Nathan, this is for you:You may have seen the video in which Nathan Fielder interviews a voting security expert who describes a scenario that could be used to skew the results of the Emmys. The plan is very detailed and easy to carry out, although slightly complex. That may have left you with a few questions…
Is the Emmys Voting System Secure?
Nope, the scenario described is valid and would easily work to skew the results.
Could the Emmys voting system become more secure?
YES! It would be pretty easy for the Emmys voting system to become much more secure. Here’s how:The access point in the scenarios and the greatest weakness in the Television Academy's security is the phishing email. If the Television Academy could block that email from getting to inboxes, then they could prevent voters from clicking the link to the fake website. DMARC does exactly that. By implementing a DMARC policy, the Television Academy could secure their domains against spoofed emails, like the one described in Nathan’s video. The end of the video displayed the real URL for voting: vote.televisionacademy.com. To block spoofed messages, televisionacademy.com should implement a DMARC policy.
Is televisionacademy.com protected with DMARC?
Nope. No DMARC policy.
What about emmys.com?
Nope, even less secure.
Television Academy Says it’s Secure...
According to the Hollywood Reporter’s tweet, the Television Academy responded to Nathan’s video stating that "We are quite confident in the security of our site and are continuously monitoring for any phishing activities like those described."How exactly are they doing that? DMARC allows domain owners to monitor their domains and block senders that are not authorized. But televisionacademy.com doesn’t have a DMARC policy! Without DMARC, there is no way for domain owners to monitor who sends emails from their domains, so the Television Academy has no way of knowing if (or when) any phishing emails are sent from their domain.
Would DMARC completely secure the Emmys voting system?
Unfortunately not. DMARC only protects the specific domain it’s assigned to, and domain owner can only protect the domains that they control. So, the phisher could send a phishing message from the domain that they set up for the fake website, for example, emmys2018.com. The resulting email wouldn’t be blocked under DMARC, but it would be easier for voters to identify the phishing email because of the discrepancy between the sender email addresses (real emails from the Television Academy vs the fake domain email). Television Academy could try to protect against this type of phishing attack my buying as many similar domain names as possible and protecting them with DMARC. If there are not logical domain names available for the phishing to buy, it will much more difficult for them to trick voters into clicking on the link to the fake page.
Fraudmarc can help with DMARC Implementation
We help domain owners implement DMARC.Fraudmarc offers a variety of plans and tools to help every domain achieve a DMARC Reject policy. Fraudmarc’s tools help with managing and monitoring as many authorized senders and DKIM selectors as required for your domain. Fraudmarc uses SPF Compression℠, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Also, Fraudmarc’s DMARC reports are always free, so you will have the tools and information you need to configure your policies accurately.
Simple. Email. Security