
BITS releases guide for implementing email authentication protocols

By Marcia Savage, Features Editor, Information Security magazine
11 Jun 2009 | SearchFinancialSecurity.com


A new paper released this week by BITS is designed to help financial institutions combat phishing attacks by providing a guide for implementing standards-based email authentication protocols.

The paper, "Email Sender Authentication Deployment", focuses on two protocols, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). The document provides a high-level technical overview of the protocols and addresses deployment considerations, metrics and best practices.

SPF aims to thwart email spoofing by providing a framework in which the domain of an email sender can be authenticated. DKIM allows organizations to add a cryptographic signature to outgoing mail, certifying the message came from the domain displayed in the mail header. DKIM was approved as an official IETF standard in 2007.

Deploying the email authentication protocols can help financial institutions reduce phishing and boost consumer confidence, said Paul Smocer, vice president of security at BITS.

"Phishing is a big problem in the financial services industry. Obviously the spammers and phishers know where the money is, so they go after our industry more than others," he said. "So we're looking for a solution or solutions that allow us to cut down on the amount of phishing."

Financial institutions also want email to be secured and become a valid business channel, he said. "So we can get to a point where enrolling new customers or offering new products can be done through email with an assurance of legitimacy." The vast majority of institutions shy away from using email for those kinds of activities out of concern about email spoofing, he added.

"If we can secure email effectively, then it results in only a preventative measure, but it also creates an opportunity," Smocer said.

BITS, a division of The Financial Services Roundtable, developed the document with eCert Inc., a San Francisco-based service provider that works with organizations to implement email authentication protocols. The paper is intended to help financial organizations understand how to plan to deploy the protocols and the steps they need to take to implement them, he said.

Smocer said about 10% to 15% of BITS' 100 members have deployed SPF while many are interested or are in planning stages to deploy the newer DKIM.

According to a report released last year by the Authentication and Online Trust Alliance, 52% of the Fortune 500's consumer-facing financial services brands adopted DKIM and Sender ID (SIDF), Microsoft's version of SPF.

Smocer said it's not technically difficult to deploy SPF or DKIM, but one of the challenges for organizations is locating all their sources of email. This can be especially difficult for large companies with many lines of business and contractors sending email for them. A company can start its deployment by focusing on the most important email, he said.

The second challenge, he said, "is getting the ISPs and email service providers to actually honor the rule sets you're creating around SPF and DKIM." BITS has talked with ISPs and email service providers to understand the challenges they face and plans to work with them to ensure "we have a methodology for those industries to support implementation of this," Smocer said.

Financial institutions of all sizes can benefit by implementing the email authentication protocols, he said. "There is value for an institution that uses email to communicate with its customer base to having these protocols implemented."
