Facebook, Microsoft, Google, Yahoo team up for anti-phishing standards
Fifteen tech giants and email service providers have put their heads together to combat phishing, the practice of sending a deceptive email that spoofs a legitimate entity.
The Domain-based Message Authentication, Reporting and Conformance group (DMARC.org, www.dmarc.org) has developed standards to combat the threat from phishing as well as spam.
DMARC.org said it "draws upon a history of private industry collaboration with 18 months of dedicated work, to outline an enhanced vision for email authentication that can scale up to today's Internet needs."
DMARC.org is an unincorporated working group made up of 15 of the world's leading email providers, financial institutions and service providers, including:
- AOL, Gmail, Hotmail, Yahoo! Mail (email)
- Bank of America, Fidelity Investments, PayPal (financial institutions)
- American Greetings, Facebook, LinkedIn (social media properties)
- Agari, Cloudmark, eCert, Return Path, Trusted Domain Project (email security solutions providers)
The group aims to develop Internet standards to reduce the threat of email phishing and to improve coordination between email providers and mail sender domain owners.
"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal.
"Industry cooperation - combined with technology and consumer education - is crucial to fight phishing," he added.
The DMARC specification addresses concerns that have hindered widespread deployment of an authenticated, trusted email ecosystem.
Presently, email receivers lack a reliable way to know whether, and how consistently, a given email sender uses standards like SPF and DKIM to authenticate its messages.
Providers must thus rely on complex and imperfect measurements to separate legitimate unauthenticated messages sent by the domain owner from fraudulent phishing messages sent by a scammer.
"By introducing a standards-based framework, DMARC has defined a more comprehensive and integrated way for email senders to introduce email authentication technologies into their infrastructure. For example, a sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks," DMARC said.
It added that the specification also creates a mechanism for email providers to send detailed reports back to email senders, helping them catch any gaps in their authentication setup.
This feedback loop raises the trust level within the email ecosystem and makes it easier to detect and stop phishing attempts.
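As an added illustration of the policy and reporting mechanism described above (not code from DMARC.org or the article), the Python below parses a DMARC TXT record and applies it to a message's SPF and DKIM results. The record, domains and results are constructed samples, and the organizational-domain rule is simplified to the last two labels (the real specification uses the Public Suffix List).

```python
"""Added example: parse a DMARC TXT record and apply its policy to a
message's SPF/DKIM results. Not DMARC.org's code; the record and
message results below are constructed samples."""

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, auth_domain, mode):
    # Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain.
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf = (result, domain SPF checked); dkim = (result, d= domain of the signature).
    DMARC passes if either mechanism passes AND its domain aligns with the From: domain."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], record.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], record.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # The sender's requested disposition (p=) applies only to failing mail.
        "disposition": "none" if passed else record["p"],
        # Receivers send aggregate reports to the rua= address: the feedback loop.
        "report_to": record.get("rua"),
    }

SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed

def demo():
    rec = parse_dmarc(SAMPLE_RECORD)
    legit = evaluate(rec, "example.com", ("pass", "mail.example.com"), ("pass", "example.com"))
    other = evaluate(rec, "example.com", ("pass", "thirdparty.example"), ("none", ""))
    return legit["disposition"], other["disposition"]
```

Calling demo() returns ("none", "reject"): the message from the domain owner's own mail host passes under relaxed alignment, while the unaligned one is handed the sender's requested reject disposition and would appear in the aggregate report.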
"BITS has been committed to defining and improving email authentication standards and practices to meet the financial services industry's needs. DMARC's evolutionary approach is critical in assuring these needs are met for years to come," said Paul Smocer, President of BITS, the technology policy division of The Financial Services Roundtable.
After gathering data and input from field usage of the technology, DMARC.org intends to submit its DMARC specification for standardization.
Authentication and coordination
A separate article on tech site CNET said Google, Microsoft, Yahoo, AOL, and Agari announced last November they were doing this authentication coordination for Facebook, YouSendIt, and other e-commerce companies and social networks.
CNET said that the effort is now being expanded to include more participants. The anti-phishing collaboration has been going on for 18 months between various partners.
"About 15 percent of all e-mail in the Gmail in-boxes comes from these organizations that have published these DMARC records. That means that these records cannot be domain spoofed," said Adam Dawes, a Gmail product manager.
Another blow vs phishing
Gmail product manager Adam Dawes said this was another blow against email phishing, noting the practice of tricking a user into revealing personal information by sending fake emails that look legitimate, “remains one of the biggest online threats.”
“Building upon the work of previous mail authentication standards like SPF and DKIM, DMARC is responding to domain spoofing and other phishing methods by creating a standard protocol by which we’ll be able to measure and enforce the authenticity of emails. With DMARC, large email senders can ensure that the email they send is being recognized by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders’ addresses,” he said in a blog post.
Dawes said Google had been active in the leadership of the DMARC group for almost two years.
“(N)ow that Gmail and several other large mail senders and providers — namely Facebook, LinkedIn, and PayPal — are actively using the DMARC specification, the road is paved for more members of the email ecosystem to start getting a handle on phishing,” he said. — TJD, GMA News