Can DMARC Hook Online Phishers?

Experts Debate Merits of E-Mail Authentication Initiative
Can DMARC Hook Online Phishers?

How effective will the DMARC, or Domain-based Message Authentication, Reporting & Conformance, be at curbing phishing attacks? Industry experts gathered in San Francisco this week for RSA Conference 2012 say it's the best effort the online industry has put forth to date.

See Also: How to Mitigate Credential Theft by Securing Active Directory

During a Feb. 28 panel session, online security experts from Hotmail, American Greetings and PayPal said DMARC's call for a thorough and strong e-mail authentication process is the only viable way to conquer increasing e-mail threats organizations and businesses face in the wake of increased social media and engineering risks.

"The biggest problem facing all of us is malware," says John Scarrow of Hotmail.

An employee or other user connected to an organization's database unknowingly clicks and opens a malicious link in an e-mail, inadvertently launching a phishing attack that has the potential to severely cripple or, worse, take an organization down.

"Well over 90 percent of any organization's vulnerability is sitting behind the keyboard," he says. "It's the socially engineered schemes that pose the greatest risk, not outside intrusions or other types of network vulnerabilities."

DMARC and Addressing Social Risks?

DMARC standardizes how e-mail receivers perform e-mail authentication by providing a uniform reporting mechanism, says Andy Steingruebl of PayPal. "DMARC offers a way for senders to be verified, and it creates a system that's built on reputation."

E-mail senders will experience consistent authentication results for messages at AOL, Gmail, Hotmail, Yahoo!, as well as other e-mail receivers that implement DMARC. "We hope this will encourage senders to more broadly authenticate their outbound e-mail, which can make e-mail a more reliable way to communicate," DMARC says.

In December, BITS, the Technology Division of the Financial Services Roundtable, announced its support of DMARC, as a way to curb financial losses linked to socially engineered schemes that compromise users' online banking credentials. [See BITS: Focus on Emerging Technology.]

Increased use of social media, coupled with the ubiquity of e-commerce, has fueled growth in socially engineered schemes waged for financial gain. E-mail is easy to spoof, and cybercriminals are increasingly improving their techniques.

Critics say DMARC fails to address the core problem - the user, who is too easily fooled. Joseph Steinberg, CEO of online security and authentication provider Green Armor Solutions, says until the human is taken out of the equation, online fraud will grow.

"We don't want to require what I call 'active thinking,'" Steinberg says. "Phishing can't be addressed by technology. It's a social problem."

Anytime a consumer is asked to make a voluntary decision, phishing schemes will work, because humans are easy to manipulate. It's the nature of being social creatures - we want to trust, Steinberg says.

"These spear-phishing attacks rely on the same methods that we have seen since the dawn of time, or the human race, anyway," he says. "It's a social problem, not a technical problem, at its core. Initiatives like DMARC won't work, because they fail to address the real problem, and that is the need for more education."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network