The Latest in Authentication Adoption

When the Internal Revenue Service issued its 2008 list of the 12 most egregious tax schemes and scams in March, topping the list were Internet phishing scams. To date, taxpayers have forwarded more than 33,000 of these scam emails, reflecting more than 1,500 different schemes, to the IRS. This year the economic stimulus rebate has made for additional fodder, with potential victims being told by email or phone that they are eligible for a rebate but must provide a bank account number (or similar information) to get the payment. A target who is unwilling is then told that the rebate cannot be received unless the information is provided.

Why do these same types of exploits succeed year after year? In part it is the medium itself. As consumers and organizations make online channels their preferred way to shop, communicate and conduct business, the risk continues. In December, over 2,000 marketers participated in a survey about online channels. Conducted by Datran Media, a provider of digital media solutions, the survey (www.datranmediasurvey.com) provides some insights, namely that email works for legitimate email senders and big brand names. Overall, 82 percent of the marketers surveyed indicated plans to increase their use of email marketing in 2008, and 55 percent of the respondents said they expect ROI from email to be higher than from any other channel.

Those responding to the survey noted that email would be used to do the following: send newsletters (80 percent); drive sales (79 percent); increase upsell or cross-sell opportunities (67 percent); send transactional messages (51 percent); reactivate dormant customers (53 percent); enhance customer relationships (71 percent); and/or increase brand awareness and/or lift (65 percent). When asked if email has helped boost sales through other channels, 67 percent said yes. Clearly, the medium is attractive and has a huge impact on business. The same can be said for those who would exploit it for personal gain through fraudulent means.

Protection Tactic: Authentication

With the threat of having others steal what amounts to a corporate identity and reputation, many organizations searching for ways to protect their brands have found a key step in authentication. Adoption of email and domain authentication technology by major Fortune 500 brands has reached a tipping point. According to December research from the Authentication and Online Trust Alliance (AOTA), over 50 percent of legitimate email sent worldwide on a daily basis from over 15 million domain holders is authenticated. The AOTA was founded in October 2004, at a time when phishing was a relatively new phenomenon. It is a vendor-neutral group that promotes the benefits of Internet safety and represents over one million businesses and 500 million users worldwide. Its current research, State of Email Authentication and the Internet Trust Ecosystem, highlights how top Fortune 500 companies and Internet retailers have adopted Sender ID (SIDF) and DomainKeys Identified Mail (DKIM), the leading standards of authentication.

“Email authentication is a necessary component to solidifying the future viability of email, as well as strengthening consumer trust in the online channel,” says David Daniels, vice president and research director at JupiterResearch. Daniels believes that companies that adopt authentication at both the corporate and marketing levels will have a competitive advantage. The research produced by the AOTA supports Daniels’ belief.

“The IRS scams going on right now are a good example of the trust that is being undermined in both Web and email,” comments Craig Spiezle, chairman of AOTA and director of Internet Security & Privacy at Microsoft Corporation. He notes that today a large percentage of email from leading brands, banks, and ISPs is spoofed, with the intent to mislead recipients into visiting deceptive sites and in some cases installing malicious software.

Verification by DKIM and/or SIDF, when coupled with reputation data, allows ISPs and receiving networks to make better-informed decisions on whether to deliver email into the inbox or the junk or bulk mail folder, or to quarantine and/or block the email. The AOTA promotes this approach because it has the potential to reduce consumer risk while enhancing deliverability and click-through of legitimate email.

Asked what the business value of authenticating is, Spiezle responds that ultimately it is protecting against the threats that impact the brand. “Email authentication is really only the first part, which is about the identity and knowledge of who the sender is,” explains Spiezle. “However, it does not tell what we know about him. The majority of ISPs have not figured out reputation data today.” Spiezle cites this as an area where more needs to be done. “ISPs need to step up to the plate and do more—more on the inbound issue of authentication, and application of reputation, as well as better control of outbound spam from the networks.” Looking from 2005 to today, the threat landscape has changed. “There wasn’t look-alike domain issues at the magnitude we have today, even just a few years ago,” observes Spiezle.
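The receiving-side decision described above, sketched as an added example (it is not from the article or from AOTA): authentication results establish which domain a message verifiably came from, and only then can reputation for that domain pick among inbox, junk, quarantine and block. The reputation table, score thresholds, policy and sample headers are constructed assumptions; the header syntax follows the Authentication-Results convention and the parser ignores comments and quoting.

```python
import re

# Constructed reputation data (assumption): domain -> score between 0 and 1.
REPUTATION = {"bank.example": 0.95, "bulk-offers.example": 0.10}

def parse_auth_results(header):
    """Return {method: (result, domain)} for the dkim and sender-id clauses."""
    found = {}
    for clause in header.split(";")[1:]:      # first field is the verifying host
        m = re.match(r"\s*(dkim|sender-id)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"header\.(?:d|i|from)=(?:[^\s@;]*@)?([\w.-]+)", clause)
        found[m.group(1)] = (m.group(2).lower(), d.group(1).lower() if d else None)
    return found

def decide(header, reputation=REPUTATION):
    """Illustrative policy: identity first, then what is known about it."""
    results = parse_auth_results(header)
    passed = {dom for res, dom in results.values() if res == "pass" and dom}
    if not passed:
        # No verified identity, so domain reputation cannot be applied at all.
        failed = any(res == "fail" for res, _ in results.values())
        return "quarantine" if failed else "junk"
    scores = [reputation.get(dom) for dom in passed]
    if None in scores:
        return "junk"          # authenticated, but nothing is known about the sender
    score = min(scores)
    if score >= 0.7:
        return "inbox"
    return "block" if score < 0.3 else "junk"

# Constructed sample headers.
SAMPLES = {
    "known_good": "mx.receiver.example; dkim=pass header.d=bank.example; "
                  "sender-id=pass header.from=alerts@bank.example",
    "known_bad": "mx.receiver.example; dkim=pass header.d=bulk-offers.example",
    "look_alike": "mx.receiver.example; dkim=pass header.d=bank-secure.example",
    "spoofed": "mx.receiver.example; dkim=none; "
               "sender-id=fail header.from=alerts@bank.example",
    "unsigned": "mx.receiver.example; none",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:11s} -> {decide(hdr)}")
```

The look-alike case passes authentication yet still lands in junk, because a valid signature says nothing about a domain the receiver has no history with.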

AOTA Summit 2008

As in past years, the AOTA is planning its annual summit to take place June 4th and 5th in the Pacific Northwest at the Westin Seattle. Reaching the Tipping Point: Future of Online Trust will focus on case studies and best practices with the goal of providing attendees actionable advice to protect brand, customers and infrastructure. According to Spiezle, the summit will offer over 25 sessions and will bring together a variety of stakeholders, with representation from more than 50 businesses, including government, marketing and technology experts. “We have not diluted the original intent, but this year we build upon authentication as a key solution. If you look at the agenda, there are as many sessions on email authentication as before. One of the important things to remember is that while many of us may feel like we have done this many times, we are still preaching to the choir. A majority of businesses do not know about this. The Summit offers the opportunity to share not only best practices, but also the business value for all business sizes and types.”

The research from December will be updated in June, in time to share with Summit attendees. Spiezle notes that, as evidenced by the research, the number of organizations authenticating is growing, but he is realistic, stating that it will take time. He also points out that AOTA evaluates the corporate domain when determining adoption. AOTA recognizes that a higher percentage of the Fortune 500 have authenticated their marketing domains. For example, if a corporation authenticated http://www.email.corporation.com, but not http://www.corporation.com, AOTA does not classify that corporation as an adopter. AOTA uses this definition because the majority of phishing attacks are perpetrated against corporate domains, which are most recognizable to consumers.

Staying Focused

The State of Email Authentication and the Internet Trust Ecosystem report is a good example of a deliverable that AOTA is in a unique position to offer. “The last thing you want to do is duplicate efforts or create confusion,” says Spiezle of AOTA’s mission. “A testament to AOTA leadership is that we have been able to recruit not just companies, but key organizations as members.” Leading non-profit members include the Anti-Phishing Working Group (APWG), DMA’s Email Experience Council (EEC), Anti-Spyware Coalition (ASC), Merchant Risk Council (MRC), and TRUSTe, among others. Even more telling, says Spiezle, is the number of organizations that have issued calls to action to their members for authentication, including BITs Financial Services Round Table, Email Sender and Provider Coalition (ESPC), Direct Marketing Association (DMA), and Interactive Advertising Bureau (IAB). “This type of broadening expands our knowledge-base and our footprint. Being able to see how we can complement other organizations, while avoiding any overlap allows us to continue to evolve.”

For Your Reference

Authentication and Online Trust Alliance

Datran Media Corporation

JupiterResearch, Inc.

Registration for AOTA Summit 2008 is currently available online at http://www.aotalliance.org/summit2008/