In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII.
However it’s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong.
Take American Express for example:
An email from them asking you to send a copy of your passport/driving licence/etc… to confirm your identity suggests that you may reply via email however:
Please note that the internet can be insecure. You must use a secure encryption method when sending personal data and/or documentation to us via email to safeguard your personal data
Great… you encourage your customers to encrypt their personal data.
So I’ll just send over a truecrypt volume encrypted with twofish-aes-serpent shall I?
Or perhaps a PGP encrypted volume, whats your public key?
What about just an AES256 encrypted zip?
Okay so that’s point 1.
- They’ve suggested that it is on the customers own head to protect their data. However they have not listed the accepted formats of encryption that they use.
So we’re assuming because they’ve not provided us with a public key they don’t want pgp or gpg encryption. They want something simple that doesn’t require too much infrastructure in place so we’ll go with the AES256 encrypted zip, which providing they have winzip/7zip/*ziprarace client means they can enter in a password and decrypt the contents.
Great, so how do I get the password to you?
AMEX are right, internet communication via email is all in the clear, so if someone was in the middle of my traffic (i’m on a corporate network, chances are they’re monitoring it at least so files could be logged or archived in an antivirus mail gateway for example) they could intercept the cleartext data and have my passport details.
So I encrypt it and send it via email, attacker or corporate network now only has an encrypted zip file.
How do AMEX suggest I send a password to them? I call their customer service desk, expecting them to give me a number to SMS it to or a voice service that instead reads me a password when I dial the number and enter my reference code?
Oh you just send it via email. I think you’re meant to send it all together
…I explain my concerns..
Erm, I’ve never been asked that before I guess I could give you another email address to send it to
- Sending encrypted data along with the password in the same email is as good as sending cleartext data.
- Sending encrypted data along with the password via the same mechanism is as good as sending cleartext data.
So despite all of AMEX’s good advice above “You must use a secure encryption method…” actually there is no way to use a secure encryption method to keep your data safe when dealing with them.
Extra Note:Along the same lines, as I mention above I regularly get asked to encrypt reports that are deemed commercially sensitive. So I email out the encrypted zip file, and they request that I SMS them the password.
2 minutes later, their blackberry chirps… twice*.
*Did you guess what just happened?
Their blackberry received both the encrypted zip and the plain text password. Loss/Theft of the blackberry once again could result in the loss of commercially sensitive data.