More than half of all government agencies -- and nearly as many online retailers -- have yet to implement email authentication practices that are now considered basic, according to a recent study by the Online Trust Alliance. The study examined public domain name system (DNS) records and over 30 million emails sent to consumers from the top 300 Internet retailers and top 25 United States government agencies between April 3 and April 13.
The methodology of the OTA -- which was formerly the Authentication and Online Trust Alliance, but renamed to signify an expanded focus on overall online trust beyond email -- relied on data provided in part by Microsoft, IronPort Systems, MX Logic, and Return Path for Internet Retailer–ranked e-commerce vendors. Top government agencies were selected for evaluation based on the following criteria:
- past instance of spoofing and phishing in the last 12 months;
- site traffic;
- risk of potential exploit for financial data; and/or
- the risk of disseminating misleading consumer information.
Scores were given based on the OTA's assessment of a site's "ability to validate the use of email authentication standards including SPF/Sender ID, or DomainKeys Identified email (DKIM) at the corporate domain level."
Approximately 44 percent of the government Web sites were found to be compliant, up just two percentage points from last year. E-commerce Web sites improved just one percentage point over the previous year, up from 54 percent to 55 percent. "The good news is that there's some growth," says Craig Spiezle, chairman and founder of the OTA. "But it's not enough."
Of the 25 government sites on the list, only these 11 were found to be compliant:
- Air Force;
- Census Bureau;
- Central Intelligence Agency (CIA);
- Coast Guard;
- Federal Deposit Insurance Corporation (FDIC);
- Federal Trade Commission (FTC);
- General Services Administration (GSA);
- Internal Revenue Service (IRS);
- Securities and Exchange Commission;
- Social Security Administration (SSA); and
- Veterans Affairs.
Among Internet retailers, on the other hand, the top 25 were far more likely to be in compliance than the sector's overall rate of 55 percent would indicate. Of the top 25, all but these four were found to be compliant:
- HP Home & Home Office Store (Hewlett-Packard Co.);
- Sears Holdings Corp.;
- Victoria's Secret Direct (Limited Brands Inc.); and
- Gap Inc. Direct.
The imperative for email authentication and secured Web sites has only intensified, the OTA says: With more people losing their jobs and their homes, susceptibility to fraudulent offers -- e.g., bank loans, mortgage refinances, credit reports -- has increased. Email authentication helps improve deliverability of emails, Spiezle says, but the real problem is rooted in email spoofing, where an email is deceptively altered to look as if it came from a legitimate sender. Spoofing can ultimately lead to identity theft and various other online exploits, he says.
The essentially nonexistent growth of email authentication within the government and retail sectors isn't merely a marketing failure, Spiezle says, but attributable to the complexity of organizations. It's not often clear who should take the lead on this issue. "You can sit and wait for the perfect solution," Spiezle says, "but indecision only plays into the hands of criminals."
New technology is coming on the market to make it easier for companies to establish trust, according to the OTA. Sites secured with a Certificate Authority–approved Extended Validation (EV) SSL Certificate, a third-party form of validation and accreditation, trigger the browser's address bar to turn green, signaling to the consumer that the site is legitimate. Just a little more than a year ago, this was only available on Internet Explorer 7. Now all major Web browsers support this function.
"We need to be willing to accept nothing less than 100 percent to help...protect consumers worldwide," Spiezle says. As an organization, the OTA is working to provide organizations with guidance, resources, and direction in protecting consumers and increasing online trust.
Spiezle offers some relatively easy tips for any organization looking to get started:
- Your domain is an asset: If you're not using a domain name to send emails (e.g., example@destinationCRM.com), publish a DNS record (such as an SPF record) telling receiving mail systems that no emails ever come from that domain.
- Educate your consumers: Warn them of potential spoofs and tell them to look for positive signs (such as the green address bar).
- Authenticate your legitimate mail: Spiezle recommends using a combination of DKIM and Sender ID, especially if you're using a subdomain (e.g., mail.whitehouse.gov).
- Monitor traffic: Keep tabs on emails coming from your own domains, and proactively monitor domains that look like your domain (e.g., irs.gov and irs.com).
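As an added example (not code from the OTA study or this article), the following Python checker applies the scoring rule described above, SPF/Sender ID or DKIM published at the corporate domain, and also flags the deny-all record recommended in the first tip. It runs over constructed DNS TXT answers embedded inline; the domain names, the DKIM selector names, and the placeholder DKIM key are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of DNS TXT answers standing in for live lookups; keys are
# the names that would be queried, values the TXT strings returned. The
# _domainkey entry carries a placeholder public key, not a real one.
SAMPLE_TXT: Dict[str, List[str]] = {
    "retailer.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "sel1._domainkey.retailer.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "agency.example": ["v=spf1 a mx ~all", "spf2.0/pra a mx -all"],
    "parked.example": ["v=spf1 -all"],  # tip 1: a domain that never sends mail
    "unprotected.example": ["some unrelated txt record"],
}

SPF_START = re.compile(r"^(v=spf1|spf2\.0/(pra|mfrom)(,(pra|mfrom))?)\b", re.I)
ALL_MECH = re.compile(r"(?:^|\s)([-~?+]?)all\b", re.I)
QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}

def spf_records(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """SPF (v=spf1) and Sender ID (spf2.0/...) records published at the domain."""
    return [r for r in txt.get(domain, []) if SPF_START.match(r.strip())]

def has_dkim(domain: str, selectors, txt: Dict[str, List[str]]) -> bool:
    """DKIM keys live at <selector>._domainkey.<domain>; selectors are not discoverable."""
    return any(r.strip().lower().startswith("v=dkim1")
               for s in selectors for r in txt.get(f"{s}._domainkey.{domain}", []))

def spf_policy(record: str) -> str:
    """Classify what the record says about unlisted senders via its 'all' qualifier."""
    m = ALL_MECH.search(record)
    return QUALIFIERS[m.group(1)] if m else "no-all"

def is_no_mail_record(record: str) -> bool:
    """'v=spf1 -all' with no mechanisms: the domain declares that it sends no mail."""
    return re.fullmatch(r"v=spf1\s+-all", record.strip(), re.I) is not None

def assess(domain: str, txt: Dict[str, List[str]], selectors=("sel1", "default")) -> dict:
    """Score one domain as the study describes: SPF/Sender ID or DKIM present
    at the corporate domain counts as compliant."""
    spf = spf_records(domain, txt)
    dkim = has_dkim(domain, selectors, txt)
    return {
        "domain": domain,
        "spf": bool(spf),
        "dkim": dkim,
        "compliant": bool(spf) or dkim,
        "policy": spf_policy(spf[0]) if spf else "none",
        "no_mail_domain": any(is_no_mail_record(r) for r in spf),
    }
```

A `~all` or `+all` result is worth treating as a finding even though the domain counts as compliant under the study's rule, because such records let unlisted senders through.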
"It's our hope that we can be a catalyst to help guide [organizations]," Spiezle says, adding that the OTA has set the bar dramatically low for a measure of its own success: Even if only one additional organization adopts security measures, he says, the OTA's effort will have been worth it.
"Is that a good success metric?" Spiezle asks. "No, but it's about moving the needle and that's our goal right now."
News relevant to the customer relationship management industry is posted several times a day on destinationCRM.com, in addition to the news section Insight that appears every month in the pages of CRM magazine.