How Google and Microsoft Can Stop Phishing Scams

Trevor highlighted in his recent post Bad Guys Want Your Payroll how attackers are using malicious software to access business banking accounts. To get the malicious software (malware) onto business systems, attackers frequently use phishing scams that trick users into downloading it through deceit and misrepresentation. Brian Krebs and his online community have also been discussing the issue in great depth over recent weeks, including in his recent post Warning About ZeuS Attack Used as Lure.

These attacks are largely successful because of the poor design of modern email systems. Although email has been around for far longer than the browser, email systems have evolved remarkably little by comparison. Google and Microsoft, however, have the ability to protect us from phishing scams. But will they?

A key failure is the general inability of users to verify that an email they have received came from a trusted source. For example, if you receive an email from your bank, you should be able to quickly verify that the message did indeed come from your bank. Unfortunately, with no method of assessing email authenticity, you cannot trust that the email is legitimate, nor can you trust anything else that arrives in your inbox. When faced with the choice of trusting nothing or trusting everything, users must either trust everything or sacrifice a critical business resource. It's a shame, but what choice do they truly have?

Vendors have tried in the past to address this problem with various technologies (PKI, PGP, etc.), but each method depends on either a complex public infrastructure or widespread user adoption before it becomes usable. Various historical reports of failures across business sectors show that the cost and effort curves are far too steep for all but the largest organizations to tackle.

Both Google and Microsoft have all of the tools needed to deploy a method for verifying an email's source, with benefits extending to business and personal users. Either organization could initiate this innovation by deploying a publicly available authority for issuing and managing common email server credentials, but I would look to Google for this given its history of maverick actions that completely change industry domains. What's more, Google could deploy this system for free with little loss to itself and with the potential to gain access to anonymous email traffic data that it would likely view as a gold mine. Such a system would provide the foundation for email verifiability by enabling an email system to "sign" each message originating from it.

The next step would be for email servers to gain the ability both to use the server credential for signing outgoing messages and to verify signed incoming messages. This may require some changes to email transfer protocols, but it's a change that Microsoft and Google are in a good position to force. For business users, Microsoft could provide the most benefit by integrating the functionality into the Exchange Server used by the vast majority of email-enabled businesses. For personal and small business users, both Microsoft and Google could provide the benefit by building the system into their public email services.

Finally, they could provide interface elements that notify users of the authenticity status of each individual email. Imagine, if you will, Gmail showing a flag next to each such message that says "Verified by Google." Microsoft could enable similar features in Outlook that simply separate source-verified messages from source-unverified ones. From there, the public will do the rest.
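The three steps described above (an authority issues a credential for a mail server, the sending server signs each outgoing message, and the receiving server verifies it and surfaces a flag for the mail client), as an added Go sketch; this is not code from the original post or from Google or Microsoft. The authority key pair, the ed25519 signatures, the credential format and the hypothetical bank.example domain are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedMail: the message, the sender's authority-issued credential (Domain, ServerKey, CredSig) and its signature.
type SignedMail struct {
	From, Subject, Body, Domain string
	ServerKey                   ed25519.PublicKey
	CredSig, MailSig            []byte
}

func credBytes(domain string, pub ed25519.PublicKey) []byte { return append([]byte(domain+"|"), pub...) }
func mailBytes(from, subject, body string) []byte      { return []byte(from + "\n" + subject + "\n" + body) }

// Issue is the public authority's step: bind a mail server's domain to its public key.
func Issue(authPriv ed25519.PrivateKey, domain string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(authPriv, credBytes(domain, pub))
}

// Send is the sending server's step: attach its credential and sign the outgoing message.
func Send(srvPriv ed25519.PrivateKey, domain string, credSig []byte, from, subject, body string) SignedMail {
	sig := ed25519.Sign(srvPriv, mailBytes(from, subject, body))
	return SignedMail{from, subject, body, domain, srvPriv.Public().(ed25519.PublicKey), credSig, sig}
}

// Verify is the receiving server's step; the result is the flag a mail client would show.
func Verify(authPub ed25519.PublicKey, m SignedMail) string {
	switch {
	case !ed25519.Verify(authPub, credBytes(m.Domain, m.ServerKey), m.CredSig):
		return "unverified: credential not issued by the trusted authority"
	case !strings.HasSuffix(m.From, "@"+m.Domain):
		return "unverified: From address does not match credentialed domain"
	case !ed25519.Verify(m.ServerKey, mailBytes(m.From, m.Subject, m.Body), m.MailSig):
		return "unverified: message altered or not signed by the sender's server"
	}
	return "verified"
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader) // the public authority's key pair
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)   // a bank mail server's key pair
	cred := Issue(authPriv, "bank.example", srvPub)          // hypothetical domain
	m := Send(srvPriv, "bank.example", cred, "alerts@bank.example", "Statement ready", "Log in to view it.")
	fmt.Println(Verify(authPub, m)) // verified
}
```

Altering any signed field after Send, using a From address outside the credentialed domain, or presenting a credential the trusted authority did not issue each turns the result into one of the unverified statuses, which is what a client would use to separate verified from unverified mail.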

Why should we look to Microsoft and Google? First, businesses cannot (and will not) do it alone. It is too cost-prohibitive and too overwhelming a problem for most businesses to address. Second, Microsoft and Google are the dominant forces in the email market. When they do it, the industry will follow. Third, businesses and personal users simply trust them as they trust almost no other vendors or service providers on the planet. Their reputations are too important for either of them to do this badly.

Why should Google and Microsoft do it? Their benefits vary, but they are tangible. Google already has an infrastructure capable of handling large-scale public transactions (e.g., Google DNS) that it seems to enjoy deploying to collect more Internet traffic data. Email transactions would definitely add to its already substantial Internet repository. For Microsoft, encouraging a trusted verification system would likely result in a substantial reduction in malware infections and the potential to largely eliminate a primary vector for propagating zero-day exploits, allowing more time to fix issues.

While I accept that vulnerabilities will still exist, developing this capability would likely be the most valuable information security innovation so far this century.

Originally posted at InfusionPoints Blogs.