Many companies, that should know better, are putting their customers identity at risk by encouraging customers to submit identity documents using insecure means.
I recently applied to a financial institution to open an account. Wishing to authenticate my information they requested I submit validating government documents by fax. Most government issued documents, with picture ids, do not fax well, and as is the norm. I was then requested to scan and attach my identity documents to an email and send to the institution.
Why isn’t email secure?
Email isn’t secure because it was never meant to be the center of our digital lives. It was developed when the Internet was a much smaller place to standardize simple store-and-forward messaging between people using different kinds of computers. Email was all transferred completely in the open – everything was readable by anyone who could watch network traffic or access accounts (originally not even passwords were encrypted). Amazingly, email sent using those wide-open methods still (mostly) works.
Today, there are four basic places where most people’s email can be compromised:
- On your device(s)
- On the networks
- On the server(s)
- On your recipient’s device(s)
The first and last places – devices – are easy to understand. If someone can sit at your computer, grab your phone, or swipe through your tablet, odds are that your email is sitting right there for them to read – You do use a lock screen or password on your devices, right? Same thing goes for your recipients’ devices. But even passwords and lock screens sometimes aren’t much help. While a few email programs encrypt the email messages they store on the device, most don’t. That means anyone (or any program) that can access the device’s internal storage can probably also read email and get to file attachments. Sound far-fetched? It doesn’t have to be a person; rifling through email is one of the most common things malware does.
Networks are a little tougher to understand, and covers three basic links:
- Your connection to your email provider (whether that be your ISP, Google, Outlook, Yahoo, Apple, or someone else)
- Any network connections between your email provider and your recipient
- Your recipient’s networking connection to their email provider.
If you’re sending email to someone on the same service you use (say,), you have at least the first and third potential network vulnerabilities: your connection to and your recipient’s connection to . If your recipient’s email is elsewhere (say a company or school) then you have at least one more: the connection between and your recipient’s email provider. The reality of network topography means each of those connections involves a series of routers and switches (perhaps a dozen or more), probably owned and operated by different outfits. If one connection is secure, there’s no guaranteeing any other connection in the sequence is secure. And if you’re concerned about things like the NSA’s PRISM surveillance program, indications so far are that some of it happens at these interim network points.
Email was not designed with any privacy or security in mind.
Servers are the machines at your email provider or ISP that physically store your email. If someone cracks (or guesses, or steals) your email password, they probably don’t need your devices; they can log in to your email provider directly and read any email stored there. That might be only a few messages, but it could be weeks, months, or years worth of email – including at least some messages you’ve deleted. But that’s not the only risk. Most email services store your messages as plain text. So, any attacker who can access those servers (say, via a security flaw or by stealing an admin password) can easily access all the stored email and attachments. Why don’t providers protect stored email? Partly because of the overhead that would create, but storing the email unencrypted lets people search their messages (you like to search your email, right?) and enables services like Gmail to automatically scan mail for keywords to sell advertising (and you like advertising, right?).
Gtwo, specializes in helping companies maintain a secure environment for communications and the uploading and downloading of sensitive documents. Appropriate for law offices, financial institutions, accountants etc. Call us today to see how we can preserve the security of your client relationships.