Google, Facebook, Bank Of America Behind New Email Security Standard

Published: 22/11/2024   Category: security




New specification for preventing phishing and email domain abuse likely to help email security, but will enterprises adopt it?



Google, Microsoft, Facebook, Bank of America, and PayPal are among a group of 15 companies that have banded together to help fill a major security gap in email, today releasing a specification for curbing phishing and other abuses of legitimate email domains.
The new Domain-based Message Authentication, Reporting and Conformance (DMARC) specification is a framework for protecting email at the domain level, so that fraudsters can't spoof a legitimate sender's address or domain for phishing or other nefarious purposes.
Some of the most devastating data breaches have begun with an eerily convincing spoofed email address used to fool an unwitting employee into opening a document or following a link. But members of the DMARC working group say their goal is to create Internet standards that provide better coordination and cooperation between email providers and the owners of an email domain.
Patrick Peterson, a founding member of the DMARC organization as well as CEO of email security vendor Agari, says the public launch of the specification is one of the most important days in email security. "The insecure email channel is a criminal's best friend," Peterson says. "The state of [email] security in the last 10 years has been pretty damn crappy."
Agari and email security providers Cloudmark, eCert, Return Path, and the Trusted Domain Project are working with email service providers AOL, Google's Gmail, Microsoft Hotmail, and Yahoo! Mail, and with Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, and LinkedIn in the working group. The group says its domain-level email approach is a first for setting up defensible email channels between senders and end users.
Google Gmail, Facebook, LinkedIn, and PayPal all are currently using DMARC to keep their email domains from being spoofed to target unsuspecting users and organizations. Google says about 15 percent of non-spam messages in Gmail already come from DMARC-protected domains.
"We've been active in the leadership of the DMARC group for almost two years, and now that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing," said Adam Dawes, product manager at Google, in a blog post yesterday.
But it's unclear whether enterprises will clamor for it, says Chester Wisniewski, a senior security adviser for Sophos. "The real issue is that most IT email managers will not want to bother with configuring all of their systems to comply with YAP -- Yet Another Proposal -- when they haven't even begun using SPF or DKIM on a large scale," Wisniewski says.
[More than 60 percent of users don't know how their Gmail, Yahoo, Hotmail, and Facebook accounts were hacked. See "Users Whose Accounts Get Hacked Find Out From Their Friends."]
DMARC picks up where the existing email authentication standards leave off. Two of those are already in place: Sender Policy Framework (SPF), under which a domain owner publishes which hosts may send mail for its domain and the receiving server checks the connecting server's IP address against that list, and DomainKeys Identified Mail (DKIM), under which the sending system cryptographically signs each message and the receiver verifies that signature against a public key published by the signing domain. DMARC specifies how receivers combine those two results: a message passes only when the domain that SPF or DKIM actually authenticated lines up with the domain shown in the message's From: header, which is the one the recipient sees.
But SPF and DKIM fell short when it came to visibility of email domain abuse. "Today there are great technologies like SPF and DKIM. We can publish a record with SPF and sign it with DKIM ... then send it out to the ether. People have to pray to the email gods and hope the postmaster will know if something was broken," Agari's Peterson says. "There was no way to get global visibility on how a domain name was being misused."
That's what DMARC does, as well as let the domain owner control who can use the domain. "DMARC lets us register mail, authenticate it, and confirm that it's not spoofed," he says. "It used to be up to someone else to figure out spoofing."
A domain owner publishes a policy telling receiving mail providers what to do with mail that claims its domain but fails authentication (monitor only, quarantine, or reject), and those receivers send the domain owner reports showing which sources are sending mail as its domain and whether that mail passes or fails, so the owner can see whether its own authentication is working and who is abusing the domain.
Google's Dawes says DMARC will ensure that email senders consistently get their messages authenticated on AOL, Gmail, Hotmail, Yahoo!, and any other email receivers that deploy DMARC. "We hope this will encourage senders to more broadly authenticate their outbound email, which can make email a more reliable way to communicate," he says.
Email security vendors likely will offer push-button, cloud-based DMARC services for enterprises, says Agari's Peterson. And those who are already customers of the DMARC founders, such as Agari, already are getting DMARC authentication, he says.
So what happens if DMARC starts making a big dent in phishing attacks? "The bad guys will realize they can't impersonate certain brands any longer," Peterson says. "They will focus on finding unprotected brands."
Phishers also may opt to use domains similar to ones that use DMARC. "If I want to phish someone for their Paypal credentials, I might just forge it to be from paypalsecurity.com or some other similar domain that is not signed or owned by the company I am posing as," Sophos' Wisniewski says.
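The following is an added example, not code from the DMARC working group, Agari, Google, or this article. It shows the receiver-side logic the paragraphs above describe: a domain owner's policy and the SPF/DKIM results for a message are combined by checking that the authenticated domain aligns with the visible From: domain, the policy's disposition is applied on failure, and the outcomes are tallied the way an aggregate report would present them. It also exercises Wisniewski's look-alike case: a message from paypalsecurity.com is judged against that domain's own (absent) policy, so paypal.com's DMARC record says nothing about it. Assumptions not stated in the article: DMARC records live in DNS TXT at _dmarc.<domain> per RFC 7489; the DNS table, public-suffix list, domains, IP addresses and messages below are constructed stand-ins so the script runs offline.

```python
"""Minimal DMARC evaluator (added example; not the DMARC group's or any vendor's code).

Assumed, not from the article: policies are DNS TXT records at _dmarc.<domain>
(RFC 7489); SPF and DKIM results come from the receiver's existing checks.
DNS is replaced by a constructed in-memory table so this runs offline.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for DNS. Only paypal.com and example.com publish a
# DMARC record; the look-alike paypalsecurity.com publishes nothing.
DNS_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; aspf=r; adkim=r; "
                         "rua=mailto:dmarc-reports@paypal.example",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=s",
}

# Constructed public-suffix stand-in; real code uses the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def organizational_domain(fqdn):
    """Registrable domain: mail.paypal.com -> paypal.com, paypal.com -> paypal.com."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def lookup_policy(from_domain):
    """Record for the From: domain; else the org domain's record with its sp= applied."""
    policy_txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if policy_txt is not None:
        return parse_dmarc(policy_txt)
    org = organizational_domain(from_domain)
    if org == from_domain.lower():
        return None  # no record for this registrable domain: DMARC is silent
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + org, ""))
    if policy is not None:
        policy["p"] = policy["sp"]
    return policy


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver's own SPF and DKIM checks produced for one message."""
    from_domain: str        # domain of the visible RFC 5322 From: header
    spf_pass_domain: str    # MAIL FROM domain that passed SPF, "" if none
    dkim_pass_domain: str   # d= of a DKIM signature that verified, "" if none
    source_ip: str = "192.0.2.1"  # constructed


def evaluate(msg):
    """Return (disposition, reason): 'pass', or the policy's p= value on failure."""
    policy = lookup_policy(msg.from_domain)
    if policy is None:
        return ("none", "no DMARC record for " + msg.from_domain)
    spf_ok = aligned(msg.from_domain, msg.spf_pass_domain, policy["aspf"])
    dkim_ok = aligned(msg.from_domain, msg.dkim_pass_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "aligned " + ("dkim" if dkim_ok else "spf"))
    return (policy["p"], "neither SPF nor DKIM aligned with From: domain")


def aggregate(messages):
    """Tally what a rua= aggregate report would show: (From: domain, source IP, result)."""
    return Counter((m.from_domain, m.source_ip, evaluate(m)[0]) for m in messages)


# Constructed sample traffic as a receiver would see it.
SAMPLES = [
    AuthResults("paypal.com", "", "paypal.com", "198.51.100.10"),                     # signed by owner
    AuthResults("paypal.com", "bounce.paypal.com", "", "198.51.100.11"),             # SPF via subdomain
    AuthResults("paypal.com", "attacker.example", "attacker.example", "203.0.113.5"),  # spoofed From:
    AuthResults("paypalsecurity.com", "paypalsecurity.com", "", "203.0.113.6"),      # look-alike domain
    AuthResults("example.com", "", "mail.example.com", "198.51.100.20"),             # strict adkim fails
    AuthResults("promo.example.com", "promo.example.com", "", "198.51.100.21"),      # subdomain, sp= inherited
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.from_domain:22} {m.source_ip:15} {evaluate(m)}")
    print(aggregate(SAMPLES))
```

The third sample is the case SPF and DKIM alone could not catch: the attacker's own SPF record and DKIM key both check out, but neither authenticated domain aligns with the paypal.com From: header, so the owner's p=reject applies. The fourth sample shows the limit Wisniewski describes: a look-alike domain is evaluated only against its own policy, so publishing DMARC for paypal.com does nothing for paypalsecurity.com.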
The DMARC working group plans to deliver its specification to the Internet Engineering Task Force (IETF) for its blessing as a standard for the Internet community.
