The FS-ISAC and BITS are amping up their fight against phishing, hiring eCert for a pilot program to bring anti-phishing tools to member institutions. The plan is ambitious, but some experts question whether the methods proposed are effective.
In October, eCert will launch the Trusted Email Registry, a program aimed at protecting consumers against spear phishing and e-mail-based malware attacks. The 60-day pilot will start with 25 financial institutions, says Paul Smocer, president of the FSTC. A BITS working group in 2007 recommended that its members adopt TLS (Transport Layer Security), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which the eCert program is intended to put in place.
eCert has partnerships with Google and Yahoo that allow it to monitor 40 percent of all e-mail traffic in the U.S., and to see, for instance, how much of that traffic is sent purporting to be from a certain bank's domain, says Kelly Wanser, chief executive of eCert Inc. Currently about 20 percent to 30 percent of all e-mail traffic is phishing traffic, Wanser says. The goal is to eventually reduce that to zero, blocking all the bad traffic and authenticating the good e-mail traffic, she says. "Clean the pipes, so to speak; demonstrate that it's clean."
One goal of the program is to make it easier for banks and the gatekeepers responsible for setting up authentication protocols to work together, Smocer says. Implementing the anti-phishing protocols is not easy for banks, especially identifying all of the sources of legitimate e-mail sent out on a bank's behalf. It's also difficult for banks to work on their own with Internet service providers to set up the rules that must be honored for e-mail authentication to work.
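To make concrete what the SPF part of those recommendations asks of a bank, and why "identifying all of the sources of legitimate e-mail" matters, here is an added example that is not part of the original article or of eCert's product. It is a minimal SPF evaluator in the spirit of RFC 7208: the DNS TXT records are a constructed in-memory table (examplebank.test and mailvendor.test are hypothetical names on documentation address ranges), and only the ip4, ip6, include and all mechanisms are supported. The third scenario shows the failure mode Smocer describes: a legitimate vendor the bank forgot to list gets a hard fail and is rejected at the receiving gateway.

```python
import ipaddress

# Constructed stand-in for the DNS TXT lookups a real SPF check performs.
# examplebank.test is the hypothetical bank; mailvendor.test is a hypothetical
# bulk-mail vendor that the bank has authorized via "include:".
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:198.51.100.0/24 include:mailvendor.test -all",
    "mailvendor.test": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against the SPF record of the MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are handled; anything else is a permerror
    in this toy evaluator.
    """
    if depth > 10:  # RFC 7208 limits nested lookups to prevent loops
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            # Membership is False across IP versions, so ip4 never matches an IPv6 sender.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's policy yields pass.
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and no "all" term: RFC default


def gateway_disposition(result):
    """Illustrative receiving-gateway policy (an assumption of this example)."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    return "accept"


if __name__ == "__main__":
    # Constructed scenarios. 192.0.2.5 stands for a second, legitimate vendor the
    # bank never added to its record, which is why it is rejected like a phisher.
    scenarios = [
        ("bank's own mail server", "198.51.100.7"),
        ("listed vendor via include", "203.0.113.11"),
        ("unlisted legitimate vendor", "192.0.2.5"),
        ("phisher spoofing the bank", "192.0.2.99"),
    ]
    for label, ip in scenarios:
        result = check_spf("examplebank.test", ip)
        print(f"{label:28} {ip:15} spf={result:8} -> {gateway_disposition(result)}")
```

The receiver side of this check only bites when the bank publishes "-all" and the receiving provider actually enforces it, which is the two-sided cooperation problem the article's sources describe: an incomplete sender inventory produces rejected legitimate mail, so many domains publish "~all" or leave enforcement off, and a phisher's spoof then sails through as "softfail" or "neutral".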
Steve Eddy, director of product management for Proofpoint in Sunnyvale, Calif., says his company provides all three anti-phishing methods to clients, mainly because they are required by banking regulators. But, Eddy says, they all have significant problems: either they don't control enough e-mail traffic to make a dent in the phishing attempts, or they require an impractical level of cooperation between senders and gatekeepers, so the protocols for rejecting e-mails are rarely followed. "Quite honestly, all three of them have little effect" on phishing, he says.
Content scanning at the e-mail receiving gateway is the most promising method for combating phishing, Eddy says. Not coincidentally, Proofpoint markets a content-scanning product. Wanser says content scanning could actually be helped by having a trust authority in place. But in the current environment, "content scanning has been pushed to its limit," she says. With content filters, phishing e-mails still get through and viruses are not blocked well at all, she says. Avivah Litan, a Gartner security analyst, says that content filtering and e-mail authentication should be used together, because each approach on its own has drawbacks in combating phishing.
If everyone participated in e-mail authentication, the phishing issue would be solved, Litan says. "The problem with it is that not everyone is implementing it," she says. "Getting everybody to move to a standard is many years away."