Banks are leaving their customers exposed to phishing attacks by not implementing simple email authentication methods, an investigation by SC has revealed.
Sender Policy Framework (SPF) and similar email authentication protocols have been shunned by banks despite the huge rise in phishing attacks over the last year.
Emails received from Citibank, Morgan Stanley and Barclays contain no form of authentication, leaving customers clueless as to their exact origin.
SPF, Microsoft's Sender ID and Yahoo!'s DomainKeys all offer methods of authentication that can be implemented with relative ease. Once the system has been deployed, it requires no further input: from then on, emails that claim to come from the bank can be checked against the records it publishes, and phishing messages that fail the check rejected.
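To show what the receiving side of that check looks like, here is an added example (not code from the article or from any bank) of a minimal SPF evaluator: it reads a published policy for a purported sender domain and decides whether the connecting mail server's IP is authorised. The domains, records and addresses are constructed for illustration; a real receiver would fetch the record from DNS rather than a dictionary.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains (not any real bank's DNS data).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:203.0.113.10 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate `domain`'s SPF record against the IP that delivered the mail.

    Returns pass, fail, softfail, neutral, none (no record published)
    or permerror (malformed record / broken include chain).
    Only ip4, ip6, include and all are modelled; a, mx, exists, redirect are not.
    """
    if depth > 10:  # guard against runaway or looping include chains
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes nothing: a phish cannot be told from real mail
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # an IPv4 address is never inside an IPv6 network, and vice versa
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # referenced policy missing or broken
            if sub == "pass":  # include matches only on a pass of the sub-policy
                return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.10", "192.0.2.5"):
        print(ip, "->", check_spf("bank.example", ip))
```

A receiver would treat `fail` on a bank's domain as grounds to reject or quarantine the message; the `~all` in the second record shows why a softfail policy gives far weaker protection.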
But most banks continue to use traditional methods to combat phishing. "We haven't issued any emails for 18 months," said a Barclays spokesman. Other banks refused to comment.
A report from email security company Messagelabs released in December highlighted the increase of phishing attacks. Matt Sargeant, senior anti-spam technologist at Messagelabs, said that banks were failing to tackle the problem. "Banks should be driving this and stop dragging their feet," he said. "They've formed working groups but have not yet taken any action. I think it is on the radar, though, but banks are generally being cautious and we need more definite action."
But Peter Cassidy, secretary general of the Anti-Phishing Working Group, insisted that the banks were looking closely at a wide range of solutions. He added that the lack of a single authentication solution was still holding back progress, and he pointed out that setting up any of the frameworks still requires work.
"These guys already have too much work to do, and the losses from phishing are marginal," he said. "It's small compared to things like credit card fraud. Relatively speaking, it's like flea-bites on a pachyderm."