Businesses Fail to Protect Consumers from Malicious Email: Report

A survey finds that of the companies analyzed, only 26 percent qualified for the 2011 OTA Online Safety Honor Roll.

The Online Trust Alliance's 2011 Online Safety Honor Roll released today recognized 26 percent of the top public and private Websites and government agencies for their adoption of key technologies to help protect users' privacy and identity from abuse. While the number honored in 2011 represents a threefold increase from this time last year, 74 percent of the top Websites analyzed did not qualify and remain vulnerable to the increased levels of cybercrime and online fraud.

OTA Honor Roll criteria include implementation of email authentication, Extended Validation SSL Certificates (EV SSL), and testing for malware and known site vulnerabilities. In addition, federal government sites were evaluated for their support of Domain Name System Security Extensions (DNSSEC).

The OTA's third annual survey examined 1,112 domains, their published DNS records and more than 500 million email messages purporting to come from them. The survey, which includes evaluation of best practices to help protect consumers from forged email, phishing sites and malware, found that of the companies analyzed, only 26 percent (289) qualified to be named to the 2011 OTA Online Safety Honor Roll.

However, the organization noted that this compares favorably to 8 percent that qualified in 2010. The FDIC 100 led all surveyed sectors with nearly 27 percent making the Honor Roll, followed by 24 percent of the Fortune 500 and 22 percent of the Internet Retail 500. Only 12 percent of the measured federal government sites made the grade. OTA's criteria support President Obama's National Strategy for Trusted Identities in Cyberspace (NSTIC). Combined, they serve as the foundation for several related cyber-security, interactive marketing and identity protection initiatives.

"Domain-level email authentication is a potent weapon in the fight against spam and phishing attacks. But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages," said David Vladeck, director of the FTC's Bureau of Consumer Protection.

Recognizing the business value of email authentication, adoption has been led by the top social media sites (92 percent), followed by 84 percent of the Internet Retail 100 and nearly 59 percent of the largest FDIC banks. Comparatively, only 38 percent of leading government sites have adopted email authentication, reflecting an 18.8 percent increase over 2010.

"We applaud OTA's efforts to drive adoption of standards-based security best practices, and we are honored to be recognized for our leadership in customer protection," said Michael Barrett, CISO and vice president of Information Risk Management at PayPal. "We encourage other industry stakeholders to join us in deploying these solutions for the sake of our mutual customers' safety and the vitality of our ecosystem. The time is now."

The report also noted email authentication adoption has passed the tipping point, with more than 56 percent adopting either SPF or DKIM on one or more of their domains or subdomains. In addition, EV SSL is nearing 45 percent adoption across top retail and banking sites, reflecting a year-to-year increase of over 78 percent. Across all segments, adoption increased 68 percent, the report found.

"While the level of adoption is failing to adequately protect consumers, the commitment and growth within the public and private sectors is encouraging," said Craig Spiezle, executive director of the Online Trust Alliance. "Government and business leaders need to commit to these guidelines to help prevent a consumer trust meltdown and protect the vitality of the U.S. economy."