2011 SCORECARD & HONOR ROLL
2011 Scorecard & Honor Roll Report (registration
Summary & Honorees PDF l
EV SSL Certificates
OTA Releases 2011 Online Safety Honor Roll and
74% of Organizations Fail to Protect Consumers from Malicious
Email and Rogue Web Sites.
Government Lags Behind Social Media,
Ecommerce, and Financial Services Sectors
Seattle, Washington – May 10, 2011 – The Online Trust
2011 Online Safety Honor Roll released
today recognized 26% of the top public and private websites and government
agencies for their adoption of key technologies to help protect users’
privacy and identity from abuse.
OTA Honor Roll criteria include implementation of email
authentication, Extended Validation SSL Certificates (EV SSL), and testing
for malware and known site vulnerabilities. In addition, federal government
sites were evaluated for their support of DNSSEC. While the number honored
in 2011 represents a promising 3-fold increase from this time last year, 74%
of the top websites analyzed did not qualify and remain vulnerable to the
increased levels of cybercrime and online fraud.
The OTA’s third annual survey examined 1,112 domains,
their published DNS records, and over 500 million email messages purporting
to come from them. The survey, which includes evaluation of best practices
to help protect consumers from forged email, phishing sites, and malware,
found that of the companies analyzed, only 26% (289) qualified to be named
to the 2011 OTA Online Safety Honor Roll. This compares favorably to 8%
which qualified in 2010.
The FDIC 100 led all surveyed
sectors with nearly 27% making the Honor Roll, followed by 24% of the
Fortune 500 and 22% of the Internet Retail 500. Unfortunately, only 12% of
the measured federal government sites made the grade.
OTA’s criteria are acknowledged as
industry best practices and effectively support President Obama’s National
Strategy for Trusted Identities in Cyberspace (NSTIC). Combined, they serve
as the foundation for several related cyber-security, interactive marketing,
and identity protection initiatives.
A key principle in the report, email
authentication, is recognized as a best practice by the Federal Trade
Commission, Federal Communications Commission, Department of Homeland
Security, U.S. Postal Inspection Service, U.S. Senate, and leading industry
trade organizations including the Email Sender & Provider Coalition
(ESPC), Direct Marketing Association, Anti-Phishing Working Group (APWG),
BITS (a division of the Financial Services Roundtable), and the Messaging
Anti-Abuse Working Group (MAAWG).
“Domain level email authentication
is a potent weapon in the fight against spam and phishing attacks.
But, for it to work, legitimate emailers must authenticate the messages they
send and receiving domains must refuse delivery of unauthenticated
messages,” according to David Vladeck, Director of the
FTC’s Bureau of Consumer Protection.
Across all surveyed sectors, more
than 56% have adopted either Sender Policy Framework (SPF) or DomainKeys
Identified Mail (DKIM), two proven standards to help identify and block
deceptive email. Recognizing the business value of email authentication,
adoption has been led by 92% of the top social media sites, followed by 84%
of the Internet Retail 100, and nearly 59% of the largest FDIC banks.
Comparatively, only 38% of leading government sites have adopted email
authentication, reflecting an 18.8% increase over 2010.
“We applaud OTA’s efforts to drive
adoption of standards-based security best practices and we are honored to be
recognized for our leadership in customer protection,” said Michael Barrett,
CISO and VP Information Risk Management at PayPal. “We encourage other
industry stakeholders to join us in deploying these solutions for the sake
of our mutual customers’ safety, and the vitality of our ecosystem. The time
“While the level of adoption is
failing to adequately protect consumers, the commitment and growth within
the public and private sectors is encouraging,” said Craig Spiezle,
Executive Director of the Online Trust Alliance. “Government and business
leaders need to commit to these guidelines to help prevent a consumer trust
meltdown and protect the vitality of the U.S. economy.”
Almost 26% (289 companies)
earned entry into the OTA 2011 Online Safety Honor Roll, for their
adoption of EV SSL Certificates, and one or more forms of email
The Honor Roll achievement was
as high as 26.7% of the FDIC 100 and 24.6% of the Fortune 500. Only 12%
of top federal government sites qualified.
Email authentication adoption
has passed the tipping point, with more than 56% adopting either SPF or
DKIM on one or more of their domains or subdomains.
EV SSL is nearing 45% adoption
across top retail and banking sites, reflecting a year-to-year increase
of over 78%. Across all segments, adoption increased 68%.
For their demonstrated commitment to
best practices, industry collaboration and consumer education, OTA has
recognized several “North Stars” – including the Internal Revenue Service,
the Social Security Administration, Apple Computer, Citibank, Bank of
America, PayPal, Publishers Clearing House, Microsoft, and the White House
(whitehouse.gov). The complete report (registration required) and the list
of 2011 Honorees are posted at
OTA is pleased with increased adoption levels and is
urging consumer financial institutions, commerce sites and consumer-facing
government agencies as well as Internet Service Providers and Mail Box
Providers to implement the following as of October 1, 2011:
Implement both SPF and DKIM
email authentication across all domains and subdomains.
Add or upgrade to EV SSL
Certificates on all sites which require consumer login or registrations
and either provide access to or collect personal and financial data.
Initiate planning and deployment
About The Online Trust Alliance
Formed in 2004,
the Online Trust Alliance (OTA) is a global non-profit organization
representing the Internet ecosystem, supporting user choice and controls,
protection of critical infrastructure, privacy and data governance,
promoting marketing best practices and self-regulation. The OTA’s mission is
to develop and advocate best practices and public policy which mitigate
emerging privacy, identity and security threats to businesses, online
services, brands, government agencies, organizations and consumers, thereby
enhancing online trust and confidence.
For media inquiries contact:
Revised May 10, 2011