Industry group gives government a failing grade in e-mail authentication
Agencies' failure to implement e-mail authentication technology creates the opportunity for their e-mail domains to be spoofed for phishing attacks against citizens, according to the Online Trust Alliance.
Fewer than half of government agencies examined in a recent study by the Online Trust Alliance (OTA) are using authentication technology to protect against e-mail fraud and phishing.
E-mail authentication technology, usually transparent to the end user, lets servers verify that e-mail traffic is indeed coming from the domain or sender that it purports to be from, and that the sender is authorized to use that domain. The OTA study showed that only 11 of 25 government domains examined use such authentication. A similar study of top commercial sites showed that the private sector is doing a little better, with 55 percent using some form of e-mail authentication.
“It is incomprehensible that in this period of escalating online scams and diminishing consumer confidence these agencies and businesses continue to sit on the sidelines,” said OTA Chairman Craig Spiezle.
Because the sender address of an e-mail can be easily spoofed, the address of a supposedly trusted source can be used to get a message past spam filters and to lure victims to dangerous Web sites, where malicious code can be downloaded to a computer or confidential information can be harvested for identity theft.
Such attacks not only harm the victim whose data is stolen, but also damage the reputation of the agency or business whose domain is being exploited. These issues are becoming increasingly important as companies do more business online and government looks for more ways to provide online services to citizens.
Available authentication tools include Sender Policy Framework and Sender ID, open standards that let a receiving server verify that the purported sender is authorized to use the sender’s domain, based on policy information the domain’s owner publishes in DNS. DomainKeys Identified Mail is an authentication scheme in which outgoing e-mail is digitally signed by the sending server using public-key cryptography, with the public key published in DNS. This lets a receiving server verify that the message actually came from the domain it claims to come from. Both schemes operate without any intervention by the user sending or receiving the e-mail.
Among agencies using some form of e-mail authentication are the Census Bureau, the CIA, the Federal Deposit Insurance Corp., the Federal Trade Commission, the IRS and the Social Security Administration.
Those without some authentication include the Homeland Security Department, the FBI, the Secret Service and the White House.
OTA based its study on the public DNS records of the domains, as well as an examination of more than 20 million e-mails purporting to have come from those domains. Criteria for selecting the top 25 government agencies included past incidents of phishing and spoofing of the agencies’ e-mail addresses, volume of site traffic and the potential for exploiting financial or personal data.
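The two checks described above (an SPF policy lookup that decides whether a sending address is authorized for a domain, and a DNS-based audit of whether a domain publishes SPF or DKIM records at all, which is the kind of test the OTA study ran) can be illustrated with a small, self-contained evaluator. The code below is an added example, not part of the article and not OTA's tooling; the domain names and DNS records are constructed placeholders, and DNS is mocked with a dictionary so the script runs offline. It implements the ip4, ip6, include and all mechanisms of an SPF record; mechanisms that would need live DNS (a, mx, ptr, exists) are reported as a permanent error rather than resolved.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups. Domains, addresses and the
# DKIM public key are placeholders, not records of any real agency.
DNS_TXT = {
    "agency-a.example.gov": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "sel1._domainkey.agency-a.example.gov": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "agency-b.example.gov": [],  # publishes nothing: spoofable without a DNS signal
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def lookup_txt(name):
    """Mocked TXT lookup; replace with a real resolver to audit live domains."""
    return DNS_TXT.get(name.lower(), [])


def get_spf(domain):
    """Return the domain's single SPF record, or None when it publishes none."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF policy of `domain` for a connecting address.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"  # no policy: the receiver learns nothing about the sender
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # ip_network returns False for a mismatched address family
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the referenced domain's policy passes
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists need live DNS; this offline example does not resolve them
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without an "all" term


def has_dkim_selector(domain, selector):
    """True when a DKIM public-key record exists at <selector>._domainkey.<domain>."""
    records = lookup_txt(f"{selector}._domainkey.{domain}")
    return any(r.lower().startswith("v=dkim1") for r in records)


def grade_domain(domain, selectors):
    """Audit a domain the way a DNS-based survey would: is any authentication published?"""
    spf = get_spf(domain) is not None
    dkim = any(has_dkim_selector(domain, s) for s in selectors)
    return {"domain": domain, "spf": spf, "dkim": dkim, "authenticated": spf or dkim}


if __name__ == "__main__":
    for dom in ("agency-a.example.gov", "agency-b.example.gov"):
        print(grade_domain(dom, selectors=("sel1",)))
    for ip in ("192.0.2.55", "198.51.100.10", "203.0.113.7"):
        print(ip, "->", check_spf("agency-a.example.gov", ip))
```

A domain with no SPF record yields "none", which is exactly the case the study flags: a receiver has no DNS signal to reject a forged sender. Note that DKIM selector names cannot be enumerated from DNS alone; an auditor learns them from the DKIM-Signature headers of observed mail, which is why a survey of this kind pairs DNS lookups with a large sample of real messages.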
OTA is a nonprofit industry organization promoting the adoption of authentication technology to combat online crime and fraud. Members include companies engaged in online commerce, such as Bank of America, and IT vendors such as GoodMail Systems, Cisco Systems, Microsoft Corp., Symantec Corp. and VeriSign.