Data scandal in Germany: Internet experts demand cooperation for increased security
January 2019 by CSA
The theft of highly sensitive data such as account data, the publication of private chat histories in 50 to 60 particularly serious cases and contact data of around 1,000 politicians, journalists, artists and elected officials have shocked the public. During the Christmas holidays, many public figures in Germany received unpleasant surprises.
Such a hacking attack can have negative consequences beyond those directly affected, particularly when the published data has been stolen through phishing. Phishing is a common method of using e-mails that appear to come from reputable senders such as banks to obtain personal data or access data from the addressees. This can harm not only recipients who carelessly disclose their personal data, but also the supposed senders. For the latter, it can damage the company’s image and may even cause a financial loss if phishing emails result in inquiries and staff must be deployed to communicate with confused or aggrieved customers. "Phishing is very often the first step of a hack," confirms Julia Janßen-Holldiek, Director of the Certified Senders Alliance (CSA). Even in the case of the most recent data scandal, it is suspected that the offender captured part of the data by means of phishing.
Both sides, the recipients and the senders of emails, can effectively protect themselves against phishing. The senders can use suitable authentication methods such as DMARC (Domain-based Message Authentication, Reporting and Conformance) without much additional effort. The new BIMI (Brand Indicators for Message Identification) standard offers a further advantage when using DMARC: emails from verified senders can be marked with the sender’s brand logo in the recipient’s inbox. "Brand owners are additionally motivated by the logo marking to use DMARC. This in turn protects users through better spam filtering and fewer phishing emails in the inbox," said Marcel Becker, Product Manager at Verizon Media, where a first BIMI test with various trademark owners is currently being successfully launched.
On the recipient side, a healthy scepticism towards e-mails from supposedly reputable senders and caution when disclosing personal data and access data are the best protection against phishing attacks. Stricter rules for the operators of Internet platforms, as demanded by Federal Justice Minister Katarina Barley in the wake of the data scandal, are of little help according to many Internet experts.
Oliver Süme, CEO of the German e-commerce association eco - Verband der Internetwirtschaft e.V., now warns against an exaggerated reaction to the latest scandal: "It is true that the Internet industry and politicians now have to clarify the background to this incident in order to jointly develop appropriate security targets on this basis. I would, however, warn against using this incident again as a hitch for exaggerated and ultimately counterproductive regulatory ideas. Hasty decisions such as the NetzDG*, which we are still critical of, will not help anyone. I call for a constructive dialogue on the responsibilities of the state, application companies and users for improved IT security, in which eco is happy to play its part."
Detailed information on the DMARC authentication procedure can also be found on the homepage of the Certified Senders Alliance. The Certified Senders Alliance (CSA) is a joint project of the German e-commerce association (eco - Verband der Internetwirtschaft e.V.) and the German Marketing Dialogue Association (Deutscher Dialogmarketing Verband-DDV). The CSA forms a neutral interface between mailbox providers and senders of commercial emails. The BIMI standard in particular will also be a topic at the CSA Summit from 10 to 12 April 2019 in Cologne.
Footnotes *NetzDG = Netzwerkdurchsetzungsgesetz - German law to improve law enforcement in social networks. The law, which came into effect on January 1st 2018, requires social networks to remove disputed content