Understanding when and how to be secure

Over the years I have come to the maxim that "Everything should be as secure as is easy to use, and no more secure," to steal a theme from Einstein. One of my peeves has been the many companies who, feeling that E-mail is insecure, instead send you an E-mail that tells you that you have an E-mail, if you would only log onto their web site (often one you rarely log into) with the password you set up 2 years ago to read it. I often get these for things like bills and statements -- "Your statement is now available online." A few nicer ones tell me that my statement is online but the e-mail does contain the total in the statement. Only if the total is unexpected do I need to log in to see the statement.

None of these sites seem to offer me the option of saying, "My E-mail is secure, at least if you are doing your job, so just send me the data in E-mail," or of using one of the end-to-end encrypted E-mail systems. Alas, there is more than one E-mail encryption system, but it's not hard to do the two most popular, PGP/GPG and S/MIME, and they are fairly widely supported in mailers.

As I noted, my own mail is secure in that I run an SMTP server on my home server, and only access it over encrypted IMAP. If they have set up their server to do encrypted SMTP (which should be the default by now, frankly) then the mail is generally secure (though it does do a brief unencrypted stop at my spam filter system.)
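The "if they are doing their job" condition above is checkable: the receiving side can see whether a sender's mail server advertises STARTTLS and presents a certificate that actually verifies. This is an added example, not code from the original post; it uses only the Python standard library, and the host names you pass on the command line are whatever MX hosts you want to inspect.

```python
"""Check whether a mail server offers STARTTLS and a verifiable certificate.

Added example, not from the original post. Only the standard library is
used; MX host names are supplied by the caller on the command line.
"""
import smtplib
import socket
import ssl


def starttls_offered(ehlo_lines):
    """Return True if an EHLO reply's extension lines advertise STARTTLS.

    ehlo_lines is the list of extension lines after the greeting line,
    e.g. ["PIPELINING", "SIZE 10240000", "STARTTLS"]. Keyword match is
    case-insensitive, as the SMTP extension registry requires.
    """
    return any(line.split()[0].upper() == "STARTTLS"
               for line in ehlo_lines if line.strip())


def classify(offered, verified):
    """Map the two check results to a transport-security verdict."""
    if not offered:
        return "plaintext"        # mail would cross the wire unencrypted
    if not verified:
        return "opportunistic"    # encrypted, but cert does not prove who answered
    return "verified-tls"


def check_mx(host, port=25, timeout=10):
    """Connect to an MX host, read its EHLO reply, attempt verified STARTTLS.

    Returns a classify() verdict or an "error: ..." string. Needs network.
    """
    ctx = ssl.create_default_context()    # verifies chain and host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()
            # First line of the reply is the server's greeting, the rest are extensions.
            lines = msg.decode("utf-8", "replace").splitlines()[1:]
            if not starttls_offered(lines):
                return classify(False, False)
            try:
                smtp.starttls(context=ctx)
                return classify(True, True)
            except ssl.SSLError:          # includes certificate verification failures
                return classify(True, False)
    except (socket.error, smtplib.SMTPException) as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    import sys
    for mx in sys.argv[1:]:
        print(mx, check_mx(mx))
```

Note that a "verified-tls" verdict only covers the hop you tested; as the post says, intermediate hops such as a spam filter may still see the message in the clear, which is why end-to-end encryption is a different question.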

However, sometimes the contents of the mail need no security, and so instead it's just an annoyance. I have an account with Wachovia bank, and yesterday got an E-mail that there was an "important, secure E-mail" I should read on their server. After logging in, I found that all they had to say was public information about their merger with Wells Fargo, and how accounts would be shifted over. There was no reason that needed to be secure, since the only secret to reveal was that I had an account there, and the E-mail itself revealed that.

So I wrote a note back to complain, telling them not to make me jump through hoops to read public information. What's so much fun is the response I got back:

Thank you for contacting Wachovia. My name is Tulanee E, and I am happy to assist you.

Mr. Templeton, I would be happy to assist you. However, to guarantee the security of your information prior to confidential information being disclosed or any account activities being performed we need to verify your personal information. For this we kindly ask you to please call us at 1-800-950-2296 to discuss this issue. Representatives are available to assist you 24 hours a day, seven days a week.

I apologize for any inconvenience.

My goal today was to provide you a complete and helpful answer. Thank you for banking with Wachovia.

Sincerely,

Tulanee E
Online Services Team
Online Customer Service: 1-800-950-2296

Comments

These systems will often offer to email you a new access password in case you forgot yours, so anyone who can read your email can also get a new password to log into the system and read your waiting protected messages. In these cases, there is *no* actual security/convenience tradeoff - just 100% annoyance.

With no rational justification, I'd always assumed that there must be some legal reason why they do this. Maybe by having you log in, they fulfill some requirement to deliver the communication to you that would not be (at least legally) fulfilled by just blindly sending you the same communication in email?

The Universal Commercial Code has all sorts of rules about the timing of communications. Sometimes it matters when the signer sends it, other times when the receiver receives it, and it changes if the agent is a common carrier (like the US Post Office) or not. Maybe an expert on UCC could weigh in on how these rules apply when email is involved, and if this could be the cause of this behavior?

-josh

I agree in general with your complaint, but have a few observations...

As far as I can tell, encrypted email just isn't in wide enough use. I am a long time developer with network and security experience, and I don't use it. None of my correspondents, including one whose profession is network security consulting, use secure email. It is one of those good ideas that hasn't come anywhere close to critical mass.

My flex benefit provider has a partial solution. They send me an encrypted PDF and I have to enter part of my associated debit card number to decrypt it. That seems reasonable.

BTW, another gripe I have is those that don't use enough security. The same outfit that sends me the encrypted PDF requests that I send them back data on medical expenses, but suggest FAX (somewhat secure but unreliable and clunky) or email with NO security.

Finally, another related issue. Lots of sites require that you provide data to use if you forget your password (favorite dog name, high school name, etc). I consider feeding this information to lots of sites to itself be a security hazard, especially when the site security is really not important to me.

Yes, it is not widely used. It is, however, fairly widely deployed, but few people have created keys.

I believe that if the sites that sent all these annoying "You have an E-mail, why don't you log in to read it" E-mails instead offered to send encrypted and signed email using S/MIME or PGP, with instructions for how to turn that on, a lot more people would deploy it.

However, I want something even easier, a box that says, "I use encrypted SMTP on my server, so since you had better use it too, I OK you sending me confidential e-mails to this address."

This would actually enable a lot of folks. For example, now that gmail is all accessed via https, all users of GMail and similar services could turn on that box. That's actually quite widely deployed.

It's (usually) not about security, it's about generating hits on their website. Marketing 101 believes that the more a customer interacts with you, the more likely they are to remain a customer or expand the relationship. If they just gave you the info you needed up front, you'd never see their web site at all and there would be no chance to cross-sell you all their other services. Ok, fine - at least give me a direct path to get that statement instead of hiding it under layers upon layers of menus and pages.
