« Card Security Week at First National Bank | Main | Fraud Education Efforts from Around the World »

The Future of Authenticated Email

By Jim Bruene on December 4, 2003 12:40 PM | Comments

Quick quiz. Does the icon at left represent
 (A) second prize at the state fair
 (B) bad clip art of a holiday wreath
(C) a solution to the fake email problem?

We hope the answer is C, although currently most consumers would choose A or B. The little-known icon is used by Outlook to indicate an authentic digitally signed email (see screenshot below).


Despite the recent proliferation of mass phishing, it’s a problem that is largely solvable. The technology to send and receive verifiable email messages is already robust and affordable. Receiving is a little trickier since the major webmail providers (e.g., Yahoo, Hotmail) do not currently support digitally signatures (the message is delivered with an oddball attachment). But even among Outlook users, there is little awareness of the feature. And that’s no small issue.

Since large organizations, especially financial institutions and other trusted advisors, must have a means of communicating electronically with users, it is only a matter of time before verifiable messaging becomes commonplace. Within two years, most financial institutions will add some type of authenticating code to messages so that recipients, ISPs, and spam filters will know the message is genuine (not a spoofed From address).

For users of newer versions of Microsoft Outlook and other email systems that support S/MIME, the technology is already available, though seldom used. In Outlook digitally signed messages have an icon in the upper right portion of the preview pane (see screenshot left). Curious users can click through the icon to verify the certificate. The only downside for users is a several-second delay as their PC authenticates the key.

While the use of digital signatures doesn’t completely eliminate phishing; crooks could still send fraudulent, digitally signed messages from look-alike companies, e.g., www.WellsFargoBaking.com . However, it would be much more difficult, since the crook would have to obtain a fraudulent digital certificate and they would not be able to spoof the email From address.

In fact, until you provide a basic level of user education, sending signed messages could be counterproductive. Wary users, seeing an unusual message, may deem it to be a hoax. So you need to send a series of educational emails prior to implementing digitally signed messages.


Industry Initiatives

The problem has sprouted a cross-industry workgroup, Anti-phishing.org <antiphishing.org> sponsored by email solutions provider Tumbleweed Communications. The group’s first meeting was Nov. 18 in San Francisco. OBR subscriber Ken Beer, Director of Product Development of Tumbleweed, called us the next day and summarized the discussion (see below). The next meeting will take place in January in London; watch its website for details on the exact time and place.

The meeting, attended by large ISPs such as Yahoo as well as banks such as Wells Fargo and Bank of America, discussed broad-based solutions to the problem. According to Beer, the industry is working to fight phishing both at the ISP and browser level.

Emailers would like to see controls in place at the gateway level that would verify that emails were actually sent by the company indicated in the email address. This would eliminate most phishing attempts from ever being viewed by the intended recipients.

ISP-level solutions are considered to be the best way to put an immediate end to phishing. End-user solutions will take longer to implement since many users don’t have the necessary software (e.g., later versions of Microsoft Outlook), or use webmail services that don’t currently support digitally signed email.

At press time, Yahoo announced a major initiative to block email messages with fake From addresses (the majority of unauthorized spam). Its open source Domain Key system would use a public system to verify that the email came from the domain contained in the From address. Emailers would need to sign their messages with a key. Yahoo hopes to implement the system sometime in 2004. It’s too early to tell whether the broad industry support required to make it work will materialize.                       


The Process of Verifying the Sender
(Outlook in IE 6)



Most Recent Posts:


TrackBack URL for this entry:

Upcoming Events



RSS Subscribe via RSS
RSS Subscribe to Comments


@NetBanker Twitter Feed

See all @NetBanker tweets