Anti-Phishing Service Launched

Industry Groups Pilot Trusted Email Registry to Help Banks Fight Fraud
In the battle against online fraud, two industry groups have teamed up to offer banking institutions an email security service to help protect their customers.

BITS, the technology policy division of The Financial Services Roundtable, and the Financial Services-Information Sharing and Analysis Center (FS-ISAC) say the Trusted Email Registry is currently being piloted by 15 institutions.

This new service allows institutions to monitor valuable email traffic, improving the ability to identify and defend against phishing attacks via fraudulent emails, says Paul Smocer, vice president of Security for BITS.

After completion of the pilot, the program will be available to the 98 members of The Financial Services Roundtable, including its affiliates, and 115 FS-ISAC members, Smocer says. Later, the registry may be made available to non-member institutions.

How it Works


The registry's basic service will allow institutions to monitor email traffic for a limited number of their domains, receive reports and have access to a Transport Layer Security (TLS) Key Contact Registry. The Enhanced Service provides:

  • Monitoring of a larger number of domains;
  • Deployment services to establish DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF);
  • Policy enforcement/anti-spoofing tools for DKIM and SPF and ISP intermediation and support.

There are two ways this registry will help the industry, Smocer says. The service model will bring a lot more capability to monitor email traffic across Internet service providers (ISPs). And institutions will be able to see how traffic is flowing -- what is getting authenticated and what isn't. With this service, institutions will be able to see domains that are sending mail, and determine if they are supposed to send mail.

This registry is one of several steps that BITS has taken in the past several years to bolster security and industry efforts to adopt new email protections:

  • In 2006, BITS formed an Email Security project group that aimed to increase the security and integrity of email for institutions;
  • In 2007, the project group published an "Email Security Toolkit: Protocols and Recommendations for Reducing the Risks" report that defined best practices and showed technologies financial institutions could adopt to strengthen email security, particularly focusing on three protocols - DKIM, SPF, and TLS;
  • In 2009, BITS and eCert released "Email Sender Authentication Deployment," which covered DKIM and SPF.

After the first paper was released in 2007, Smocer says BITS saw several issues that were standing in the way of broad adoption of the technology. "One was understanding the protocols; they are not always easy to understand. The other was the broad range of institutions and the varying technology they use."

The final key point, which Smocer says was the biggest impediment, was the nature of the "one-off" relationships that many institutions have with their ISP. "Imagine you're an ISP, and you have every single institution approaching you to do email authentication. It would be a major headache."

This is why this service is going to be valuable to both institutions and the ISPs, he adds. It will serve as a one-stop shop for the financial institution to connect to all the ISPs.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



