Financial institutions and ISPs have been trying for decades to stop phishing and other techniques that compromise their customers' bank information. Despite big campaigns to educate customers not to reach bank Websites through links in emails, and complex filtering systems to block suspicious messages, many people still get caught and hand their login details to those thieves.
Banks have increased security measures, including one-time security codes and access cards with coordinates to stop hackers from initiating transactions on customer accounts. But phishing still goes on, costing financial institutions and their customers millions of dollars.
Now, an alliance of major financial institutions, such as Bank of America, PayPal, and Fidelity, and email providers AOL, Google, Microsoft, and Yahoo will try to put an end to phishing by email. The new organization is called DMARC: Domain-Based Message Authentication, Reporting, and Conformance.
Its goal is to establish a standards-based framework for mail senders -- the good guys -- to use email authentication in their infrastructure. Basically, the email providers won't deliver a message that claims to be sent from one of the financial institutions unless it is authenticated within the provisions of the framework.
Today, email providers rely on databases and complex, unreliable methods to tell legitimate messages from fake ones. The DMARC framework will provide a simple way to avoid filtering out real emails from financial institutions while blocking other messages that lack proper authentication.
At this point, the DMARC task team is gathering information from the field and will submit its specifications to the IETF for standardization.
"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal. "Industry cooperation -- combined with technology and consumer education -- is crucial to fight phishing."
As stated in the organization's Website: "DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation."
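The two ideas in the passages above -- a receiver only trusts a message that authenticates as the domain in its From header, and it reports the outcome back to that domain -- can be shown in a few dozen lines. The following is an added example written for this article; it is not code from DMARC.org or any of the providers named. It assumes constructed DMARC TXT records under made-up `.test` domains (no DNS is queried), constructed SPF and DKIM results that a real receiver would obtain from its own checks, and a simplified organizational-domain rule (last two labels) in place of the Public Suffix List that real implementations use.

```python
"""DMARC evaluation sketch: record parsing, identifier alignment, disposition and report target.

Added example (not DMARC.org code). All domains, records and results below are constructed.
Follows the rules of RFC 7489: a message passes if SPF or DKIM passes *and* the authenticated
domain aligns with the RFC5322.From domain; otherwise the domain owner's policy (p=) applies.
"""
from dataclasses import dataclass

# Constructed TXT records as they would be published at _dmarc.<domain> (sample values only).
SAMPLE_DNS = {
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test; adkim=s; aspf=r",
    "_dmarc.example-shop.test": "v=DMARC1; p=quarantine; pct=50",
}

# When pct= samples a message out of the stated policy, the next less strict policy applies.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict, filling in the spec's defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    tags.setdefault("adkim", "r")   # relaxed alignment unless the owner says strict
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")   # apply the policy to every failing message
    return tags


def organizational_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


@dataclass
class AuthResult:
    header_from: str   # domain in the visible From: header (what the recipient sees)
    spf_result: str    # "pass" / "fail" / "none", as determined by the receiver's SPF check
    spf_domain: str    # MAIL FROM domain that SPF authenticated
    dkim_result: str   # "pass" / "fail" / "none", as determined by the receiver's DKIM check
    dkim_domain: str   # d= of the verified DKIM signature


def evaluate(msg: AuthResult, dns: dict = SAMPLE_DNS, pct_bucket: int = 0) -> dict:
    """Decide pass/fail and the disposition a receiver should apply.

    pct_bucket stands in for the receiver's random 0-99 sampling draw used with pct=.
    """
    record_txt = dns.get("_dmarc." + msg.header_from.lower())
    if record_txt is None:
        # No policy published: DMARC has nothing to say, the receiver falls back to other filters.
        return {"header_from": msg.header_from, "result": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False, "report_to": None}
    policy = parse_dmarc_record(record_txt)
    spf_aligned = msg.spf_result == "pass" and aligned(msg.header_from, msg.spf_domain, policy["aspf"])
    dkim_aligned = msg.dkim_result == "pass" and aligned(msg.header_from, msg.dkim_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        result, disposition = "pass", "none"
    else:
        result = "fail"
        selected = pct_bucket < int(policy["pct"])
        disposition = policy["p"] if selected else NEXT_LESS_STRICT[policy["p"]]
    return {"header_from": msg.header_from, "result": result, "disposition": disposition,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            # The rua= address is where the aggregate feedback the quote describes would be sent.
            "report_to": policy.get("rua")}


if __name__ == "__main__":
    # Constructed messages: a forged From: header and a genuine bank message.
    samples = [
        AuthResult("example-bank.test", "pass", "phisher.test", "none", ""),
        AuthResult("example-bank.test", "fail", "bounces.example-bank.test", "pass", "example-bank.test"),
    ]
    for m in samples:
        print(evaluate(m))
```

The first constructed message is the classic case the article describes: SPF passes, but for the sender's own domain, not the bank's, so nothing aligns with the From header and the bank's `p=reject` applies. The second has a valid DKIM signature from the bank's own domain and is delivered. The `report_to` field is what lets the receiver send the aggregate feedback that the DMARC.org quote mentions, so the bank learns both who is forging its name and whether its own mail streams are authenticating correctly.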
But hackers are not sleeping; as reported by the BBC, online criminals have found a way to circumvent the latest generation of security measures directly, without using email at all, while customers access their bank Websites.
In "Man in the Browser" attacks, the malware lies dormant in the browser until the user logs into a financial institution's Website. It then gets between the user and the bank's Website and alters its contents, without the customer noticing that anything is wrong.
So phishing can be stopped or reduced by initiatives such as DMARC, but security remains a concern whenever customers access financial institutions' Websites. It is important to watch for any suspicious changes on a bank's Website and to check directly by phone with the bank if something appears to be wrong.