Twitter joins Facebook, LinkedIn in using DMARC email authentication (too late for Jeep and Burger King)

Just days after two prominent Twitter accounts were somewhat hilariously hacked, Twitter announced it has adopted a new technology for making emails from the newsy social network harder to fake. It’s the same technology that Facebook, LinkedIn, Google, and PayPal use to limit email fraud.

Why now?

Jeep’s Twitter account recently told the world that the iconic brand had been “sold to Cadillac.” And Burger King’s account started mysteriously promoting McDonald’s. Two high-profile hacks in less than a week means, apparently, that Twitter had to take some action.

The hacks were the result of phishing attacks: emails that look legitimate but, sadly, are not.

“There’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information,” Twitter’s “postmaster” Josh Aberant posted this morning on the company’s blog.

Twitter sends out a lot of emails. If you opt into email notifications for new follows, mentions, and direct messages (little hint: don’t), you potentially get hundreds of emails a week. The problem is: how do you know the email in your inbox is from Twitter?

To make that determination easier, Twitter has adopted DMARC technology, an email authentication protocol initially developed by PayPal in 2007. Essentially, it lets receiving mail servers know, with a reasonable level of assurance, that an email’s reported sender is accurate rather than spoofed or forged, which in turn allows the mail server to delete forged email before it ever reaches your inbox.
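To show what a receiving mail server actually checks, here is a simplified DMARC policy evaluation as an added example (not Twitter's code or any real implementation). It assumes a constructed DMARC record and approximates the organizational domain as the last two labels instead of consulting the Public Suffix List, as RFC 7489 requires.

```python
"""Simplified DMARC evaluation: parse the published record, check identifier
alignment between the From: domain and the SPF / DKIM authenticated domains,
and return the disposition the record asks for. Added example, not Twitter's code."""


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict, applying RFC defaults."""
    tags = {"v": None, "p": None, "adkim": "r", "aspf": "r"}  # alignment defaults to relaxed
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags["v"] != "DMARC1" or tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (real receivers use the PSL).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return ('pass', 'none') or ('fail', <p= policy>).
    spf_pass_domain: MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: d= of a DKIM signature that verified, else None."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, rec["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, rec["adkim"])
    if spf_ok or dkim_ok:  # either aligned, authenticated identifier is enough
        return ("pass", "none")
    return ("fail", rec["p"])


# Constructed sample record: strict DKIM alignment, relaxed SPF alignment, reject on failure.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(evaluate(RECORD, "example.com", spf_pass_domain="bounce.example.com"))  # legitimate
    print(evaluate(RECORD, "example.com", spf_pass_domain="other.example"))       # spoofed From:
```

The second call shows the case the article describes: SPF may pass for whatever domain the sender controls, but because it does not align with the From: domain the receiver is told to reject.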

Facebook already uses DMARC and is listed as one of the founding contributors to the open specification, as is LinkedIn. Other organizations that use DMARC include Google (Gmail), Microsoft (Hotmail/Outlook), Yahoo (Yahoo Mail), AOL, and Comcast.

A note for emailers:

If you don’t use Gmail or one of the other email providers listed above, you may not be protected. It might be a good time to ask your mail service provider if they support DMARC.

photo credit: Stian Eikeland via photopin cc
