One result of getting your online credentials stolen may be fraudulent phishing emails pretending to be from a company you do business with. There are two ways said business can mitigate that: encrypt all their email, or just stop using it, writes David Birch.
You’re aware by now that Facebook has been hacked. Some 30 million people had their phone numbers and personal details exposed in a “major cyber attack” on the social network in September. Around half of them had their usernames, gender, language, relationship status, religion, hometown, city, birthday, device types used to access Facebook, education, work, the last ten places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches all compromised.
Now, I don’t care too much about this personally. Like all normal people I have Facebook and enjoy using it to connect with family and close friends, but I don’t use my “real” name for it and I never ever gave in to their pleading for my phone number – not because I was unsure that it would at some point get hacked (I assumed this to be the case) or because I thought that if I used it for two-factor authentication they might use it for advertising purposes, but on the general data-minimization principle that it’s none of their business.
(We should, as a rule, never provide data to anyone even if we trust them unless it is strictly necessary to enable a specific transaction to take place.)
One of the reasons that I don’t care is that I’m not worried about spammers getting my data and pretending to be Facebook. That’s because when I get email from Facebook, it is encrypted and signed using a public key linked to the e-mail address I use for this purpose (pseudonymous access). Like so:
My e-mail client (in this case, Apple Mail) will flag up if the signature is invalid. If you want to send encrypted email to me at email@example.com then you can get my PGP key from a public key server (check the fingerprint is 50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B if you want to) and then fire away. It’s not that difficult. Facebook asked me if I wanted secure email, I said yes, they asked me for my key, I gave it to them. End of. I really don’t understand why other organizations cannot do the same.
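What "check the fingerprint" amounts to, as an added example that is not part of the original article: the script recomputes a version 4 OpenPGP fingerprint from a downloaded binary key and compares it with the value published out of band. The toy key packet is constructed for illustration and is not the author's key; all function names are this example's own.

```python
import hashlib
import hmac

# Fingerprint quoted in the article for the author's key.
PAGE_FINGERPRINT = "50EF 7B0E FD4B 3475 D456 4D7E 7268 01F2 A1C5 075B"

def normalize(fpr):  # drop spaces/colons and upper-case before comparing
    return "".join(c for c in fpr if c not in " :").upper()

def first_packet(data):
    """Return (tag, body) of the first packet in a binary (de-armored) key."""
    if len(data) < 6 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    if data[0] & 0x40:  # new-format header
        tag, first = data[0] & 0x3F, data[1]
        if first < 192:
            off, length = 2, first
        elif first < 224:
            off, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            off, length = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body length is not valid for a key")
    else:  # old-format header: low two bits select the length-field size
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = 1 + (1 << ltype)
        length = int.from_bytes(data[1:off], "big")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def v4_fingerprint(key):
    tag, body = first_packet(key)
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("expected a version 4 public-key packet")
    # RFC 4880, section 12.2: SHA-1 over 0x99, two-byte body length, body.
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()

def key_matches(key, expected):
    return hmac.compare_digest(v4_fingerprint(key), normalize(expected))

# Constructed toy packet body (not a real key): v4, timestamp, RSA, MPIs n and e.
BODY = b"\x04" + (1538352000).to_bytes(4, "big") + b"\x01\x00\x10\xc3\x5f\x00\x11\x01\x00\x01"
OLD_FORMAT_KEY = b"\x99" + len(BODY).to_bytes(2, "big") + BODY
NEW_FORMAT_KEY = bytes([0xC6, len(BODY)]) + BODY
```

The fingerprint depends only on the key packet body, so the same key served with either header format yields the same value, and any other key fails the comparison against the published fingerprint.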
Banks, for example.
Here’s an e-mail that I got purporting to be from Barclays. They are asking me for feedback on their mortgage service and inviting me to click on a link.
I suppose some people might fall for this sort of spamming, but not me. I deleted it right away.
This of course might lead reasonable people to ask why Barclays can’t do the same as Facebook. That is, why can’t Barclays send email that is encrypted so that crooks can’t read it and signed so that I know it came from the bank and not from spammers? Surely it’s just a couple of lines of COBOL somewhere to ask me to upload my public key to their DB2 and then turn on encryption. Right? After all, it’s unencrypted and unsigned email that is at the root of a great many frauds so why not give customers the option of providing an S/MIME or PGP key and then using it to protect them?
Well, I think I know why.
I can remember a time working on a project for a client in Europe who asked, because of the very confidential nature of the work, that all email be encrypted and signed. We spent all morning messing around with Outlook/Exchange to get S/MIME set up, to sort out certificates and so forth. But we eventually got it working and sent the first encrypted and signed mail.
The client called back and asked if we could turn off encryption because the people working on the project were reading the email on smartphones and didn’t have S/MIME on their devices. The next day they called and asked us to turn off signing because the digital signatures were confusing their anti-spam software and all of our emails were being put in escrow.
So we know absolutely everything about security and so did our counterparts, and we still gave up because it was all too complicated. It’s just too hard.
(In Denmark, incidentally, that excuse won’t wash. The Danes have decided that emails containing “confidential and sensitive personal data” – which certainly includes bank details – must be encrypted. The Data Inspectorate are reasonable people though – they note that this change “will require some adjustment in the private sector” and so the new rule will not be enforced before 1st January 2019.)
Let’s not use encrypted and signed e-mail. I’ve got a better idea.
Why don’t Barclays STOP USING EMAIL AND TEXTS since they have an APP ON MY iPHONE that I use ALL THE TIME and they could send me SECURE MESSAGES using that. It’s time to move to conversational commerce based on messaging and forget about the bad old days of insecure, spam-filled, fraudophilic (and frankly passé) email.
This article first appeared on Tomorrow’s Transactions