Most Federal Credit Unions Lack Strong Email Security Set Ups

Financial institutions have always been at the forefront of battling cybercrime. As one of the most targeted industries, they face multiple threats, such as phishing, spear phishing and banking malware. Even less sophisticated scams, such as 419 scams, often abuse their brands in order to add credibility to the scammers behind them.

Since all of these attacks use email as their primary way of reaching potential victims, email security is a critical part of a bank's effort to protect its customers, and specifically of preventing scammers from masquerading as the bank by sending messages that appear to come from its official domain. When email security is properly enabled, only a bank's approved mail servers can send messages from its official domains. Criminals who still want victims to believe that a scam message came from the bank then have to send it from a similar domain that they register themselves. These similar-but-not-exact domains naturally have a lower success rate than a message that appears to come from the official domain, as many recipients can tell the difference, and they can also be detected through various intelligence services and taken down.

Unfortunately, while the larger financial institutions have been able to implement these important email security measures to protect their customers, one part of the financial services industry has not: Federal Credit Unions (FCUs). These cooperatives offer their members traditional banking services such as checking accounts, loans and credit cards, and are therefore also a major target for cybercriminals. However, research recently conducted by IntelFinder has shown that only 8% of a sample of 300 FCUs had strong email security enabled.

Email Security

As part of the research, we analyzed the SPF and DMARC records of the sampled FCUs by looking up the relevant records in their public DNS, information that is accessible to anyone. Specifically, we checked whether SPF and DMARC records exist and whether the DMARC policy was restrictive or permissive.

What are SPF and DMARC?

SPF and DMARC are two of the three email security methods that work together to prevent unauthorized third parties from sending email on behalf of a domain, and to provide visibility into the overall health of the mail relay infrastructure. The third method, DKIM, is an important component, but unlike SPF and DMARC it cannot be easily analyzed in bulk, because its DNS record does not live at a standard, predictable name. It was therefore not part of the research.

SPF, short for "Sender Policy Framework", defines the list of mail relay servers that are authorized to send email on behalf of a domain. A receiving mail server can verify that a message originated from one of the authorized servers and flag it if it did not. As only the domain owner should control the authorized mail relay servers, this makes it possible to detect third parties attempting to spoof the domain in an email campaign.


DKIM, or DomainKeys Identified Mail, is a standard used to make sure that messages are not altered in transit between sender and recipient. It attaches a digital signature to each outgoing email message, enabling the recipient to verify the signature using a public key published in a DNS record.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to determine what should happen when an email message fails the SPF or DKIM check. The domain owner can choose one of three policies: "quarantine", which sends such messages to the spam folder; "reject", which makes the recipient's mail server block the message entirely; and "none". Under the permissive "none" policy, the message still ends up in the recipient's mailbox despite failing authentication. This setting is designed to be used temporarily, so that organizations can confirm that their email security measures are set up correctly and that legitimate messages are not failing SPF and DKIM checks. As part of the standard, DMARC also lets organizations receive reports from mail servers that handled messages claiming to come from the domain, giving them visibility into potential spam campaigns as well as any problems with legitimate mail. Finally, DMARC plugs some holes in SPF when determining the legitimacy of a message, providing an improved screening mechanism and enhanced security.

Research Results

The results of our research on a sample size of 300 FCUs are as follows:

• 16 credit unions had no SPF record defined, meaning that any third party can spoof their email. The lack of SPF leaves not only the customers of these FCUs vulnerable but also the FCUs themselves, as spoofed messages would even reach the mailboxes of their own employees. Such messages can include spear phishing attacks and BEC fraud. Of these FCUs, all but one also lacked a DMARC record, suggesting that this is not the result of a misconfiguration but that email security simply has not been implemented. The one credit union with a DMARC record had set it up to send DMARC reports to a cyber security vendor, but as SPF and most likely DKIM have not been implemented, it would not block any email spoofing campaign.

• 74 credit unions had SPF and DMARC records defined, but the DMARC policy was permissive. As noted, when the DMARC record sets its policy to "none", a message that fails the SPF/DKIM check still ends up in the recipient's mailbox, so this setting undermines the effectiveness of SPF in stopping spoofed email campaigns. The number of FCUs with the permissive setting suggests that in most cases this is not just a temporary measure. Since a more restrictive DMARC policy may also affect the delivery of legitimate email (as issues between mail servers can still exist), it appears that many FCUs prefer a less secure configuration to avoid any mail relay problems.

• 184 credit unions had SPF records defined but no DMARC record. Even without DMARC, SPF and DKIM alone provide some protection against email spoofing. However, without DMARC there is no published policy on what to do when a message fails an SPF/DKIM check (as happens in an email spoofing campaign), so such messages may still end up in the recipient's inbox. In addition, because DMARC has several additional features covering cases that SPF does not, a domain with a defined DMARC record is more secure. Having a properly defined DMARC record in the domain's DNS is therefore important, especially for organizations whose customers are heavily targeted, such as financial institutions.

• Only 26 credit unions had SPF and DMARC defined with a restrictive policy in place in case a message fails the SPF/DKIM check.
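As an added illustration of the check described in the methodology section and the four result buckets above (this is not IntelFinder's own tooling), the Python below classifies a domain from its SPF TXT record and its `_dmarc` TXT record. The domains and records are constructed, and `lookup` is a placeholder for a real resolver; it also treats a `p=reject`/`p=quarantine` policy with `pct` below 100 as not fully restrictive, a caveat the article does not go into.

```python
from collections import Counter

# Constructed TXT answers for four hypothetical domains, keyed by the name you
# would query: the domain itself for SPF, "_dmarc.<domain>" for DMARC. A real
# survey would fill this from a resolver (e.g. `dig +short TXT _dmarc.<domain>`).
CONSTRUCTED_TXT = {
    "fcu-a.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.fcu-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@fcu-a.example"],
    "fcu-b.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "_dmarc.fcu-b.example": ["v=DMARC1; p=none; rua=mailto:reports@vendor.example"],
    "fcu-c.example": ["google-site-verification=abc123", "v=spf1 mx -all"],
    "fcu-d.example": ["some-unrelated-txt-record"],
    "_dmarc.fcu-d.example": ["v=DMARC1; p=none; rua=mailto:reports@vendor.example"],
}

NO_SPF, SPF_ONLY = "no SPF", "SPF only"
PERMISSIVE, RESTRICTIVE = "permissive DMARC", "restrictive DMARC"

def spf_record(txts):
    """Return the SPF record (the TXT string starting 'v=spf1'), or None.
    Two or more SPF records are a permanent error for receivers, so count as none."""
    found = [t for t in txts if t.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None

def dmarc_tags(txts):
    """Parse the DMARC record into a {tag: value} dict; None if there is none."""
    for t in txts:
        if t.strip().lower().startswith("v=dmarc1"):
            pairs = (p.split("=", 1) for p in t.split(";") if "=" in p)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def classify(domain, lookup=CONSTRUCTED_TXT.get):
    """Bucket one domain as the article does. `lookup(name, default)` returns the
    TXT strings for a name; swap in a resolver-backed function for live data."""
    spf = spf_record(lookup(domain, []))
    dmarc = dmarc_tags(lookup("_dmarc." + domain, []))
    if spf is None:
        return NO_SPF      # a DMARC record alone has no SPF result to enforce on
    if dmarc is None:
        return SPF_ONLY    # no published policy for messages that fail the check
    policy = dmarc.get("p", "none").lower()
    pct = dmarc.get("pct", "100")          # pct=0 with p=reject enforces nothing
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) == 100:
        return RESTRICTIVE
    return PERMISSIVE

def survey(domains, lookup=CONSTRUCTED_TXT.get):
    """Count domains per bucket, as in the results section."""
    return Counter(classify(d, lookup) for d in domains)
```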

Conclusions

One of the greatest challenges in cyber security is the ever-changing variety of threats and vectors from which they could materialize. As we rapidly move forward in order to keep up with the landscape, it is important to make sure that we don’t overlook existing technologies and methods in order to secure the organization, its employees and customers. As email continues to be a prevalent communication method but also a major vector of attack for many types of threats, securing it should be a high priority for every organization, especially ones in high-risk industries.

The fact that many organizations have opted not to implement DMARC, or to implement it at a permissive level, is somewhat understandable, as tighter security controls also affect the ability of legitimate email messages to reach their destinations. However, the issues between mail servers that may cause legitimate messages to fail the SPF/DKIM check can be resolved with some work, and the security benefits are great.

Whether the decision not to implement these technologies was accidental or deliberate, organizations should be encouraged to adopt them as soon as possible.

Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder. He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA, The Security Division of EMC.