OTA Scorecard: 74% Fail to Protect Consumers Online

Wednesday, May 18, 2011


The Online Trust Alliance’s (OTA) 2011 Online Safety Honor Roll released today recognized 26% of the top public and private websites and government agencies for their adoption of key technologies to help protect users’ privacy and identity from abuse.

OTA Honor Roll criteria include implementation of email authentication, Extended Validation SSL Certificates (EV SSL), and testing for malware and known site vulnerabilities.

In addition, federal government sites were evaluated for their support of DNSSEC. While the number honored in 2011 represents a promising 3-fold increase from this time last year, 74% of the top websites analyzed did not qualify and remain vulnerable to the increased levels of cybercrime and online fraud.

The OTA’s third annual survey examined 1,112 domains, their published DNS records, and over 500 million email messages purporting to come from them. The survey, which includes evaluation of best practices to help protect consumers from forged email, phishing sites, and malware, found that of the companies analyzed, only 26% (289) qualified to be named to the 2011 OTA Online Safety Honor Roll. This compares favorably to 8% which qualified in 2010.

The FDIC 100 led all surveyed sectors with nearly 27% making the Honor Roll, followed by 24% of the Fortune 500 and 22% of the Internet Retail 500. Unfortunately, only 12% of the measured federal government sites made the grade.

OTA’s criteria are acknowledged as industry best practices and effectively support President Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC). Combined, they serve as the foundation for several related cyber-security, interactive marketing, and identity protection initiatives.

A key principle in the report, email authentication, is recognized as a best practice by the Federal Trade Commission, Federal Communications Commission, Department of Homeland Security, U.S. Postal Inspection Service, U.S. Senate, and leading industry trade organizations including the Email Sender & Provider Coalition (ESPC), Direct Marketing Association, Anti-Phishing Working Group (APWG), BITS (a division of the Financial Services Roundtable), and the Messaging Anti-Abuse Working Group (MAAWG).

“Domain level email authentication is a potent weapon in the fight against spam and phishing attacks.  But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages,” according to David Vladeck, Director of the FTC’s Bureau of Consumer Protection.

Across all surveyed sectors, more than 56% have adopted either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), two proven standards to help identify and block deceptive email. Recognizing the business value of email authentication, adoption has been led by 92% of the top social media sites, followed by 84% of the Internet Retail 100, and nearly 59% of the largest FDIC banks. Comparatively, only 38% of leading government sites have adopted email authentication, reflecting an 18.8% increase over 2010.

“We applaud OTA’s efforts to drive adoption of standards-based security best practices and we are honored to be recognized for our leadership in customer protection,” said Michael Barrett, CISO and VP Information Risk Management at PayPal. “We encourage other industry stakeholders to join us in deploying these solutions for the sake of our mutual customers’ safety, and the vitality of our ecosystem. The time is now.”

“While the level of adoption is failing to adequately protect consumers, the commitment and growth within the public and private sectors is encouraging,” said Craig Spiezle, Executive Director of the Online Trust Alliance. “Government and business leaders need to commit to these guidelines to help prevent a consumer trust meltdown and protect the vitality of the U.S. economy.”

Highlights:

  • Almost 26% (289 companies) earned entry into the OTA 2011 Online Safety Honor Roll, for their adoption of EV SSL Certificates, and one or more forms of email authentication.
  • The Honor Roll achievement was as high as 26.7% of the FDIC 100 and 24.6% of the Fortune 500. Only 12% of top federal government sites qualified.
  • Email authentication adoption has passed the tipping point, with more than 56% adopting either SPF or DKIM on one or more of their domains or subdomains.
  • EV SSL is nearing 45% adoption across top retail and banking sites, reflecting a year-to-year increase of over 78%. Across all segments, adoption increased 68%.

For their demonstrated commitment to best practices, industry collaboration and consumer education, OTA has recognized several “North Stars” – including the Internal Revenue Service, the Social Security Administration, Apple Computer, Citibank, Bank of America, PayPal, Publishers Clearing House, Microsoft, and the White House (whitehouse.gov). The complete report (registration required) and the list of 2011 Honorees are posted at https://otalliance.org/2011scorecard.html

OTA is pleased with increased adoption levels and is urging consumer financial institutions, commerce sites and consumer-facing government agencies as well as Internet Service Providers and Mail Box Providers to implement the following as of October 1, 2011:

  • Implement both SPF and DKIM email authentication across all domains and subdomains.
  • Add or upgrade to EV SSL Certificates on all sites which require consumer login or registrations and either provide access to or collect personal and financial data.
  • Initiate planning and deployment of DNSSEC.
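The first recommendation above, SPF across all domains and subdomains, matters because an SPF policy does not inherit: a subdomain with no record of its own yields a "none" result, so a receiver has no basis to reject forged mail claiming to come from it. The following is an added illustration, not code from OTA or the report: a minimal SPF evaluator in the spirit of RFC 7208 (ip4, ip6, include, and the all mechanism only) run against a constructed, fictitious DNS TXT table. The domain names, addresses and records are invented for the example.

```python
import ipaddress

# Constructed TXT records for illustration only (not real DNS data).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "noreply.example.com": ["v=spf1 -all"],  # subdomain that never sends mail
    "marketing.example.com": [],             # subdomain with no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 record for a domain, or None.

    RFC 7208 treats zero records as 'none' and more than one as an error,
    so neither case gives the receiver a usable policy.
    """
    recs = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ") or r == "v=spf1"]
    if len(recs) != 1:
        return None
    return recs[0]


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF policy of `domain` for a connecting `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists
    and macros are omitted to keep the illustration short.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # `in` returns False when the IP version does not match the network
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced policy yields pass
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    # Record exhausted without an explicit all -> neutral (RFC 7208 default)
    return "neutral"


def domains_without_policy(domains):
    """Audit helper: which names have no usable SPF record (result 'none')."""
    return [d for d in domains if spf_record(d) is None]


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.5"),
                    ("example.com", "198.51.100.10"),
                    ("example.com", "203.0.113.7"),
                    ("noreply.example.com", "192.0.2.5"),
                    ("marketing.example.com", "192.0.2.5")]:
        print(f"{dom:24} {ip:16} {check_spf(dom, ip)}")
    print("no policy:", domains_without_policy(
        ["example.com", "noreply.example.com", "marketing.example.com"]))
```

The last two lines of output show the point behind the recommendation: noreply.example.com publishes an explicit "v=spf1 -all" and so forged mail from it fails, while marketing.example.com has no record, returns "none", and leaves the receiver unable to reject a spoof. Publishing "-all" on every subdomain that does not send mail closes that gap.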

Watch the Infosec Island interview with Online Trust Alliance President Craig Spiezle HERE

Source:  https://otalliance.org/news/releases/2011scorecard.html
