Email/phone spoofing - how can they be stopped?
December 11, 2019 2:06 AM

What would it take to prevent email/phone spoofing, joejobbing etc?

There are numerous questions on MF and elsewhere about people having their email address or phone number spoofed by hackers/spammers, joejobbing, etc.

Why is it apparently so easy for hackers/spammers to spoof people's email address/phone numbers? More importantly, what would it take, technically, to totally prevent this? Is it something the phone companies or the email providers have to do or would it require completely changing the Internet/international phone system? And why isn't it done?
posted by TheRaven to Computers & Internet (6 answers total) 4 users marked this as a favorite
 
This is far from my area of expertise but I do work for the agency responsible for caller ID issues in Canada. Here is our explanation on why it isn't as simple as just saying "no calls with incorrect caller ID allowed".
posted by jacquilynne at 3:55 AM on December 11, 2019 [1 favorite]


In the US, the FCC could be much more aggressive about this, and instead . . . isn't. John Oliver did an episode about it a while back.
posted by aspersioncast at 4:50 AM on December 11, 2019 [1 favorite]


So in the email space, there are a slew of technologies: Sender Policy Framework (SPF) for determining who is allowed to send mail for a domain, DomainKeys Identified Mail (DKIM) for determining which system actually sent the mail messages, and Domain-based Message Authentication, Reporting and Conformance (DMARC), which applies a policy and reporting solution to the problem.

The trouble is, to be maximally effective you have to conform and have good habits. The first 20-30 years of email built up a lot of bad practices that everyone is slowly unwinding to get their houses in order. Secondarily, there has been an explosion of 3rd party platforms that want to send as a company's domain (CRM software, surveys, order fulfillment, etc.), which, if it isn't done properly, can lead people to do dumb things like turn off protection mechanisms to "just make it work".

Just last month, an automated system from one of our partners (a giant Fortune 100 company) was sending us mail that we were rejecting because we were enforcing the policy that the other company themselves set. They insisted we just whitelist them to turn off the rules that they themselves created.
posted by mmascolino at 5:11 AM on December 11, 2019 [5 favorites]
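
The situation in the answer above, as an added example that is not part of the original thread: a simplified receiver-side DMARC decision showing why mail from a third-party platform gets rejected under the sender's own published policy. The domains, the record and the function names are constructed for illustration; `pct`, `sp` and Public Suffix List lookups are left out.

```python
# Added example: simplified receiver-side DMARC check (all inputs are constructed).

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "deliver"  # no usable policy published by the From: domain
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # one aligned pass is enough
    policy = tags.get("p", "none").lower()
    return policy if policy in ("quarantine", "reject") else "deliver"

# Constructed scenario: partner.example publishes p=reject, then sends through
# a third-party platform that authenticates only as mailer.example.
PARTNER_POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@partner.example"

if __name__ == "__main__":
    print(dmarc_disposition(PARTNER_POLICY, "partner.example",
                            "pass", "bounce.mailer.example",
                            "pass", "mailer.example"))      # unaligned
    print(dmarc_disposition(PARTNER_POLICY, "partner.example",
                            "pass", "bounce.mailer.example",
                            "pass", "partner.example"))     # DKIM signed as partner
```

Both SPF and DKIM can pass for the platform's own domain and the message still fails DMARC, because neither authenticated domain aligns with the From: domain; having the platform sign with the sender's domain fixes it without the receiver weakening anything.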


The Telecommunications Industry would have to make it a priority.
posted by theora55 at 7:55 AM on December 11, 2019 [1 favorite]


The fundamental problem is that of tying a technological identity to a personal identity, provably and reliably and in a standard fashion. This is hard and legacy systems like phone and email have largely reacted to that difficulty by ignoring it.

It's easy to pretend to be somebody else online because it's easy to acquire multiple online identities.

However, as more and more of our interpersonal activity moves toward being conducted online, the value in having one of those identities provably and reliably tied to you is becoming more apparent. This is not to say that multiple online identities are a bad thing in some absolute sense; there are good and sufficient safety reasons for maintaining them, and any proposal for making this harder ought to be vigorously resisted.

But having a digital identity that is provably yours to people you choose to share it with is an absolute requirement if your aim is to avoid the possibility that other people can generate spoofed communications that purport to come from you.

So the technological fix is to move off legacy messaging systems toward newer designs that make providing a provable identity central to their operation. There's good early work being done in this space by Keybase (on which, for what it's worth, I am provably flabdablet).
posted by flabdablet at 9:58 AM on December 11, 2019 [3 favorites]


Most of those systems today work on a self-declaration basis. Spoofing an email address or phone number is as easy as giving a fake name, which I find a useful analogy. How do you deal with fake names? Well, you can require photo IDs or do verification, or you can prosecute people who are found to be impersonating others fraudulently.

Verification could be done just by calling or emailing the claimed address (since spoofing an outgoing phone or email address doesn't mean you *receive* calls or email to that address). But the person has to do this, just like the bouncer needs to look at your ID for it to do any good. There are also ways for the technology owners (telecoms, email servers) to do additional verification based on point of origin of the transmission or other information, but that requires some sustained effort to implement consistently and accurately. And prosecution for fraud is where the government comes in, but it's hard because of how global the internet is. The person who's impersonating a Minnesotan may not be anywhere that Minnesota police or even federal police can easily identify and prosecute them.
posted by Lady Li at 10:00 AM on December 13, 2019

