Aussie banks fail on mail
Australian financial institutions and public companies are failing to use basic email security standards that could eliminate many of the phishing problems plaguing them.
(Mailbox image by Allen, CC BY-ND 2.0)
The open standards help verify the sender and contents of emails, which can prevent scammers from tricking users into sending financial details to criminals via emails or websites that appear to originate from legitimate sources.
Unfortunately, a US-based security body has reported that few Australian financial institutions are using the standards.
According to the Online Trust Alliance, only 28 per cent of Australian institutions use the Sender Policy Framework (SPF), which could stop scammers from using a bank's email address as their own.
"That's quite low because financial institutions suffer from phishing more than anyone else," alliance chair Manish Goel said. "This and DKIM (DomainKeys Identified Mail) can make a real difference to stopping phishing."
The numbers were the same for the Australian Stock Exchange (ASX) top 50 companies.
However, about 20 of the top 50 government agencies were using the SPF standard, which was "pretty good" and ahead of global trends, Goel said.
SPF is recommended by the Australian and US defence departments, along with DKIM and Transport Layer Security, which is the predecessor of extension of Secure Sockets Layer.
Another security measure called EVSSL (extended validation secure sockets layer) was also receiving little take-up. Only 14 per cent of Australian government agencies used it. About 16 per cent of the top 50 ASX companies used the protocol.
Goel said that the statistics were bad, given that companies had a duty to their customers to protect them.
"It is an obligation for security professionals to protect consumers. We rely on e-commerce," Goel said.
"If we don't step up to the mark, we miss the chance to self-regulate — and government regulation is at times much more expensive to comply with."
In further research, the association recorded more than 5000 instances of malware-infected advertising hosted over 1000 "trusted brand" websites.
Goel said blame lay with the 200-plus advertising networks that had accepted the malicious ads from a client and posted them on the publishers' websites.
About half of these malware ads had infected visitors to the websites with drive-by downloads.