FTC wants to encourage e-mail authentication standards
By William Jackson
Jul 21, 2004
The Federal Trade Commission is responsible for policing the Internet for online fraud such as phishing, but keeping up with the onslaught of new schemes is a major challenge.
'We've had three phishing cases,' Sana Coleman, counsel to FTC's Bureau of Consumer Protection, said during a panel discussion about phishing on Capitol Hill today. 'All of the cases were settled.' Settlements included forfeiture of $125,000 in illegal profits.
But that is hardly a drop in the bucket. According to a study by the Anti-Phishing Working Group, 1,125 new phishing schemes were identified in April, a 180 percent increase over the month before. And a Gartner Inc. study estimated 1.8 million people have submitted information to fraudulent sites.
Being able to identify the origin of e-mail is key to enforcing laws against deceptive spam and other online fraud, so FTC will host a summit for industry experts this fall to help develop requirements for an e-mail authentication standard.
Phishing is an automated form of social engineering, using phony e-mail apparently from legitimate businesses or government agencies to trick consumers into revealing personal and financial information.
Some e-mails contain official-looking forms, and others contain links to official-looking Web sites where personal information can be submitted.
A number of anti-phishing bills have been introduced in Congress, and Jesse Wadhams, technology policy counsel to the Senate Republican High Tech Task Force, said the issue has Congress' attention.
'I think you will see this become a bigger issue in the coming months, and certainly in the next Congress,' Wadhams said.
But effective enforcement requires authentication technology.
A number of standards are in the works for authenticating the origin of e-mail.
Microsoft Corp. recently announced it would combine its proposed Caller ID for E-Mail protocol with the Sender Policy Framework into a single technical specification.
Yahoo is working on DomainKeys, a public-key infrastructure scheme, and the Internet Engineering Task Force has established a working group that expects to propose an authentication standard this year.
FTC is not a standards-setting body, but it is eager to see an authentication standard in place and in use.
'FTC will not endorse any particular technology,' Coleman said. 'Perhaps it will be multiple standards.'
Coleman said FTC would announce the date and other details of the summit in the Federal Register in several weeks.
William Jackson is a Maryland-based freelance writer.