FTC plans e-mail authentication standards
The Federal Trade Commission this fall will host an anti-phishing expedition, a summit at which industry experts will offer advice on developing requirements for an e-mail authentication standard.
Identifying the origin of e-mail messages is essential to enforcing laws against deceptive spam and online fraud, said Sana Coleman, counsel for the FTC's Bureau of Consumer Protection. The commission will announce the date and other details of the summit in several weeks.
'FTC will not endorse any particular technology,' Coleman said last week during a Capitol Hill panel discussion on phishing'an automated form of social engineering that uses phony e-mails appearing to come from legitimate businesses to trick consumers into revealing personal and financial information. 'Perhaps it will be multiple standards.'
FTC is not a standards-setting body, but because online consumer fraud falls under the jurisdiction of the FTC Act, the commission is eager to put an authentication scheme in place.
Some phishing e-mail contains official-looking forms to be filled out. Some of it links to official-looking Web sites where the information is submitted.
According to a study by the Anti-Phishing Working Group, 1,125 new phishing schemes were identified in April, a 180 percent increase over the previous month. According to a study by Gartner Inc. of Stamford, Conn., an estimated 1.8 million people have been fooled into revealing information to fraudulent sites.
Congress is considering a number of anti-phishing bills, and Jesse Wadhams, technology policy counsel to the Senate Republican High Tech Task Force, said the issue definitely has Congress' attention.
'I think you will see this become a bigger issue in the coming months, certainly in the next Congress,' Wadhams said.
But effective enforcement requires authentication technology.
A number of standards are in the works for authenticating the origins of e-mail. Microsoft Corp. recently announced it would combine its proposed Caller ID for E-mail protocol with the Sender Policy Framework into a single technical specification.
Yahoo.com is working on Domain Keys, a public-key infrastructure scheme, and the Internet Engineering Task Force has established a working group that expects to propose an authentication standard this year.