Green Armor C.E.O. Discusses Weaknesses of New DMARC Anti-Phishing Initiative
Joseph Steinberg, C.E.O. of Green Armor Solutions, describes severe flaws in DMARC, the latest infrastructure-based attempt at combating phishing.
Hackensack, NJ, February 16, 2012 --(PR.com)-- Joseph Steinberg, C.E.O. of Green Armor Solutions, a leading provider of online security technology, today discussed the need for site authentication and the weaknesses inherent in the new DMARC anti-phishing initiative.
DMARC, an effort supported by several large firms including AOL, Bank of America, Facebook, Fidelity Investments, and LinkedIn, was announced to great fanfare late last month, and attempts to curtail phishing by helping email receivers determine if a message aligns with what the receiver knows about the sender.
In an interview, Steinberg noted that “DMARC is not the first, and will likely not be the last, attempt to curtail phishing by implementing complicated technical infrastructure that completely ignores the source of the phishing problem. Phishing exploits a human weakness, not a technological vulnerability, and attempts to curb phishing that do not address the core problem will never successfully eliminate the problem.
"By attempting to block the delivery of phishing emails, rather than by addressing phishing directly, DMARC and other email-infrastructure attempts to fight phishing leave users seriously vulnerable. Criminals can still send phony "forwarded" emails, use rogue WiFi access points to route unsuspecting users to phishing sites, phish users using any phishing technique that does not rely on email as a delivery mechanism, and phish users via email to any email system, or impersonating any email system, that does not support DMARC.
"Furthermore, a security breach at even a single organization using DMARC may undermine the validity of DMARC checks at other organizations, creating security vulnerabilities. This means that DMARC may be unable to scale adequately without compromising its effectiveness.
"DMARC may reduce the number of phishing emails that people receive, but it will never come close to eliminating phishing. It may even exacerbate problems by creating a false sense of security among users on DMARC-enabled email systems, such that when a problem does occur more people may fall prey to it that would have otherwise. Emails sent from 'similar-looking domain names' -- for example from fideltiy.com instead of fidelity.com -- would reach users who may have been conditioned to the fact that emails from Fidelity are secure, and who may not notice the improper sender domain.
"The best way to protect people against phishing is to enable humans to distinguish legitimate entities from fraudulent ones, regardless of how the phishing solicitation reaches them. This can be achieved by leveraging real, psychologically-sound site authentication and the human response mechanism behind it, but not by implementing complicated technologies that can, at best, only deliver partial success, and, which, at worst, may condition users to fall prey to even more scams that they would have without the technology in place," said Steinberg.
For more information about Green Armor Solutions and its authentication offerings please visit:
http://www.GreenArmor.com
About Green Armor Solutions Inc.
Green Armor Solutions offers innovative solutions to information-security challenges facing today’s businesses. Its Identity Cues series of products leverage a unique blend of psychology and technology to help deliver maximum security with maximum user convenience. They provide strong two-factor authentication and site authentication thereby helping to protect against phishing, pharming, and online fraud, while allowing users to continue to enjoy the simple, comfortable user experience with which they are already familiar. Identity Cues authentication products can help companies address security and privacy requirements as part of compliance initiatives for FFIEC/NCUA Authentication, HIPAA, and GLBA. Green Armor’s systems help secure numerous financial environments including those at First Bank, EPIC Advisors, dozens of hospitals, and hundreds of credit unions. For more information please visit:
www.GreenArmor.com
###
DMARC, an effort supported by several large firms including AOL, Bank of America, Facebook, Fidelity Investments, and LinkedIn, was announced to great fanfare late last month, and attempts to curtail phishing by helping email receivers determine if a message aligns with what the receiver knows about the sender.
In an interview, Steinberg noted that “DMARC is not the first, and will likely not be the last, attempt to curtail phishing by implementing complicated technical infrastructure that completely ignores the source of the phishing problem. Phishing exploits a human weakness, not a technological vulnerability, and attempts to curb phishing that do not address the core problem will never successfully eliminate the problem.
"By attempting to block the delivery of phishing emails, rather than by addressing phishing directly, DMARC and other email-infrastructure attempts to fight phishing leave users seriously vulnerable. Criminals can still send phony "forwarded" emails, use rogue WiFi access points to route unsuspecting users to phishing sites, phish users using any phishing technique that does not rely on email as a delivery mechanism, and phish users via email to any email system, or impersonating any email system, that does not support DMARC.
"Furthermore, a security breach at even a single organization using DMARC may undermine the validity of DMARC checks at other organizations, creating security vulnerabilities. This means that DMARC may be unable to scale adequately without compromising its effectiveness.
"DMARC may reduce the number of phishing emails that people receive, but it will never come close to eliminating phishing. It may even exacerbate problems by creating a false sense of security among users on DMARC-enabled email systems, such that when a problem does occur more people may fall prey to it that would have otherwise. Emails sent from 'similar-looking domain names' -- for example from fideltiy.com instead of fidelity.com -- would reach users who may have been conditioned to the fact that emails from Fidelity are secure, and who may not notice the improper sender domain.
"The best way to protect people against phishing is to enable humans to distinguish legitimate entities from fraudulent ones, regardless of how the phishing solicitation reaches them. This can be achieved by leveraging real, psychologically-sound site authentication and the human response mechanism behind it, but not by implementing complicated technologies that can, at best, only deliver partial success, and, which, at worst, may condition users to fall prey to even more scams that they would have without the technology in place," said Steinberg.
For more information about Green Armor Solutions and its authentication offerings please visit:
http://www.GreenArmor.com
About Green Armor Solutions Inc.
Green Armor Solutions offers innovative solutions to information-security challenges facing today’s businesses. Its Identity Cues series of products leverage a unique blend of psychology and technology to help deliver maximum security with maximum user convenience. They provide strong two-factor authentication and site authentication thereby helping to protect against phishing, pharming, and online fraud, while allowing users to continue to enjoy the simple, comfortable user experience with which they are already familiar. Identity Cues authentication products can help companies address security and privacy requirements as part of compliance initiatives for FFIEC/NCUA Authentication, HIPAA, and GLBA. Green Armor’s systems help secure numerous financial environments including those at First Bank, EPIC Advisors, dozens of hospitals, and hundreds of credit unions. For more information please visit:
www.GreenArmor.com
###
Contact
Green Armor Solutions, Inc.
Joseph Steinberg
201-801-0383
www.greenarmor.com
Joseph Steinberg
201-801-0383
www.greenarmor.com
Contact
Categories