US banks that can send PGP/MIME e-mail

Nomen Nescio nobody at dizum.com
Sun Mar 3 11:24:43 CET 2013


On 2013-02-23, Jerry <jerry at seibercom.net> wrote:
>
> Well, each to his/her own I suppose; however, I would not approve of
> the file being sent to my PC regardless. There is always the
> possibility of the email being intercepted and exploited or my PC being
> compromised.

There is a security element to this, but it actually works the other
way around.  SSL is considerably *less* secure than an openPGP
message.  Here's why:

  * CAs: SSL requires you to trust a certificate authority (and to
    date CAs have already been exploited).  

  * MitM: There are also a number of MitM techniques that work on
    HTTPS connections.  One attack that comes to mind involves
    establishing a non-SSL connection to the customer.  They get no
    pop-up about a bad cert because there's no cert involved.  The
    attacker even uses an icon of a padlock for the site, so if the
    customer is careful enough to look for the padlock, but not
    careful enough to look where the browser puts it, they will be
    fooled.  Alternatively, an attacker can simply use an untrusted
    cert knowing that many people will just click through their
    browser's popup warning anyway because they cannot be bothered.

  * Phishing: There are many tricks that bait customers into logging
    into a rogue site that masquerades as their bank's, ultimately
    creating a compromising interaction that would be avoided if the
    statement were properly delivered.

  * storage: When a customer downloads their PDF statement over https,
    the PDF is unencrypted and it remains in that state, vulnerable to
    anyone who penetrates their home PC.  Securing the storage
    requires additional effort on the part of the customer (generally
    unlikely).  OTOH, if PGP is used, the statement is encrypted in
    storage by default.  A customer would have to proactively decrypt
    the attachment with intent to archive it in the clear in order to
    achieve the same vulnerability as the status quo.

> If I want confidential information delivered to my PC, that should
> be my business. If an institution wanted to offer that option, and
> thereby being issued a release of responsibility, I have no
> objections to it.

You would not need any such release of liability.  All natural people
banking in the US are free of liability per regulation E.  (I say
"natural" people, because businesses do not get reg. E protection).

Although banks bear the liability for poor security choices, they
generally do not care.  They just need a facade that complies with the
poor standards and comforts the relatively street-unwise shareholders.
IOW, they only need to *appear* secure, they don't actually care to
*be* secure.  Hence why they don't bother with PGP.

If banks had a genuine interest in security, they would at a bare
minimum be PGP clear-signing their e-mail notices to customers.  It
would impose no technical changes on their customers, but customers
keen to detect phishing could do so, and the bank could then honestly
say that they've taken an effective step toward mitigating phishing
attacks.  Dumb user tools could then be created that make it possible
for everyone to detect phishing attacks, not just those who are keen.

> I do not consider the clicking on of a secure link and downloading the
> document to be an inconvenience, but rather a security feature,

Requiring a periodic human interaction is obviously less convenient
for the human.  And as I pointed out, it is simultaneously less secure.
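
The kind of "dumb user tool" for clear-signed notices mentioned above, sketched as an added example that is not part of the original post: it judges a notice from the machine-readable `gpg --status-fd` lines and accepts it only when the valid signature comes from a pinned key. The fingerprint, addresses and sample status lines are constructed placeholders, and the function names are hypothetical.

```python
import subprocess

# Assumption: fingerprint the bank published out of band (constructed placeholder).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def evaluate_status(status_text, pinned_fpr=PINNED_FPR):
    """Judge one notice from gpg's machine-readable status lines: (ok, reason)."""
    signers = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary-key fingerprint; on shorter output use field 1.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if not signers:
        return False, "NO_VALID_SIGNATURE"   # unsigned, or nothing verifiable
    if any(fpr != pinned_fpr.upper() for fpr in signers):
        return False, "UNEXPECTED_SIGNER"    # valid signature, but not the pinned key
    return True, "OK"

def verify_notice(path):
    """Run gpg on a saved clear-signed notice and judge its status output."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout)

# Constructed status output for three notices (not captured from a real bank).
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Bank <notices@bank.example>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-03-03 1362306283 0 4 0 1 8 01 0123456789ABCDEF0123456789ABCDEF01234567
"""
SAMPLE_LOOKALIKE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Bank <notices@bank.example>
[GNUPG:] VALIDSIG FFFFEEEEDDDDCCCCBBBBAAAA0000111122223333 2013-03-03 1362306283 0 4 0 1 8 01 FFFFEEEEDDDDCCCCBBBBAAAA0000111122223333
"""
SAMPLE_TAMPERED = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Bank <notices@bank.example>
"""

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD), ("lookalike", SAMPLE_LOOKALIKE),
                       ("tampered", SAMPLE_TAMPERED), ("unsigned", "")]:
        print(name, evaluate_status(text))
```

A clear-signature covers only the text between the armor lines, not the From or Subject headers, so a tool built this way should show the user the verified body rather than the surrounding mail.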



More information about the Gnupg-users mailing list