US banks that can send PGP/MIME e-mail
nobody at dizum.com
Sun Mar 3 11:24:43 CET 2013
On 2013-02-23, Jerry <jerry at seibercom.net> wrote:
> Well, each to his/her own I suppose; however, I would not approve of
> the file being sent to my PC regardless. There is always the
> possibility of the email being intercepted and exploited or my PC being

There is a security element to this, but it actually works the other
way around. SSL is considerably *less* secure than an OpenPGP
message. Here's why:

* CAs: SSL requires you to trust a certificate authority (and to
  date CAs have already been exploited).

* MitM: There are also a number of MitM techniques that work on
  HTTPS connections. One attack that comes to mind involves
  establishing a non-SSL connection to the customer. They get no
  pop-up about a bad cert because there's no cert involved. The
  attacker even uses an icon of a padlock for the site, so if the
  customer is careful enough to look for the padlock, but not
  careful enough to look where the browser puts it, they will be
  fooled. Alternatively, an attacker can simply use an untrusted
  cert knowing that many people will just click through their
  browser's popup warning anyway because they cannot be bothered.

* Phishing: There are many tricks that bait customers into logging
  into a rogue site that masquerades as their bank's, ultimately
  creating a compromising interaction that would be avoided if the
  statement were properly delivered.

* Storage: When a customer downloads their PDF statement over HTTPS,
  the PDF is unencrypted and it remains in that state, vulnerable to
  anyone who penetrates their home PC. Securing the storage
  requires additional effort on the part of the customer (generally
  unlikely). OTOH, if PGP is used, the statement is encrypted in
  storage by default. A customer would have to proactively decrypt
  the attachment with intent to archive it in the clear in order to
  achieve the same vulnerability as the status quo.

> If I want confidential information delivered to my PC, that should
> be my business. If an institution wanted to offer that option, and
> thereby being issued a release of responsibility, I have no
> objections to it.
You would not need any such release of liability. All natural people
banking in the US are free of liability per Regulation E. (I say
"natural" people, because businesses do not get reg. E protection).
Although banks bear the liability for poor security choices, they
generally do not care. They just need a facade that complies with the
poor standards and comforts the relatively street-unwise shareholders.
IOW, they only need to *appear* secure, they don't actually care to
*be* secure. Hence why they don't bother with PGP.
If banks had a genuine interest in security, they would at a bare
minimum be PGP clear-signing their e-mail notices to customers. It
would impose no technical changes on their customers, but customers
keen to detect phishing could do so, and the bank could then honestly
say that they've taken an effective step toward mitigating phishing
attacks. Dumb user tools could then be created that make it possible
for everyone to detect phishing attacks, not just those who are keen.
> I do not consider the clicking on of a secure link and downloading the
> document to be an inconvenience, but rather a security feature,
Requiring a periodic human interaction is obviously less convenient
for the human. And as I pointed out, it is simultaneously less secure.
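
The clear-signing check the message describes, as an added example that is not part of the original post or any bank's tooling: a notice is accepted only if GnuPG reports a valid signature made by a fingerprint pinned out of band. It assumes GnuPG 2.1 or later; the sender name, address, notice text and throwaway key are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: accept a clear-signed notice only when the signature is valid
# AND was made by a key whose fingerprint was pinned out of band.

# verify_notice FILE PINNED_FPR -> returns 0 only for a good signature by that key
verify_notice() {
    local file=$1 pinned=$2 status
    # --status-fd output is the machine interface; gpg exits non-zero on BADSIG.
    status=$(gpg --batch --status-fd 1 --verify "$file" 2>/dev/null) || return 1
    # "[GNUPG:] VALIDSIG <fpr> ... <primary-key-fpr>": compare the last field to the pin.
    printf '%s\n' "$status" |
        awk -v want="$pinned" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

# Constructed demo data: throwaway keyring, hypothetical sender, sample notice.
setup_demo() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d) && chmod 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Bank <notices@bank.example>' default default never \
        2>/dev/null || return 1
    # The first "fpr" record in colon output is the primary key fingerprint.
    PINNED_FPR=$(gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'Your statement is ready. Balance: 100.00\n' > "$GNUPGHOME/notice.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign "$GNUPGHOME/notice.txt" || return 1   # writes notice.txt.asc
    # Same signature block, altered body: stands in for a forged notice.
    sed 's/100\.00/900.00/' "$GNUPGHOME/notice.txt.asc" > "$GNUPGHOME/forged.asc"
    gpgconf --kill gpg-agent 2>/dev/null   # verification needs no agent
    return 0
}

setup_demo || { echo "gpg setup failed" >&2; exit 1; }
for f in notice.txt.asc forged.asc; do
    if verify_notice "$GNUPGHOME/$f" "$PINNED_FPR"; then
        echo "$f: ACCEPT"
    else
        echo "$f: REJECT"
    fi
done
```

Only the text between the `BEGIN PGP SIGNED MESSAGE` header and the signature block is covered; anything else in the mail, including its headers, is unauthenticated.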