Industry Group BITS's New President Focusing on Email Security

Many people have received an email that purports to be from the IRS or their bank and requests personal information, but turns out to be a phishing lure: a fake email that crooks use to dupe people for the purpose of fraud, ID theft or other web-related crime.

Paul Smocer, who was just named president of BITS, the technology wing of the Financial Services Roundtable, is among those on the front lines of the battle to help banks fight phishing and other criminal activities.

A former manager of technology risk support at Bank of New York and CISO at Mellon Financial who first joined BITS in 2008, Smocer succeeds Leigh Williams, who departed the Roundtable to serve as Director of the Office of Critical Infrastructure Protection and Compliance Policy at the U.S. Department of the Treasury.

One of Smocer's first moves will be to release a reporting mechanism that internet service providers (ISPs) can use to present authentication and security measures to BITS' members as part of reporting.

The new mechanism, which will be available in the next month or so, will aggregate email traffic data and domain ownership information from the ISPs to determine how the source of the email is authenticated as part of spam or phishing prevention techniques.

"We can help our members understand where there may be issues… where they may need to strengthen protections," says Smocer, who says the new release is an interim step in a larger project among BITS, ISPs and other email-centric industries (retail and gift card firms among them) that aims to bring more detail to domain authentication and reporting. While that larger initiative will continue into next year, Smocer says the interim standard will aggregate existing email data such as domain registration and traffic as part of ISP reports on email security posture.

The new reporting mechanism, and the broader authentication project, will stand on the shoulders of existing email authentication standards developed with the help of BITS that are designed to validate that the sender of an email is actually the proper sender and not an impostor. "Part of the information that our members will be getting is that the email in their legitimate domain has been authenticated and comes from a legitimate domain that's owned by the organization, as opposed to someone in the background," he says.

Smocer, who was previously an executive vice president at BITS and has led multiple email security initiatives at the group, says most ISPs are doing a good job at this authentication, but there is room for improvement in how the ISPs actually report this information to the financial institutions.

"Email exists in a broad ecosystem that involves multiple players across the Internet," says Smocer. "One challenge is to get everybody in that ecosystem to accept standards [that protect emails]. Most ISPs have reached that point, they are also concerned about email authentication. Right now, we are working with the ISP community and our institutions around new standards that relate to how ISPs and other email providers report back whether email is authenticated and conforms [to protection standards]."

Additionally, some ISPs are providing deeper details on specific phishing and fraud prevention techniques than others.

"Each [ISP] provides different types of information," Smocer says. "There are dozens of ISPs that have email systems … and they are all providing information in a slightly different manner and with slightly different levels of detail."

Smocer says BITS is also working on an online identity protection project that leverages deeper information from government sources such as the IRS and Social Security Administration as part of identity protection.
