Understanding when and how to be secure
Over the years I have come to the maxim that "Everything should be as secure as is easy to use, and no more secure" to steal a theme from Einstein. One of my peeves has been the many companies who, feeling that E-mail is insecure, instead send you an E-mail that tells you you have an E-mail if you would only log onto their web site (often one you rarely log into) with the password you set up 2 years ago to read it. I often get these for things like bills and statements -- "Your statement is now available online." A few nicer ones tell me that my statement is online but the e-mail does contain the total in the statement. Only if the total is unexpected do I need to log in to see the statement.
None of these sites seem to offer me the option of saying, "My E-mail is secure, at least if you are doing your job, so just send me the data in E-mail" or of using one of the end-to-end encrypted E-mail systems. Alas, there is more than one E-mail system, but it's not hard to do the two most popular, PGP/GPG and S/MIME, and they are fairly widely supported in mailers.
As I noted, my own mail is secure in that I run an SMTP server on my home server, and only access it over encrypted IMAP. If they have set up their server to do encrypted SMTP (which should be the default by now, frankly) then the mail is generally secure (though it does do a brief unencrypted stop at my spam filter system.)
However, sometimes the contents of the mail need no security, and so instead it's just annoyance. I have an account with Wachovia bank, and yesterday got an E-mail that there was an "important, secure E-mail" I should read on their server. After logging in, I found that all they had to say was public information about their merger with Wells Fargo, and how accounts would be shifted over. There was no reason that needed to be secure, since the only secret to reveal was that I had an account there, and the E-mail revealed that.
So I wrote a note back to complain, telling them not to make me jump through hoops to read public information. What's so much fun is the response I got back:
Thank you for contacting Wachovia. My name is Tulanee E, and I am happy to assist you.
Mr. Templeton, I would be happy to assist you. However, to guarantee the security of your information prior to confidential information being disclosed or any account activities being performed we need to verify your personal information. For this we kindly ask you to please call us at 1-800-950-2296 to discuss this issue. Representatives are available to assist you 24 hours a day, seven days a week.
I apologize for any inconvenience.
My goal today was to provide you a complete and helpful answer. Thank you for banking with Wachovia.
Tulanee E
Online Services Team
Online Customer Service: 1-800-950-2296