the domains that are most important to you and just get started," Smocer said, adding that the problem of spoofed email is only going to be solved with widespread adoption of email authentication across the industry.
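The "figure out the domains that matter and get started" advice, together with the earlier point that large institutions own dozens of domains that are not centrally controlled, translates into a simple inventory audit. The following is an added example, not a tool from the article or from BITS: it takes a list of domains and reports which ones publish no SPF record, which ones end in something weaker than `-all`, and which ones have no DKIM public key at an assumed selector name (`sel1`). The TXT records and the truncated `p=` key values are constructed placeholders.

```python
"""Domain-inventory audit for SPF and DKIM publication (added example)."""
import re

# Constructed TXT records for a fictional institution's domains (not real DNS data).
TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "alerts.bank.example": "v=spf1 include:mailer.example ~all",
    "cards.bank.example": "",                                  # nothing published
    "sel1._domainkey.bank.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
    "sel1._domainkey.alerts.bank.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY",
}

ALL_TERM = re.compile(r"(?:^|\s)([-~?+]?)all(?:\s|$)")
QUALIFIER = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}


def spf_policy(record):
    """Classify an SPF record by the verdict its terminating 'all' term gives."""
    if not record or record.split()[0] != "v=spf1":
        return "missing"
    m = ALL_TERM.search(record)
    if not m:
        return "no-all"           # no catch-all term: unlisted senders get neutral
    return QUALIFIER[m.group(1)]


def has_dkim_key(domain, selector):
    """True if a DKIM public-key record exists at selector._domainkey.domain."""
    return TXT.get(f"{selector}._domainkey.{domain}", "").startswith("v=DKIM1")


def audit(domains, selector="sel1"):
    """Return (domain, spf_policy, dkim_present, issues) for each domain."""
    findings = []
    for d in domains:
        policy = spf_policy(TXT.get(d, ""))
        dkim = has_dkim_key(d, selector)
        issues = []
        if policy == "missing":
            issues.append("no SPF record")
        elif policy != "fail":
            issues.append(f"SPF ends in {policy}, not -all")
        if not dkim:
            issues.append(f"no DKIM key at selector {selector}")
        findings.append((d, policy, dkim, issues))
    return findings


if __name__ == "__main__":
    inventory = ["bank.example", "alerts.bank.example", "cards.bank.example"]
    for domain, policy, dkim, issues in audit(inventory):
        status = "OK" if not issues else "; ".join(issues)
        print(f"{domain:22} spf={policy:8} dkim={str(dkim):5} {status}")
```

Run against a real inventory, the `TXT` table would be replaced by DNS lookups, and the selector list would come from whoever operates each domain's outbound mail, which is exactly the cross-business-line coordination the panel described.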