A new e-mail authentication process expected to have profound impact.
By James Hobson
Major e-mail providers, including Google, Yahoo! and Microsoft (Bing), are poised to launch a robust initiative for improving email authentication, thereby making phishing scams more difficult to carry out. The major search engines have the support of other major sites such as LinkedIn and Facebook – all of whom have to deal with phishing scams around the world. Phishing scams cost consumers billions of dollars each year, and cause substantial problems for legitimate businesses operating online.
It is worth noting that these measures are being done without government direction or mandate, and without any need for suspect legislation such as SOPA.
This initiative is also supported by most of the top email service and technology providers, including Fidelity Investments, Bank of America, PayPal, eBay and more. These companies often take the heat for phishing scams, and spend millions of dollars each year to investigate and address phishing scam problems. PayPal is reported to detect and block over 1,000,000 phishing emails each week.
Google has filed a patent application for a process that uses an overlaid image for authenticating sites. The search engines may take the extra measure of disabling links on suspected phishing sites. Google’s extensive wealth of information is a cornerstone in being able to identify phishing websites.
Another proposed method of fighting phishing sites is a new security initiative that would move email senders well beyond the traditional SMTP process. The new process being proposed is called DMARC, an acronym for Domain-based Message Authentication, Reporting and Conformance.
A DMARC press release includes the following:
". . . The DMARC specification addresses concerns that have traditionally hindered widespread deployment of an authenticated, trusted email ecosystem. Today, email receivers lack a reliable way to know the extent to which an email sender uses standards like SPF and DKIM for authenticating their messages. As a result, providers must rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.
By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks. The specification also creates a mechanism for email providers to send detailed reports back to email senders to help catch any gaps in the authentication system. This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts. . . "
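The policy-and-feedback loop the press release describes, as an added illustration that is not part of the original article or of any DMARC implementation. It assumes the DMARC DNS TXT record syntax (`v=DMARC1; p=...; rua=...`) and identifier alignment between the authenticated SPF/DKIM domain and the visible From domain, neither of which the article spells out; the domain names, IP address and counts are constructed.

```python
"""Toy DMARC evaluator: a sender publishes a policy, a receiver checks SPF/DKIM
alignment against it and records the row it would report back to the sender."""

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into tag/value pairs (assumed syntax)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for DKIM ...
    tags.setdefault("aspf", "r")   # ... and for SPF
    return tags

def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels (real receivers use the public suffix list).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: dict, from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passed
    AND the domain it authenticated aligns with the From-header domain; otherwise
    the receiver applies the sender's published policy 'p'."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]

def report_row(from_domain: str, source_ip: str, count: int, result: tuple) -> dict:
    """One row of the feedback a receiver sends to the 'rua' address (aggregate report)."""
    return {"header_from": from_domain, "source_ip": source_ip, "count": count,
            "dmarc": result[0], "disposition": result[1]}

# Constructed sender policy: reject unauthenticated mail, send reports to the domain owner.
RECORD = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    legit = evaluate(RECORD, "example.com", "fail", "", "pass", "mail.example.com")
    phish = evaluate(RECORD, "example.com", "pass", "phisher.example", "none", "")
    print(report_row("example.com", "192.0.2.10", 3, legit))   # dmarc pass, disposition none
    print(report_row("example.com", "198.51.100.7", 40, phish))  # dmarc fail, disposition reject
```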
Any of these improvements will be a huge gain for consumers and service providers. While phishing scams will not be stopped entirely, these measures will make it much more difficult for current phishing scams to work.