German bank fights phishing with electronic signatures

German retail banking giant Postbank AG, the target of several phishing attacks, aims to curb the theft of online personal information with the help of electronic signatures.

The bank will begin attaching electronic signatures to all e-mail correspondence with customers, Postbank spokesman Jürgen Ebert said Thursday.

The Postbank mail certification service uses the S/MIME (Secure Multipurpose Internet Mail Extensions) standard, already integrated into numerous e-mail applications, including Microsoft Corp.'s Outlook, according to Ebert.

The electronic signature, which the bank attaches to its e-mail, is issued by TC Trust GmbH, the German subsidiary of GeoTrust Inc.

Only Postbank customers using e-mail applications with both S/MIME authentication and TC Trust certification will receive a certification symbol, confirming that the text message is from the bank, according to Ebert.

Currently, only Outlook supports the Postbank service, he said.

Phishing attacks use spoofed e-mail and fraudulent Web sites to fool respondents into entering personal financial data such as credit card numbers, account user names and passwords, which can then be used for financial theft or identity theft.

The attacks, which have hit Postbank and several other large German banks over the past couple of years, have resulted in more than 80 percent of online banking customers in the country doubting the authenticity of e-mail correspondence from their banks, according to a survey by German market researcher TNS Infratest Holding GmbH & Co. KG.

Under the Postbank certification system, users can verify an e-mail by clicking a certification symbol, which, when opened, provide details about the signature.

A warning symbol appears if any inconsistencies arise during the signature authentication process.

The system operates in a similar way to trusted Web pages, according to Ebert.

The T-Online e-mail service provided by local network operator Deutsche Telekom AG plans to support the Postbank service by July, he said.

Discussions are also underway with America Online Inc., which offers another frequently used mail client in Germany, he added.

Customers using e-mail programs that currently don't meet the S/MIME and TC Trust requirements will receive a message that the signature is not recognized. If they wish to enable their programs to support both, they are advised to consult the Postbank Web site for details: http://www.postbank.de/ql_1101979537043/pbde_home.html.

Postbank's electronic signature service isn't possible with Web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de GmbH.

Plans are underway to switch the certification service from TC Trust to Verisign Inc., which already provides certification services for Postbank's Web pages, according to Ebert. "We started with TC Trust but we think it's better to have everything with Verisign, which is more widely used," he said.

Postbank, which was spun off from the former German public administration for post and telecommunications, is one of the country's largest consumer banks with 11 million customers, of whom nearly 1.7 million have online banking accounts.