Review Finds Majority of CUs Haven’t Put Email Security Measures in Place

BOSTON–The country’s credit unions have largely failed to put in place email security measures to protect member data, according to one new analysis.

The analysis, conducted by IntelFinder and SecurityWeek, found just 8% of a sample of 300 federal credit unions had strong email security enabled.

According to SecurityWeek, the research analyzed the SPF and DMARC records of the sampled FCUs by looking them up in each credit union’s DNS records, which are publicly accessible. The researchers said they specifically checked whether the SPF and DMARC records exist and whether the DMARC settings were restrictive or permissive.

SPF and DMARC are two of three email security methods that work together to prevent unauthorized third parties from sending emails on behalf of a domain, and to provide visibility and insight into the overall health of the mail relay infrastructure, the report noted.

It added that the third security method, DKIM, is also an important component but cannot be easily analyzed because, unlike SPF and DMARC, it does not have a standard DNS record format. It therefore wasn’t part of the research, SecurityWeek reported.

What Was Found

SecurityWeek, a unit of Wired Business Media, explained that SPF, short for “Sender Policy Framework,” defines a list of authorized mail relay servers that are allowed to send emails on behalf of a domain.

“A receiving mail server can verify that the origin of an email message is from one of the authorized servers and raise a flag in case it is not,” the report stated. “As only the domain owner should have access to the authorized mail relay servers, it can detect whenever third parties attempt to spoof the domain in an email campaign.”

In short, the report noted, DKIM, or DomainKeys Identified Mail, is a standard used to make sure that messages aren’t altered while in transit between the sender and recipient, while DMARC (Domain-based Message Authentication, Reporting and Conformance) makes use of SPF and DKIM to determine what happens when an email message fails an SPF or DKIM test.

Research Results

According to SecurityWeek, its review of the 300 FCUs found:

  • 16 did not have SPF records defined, indicating that any third party can spoof their emails. “Not only does the lack of SPF leave the (members) of these FCUs vulnerable, but also the FCUs themselves, as spoofed messages would even arrive to the mailbox of those FCUs’ employees. Such messages can include spear phishing attacks and BEC fraud.”
  • Of these FCUs, all except one did not have DMARC records defined as well, “suggesting that this is not the result of a misconfiguration, but instead that E-mail security simply has not been implemented. The one credit union that had a DMARC record defined has set it up to send DMARC reports to a cyber security vendor, but as SPF and most likely DKIM have not been implemented it would not block any email spoofing campaigns.”
  • 74 credit unions had SPF and DMARC records defined, but the DMARC record was set to “Permissive.”
    “As noted, when the DMARC record defines its policy as ‘none,’ a message which fails the SPF/DKIM check would still end up in the recipient’s mailbox. Therefore, such settings impact the effectiveness of SPF in stopping spoofed email campaigns,” SecurityWeek stated. “The amount of FCUs that have the permissive setting defined suggests that in most cases this is not just a temporary measure. As a more restrictive DMARC policy may have an impact on the ability to send legitimate E-mail messages as well (as issues between mail servers can still exist), it seems that many FCUs prefer a less secure configuration to ensure they have no issues with mail relay.”
  • 184 credit unions had SPF records defined, but no DMARC records. “Even when DMARC is not enabled, SPF and DKIM alone provide a level of protection against email spoofing. However, as without DMARC there is no official policy on what to do when an email message fails an SPF/DKIM check (as is the case in an E-mail spoofing campaign), messages may still end up in the recipient’s inbox.”
  • Only 26 credit unions had SPF and DMARC defined with a restrictive policy in place in case a message fails the SPF/DKIM check.
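
The grouping used in these findings can be reproduced from a domain’s TXT records. The following is an added example, not code from SecurityWeek or IntelFinder: it takes records as strings rather than querying DNS, all domains and records in it are constructed, and treating the DMARC policies "quarantine" and "reject" as "restrictive" is this example’s reading of the report’s term.

```python
from collections import Counter

RESTRICTIVE = {"quarantine", "reject"}  # assumption: anything else counts as permissive

def parse_tags(record):
    """Parse a 'tag=value; tag=value' record into an ordered dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def has_spf(apex_txt):
    """True if any TXT record at the domain itself is an SPF record."""
    return any(r.lower().split(" ", 1)[0] == "v=spf1" for r in apex_txt)

def dmarc_policy(dmarc_txt):
    """Return the p= value from the TXT records at _dmarc.<domain>, or None."""
    for r in dmarc_txt:
        tags = parse_tags(r)
        if next(iter(tags), None) == "v" and tags["v"] == "DMARC1":
            # Assumption: a DMARC record with no p= tag is counted as "none".
            return tags.get("p", "none").lower()
    return None

def classify(apex_txt, dmarc_txt):
    """Place a domain in one of the four groups used in the findings."""
    if not has_spf(apex_txt):
        return "no SPF"
    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        return "SPF, no DMARC"
    if policy in RESTRICTIVE:
        return "SPF + restrictive DMARC"
    return "SPF + permissive DMARC"

# Constructed sample: domain -> (TXT at domain, TXT at _dmarc.domain)
SAMPLE = {
    "a-fcu.example": (["v=spf1 include:_spf.a-fcu.example -all"], ["v=DMARC1; p=reject"]),
    "b-fcu.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none; rua=mailto:r@b-fcu.example"]),
    "c-fcu.example": (["site-verification=constructed", "v=spf1 mx -all"], []),
    "d-fcu.example": (["site-verification=constructed"], ["v=DMARC1; p=none; rua=mailto:r@vendor.example"]),
}

def tally(sample):
    return Counter(classify(apex, dmarc) for apex, dmarc in sample.values())

print(tally(SAMPLE))
```

The last sample domain mirrors the one credit union described above that publishes a DMARC reporting record without SPF: it still lands in the "no SPF" group.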

Conclusion

“As email continues to be a prevalent communication method but also a major vector of attack for many types of threats, securing it should be a high priority for every organization, especially ones in high-risk industries,” SecurityWeek reported.

The full report and additional details can be found here.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Review-Finds-Majority-of-CUs-Haven-t-Put-Email-Security-Measures-in-Place