
Risk

5/17/2011
12:44 PM

Majority Of Websites Fail To Deploy Online Trust Measures

Social media, e-commerce, financial services ahead of federal agencies in protecting consumers online, Online Trust Alliance report says

Three-fourths of all organizations failed to make the grade for protecting users from malicious email and rogue websites in the Online Trust Alliance's (OTA) newly released 2011 Online Safety Honor Roll.

Only 26 percent of government, social media, e-commerce, and financial services firms surveyed by the OTA made the honor roll for using technologies to prevent abuse, including email authentication, Extended Validation SSL Certificates (EV SSL), and malware and vulnerability testing on their websites. But that's still an improvement over last year, when only 8 percent did. The OTA surveyed 1,112 domains, their DNS records, and more than 500 million email messages that claimed to originate from those organizations.

Craig Spiezle, executive director and president of the OTA, says there's some good news in that there are higher levels of adoption of email authentication and EV SSL certificates, as well as a decreased level of malware and known vulnerabilities on some websites. "This reflects how website administrators are locking down their sites better," he says. "But the bad news is that cybercrime is moving upstream: [Spoofing and phishing] email authentication is at the forefront of attacks today, and there are still not enough gains here. The glass is still half empty."

According to the report, social media, e-commerce, and financial services ranked higher in securing their sites than government agencies. Around 27 percent of the top 100 FDIC banks made the honor roll, 24 percent of the Fortune 500 did, and 22 percent of the top 500 Internet retailers did. Just 12 percent of federal government websites made the honor roll.

More than 56 percent of all of those surveyed are now using either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) for detecting and blocking phony email. More than 90 percent of the top social media sites have adopted email authentication; 84 percent of the top online retailers; 59 percent of the largest FDIC banks; and 38 percent of the top government sites. The good news is that the feds have increased their adoption of email authentication by nearly 19 percent since 2010's report.
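The adoption figures above come from surveying each organization's DNS for email authentication records. As an added illustration (not code from the OTA or from this article), the script below performs that kind of check for a list of domains: it finds a domain's SPF record, classifies how the record treats unlisted senders, looks for DKIM selector records, and computes an adoption rate like the percentages in the report. The domain names and TXT records are constructed sample data standing in for a live resolver, and the DKIM selector names are assumptions, since selectors cannot be enumerated from DNS without knowing them in advance.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS TXT data so the check runs offline. All domain names
# below are hypothetical placeholders, not real organizations.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "strict-bank.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "soft-retailer.example": ["v=spf1 a mx ~all"],
    "permissive-agency.example": ["v=spf1 +all"],
    "redirect-only.example": ["v=spf1 redirect=strict-bank.example"],
    "no-auth.example": ["site-verification=placeholder-token"],
    # DKIM public key published under <selector>._domainkey.<domain>
    "selector1._domainkey.strict-bank.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER-BASE64-KEY"],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return SAMPLE_TXT_RECORDS.get(name.lower().rstrip("."), [])


def find_spf(domain: str) -> Optional[str]:
    """Return the domain's single SPF record, or None if absent or ambiguous."""
    spf = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    # RFC 7208 treats more than one SPF record as a permanent error, so a
    # duplicated record gives the domain no usable policy at all.
    return spf[0] if len(spf) == 1 else None


def parse_spf(record: str) -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Split an SPF record into (qualifier, mechanism, argument) tuples plus modifiers."""
    mechanisms: List[Tuple[str, str, str]] = []
    modifiers: Dict[str, str] = {}
    for term in record.split()[1:]:          # skip the leading "v=spf1"
        head = term.split(":", 1)[0].split("/", 1)[0]
        if "=" in head:                      # modifiers look like redirect=... or exp=...
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                      # RFC 7208 default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, _, _cidr = name.partition("/")  # e.g. "a/24" carries a CIDR length
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms, modifiers


def classify_spf(record: Optional[str], depth: int = 0) -> str:
    """Describe the result SPF gives to a sender the record does not list."""
    if record is None:
        return "none"
    mechanisms, modifiers = parse_spf(record)
    for qualifier, name, _ in mechanisms:
        if name == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}[qualifier]
    # With no "all" term, a redirect= modifier hands the policy to another
    # domain; the depth guard stops a redirect loop.
    if "redirect" in modifiers and depth < 10:
        return classify_spf(find_spf(modifiers["redirect"]), depth + 1)
    return "neutral"                         # RFC 7208 default when nothing matches


def assess_domain(domain: str, dkim_selectors: Tuple[str, ...] = ("selector1",)) -> Dict[str, object]:
    """Report SPF and DKIM deployment for one domain; selector names are assumed."""
    record = find_spf(domain)
    policy = classify_spf(record)
    found = [
        sel for sel in dkim_selectors
        if any(r.upper().startswith("V=DKIM1") for r in lookup_txt(f"{sel}._domainkey.{domain}"))
    ]
    return {
        "domain": domain,
        "spf_record": record,
        "spf_policy": policy,
        # "+all" or a missing "all" publishes SPF without actually restricting senders
        "spf_restrictive": policy in ("fail", "softfail"),
        "dkim_selectors_found": found,
        "email_auth_deployed": record is not None or bool(found),
    }


def adoption_rate(domains: List[str]) -> float:
    """Percentage of domains publishing SPF or DKIM, as in the report's figures."""
    if not domains:
        return 0.0
    deployed = sum(1 for d in domains if assess_domain(d)["email_auth_deployed"])
    return round(100.0 * deployed / len(domains), 1)


if __name__ == "__main__":
    sample = ["strict-bank.example", "soft-retailer.example", "permissive-agency.example", "no-auth.example"]
    for d in sample:
        print(assess_domain(d))
    print(f"adoption: {adoption_rate(sample)}%")
```

The `spf_restrictive` flag is the part worth watching: a domain can count as "adopted" for a survey like this one while publishing `+all`, which authorizes every host on the Internet to send as that domain and so offers no protection against spoofing.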

"We applaud OTA's efforts to drive adoption of standards-based security best practices and we are honored to be recognized for our leadership in customer protection," said Michael Barrett, CISO and vice president of information risk management at PayPal, in a statement. "We encourage other industry stakeholders to join us in deploying these solutions for the sake of our mutual customers’ safety, and the vitality of our ecosystem. The time is now."

The OTA lists the Internal Revenue Service, the Social Security Administration, Apple, Citibank, Bank of America, PayPal, Publishers Clearing House, Microsoft, and the White House (whitehouse.gov) for implementing the proper best practices to ensure online consumer safety and privacy.

Spiezle says organizations must consider adopting the proper technologies to protect against phishing, email fraud, and breaches. "Look at Comodo: That's a good example of spear-phishing. The data you collect [online] has personal and sensitive information," he says. "You will have an incident. You will be targeted ... The challenge today is a lot of people are in denial."

The OTA report and scorecard are available here for download.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
