Indian Banking Email Not Secure & Authenticated!
From last few days we are analyzing email infrastructure of Critical email from Indian Bank (SBI Cards), we are surprised that emails are not even authenticated and headers are not usual.
And we are shocked when I found sender domain of SBI credit card (sbicard.com) have no SPF, DKIM & DMARC record published.
Due to this Gmail added warning on SBIcard’s email “Gmail couldn’t verify that this message was sent by sbicard.com.” header of SBI email as follow:
It’s very easy to Hack SBIcard.com domain for Phishing emails and steal information of users.
What is Email Authentication?
Email authentication is a way to ensure that an email provider will be able to recognize the sender of an incoming message and fight Spam and abuse. You can use authentication data to verify the source of any message that you receive.
Email services like AOL, Gmail or Yahoo (as well as corporate email servers) use one or more of these authentication methods to verify sender identity: DKIM (Domain Keys Identified Mail) SPF (Sender Policy Framework)
What is SPF Records?
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
To know more about SPF, Read Here.
What is DKIM?
DKIM (Domain Keys Identified Mail) is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email. Forged email is a serious threat to all parties in an email exchange.
To know more about DKIM, Click Here.
If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.
What is DMARC
“DMARC, which stands for ‘Domain-based Message Authentication, Reporting & Conformance’, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email. It considers both DKIM & SPF as a combined authentication method.” – Definition from dmarc.org
Not only issue with SBI card, other popular payment gateway Billdesk have similar issue by the analysis of email header I found that email is not authenticated and verified from source, Billdesk is using shared IP’s pool and lots of other user also using there IP’s, sending 3-4 domain in single email and fan fact is none of domain is belong from billdesk.
SBI card don’t use email authentication (as you have seen the screenshot above). Authentication is highly recommended for every mail sender to ensure that messages are correctly classified and to avoid phishing scams. Bad guys can send phishing messages (messages claiming to be from sbicard.com) to users and ask them to send personal information.
Email authentication is good for both sender and receivers. It’s good for senders because it allows them to take clear responsibility for the email they send and helps reject a forged email claiming to come from their domains.
It also makes it easier for receivers to detect email forgeries, which often come in the form of spoofing or phishing scams.
If you’re receiving a mail from SBI card
You can view the authentication information by opening a message and clicking on the ‘show details’ icon below the sender’s name.
If a message was DKIM authenticated, a ‘signed-by’ header with domain will appear.
If a messages was SPF authenticated, a ‘mailed-by’ header with domain will appear.
If no authentication information exists, there will be no ‘signed-by’ or ‘mailed-by’ headers. this message is most likely forged and you should be careful about replying to it or opening any attachments. You should not enter or send any personal information.
What should SBI do?
Make their email authenticated by email authenticated mechanism adapted by all ISP and email platforms. This helps SBI to protect their brands and maintain their customers’ confidence in their email and in their company as a whole.
From last few days we are analyzing email infrastructure of Critical email from Indian Bank (SBI Cards), we are surprised that emails are not even authenticated and headers are not usual.
And we are shocked when I found sender domain of SBI credit card (sbicard.com) have no SPF, DKIM & DMARC record published.
Due to this Gmail added warning on SBIcard’s email “Gmail couldn’t verify that this message was sent by sbicard.com.” header of SBI email as follow:
It’s very easy to Hack SBIcard.com domain for Phishing emails and steal information of users.
What is Email Authentication?
Email authentication is a way to ensure that an email provider will be able to recognize the sender of an incoming message and fight Spam and abuse. You can use authentication data to verify the source of any message that you receive.
Email services like AOL, Gmail or Yahoo (as well as corporate email servers) use one or more of these authentication methods to verify sender identity: DKIM (Domain Keys Identified Mail) SPF (Sender Policy Framework)
What is SPF Records?
An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
To know more about SPF, Read Here.
What is DKIM?
DKIM (Domain Keys Identified Mail) is an important authentication mechanism to help protect both email receivers and email senders from forged and phishing email. Forged email is a serious threat to all parties in an email exchange.
To know more about DKIM, Click Here.
If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.
What is DMARC
“DMARC, which stands for ‘Domain-based Message Authentication, Reporting & Conformance’, is an email authentication protocol. It builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email. It considers both DKIM & SPF as a combined authentication method.” – Definition from dmarc.org
Not only issue with SBI card, other popular payment gateway Billdesk have similar issue by the analysis of email header I found that email is not authenticated and verified from source, Billdesk is using shared IP’s pool and lots of other user also using there IP’s, sending 3-4 domain in single email and fan fact is none of domain is belong from billdesk.
SBI card don’t use email authentication (as you have seen the screenshot above). Authentication is highly recommended for every mail sender to ensure that messages are correctly classified and to avoid phishing scams. Bad guys can send phishing messages (messages claiming to be from sbicard.com) to users and ask them to send personal information.
Email authentication is good for both sender and receivers. It’s good for senders because it allows them to take clear responsibility for the email they send and helps reject a forged email claiming to come from their domains.
It also makes it easier for receivers to detect email forgeries, which often come in the form of spoofing or phishing scams.
If you’re receiving a mail from SBI card
You can view the authentication information by opening a message and clicking on the ‘show details’ icon below the sender’s name.
If a message was DKIM authenticated, a ‘signed-by’ header with domain will appear.
If a messages was SPF authenticated, a ‘mailed-by’ header with domain will appear.
If no authentication information exists, there will be no ‘signed-by’ or ‘mailed-by’ headers. this message is most likely forged and you should be careful about replying to it or opening any attachments. You should not enter or send any personal information.
What should SBI do?
Make their email authenticated by email authenticated mechanism adapted by all ISP and email platforms. This helps SBI to protect their brands and maintain their customers’ confidence in their email and in their company as a whole.
Hi Pawan,
Its helpful sharing this post because a lot of online bankers do fall into Internet scam via unauthenticated secure email.
This is not specific to SBI nor India, most developing countries encounter these experiences.
It becomes necessary to watch out for best practices. SBI Card owners must learn something from this post!
I left the above comment in kingged.com as well
Hello Sunday,
Glad to see you again and thank you so much for finding this article useful.
You are absolutely right that online banking is getting insecure and effective measures should be taken.
This article was particularly written for SBI but I am fully agree with you that the same scenario is going through all developing countries.
But, by taking some simple precautions we can prevent ourselves.
Let’s hope for the best.
Have a nice day ahead.