Abney Associates News Blog Warning: Foiling Phishing With Authentication
In its new report on using e-mail authentication to fight phishing attacks, BITS offers a list of best practices and recommendations, including expanded use of the DMARC security protocol.
BITS, the technology policy division of The Financial Services Roundtable, believes that the Domain-based Message Authentication, Reporting and Conformance protocol plays a key role in mitigating phishing schemes.
DMARC standardizes how e-mail receivers perform e-mail authentication by providing a uniform reporting mechanism that's built on reputation.
"DMARC is pretty helpful in a couple of different areas," says Andrew Kennedy, senior program manager for BITS' security initiatives, in an interview with Information Security Media Group [transcript below].
Kennedy sees DMARC as an overlay of the Sender Policy Framework [SPF] and DomainKeys Identified Mail [DKIM] protocols, which aid in e-mail authentication.
"If there was an authentication failure for one of those protocols, it leaves you in the lurch if you don't have a policy in place to deal with that, and DMARC helps close the gap there," he says.
Also in the interview, John Carlson, executive vice president of security programs at BITS, stresses that an essential component when fighting phishing is for banking institutions and their business partners and customers to follow similar authentication strategies. "It requires extensive collaboration from many different groups within the company and outside in order to implement these controls," he says.
During this interview, Carlson and Kennedy discuss:
All of the e-mail protocols that address phishing attacks and how the protocols work in tandem;
Why spoofed websites are increasingly concerning; and
Steps banking institutions are taking to get business-partner buy-in for the DMARC initiative.
At BITS, Carlson works with members to strengthen the security and resiliency of financial services through best practices and strategies for secure IT systems infrastructures, products and services. He also collaborates with the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, or FS-SCC, and co-chairs its Threat and Vulnerability Assessment Committee. He re-joined BITS in December 2011 after serving as a managing director at Morgan Stanley.
Kennedy, now the program lead for BITS' security initiatives, previously served as project manager for the BITS Vendor Management Program. He interned at BITS in 2006 and worked as an IT professional and security consultant in the biotech and software industry in California.
E-Mail Authentication Guidelines
TRACY KITTEN: Before we get into some of the details, could you talk a little bit about what prompted BITS to update the guidelines that it first issued about e-mail authentication back in 2009?
JOHN CARLSON: We'd be happy to talk about the BITS e-mail authentication policy and deployment strategy for financial institution firms. The reason why we had issued this paper was to help our financial institutions to better leverage several protocols and tools to detect and reduce the number of spoofed e-mail messages that reach consumers and business partners. A key component here is that e-mail is a critical communications channel for business today, and many of our institutions are dealing with spoofed e-mail messages that oftentimes are the vector for transporting malicious software or for tricking users into thinking it's coming from a legitimate user. We decided that it was important to issue this paper to help our financial institution member companies better leverage these protocols and gain some of the significant benefits from use of these protocols in terms of reducing fraudulent e-mail to customers and prospective customers, to reduce phishing attacks against high-value or trusted domains, to increase customer and partner confidence and trust in the authenticity of the sender's e-mail, and, very importantly, to enhance the brands of institutions in terms of the exposure of customers to phishing attacks that could lead to fraud or malware infection on their computers.