Email authentication methods critical in fight against phishing

Companies need to implement email authentication in order to protect customers against increasingly sneaky phishing attacks, experts say.

SAN FRANCISCO -- More companies need to adopt email authentication methods to effectively tackle the problem of increasingly sophisticated phishing attacks and spam, security experts said during a panel discussion Wednesday at the 2010 RSA Conference.

The spelling and grammatical mistakes that used to be telltale signs of spam are disappearing, said Todd Inskeep, a senior vice president at Bank of America focused on authentication, customer protection and social spaces.

"We really need technical solutions…to protect all our customers, which is critical as the bad guys get more sophisticated," he said at the panel on securing email against phishing, spoofing and fraud.

Many users' systems are getting infected through phishing attacks, making "it critical to cut down on illegitimate email," said Paul Smocer, vice president of security at BITS, a division of the Financial Services Roundtable, a forum for financial services leaders that focuses on best practices and technical infrastructure. The financial industry has been hit hard by phishers spoofing their brands, he said, adding, "It doesn't do our industry any good from a reputation perspective to have this situation."

Email authentication protocols can go a long way to fighting the phishing problem, panelists said. Last year, BITS published a guide for implementing DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). SPF aims to thwart email spoofing by providing a framework in which the domain of an email sender can be authenticated. DKIM allows organizations to add a cryptographic signature to outgoing mail, certifying that the message came from the domain displayed in the mail header.
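To make the SPF side of this concrete, here is an added example (not from the article or from BITS' guide) of how a receiving mail server evaluates a sender's IP against the domain's published SPF policy; the domains and TXT records are constructed stand-ins for real DNS data, and only the ip4/ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (documentation-range
# addresses and example domains only). "-all" rejects unlisted senders,
# "~all" only soft-fails them, "?all" makes the policy effectively advisory.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "loose.example": "v=spf1 ip4:203.0.113.5 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record or None; stands in for a DNS TXT query."""
    rec = FAKE_DNS_TXT.get(domain)
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of the RFC 7208 result words: pass, fail, softfail,
    neutral, none or permerror. A 'pass' only means the domain owner
    authorised that IP to send; it says nothing about whether the
    domain itself is trustworthy.
    """
    if depth > 10:  # simplified guard for RFC 7208's 10-lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":  # catch-all: its qualifier is the final verdict
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # a bare address like ip4:198.51.100.10 becomes a /32 network
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            # include matches only when the referenced policy yields 'pass'
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # any other mechanism is ignored in this simplified evaluator
    return "neutral"  # nothing matched and no 'all' term was present
```

Running `check_spf("bank.example", "203.0.113.5")` returns `"fail"`, the outcome a receiver can act on; the same IP against `loose.example` only yields `"neutral"`, which shows why the choice of catch-all qualifier matters.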

According to statistics presented during the panel, 51% of all email had an SPF record, compared to 20% of email 18 months ago. During that same period, 16% of email was authenticated with DKIM, up from 2%.

"We hope to encourage more companies to authenticate their email so they don't become the weak link," said Mark Risher, senior director of product management for Yahoo Mail.

Smocer said getting to a higher level of authentication and trust would allow financial institutions to use email to provide more customer services than just alerts. "There are opportunities to enhance the service financial institutions can provide through the email channel if we can nail down the trust issue," he said.

There are limitations to the email authentication technologies, though, panelists said. Large institutions with multiple business lines have dozens, if not hundreds, of domains that may not be centrally controlled, Smocer said. Smaller organizations, meanwhile, may not have the expertise to deploy email authentication. There's also the issue of institutions reaching out to various ISPs about the rule sets they've created around SPF and DKIM, he said.

"We're trying to create a core service to operationalize a process where financial institutions can create their rule sets and ISPs have a place to look those up," Smocer said.

There's also the issue of business partners that send email. Inskeep said Bank of America has lots of partners who send email on its behalf. "It's critical to build the alliance with your business partners and have them involved," he said.

Steve Jones, a vice president and architect/strategist at Bank of America, said the first step to implementing email authentication is to establish a policy that has buy-in from all the lines of business. "You need that support across the organization," he said.

Email authentication isn't an end-all solution, but rather one layer of security, panelists noted. "Just because it's authenticated doesn't mean it's trustworthy," said panel moderator Patrick Peterson, a Cisco Systems Inc. fellow and chief security researcher. But the more the industry promotes email authentication, and the more large companies urge vendors to support the protocols, the easier it will be for smaller companies to adopt it, he said.

"You can start easily by figuring out the domains that are most important to you and just get started," Smocer said, adding that the problem of spoofed email is only going to be solved with widespread adoption of email authentication across the industry.
