[BreachExchange] FTC Report Finds Some Small Business Web Hosting Services Could Leave Small Businesses at Risk of Facilitating Phishing Scams

Inga Goddijn inga at riskbasedsecurity.com
Wed Feb 21 15:13:05 EST 2018


The Federal Trade Commission today released a staff report that examines 11
web-hosting services that market themselves to small businesses and finds
that many do not provide by default certain email authentication and
anti-phishing technologies, potentially leaving many small firms at risk of
facilitating phishing scams.

In a Staff Perspective, “Do Web Hosts Protect Their Small Business
Customers with Secure Hosting and Anti-Phishing Technologies?”,
the FTC’s Office of Technology Research and Investigation examined the
security features offered by certain web hosting services that cater to
small businesses. The research was prompted by a series of roundtable
discussions around the country that the FTC held in 2017, in which many
small business owners said that choosing web hosting and email providers
was one of the key challenges they face.

The research found that many of the examined web hosts are helping small
businesses implement SSL/TLS, with the majority of hosts integrating the
process into their basic hosting plans or offering them as straightforward
options for an additional fee. SSL/TLS technology ensures users are
visiting a legitimate website and not an imposter. It also provides
encrypted communications to protect personal information sent between the
website and a user’s computer, as well as other website security safeguards.

The Staff Perspective notes, however, that of the 11 web hosting companies
examined by FTC staff, few offer straightforward access to email
authentication and anti-phishing technologies. These include domain-level
authentication systems that verify the identity of the domain that email
claims to be from (SPF and DKIM) and a related technology that can be used
to instruct receiving email services to reject the delivery of messages
that wrongly claim to be from an address at the sender’s domain (DMARC).

In fact, FTC staff found that only two of the web-hosting companies
implement SPF or DKIM by default and none offer support for DMARC as a
standard feature of their hosting services. Furthermore, three of the 11
hosts do not provide any method for configuring DMARC. Although the use of
DMARC is possible with the other eight hosts, their small business
customers would need to have independent knowledge of DMARC and configure
it on their own – something that a small business that is relying on the
web host’s expertise is unlikely to do.
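The SPF and DMARC configuration discussed above, as an added example that is not part of the FTC report or this post: a short Python script that reads a domain's TXT records (from a constructed in-memory zone rather than live DNS, so it runs offline) and reports whether a receiving mail server could actually reject mail that falsely claims to come from that domain. The domain names and records are made up.

```python
"""Assess a domain's SPF/DMARC posture from DNS TXT records (added example,
not from the FTC report). DNS is replaced by the constructed zone SAMPLE_TXT."""
import re

# Constructed TXT records for three hypothetical small-business domains.
SAMPLE_TXT = {
    "shop.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "cafe.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.cafe.example": ["v=DMARC1; p=none"],
    "bakery.example": ["site-verification=abc123"],  # host left SPF/DMARC unset
}

def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (swap in a real resolver in practice)."""
    return zone.get(name, [])

def parse_spf(records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), or None if unusable.
    Zero or multiple v=spf1 records both make receivers ignore SPF."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
    return (m.group(1) or "+") if m else None  # a bare 'all' means '+all'

def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is no usable record."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags = dict(part.strip().split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    return tags if "p" in tags else None  # the 'p' (policy) tag is mandatory

def assess(domain, zone=SAMPLE_TXT):
    """Summarise what a receiving mail server could enforce for this domain."""
    spf_all = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, zone))
    findings = []
    if spf_all is None:
        findings.append("no SPF record: receivers cannot tell who may send as this domain")
    elif spf_all in ("?", "+"):
        findings.append("SPF %sall: unknown senders are not failed" % spf_all)
    if dmarc is None:
        findings.append("no DMARC record: receivers are not told to reject failing mail")
    elif dmarc["p"] == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    return {"domain": domain, "spf_all": spf_all,
            "dmarc_policy": dmarc["p"] if dmarc else None, "findings": findings}
```

Run against the three sample domains, only shop.example comes back with no findings; bakery.example, which has neither record, is the case the report describes as the default on many hosts.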

Among other things, the Staff Perspective recommends that small businesses
pay close attention to the security features offered by web hosts so that
they can choose a host that will protect their websites and email accounts
with SSL/TLS and email authentication technologies. It also urges that web
hosts implement these technologies for their small business clients.
Finally, it recommends that publications that review web hosts evaluate the
availability of SSL/TLS and email authentication technologies in their