Audit Finds Business, Government Fail at E-mail Authentication
As e-mail users, we’ve gone from being spammed to phished to precision-targeting spear phished, and the biggest companies on the Internet aren’t doing enough about it.
That’s the takeaway from a report out today by the Online Trust Alliance (OTA), a member-funded nonprofit group that has worked for the last decade on cleaning up the Internet. The Bellevue, WA-based group’s 2014 E-mail Integrity Audit finds that almost 92 percent of companies have failed to adopt the best technologies and practices to limit threats from bogus e-mail sent in the guise of their brands. As the alliance puts it, such widespread inaction indicates “a disconnect between the e-mail marketing community and security teams at many organizations.”
The e-mail audit comes on the heels of the alliance’s June Online Trust Audit, which evaluated 800 top consumer Websites and found that 70 percent of them were not following best practices for protecting data, user privacy, and their own domains.
When it comes to e-mail, it’s no surprise that nefarious actors are using some of the same precision targeting techniques as advertisers to appeal to people based on their individual interests. Cybercriminals using so-called spear phishing attacks can easily disguise their e-mails to look like they were sent from a legitimate source, enhancing their deception by including personal information about targeted individuals or businesses.
As the alliance audit makes clear, businesses and governments that communicate with their constituencies via e-mail—which is just about everyone—are not doing enough to prevent spoofed and forged e-mails.
These disguised attacks open the door to identity theft, data breaches, malware, and other online ills, “undermining the trust and confidence in e-mail,” the OTA says in the report.
(At Xconomy, we’ve looked closely at the value of e-mail in a modern context and come to some similar conclusions about the decreasing utility of the technology in light of these and other shortcomings.)
Federal government sites and top banks insured by the FDIC performed the worst, while major Internet retailers and social media companies were most likely to be using best practices, according to the OTA.
“The financial services sector, which continues to be targeted by spear phishing exploits resulting in millions of dollars of financial losses, has disappointing results—failing to reach 50 percent adoption” of the most important e-mail authentication best practices, according to the OTA. “Equally as concerning is the failure of U.S. Government sites to adequately protect 78 percent of their domains.”
The OTA’s E-mail Integrity Audit is meant to help companies deploy best practices for preventing the e-mail spoofs and forgeries that make possible the more damaging attacks on consumers and businesses. It focuses on three authentication and security practices that every major e-mail sender should employ:
Sender Policy Framework (SPF)—a DNS record in which a domain’s owner lists the IP addresses (or other domains) authorized to send mail on its behalf, so that a receiving server can check the connecting sender against it;
DomainKeys Identified Mail (DKIM)—a cryptographic signature over the message body and selected headers, added by a legitimate sending server and verified by the receiver against a public key the signing domain publishes in DNS; and
Domain-based Message Authentication, Reporting, and Conformance (DMARC)—a policy published by the domain owner telling receivers what to do (monitor, quarantine, or reject) with mail that fails SPF or DKIM in a way that aligns with the visible From: address, plus aggregate reports that tell brand and domain owners when and from where their domains are being spoofed.
The first two standards have been under development for a decade and saw broad adoption particularly over the last three years. The third was only introduced in 2012. All three are published by the sending domain and evaluated by the receiving server, but SPF and DKIM only establish whether a message came from an authorized source or arrived unaltered; DMARC tells receivers how to act on those results and reports back to the domain owner. One caveat a practitioner should keep in mind: SPF checks the envelope sender (the Return-Path), which recipients never see, while forgeries target the From: header they do see, which is why DMARC’s requirement that a passing SPF or DKIM identifier align with the From: domain matters. Though the standards were designed to complement each other, they aren’t always adopted in concert, the OTA says, with the Sender Policy Framework being older and easier to implement, and therefore more commonly used.
Implementing these practices, the OTA says, will protect consumers and brands, and increase the chances that legitimate e-mails will make it to their intended recipients. They can also protect companies from class action lawsuits and other liabilities.
But why, then, are so few companies doing the right thing?
The OTA suggests that some companies only go part of the way, perhaps thinking they’ve done enough. They might authenticate e-mail from certain subdomains (a newsletter or marketing host, for example) but not their primary, or apex, domain (brand.com itself), which the OTA says is the most likely to be targeted.
“The inconsistent use of authentication is like reinforcing and locking the front door to your house, while leaving your side door or garage doors wide open,” the OTA says in the report.
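To make the interaction of the three standards concrete, and to show the gap the OTA describes when a subdomain is protected but the organizational domain is not, here is an added worked example in Python. It is not code from the OTA report or from Xconomy. All DNS records, IP addresses and messages are constructed for the hypothetical brand example.com; a keyed HMAC stands in for DKIM’s real public-key signature so the script runs on the standard library alone, and the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List.

```python
import hashlib
import hmac
import ipaddress

# --- Constructed DNS data for the hypothetical brand "example.com" --------
# The newsletter subdomain is locked down (strict SPF, DKIM key, DMARC
# p=reject); the organizational domain has a permissive SPF and no DMARC.
DNS_TXT = {
    "example.com":             "v=spf1 include:_spf.example.com ~all",
    "_spf.example.com":        "v=spf1 ip4:192.0.2.0/24 -all",
    "news.example.com":        "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.news.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # No "_dmarc.example.com" record: the apex domain publishes no policy.
}
# Toy DKIM keys.  Real DKIM publishes a public key at
# <selector>._domainkey.<domain>; an HMAC secret stands in for it here.
DKIM_KEYS = {"s1._domainkey.news.example.com": b"constructed-secret-for-news"}


def org_domain(name):
    """Organizational domain, simplified to the last two labels (real DMARC
    implementations consult the Public Suffix List, e.g. for example.co.uk)."""
    return ".".join(name.lower().split(".")[-2:])


def spf_check(ip, domain, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.
    Returns pass / fail / softfail / neutral / none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
        if mech == "all":
            return verdict
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:]):
            return verdict
        if mech.startswith("include:") and spf_check(ip, mech[8:], depth + 1) == "pass":
            return verdict
    return "neutral"


def dkim_sign(msg, domain, selector):
    """Attach a toy DKIM-Signature (d=, s=, b=) covering the body."""
    key = DKIM_KEYS[f"{selector}._domainkey.{domain}"]
    msg["dkim"] = {"d": domain, "s": selector,
                   "b": hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()}
    return msg


def dkim_verify(msg):
    """Return (result, signing domain).  The key is fetched from the selector
    record the signer named, never from the From: domain."""
    sig = msg.get("dkim")
    if not sig:
        return "none", None
    key = DKIM_KEYS.get(f"{sig['s']}._domainkey.{sig['d']}")
    if key is None:
        return "fail", sig["d"]
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return ("pass" if hmac.compare_digest(expected, sig["b"]) else "fail"), sig["d"]


def dmarc_policy(from_domain):
    """Look up _dmarc.<From: domain>, then fall back to the organizational
    domain (honouring sp= for subdomains).  Returns (policy, record domain)."""
    for name, tag in ((from_domain, "p"), (org_domain(from_domain), "sp")):
        record = DNS_TXT.get(f"_dmarc.{name}")
        if record and record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get(tag, tags.get("p", "none")), name
    return None, None


def dmarc_evaluate(msg):
    """Receiver-side DMARC: pass if SPF or DKIM passes *and* the passing
    identifier aligns (relaxed mode: same organizational domain) with the
    visible From: domain.  Returns (dmarc result, disposition)."""
    from_dom = msg["from_domain"]
    spf = spf_check(msg["source_ip"], msg["mail_from_domain"])
    spf_aligned = spf == "pass" and org_domain(msg["mail_from_domain"]) == org_domain(from_dom)
    dkim, dkim_dom = dkim_verify(msg)
    dkim_aligned = dkim == "pass" and org_domain(dkim_dom) == org_domain(from_dom)
    policy, _ = dmarc_policy(from_dom)
    if policy is None:
        return "none", "deliver"        # nothing published, nothing to enforce
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


# Three constructed messages: a real newsletter, a forged newsletter, and a
# forgery of the unprotected apex domain (the OTA's "side door").
def legitimate_newsletter():
    msg = {"from_domain": "news.example.com", "mail_from_domain": "news.example.com",
           "source_ip": "198.51.100.10", "body": "Our spring sale starts Monday."}
    return dmarc_evaluate(dkim_sign(msg, "news.example.com", "s1"))


def spoofed_subdomain():
    return dmarc_evaluate({"from_domain": "news.example.com", "mail_from_domain": "news.example.com",
                           "source_ip": "203.0.113.5", "body": "Confirm your password here."})


def spoofed_apex():
    return dmarc_evaluate({"from_domain": "example.com", "mail_from_domain": "example.com",
                           "source_ip": "203.0.113.5", "body": "Confirm your password here."})


if __name__ == "__main__":
    for scenario in (legitimate_newsletter, spoofed_subdomain, spoofed_apex):
        print(f"{scenario.__name__:22s} -> dmarc={scenario()[0]:5s} disposition={scenario()[1]}")
```

The forged newsletter is rejected because news.example.com publishes p=reject, but the forgery of the apex domain sails through: its SPF result is only a softfail, there is no DKIM signature to check, and with no DMARC record at example.com the receiver has no policy to enforce and no report to send. Publishing the record at the organizational domain (with sp= to cover any subdomains) closes that door.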
Other causes include the outsourcing of e-mail marketing to third-parties that are not adequately supervised by internal security teams and may not be thinking in terms of protecting a company’s broader brand.
Moreover, the OTA blames “the low level of support and integration in the commercial systems and software used to send and receive e-mail” for both outbound and inbound authentication best practices.
The alliance expects that to change over the coming two years.
Its e-mail audit concludes:
“As the world economy and society at-large become increasingly reliant on the Internet, it is incumbent on the business community, government agencies, and associated trade organizations to embrace these practices, moving from a compliance mindset to one of stewardship. Collectively we have an opportunity to enhance trust and integrity in e-mail while helping to protect consumers from harm.”