
PRESS RELEASE

Online Trust Alliance Issues Poor Grades to Fortune 500 for Failing to Protect Consumers From Online Fraud

Despite report, OTA sees silver lining with leading Fortune 500 companies' actions

SEATTLE, WA and SAN FRANCISCO, CA – April 23, 2009 – Today the Online Trust Alliance (OTA) expanded its research findings by issuing a poor grade to Fortune 500 companies for failing to appropriately protect consumers from online fraud. The OTA found only 37 percent of these companies authenticate their email and/or implement Extended Validation Secure Sockets Layer (EV SSL) certificates – techniques which offer increased protection from online fraud and deceptive email. This most recent research follows an OTA study with similar results on the 300 leading Internet retailers and government agencies.

“Although there is no silver bullet to stop online fraud, adoption of open standards like email authentication and EV SSL certificates are best practices, and essential to restoring the consumer’s sense of security and privacy,” said OTA Chairman and Founder, Craig Spiezle. “OTA and its members are committed to providing the resources businesses need to enhance online trust.”  

The OTA found Fortune 100 companies have a somewhat higher adoption rate for email authentication and/or EV SSL certificates (45 percent) compared with the Fortune 500 as a whole, indicating top companies recognize and proactively capture opportunities to safeguard their brands and customers. While these results show year-to-year growth, the results are still disappointing considering that over 50 percent have yet to adopt these security measures.  

This data is somewhat mitigated by OTA research revealing an estimated 85 percent of all commercial and transactional email is now being authenticated. This has been achieved with the support of the Anti-Phishing Working Group (APWG), the Interactive Advertising Bureau (IAB), the Direct Marketing Association (DMA), and the Email Sender and Provider Coalition (ESPC). The OTA is encouraged by this progress, but notes that marketers must leverage their expertise and aid in the protection of the domains most recognizable by the consumer, not just the ones that send email. Furthermore, marketers need to commit to ongoing maintenance to assure the highest level of accuracy in the email they authenticate.

“The data for the largest companies and email marketers is encouraging, yet represents a disconnect between IT professionals, marketers and the stewards of the corporate brand,” said Spiezle. “It is incumbent these groups join forces and adopt authentication principles before their brands and stockholders are harmed.”  

Email authentication helps Internet Service Providers (ISPs), hosters and business networks validate that the sender of a message is authorized by the domain holder to send email. By taking this step, consumers and brands realize added protection in detecting forged email.  

OTA is also reporting a more than 100 percent increase in the adoption of EV SSL certificates over the past year. EV SSL certificates clearly identify a legitimate web site, usually with a green identifier in a browser’s address bar, and were created to address the rise in Internet fraud that was eroding consumer confidence in online transactions.

In January of 2008, OTA called on the world’s top financial institutions and eCommerce sites to adopt EV SSL. As of today, four of the five largest organizations worldwide have done so – Bank of America, General Electric, HSBC and JP Morgan Chase – and 25 percent of the top 1000 eCommerce sites that had used SSL certificates have now migrated to EV SSL. Furthermore, through efforts of OTA, the Merchant Risk Council and the CA/Browser Forum, today all of the mainstream web browsers including Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera support EV SSL – up from only Microsoft Internet Explorer 7 just a year ago.  

OTA is calling on all eCommerce, banking and leading governmental sites to adopt both email authentication and EV SSL certificates within the next six months. Those brands that adopt will be taking a step forward in protecting their consumers and enhancing online trust. In addition, OTA is calling on all ISPs to integrate inbound email authentication verification as a best practice. Despite progress by a handful of leading ISPs, others have not embraced this opportunity to better protect consumers with email authentication. OTA and its members are providing resources to aid businesses in their adoption of both email authentication and EV SSL certificates for ecommerce sites.

A working group of OTA members and industry leaders is meeting today in San Francisco, and will be publishing guidelines and recommendations within the next month. Information will be posted at https://otalliance.org/resources/index.html.

Fortune 500 Update

Top 25 Government Domains Report Card (317KB PDF)

Internet Retailer 300 Report Card (458KB PDF)

OTA email authentication resources

Methodology – Analysis was completed between April 3 and April 13, 2009, based on examining the public DNS records of the brands and governmental agencies, as well as examining over 20 million emails sent to consumers purporting to come from the legitimate brand and domain. Data was provided in part by Microsoft Corporation, IronPort Systems, MX Logic and Return Path Inc. Ranking of ecommerce brands is based on data published by the Internet Retailer. Criteria for top U.S. government sites include one or more of the following: past incidence of spoofing and phishing, site traffic, and risk of potential exploit for financial data and/or disseminating misleading consumer information.

Note: The focus of this research is on the domains most recognized by the consumer and on SPF/SenderID and DKIM, open standards that are broadly deployed by ISPs, mail hosts and business MTAs. While not included in this research, third-party solutions such as Goodmail CertifiedEmail, Iconix, PGP, S/MIME and IronPort PXE Encryption merit consideration based on the value offered and/or regulatory requirements.

Extended Validation SSL certificate growth data was provided by VeriSign, DigiCert, Go Daddy and the Netcraft SSL survey.  Browser testing was completed by OTA using Internet Explorer 8, Firefox 3, Opera 9.x, Safari 4 and Google Chrome.

 

About The Online Trust Alliance (OTA) https://otalliance.org/
The mission of OTA is to create a trusted global online ecosystem and foster the elimination of email and Internet fraud, abuse and cybercrime, thereby enhancing trust, confidence and the protection of businesses and consumers. Through its member companies and organization affiliates, OTA represents over one million businesses and 500 million users worldwide with regional chapters in Asia Pacific, Canada and Europe. OTA is a 501(c)(6) IRS-approved non-profit, governed by a Board and Steering Committee including Bank of America, BoxSentry, Datran Media, Epsilon, Goodmail Systems, Iconix, Internet Identity, IronPort (a division of Cisco Systems), MarkMonitor, Message Systems, Microsoft Corporation, MX Logic, Return Path, Symantec Corporation and VeriSign.