Problem solve Get help with specific problems with your technologies, process and projects.

How to confirm the receipt of an email with security protocols

Many websites try to ensure secure registrations by sending email confirmations. But how is it possible to confirm receipt of that email by the correct recipient? Identity and access management expert Randall Gamby weighs in.

To complete registration, several websites send users an email message that contains an HTTPS secured link. However, if that email is intercepted, an impersonator may complete the registration process without accessing the recipient's email account. Is there to set up a server to confirm the email was opened by the intended recipient?

Unfortunately, email protocols don't really include a check point to detect whether the original recipient has received the message (even read receipts can be turned off or duplicated). You have to remember that the original SMTP protocols were developed in the DARPA government network, which was secured against outside access, so interception (and HTTP for that matter) was never considered in the original SMTP standard. However, there are some things you can do if you're concerned about email interception.

One way to ensure that only the recipient can access the email is to encrypt the actual message. New encryption protocols, like Identity-Based Encryption (IBE)-based vendor products, licensed through Voltage Security Inc., allow a sender to encrypt a message without pre-establishing an encryption key by using a data element from the recipient's identity data, such as his or her email address or telephone number. (Though, IBE is used by many companies, it is not, unfortunately, an open standard and must be licensed through Voltage. There's no equivalent open standard.) This would mean that only the intended recipient would be able to decrypt the message body that contains the link.

Another way would be to send an email message to the user with an encrypted attachment containing a link with an out-of-band key. For example, the user might be required to call a toll-free number to get the key, receive a letter containing the key (if not time sensitive), or receive a key through a follow-up email (assuming whoever's intercepting the original email will not have the bandwidth to look for an additional email, say, two hours later).

Assuming the user to whom you're sending the key has contacted you first (since you have his or her email address), you can also ask for additional identity information when he or she connects back to your site. For example, a recipient might click on a link that goes to the registration site and must supply his or her home telephone. The registration application verifies that the number matches the user's record, and then uses telephony to dial the home telephone number; during that phone call, the recipient is given a numeric key which he or she must enter in an appropriate field to finalize the registration.

There's also an emerging identity management technology that you might also want to consider: identity verification software. Using this software, as a user goes to your website, he or she is presented with a series of top-of-mind questions utilizing relevant facts pertaining to the individual. The questions the software uses are developed from information that is obtained by scanning dozens of public records and commercially available databases, and the answer choices presented are unique to each individual (e.g. Which of these three addresses did you live at before your current address?). This technology greatly reduces the possibility that a malicious user will provide correct responses. In addition, a level-of-risk score can be associated with the user's identity. The identity verification software can be configured to address high-risk identities (for example, if the IP address comes from an Eastern European country) or transactions by adjusting the difficulty of the questions during the authentication process. Once the user passes the questions and an acceptable risk score is assigned, he or she is then passed to your website for normal registration.

Unfortunately, these technology options are not free. The encryption will require, at minimum, a hardware appliance with an integration project to connect to your existing messaging system, and training for end users and help desk personnel. The out-of-band key will require telephony integration or process changes to allow the keys to be sent through other mediums (along with strong SLAs to ensure the process doesn't hamper the end users from getting the key). If you use the additional information option, you'll have to reconfigure your Web applications, or portal, along with securing personal information for clients that may decide not to register even though they've provided the company with their preliminary information. Identity verification software will require an architecture project, process changes, hardware and software purchases and training.

Finally, given the costs to implement any of these options, you have to ask, "What are the chances of email interception?" A successful email security breach is almost always caused by an unauthorized person accessing a recipient's email account or through social means (i.e. replying to a factitious email asking for verification information), which doesn't solve the problem, since the email was delivered and read by the valid recipient. Rarely, if ever, are there documented accounts of messages intercepted via a transmission medium (unless you count the U.S. government). The risks you're trying to avoid may not justify the level of protections and spending you will need to put in place. Work with your corporate risk manager to determine what is appropriate for your organization or business process.

For more information:

  • Learn how to prevent brute force webmail attacks.
  • Check out this video on creating an email security strategy.
  • This was last published in September 2009

    Dig Deeper on Email and Messaging Threats-Information Security Threats