September 24, 2006
how to drastically reduce identity theft
Phishing scams piss me off, not because they're so prevalent, but because 90% of the messages I get should never have been accepted by the MTA.
It's 2006, and we have plenty of options for email authentication:
Sender Policy Framework (SPF): a DNS TXT record listing which hosts may send mail with your domain as the envelope sender
Sender ID: Microsoft's variant, which applies the same kind of check to the purported responsible address taken from the headers
DomainKeys / DKIM: a cryptographic signature over the message, verified against a public key published in DNS
Certified Server Validation (CSV): authenticates the host name the sending server announces in EHLO
+ more?!
Some of them are fully in the public domain, others aren't, but all of them can co-exist on the same domain, so it really doesn't matter which you pick first.
Which gets to my point: the banks aren't using these. The credit card companies aren't using these. The auction and pay-your-way sites aren't using these. They're all using bullshit proprietary 'emerging technologies' that are built and funded by MBA grads with a half-assed idea. Sure they work, but they're overly complex, necessitate a ton of opt-ins, and don't have large adoption.
Meanwhile, there are open protocols that cost nothing to install and almost nothing to run, and that would drastically cut down on forged mail, which is what phishing rides on. And they're just sitting on the shelf.
So that's why I'm pissed off. Publishing an SPF record, a wholly open standard, is one TXT record in the domain's DNS; call it 5 minutes. The 5 minutes is the DNS edit, though: the real work is listing every host and every third-party vendor that legitimately sends mail as your domain, because a record ending in -all that misses one of them turns that vendor's mail into rejected mail. Once the record is out there, the bank has stated in public which servers speak for it, and it becomes the job of the MTA accepting the mail to check the connecting IP against that list. Two caveats a practitioner should keep in mind: SPF authenticates the envelope sender (the MAIL FROM bounce address), not the From: line the user reads, which is why you want DKIM alongside it; and it does nothing on a receiver that never asks. Once validating the sender is the receiving MTA's job, the free market pushes the open standards forward: would you rather use an email service from X, which doesn't check for phishing, or Y, which does?
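To make the receiving side concrete, here is an added example (not part of the original post, and not any real MTA's code): a minimal SPF evaluator in Python that checks a connecting IP against a published v=spf1 record and maps the result to an MTA decision. The DNS zone, domains, addresses and records are constructed for the example; a real receiver resolves the TXT record over DNS and also handles the a, mx, ptr and exists mechanisms and macros, which are left out here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The domains, addresses and records
# are invented for this example; a real MTA resolves these over DNS.
FAKE_TXT = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "old.examplebank.test": "v=spf1 redirect=examplebank.test",
    "loose.test": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # bounds include/redirect nesting so a looping record cannot recurse forever


def lookup_spf(domain, zone):
    """Return the v=spf1 record for domain, or None if it publishes none."""
    rec = zone.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_host(ip, domain, zone=FAKE_TXT, depth=0):
    """Evaluate SPF for a connection from `ip` whose MAIL FROM is in `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Implements ip4/ip6/include/all and the redirect= modifier; a, mx, ptr,
    exists and macros are omitted in this example.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None

    for term in record.split()[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:
            # modifier: only redirect= is acted on; others (e.g. exp=) are ignored
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            sub = check_host(ip, arg, zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # including a domain with no record is an error
            matched = sub == "pass"  # fail/softfail/neutral of an include just don't match
        else:
            return "permerror"  # mechanism not supported in this example

        if matched:
            return QUALIFIERS[qual]

    if redirect is not None:
        result = check_host(ip, redirect, zone, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"  # no mechanism matched and no redirect: record says nothing


def mta_action(result):
    """Map an SPF result to what the receiving MTA does with the message.

    Policy is the receiver's choice; this is one sane default: reject hard
    failures, accept but flag softfails, accept everything else.
    """
    if result == "fail":
        return "reject"       # 550: sender not authorized for this domain
    if result == "softfail":
        return "accept+flag"  # deliver, but feed the result to spam scoring
    return "accept"
```

The record for examplebank.test in the constructed zone is the whole "5 minutes": a list of the bank's own netblock, an include for its mail vendor, and -all. The difference between -all and ~all is what decides whether a receiver running mta_action rejects a forged message outright or merely scores it, so a domain that has not finished enumerating its senders usually publishes ~all first.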
There's no way to make every company in the world adopt this, and it wouldn't be 'fair' to do that. But it would be easy and well within reason to make the bulk of firms spoofed by phishing, US-based financial institutions and services, adopt this overnight.
US financial institutions and firms don't play by the normal rules of commerce. They have special licensing and regulating bodies. There's the Federal Reserve Board and the Securities and Exchange Commission. Even a Department of Commerce with dozens of sub-agencies. Want to take a big bite out of phishing? Make it a requirement for these companies and US agencies like the IRS to use SPF and other open standards, and don't advocate any one standard, but support many for maximum compatibility. They cost almost nothing to implement: 5 minutes of labor for the DNS record, with no software cost.
Posted by Jonathan at 6:39 PM
