Tech companies team up to fight phishing

2012-01-30 22:52

New York - Google, Facebook and other big tech companies are jointly designing a system for combating e-mail scams known as phishing.

Such scams try to trick people into giving away passwords and other personal information by sending e-mails that look as if they come from a legitimate bank, retailer or other business.

When Bank of America customers see e-mails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America's. There, they might enter personal details, which scam artists can capture and use for fraud.

To combat that, 15 major technology and financial companies have formed an organisation to design a system for authenticating e-mails from legitimate senders and weeding out fakes.

The new system is called DMARC - short for Domain-based Message Authentication, Reporting and Conformance.

DMARC builds upon existing techniques used to combat spam. Those techniques are designed to verify that an e-mail actually came from the sender in question.

The problem is there are multiple approaches for doing that and no standard way of dealing with e-mails believed to be fake.

The new system addresses that by asking e-mail senders and the companies that provide e-mail services to share information about the e-mail messages they send and receive.

In addition to authenticating their legitimate e-mails using the existing systems, companies can receive alerts from e-mail providers every time their domain name is used in a fake message. They can then ask the e-mail providers to move such messages to spam folder or block them outright.

Recognise as legitimate

According to Google, about 15% of non-spam messages in Gmail come from domains that are protected by DMARC. This means Gmail users "don't need to worry about spoofed messages from these senders," Adam Dawes, a product manager at Google, said in a blog post.

"With DMARC, large e-mail senders can ensure that the e-mail they send is being recognised by mail providers like Gmail as legitimate, as well as set policies so that mail providers can reject messages that try to spoof the senders' addresses," Dawes wrote.

Work on DMARC started about 18 months ago. Beginning on Monday, other companies can sign up with the organisation, whether they send e-mails or provide e-mail services.

For e-mail users, the group hopes DMARC will mean fewer fraudulent messages and scams reaching their inbox.

The group's founders are email providers Microsoft, Yahoo, AOL and Google; financial service providers Bank of America, Fidelity Investments and eBay's PayPal; online service companies Facebook, LinkedIn and American Greetings and security companies Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project.

Google uses it already, both in its e-mail sender and e-mail provider capacities. The heft of the companies that have already signed on to the project certainly helps, and its founders are hoping it will be more broadly adopted to become an industry standard.

  • Blackpoison - 2012-01-31 06:52

    The best anti phishing practice is still common sense.

  • pages:
  • 1