Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text?

An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"

depends

[bloodhawk]

It really comes down to what their privacy policy says, the country you are in and if they claim they do not share any information with 3rd parties and you were smart enough to use separate email addresses or unique identifying information so you can show the information had to originate with them then in many countries there definitely are legal avenues you can follow. But for the most part you are shit out of luck, find someone else to deal with. I started creating unqiue information that I can easily map to individual sites so I will know who is fucking me over whenever I register somewhere.

Re:depends

[tysonedwards]

Why do firms leak personal details in plain text?
In the words of Tweak Tweak: "Uh... It's easy?"

Re:depends

[AmiMoJo]

They see it as providing better customer service. Instead of an impersonal bulk email they can send you an impersonal form email with the name you entered at the top of it, complete with the incorrect capitalization that so many people seem to enjoy. Why make you go look for your account number when they can just send it to you in every single communication.

Re:

[Pentium100]

It is also useful for proving (not conclusively though) that the email is not phishing.

Re:depends

[symbolset]

Or explained even easier. It's profitable.

Re:

[lightknight]

Exactly. Using token based systems, or really anything with any kind of security increases costs. And a lot of businesses are operating in reactive mode when it comes to IT...you will get what you need only after there is a clear and present need for it. So...upgrades / fixes only happen after a giant leak, or multiple giant leaks, occur. It's all taken from the 'if it isn't broken, don't fix it' ideology.

Re:

[kermidge]

More like "even if it's shitty design, as long as it works, ship it". Management types typically don't think or care much about security even now. If they do get around to security they haven't the knowledge or thinking tools to consider and evaluate stuff - they rely on IT-management types who are often in the same boat but with a tech flavor. Real security would require hiring and listening to people who know this shit and can design and code appropriately. This doesn't happen much, it seems.

For recou

Re:depends

[jellomizer]

For most Security Leak issues, it comes down to a simpler problem.
Most people have crappy computer skills.
You can have a perfect system, but it takes one guy from sales or marketing to take the data, dump it as an excel of csv file and just email it or drop it in a public space because he just doesn't want to be bothered by dealing with IT

XKCD [xkcd.com] kinda shows this problem. We still don't have a good way to transfer files with people on different network. We have the technology but no clear standard.

Re:

[tqk]

XKCD [xkcd.com] kinda shows this problem.

Not really (but thanks for that anyway :-). My free email acct. allows attachments as big as 50 Mb.

Re:

[clgoh]

But maybe not the recipient's account.

https does not mean they are stored encrypted

[Anonymous Coward]

https is designed to prevent others from intercepting the traffic en route - it has basically nothing to do with how the data are stored. Should everything be encrypted? Yeah. Passwords should be salted+hashed+more because the company has no valid reason to know what the plaintext is. I hope that if I am buying something that they have a valid reason to know what the plaintext version of my address is - I don't think the USPS is that good (yet).

Re:https does not mean they are stored encrypted

[Anonymous Coward]

He's not claiming that the data is stored encrypted. All he is saying that the data he sends encrypted shouldn't be sent back to him unencrypted later.

Re:

[Gonoff]

He's not claiming that the data is stored encrypted. All he is saying that the data he sends encrypted shouldn't be sent back to him unencrypted later.

He seems to be mainly saying tht he does not like his address getting into the hands of other parties.The fact that these other paties don't give a toss about his privacy does not really seem surprising.

Re:https does not mean they are stored encrypted

[gbjbaanb]

and his solution is to mail the IT department at the company, like the PHB there gives a fig (or possibly even understands the problem)

When he should do is mail the legal department instead, or failing that the CEO or CIO. They might not understand the situation either but they'll understand the words "privacy" and "violation" and sit up, then they'll pass the blame on to the IT PHB and he'll have to "just fix it" in some way. Which he will do by getting an underling to remove most if not all of the personally identifying information from all emails in a overly-broad way, until the Marketing department decides it needs to put your address on every email all over again.

Re:

[bwcbwc]

Well, that plus the fact that by sending an unencrypted email that is stored on the mail servers of an unknown number of ISPs and mail forwarders, they are (probably) violating the privacy notice that says they are only sharing his data with affiliated parties, government, etc.

I was going to suggest S/MIME backed by certificates issued by a low-cost/free certificate authority (this would be a good service for the Open ID foundation or Amazon to get into, since they already have a widely-used SSO service), b

Re:

[greg1104]

Perhaps he should stop using shitty email providers that don't support smtp/imap encryption then.

There is no reason his email has to be unencrypted. Mine sure as hell isn't.

Your incoming mail can easily be unencrypted for some number of hops between the sender and your ISP. There aren't that many SMTP systems that support transport encryption still. And I would wager the odds someone sending this sort of message is sending is originating via an unencrypted channel is even lower than average.

Re:

[Attila Dimedici]

Are you saying that you have a way to prevent someone from sending you unencrypted email?

Re:

[Attila Dimedici]

The person I responded to seemed to imply that you can force other people to send you encrypted email. I was under the impression that whether or not email is encrypted is decided on the sender's end of the connection. Are you telling me that you can impose encryption on those who send you email? That you can stop them from sending unencrypted email?

Re:https does not mean they are stored encrypted

[ArsenneLupin]

No smpt doesn't support encryption between servers.

Actually it does [ietf.org]. But obviously both servers (sender and receiver) must be configurered to use it (which most aren't, unfortunately). And sender must be configured to check receiver's certificate (which even less are).

It's not a protocol issue, but a configuration issue.

And knowing this, it is indeed unwise to include such confidential info in an e-mail.

Re:https does not mean they are stored encrypted

[KiloByte]

It's opportunist encryption, which is worse than worthless, as it gives a false sense of security. All you need to defeat this encryption is to interfere in any way with the encrypted connection, SMTP is required to deliver the mail in plain text.

GPG is not a real solution as even no one among technically minded people I know uses it for encryption. Signatures, yes, especially in Debian where around 50% of posts on mailining lists are signed, but, I recall exactly one case when a piece of sensitive data I received was GPG encrypted.

But. an easy solution does exist: DANE. It's the only way to make that opportunist encryption mandatory (servers are required to abort delivery in face of failure), and DNSSEC prevents DANE settings from being stripped away by an attacker. Obviously, you need stapled certificates rather than mere CA selection, but that's common sense. With that, server->server and possibly client->server communication is secure, and when IMAP is protected by DANE, server->client as well. Local storage remains in plain text which is an obvious problem, but at least that is outside the topic of this discussion.

The problem is, I'm not aware of any mail software that actually uses DANE yet :(

Re:

[symbolset]

HTTPS means that you have a securely encrypted connection with the remote server. Not that the people who own the remote server are going to keep your privacy sacred.

Re:https does not mean they are stored encrypted

[ArsenneLupin]

HTTPS means that you have a securely encrypted connection with the remote server. Not that the people who own the remote server are going to keep your privacy sacred.

But it does mean that nobody on the path can listen in on the connection. Which is defeated if then the same info is sent back over an unencrypted channel.

https has no bearing

[bcjanes]

The reason you get emails with your personal information has nothing to do with https (secure) v/s http (insecure), it has to do with the company you did business with sharing/selling your information with their 'business partners' and / or selling it to marketing companies, and the tracking cookies from other websites you've visited.

Re:https has no bearing

[Anonymous Coward]

Gibberish. It has to do with the company not realizing that email is insecure.

Re:

[Architect_sasyr]

AC has a point. This is why you get companies (here's a local example: http://www.attache.com.au/products/attache-accounts/ [attache.com.au] ) who give you your pay slips via HTTPS (because it's secure) but have the beancounters email through the base files in plain text (because they've got no idea how any of this works).

Name and address?

[scottbomb]

People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

Re:Name and address?

[Anonymous Coward]

The thing that gets me is that when people give social security numbers, they always give the last four digits. The problem is that those are really the most sensitive for anyone who got one before the year 2011. I met a guy in college who could construct a whole SSN using your place of birth and birth date. The reason is that the first 3 represented geographic location and the middle 2 were given out in a certain order. The last four ticked up for each person assigned and where therefore the hardest to narrow down and guess. The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

Re:Name and address?

[Anonymous Coward]

The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

Or we could just go with digital signatures aka RSA. It is 2013. Why the fuck are we still relying on a system that, each time you identify yourself to someone via SSN, you give them the non-revocable ability to impersonate you forever? It is earth-shatteringly stupid.

Re:Name and address?

[Bing Tsher E]

The Government could fix the whole SSN issue by doing something direct and simple.

Publish all SSN's in a big directory.

They were never intended to be 'secret numbers' that would be used to validate anybody's identity. They were registration numbers for the Social Security System.

Publishing them ALL would force businesses and organizations to come up with real 'secure identifiers.'

Re:

[zyzko]

This,

I do not live in the US, and we do have here (an evil and communist) centralized SSN system.

Still, companies and even government agencies sometimes (although they are getting wiser...) use SSN's as passwords when they should not - SSN should be public, your "GUID", and just identify that "I am this person", but not verify that identity. It is stupid - because once the SSN leaks out it is extremely hard to change, and you can't manage your identification method on per-service basis (on some less importa

Re:Name and address?

[Anonymous Coward]

Well since it's no big deal, what is your name and address?

Re:

[Sesostris III]

There is a difference in having your name and address returned to you in a plain text email, and having it publishing it on a site like Slashdot.

To be honest, I always thought the secure information was the credit/debit card number. Now it that was sent in a plain text email I'd be annoyed.

Re:Name and address?

[Zontar The Mindless]

I am sure that the incredible fucktards at Air China who sent recently sent me a flight confirmation would like to know that.

It contained my full legal name, home address, and phone numbers. This does not bother me so much, as this is Sweden where most information of this sort is considered public knowledge. Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much? Feel free to hop on over to Skatteverket and file an info request.

The email also contained this:

Identifying document: US Passport
Identifying document number: #XXXXXX
Identifying document valid until: xxxx2020

Until 3 days ago, as I have not yet actually used this passport for travel, the only people on Earth who knew this number were me, the US Dept of State, and the Swedish Migration Bureau. Now who the fuck knows. Who THE FUCK knows.

And my girlfriend cannot understand why I threw a fit over this, or why I am talking about legal options.

Re:

[phantomfive]

Is the passport number actually useful for anything? I can understand the desire to not send it in plaintext, and I would have been upset if that happened to me too, but I'm having trouble thinking of what an attacker could do with that number.....

Re:

[Zontar The Mindless]

Use my passport number plus my full legal name and DOB to forge a passport that might easily pass for the real McCoy in some places.

Airports all have RFID/barcode scanners now, but there are many other ways into and out of countries. E.g., when I visited Cambodia a couple of years ago, the Khmer border guards at both Poipet checkpoints just looked at the photo, wrote down my name/nationality/passport number in their list, and waved me through. (No, I did not merely visit the gambling "free zone", I actually

Ya but

[Sycraft-fu]

In those places, a $100 bill would work as well or better than a passport for getting through checkpoint guards. The idea that someone would bother with your passport number in trying to forge a passport to get through there is rather laughable, since they didn't even bother to check said number to see if it was legit.

At a border with better security? Not going to work. Passports have a lot more security to them than that, particularly now.

Basically if places have weak security, the have weak security. Someone isn't going to bother to try to get a legit name and number to forge a passport. If they have tight security, then it wouldn't do any good as they check the other features, which wouldn't match.

Re:

[ratnerstar]

"I have all the expensive and complicated tools I need to make a counterfeit passport, but I lack some random dude's name and passport number to put on it! Curses, foiled again!"

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[caluml]

"Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much?"

Yes! Finally!

Re:

[Zontar The Mindless]

If you reside in Sweden, you must by law register with the Folkbokföring (civil registry) and you must update your record with them when you move (got in a spot of trouble over this when I bought a place here and moved into it because I didn't then know about the registry or the law), so finding someone's address is dead simple. Your personnummer ("personal number"), which contains your DOB, is also a matter of public record.

Re:

[war4peace]

I fully agree; when I see someone saying "my name/address is private information" I feel like cracking a big smile. Or pitying them. Whichever comes first.

Re:

[Sesostris III]

It's worse than that. If (say) buying something from Ebay, you need to share your name and address, else how are the third party going to get the physical goods to you?

What they don't share (and which I always considered the important reason for https) are your payment details.

Actually, as I often send stuff either to my work address or to friends and family, I like having the destination address recorded in an email so I can confirm it is being sent to where I want it to be sent to!

(Interesting po

Re:

[jones_supa]

People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

Remember that the e-mail contains a lot of other information than just the name, address or telephone number. It gives it much more context than just picking some random contact from a phone book.

Re:

[msk]

Week before last a mayoral candidate here mailed pre-printed absentee ballot requests to lots of people in the city.

On postcards.

They didn't apologize.

I'll be voting for someone else.

The reason is simple...

[bogaboga]

...You're dealing with human beings, and human beings make mistakes.

That's why.

Re:

[SeaFox]

...You're dealing with human beings, and human beings make mistakes.

That's why.

Let's not assign to incompetence that which may simply be apathy.
For personally identifiable information that is non-sensitive, is there any reason they should care about taking measures to secure it (especially when it's not their own)?

Because it's not important?

[Okian Warrior]

Why should they care?

There's no benefit to them keeping your information safe, it costs them time, money, and effort to do so, and there's no real consequences when they screw up. They will just put out a statement saying "all of our customer information was stolen, we recommend everyone change their password, and the hole is now patched - it can't happen again!".

Also, they can blame the thieves. "It wasn't our fault, it was that scoundrel who noticed that you can change the account number in the URL to get into someone else's account."

As to "we value your privacy", what does that actually mean? It means that companies have discovered that people trust companies that make that statement, and are more likely to purchase from such a company.

That's all it means, and no more. It doesn't mean that they care or that they abide by the statement, it means that they think they can get more business by using that phrase liberally in their public-facing documents.

You're living under the naive assumption that companies mean what they say and will do what they promise. They do what the consumer protection laws force them to do - any statement that reflects these laws is probably true, while the rest is simple puffing [thefreedictionary.com].

Re:

[King_TJ]

Sure... but even if they really DO care, who's to say they just weren't successful at keeping your info safe anyway?

I've been saying for years now that "computer security" is largely a sham. Time and time again we find out that the biggest manufacturers of anti-virus software are companies run by shifty individuals with poor coding abilities, and respected makers of firewall appliances and routers sourced components from countries like China which had back-doors built into them at the processor level. Encry

Re:

[El Capitaine]

The great thing about those pre-fab solutions is that when someone DOES steal consumer data, you have a scapegoat too!

Well also how are you supposed to store things?

[Sycraft-fu]

See if the point of someone having your information is to, well, be able to access your information then it needs to be stored in that format. A password can be hashed, but something like name and address needs to be stored in text. Encrypting it is the kind of thing that does a limited amount of good. They may well encrypt it on disk, but the software that accesses it still needs to be able to decrypt it, wouldn't be of much use if it couldn't. So if someone busts in through a problem in the software, they

Re:

[chrismcb]

Why should they care?

There's no benefit to them keeping your information safe, it.

Perhaps that is the reason why the asker asked if there was legislation dealing with this. Then the corporation might care.

The usual ID 10 T error

[dbIII]

It's just like some fool sending you an encrypted archive with the password in the same email. It looks cool and they don't know how much of a useless waste of time it is. The actual gatekeepers only get the superficial cargo cult appearance of security from the people that should be the gatekeepers, but that's seen as OK since you'd need to employ somebody to do it all properly. Putting on a show is cheaper.

Key + lock together means why bother to lock?

[dbIII]

It looks like you missed the entire point - if you include the password in the same email as the encrypted file then there was no reason at all to encrypt it in the first place other than a waste of time and a cargo cult illusion of security. Sending the attachment in plain text makes more sense in the situation since all the encryption does is waste time. Less of an idiot would contact you, give you the password, then send the attachment WITHOUT the password - just like how the banks don't send you the A

Passwords

[darkain]

Last year, I switched ISPs... My new ISP emailed me my password in plain text as a "confirmation" after signing up for my account. Needless to say, I was horribly pissed off about it.

Re:

[thegarbz]

I fail to see how this is a problem. The ISP will track your IP assigns and logins anyway to ensure you're not "sharing" an account.

Found that out rather quickly when my sister's router died and I gave her a spare I had here. She was surprised at how plug and play everything was and I got a nasty phone call at the very start of the next business day saying my account has been flagged as two people are logged in from two different IPs. The guy on the phone was able to give me the address and everything.

This

Don't worry about it

[iceco2]

The question is, who are you worried will find this super secret sensitive information (Your name, address and fact you use the site)?
The government? They don't need to intercept the e-mail they have easier ways of knowing it?
Some criminal targeting you specifically who manged to intercept this e-mail? He already knows who you are all he learned is you use this site,
simply seeing the IP is enough?
Some random script kiddie on the internet? intercepting e-mails is not that easy, yes they are in plain text but they are not broadcast over the internet for everyone to see
you have to position yourself along the route it travels (and this route normally doesn't change much) and attack somewhere along it, not impossible but hardly effortless. and why would he?
Which only leaves corporate espionage targeted against the site you are visiting, which though more likely then any other vector still seems a bit far fetched, and in the end all they learn is your name&address.
There are plenty of serious threats out there on the internet, this doesn't seem like one of them.
focus your worrying else where.

Re:

[ArsenneLupin]

I think it depends which info exactly is in that mail. Sure firstname and lastname are hardly confidential. But often these confirmations also contain credit card numbers, social security numbers (if the site asked for it), and other stuff you may not be confortable sharing with the world at large.

It's forbidden in places with sane privacy laws

[Etylowy]

is there any legislation — in any territory — which addresses this?

It's forbidden in Poland. Similar rules apply in many european countries

encrypted email is not standard

[Khashishi]

If they offer the option of encrypting the email, it's not going to work for 99.9% of people anyways.

Re:

[FireFury03]

Yes, it is standard. Go look up S/MIME.

Re:

[thegarbz]

You are talking about A standard. The OP was talking about THE standard.

I can categorically say in the last 20 years I have not received an email implementing any of S/MIME. S/MIME is only marginly more wide spread than RFC1149 [ietf.org]

What's sensitive?

[Todd Knarr]

Your name, address and phone number are published in the phone book. What's sensitive here?

On a Web site, it's done over an encrypted connection not to protect the information but to prevent a third party from sitting in the middle collecting payment information. The combination of personal information with payment information (credit card number and expiration date), that would be sensitive. On their own either set of information should be non-sensitive, but combined it's sufficient to pass the authentication checks merchants and credit-card companies do. But just personal information without any associated payment information, what's anyone going to do with that that they couldn't do by looking through your local phone directory?

Speaking as someone who has worked on Retail sites

[Anaerin]

Generally speaking, retail sites (Ones who have the really important information, like credit card numbers and the like) also only store hashed passwords. So asking for a password will get you a temporary link e-mailed (usually requiring further security questions) to set a new password. Other personal information, your name and e-mail address, are not considered worth securing, as you automatically send them out with every message you send, and all your mail is invariably addressed to you with your full name by your other contacts.

Postal addresses are generally something of a grey area. On the whole, they're not particularly secured (Anyone who was determined to find out could find your address from the phone book, electoral roll, or other public list). Credit card numbers are typically secured by removing/obscuring all but the last 4 digits, and items ordered are again typically treated as "Better to include with a receipt, as a double-check, than to exclude".

There is, as always, a fine balance in the "Privacy is required" to "more information is better" debate, but leaving that aside, while SMTP is a plain-text transfer medium, it generally requires quite a lot of work to actually get someone's details. For instance, you have to:

• Poison a DNS record for a particular host (To point mail traffic at your server), or somehow spoof an IP address/routing record on the open internet

  Note, this will have to be done for the SMTP server(s) of the particular provider's message you want to intercept

• Intercept the particular mail message you want (There's going to be a lot of mail coming through, most of it inconsequential)
• Forward all the mail you've received on to the correct host (Which will be tough if you've grabbed their IP address(es)).

  If you don't do this, the provider will quickly notice they're not getting mail anymore and try to find out why, which'll get you discovered quickly

• Find some way to actually use the mostly useless information you have gleaned.

  So Mr. John Smith lives at 1234 Anyroad, Someville, KY, and bought a can of compressed air and a USB mouse... So what? Start flooding him with ads for compressed air products? Offer him hot USB on PS2 action from waiting serial mice in his area? That'll get you some sales... NOT. Oh, and you can buy that kind of information already, from his credit card company or bank (who make a very nice profit selling those details anyway) for considerably more cheaply and easily than poisoning the entire internet.

This isn't easy, or practical. Sure, if you want to, you can do it, but what is the point? If you're stalking them, there's much easier methods (going through their trash, trawling public records, google searching their name). If you're selling to them, there's easier ways (Buying details lists from credit bureaus, mass mailing).

The problem of secure e-mail has been around for a long time, and many solutions have been proposed for the problem (S/MIME, PGP, Domainkeys), but it's largely a chicken-and-egg problem - Secure mail systems are not universally supported, so it's not used/Secure mail systems aren't used, so they're not supported. Solving this problem is left as an exercise for the reader. Obviously.

Re:

[ArsenneLupin]

Oh, and you can buy that kind of information already, from his credit card company or bank (who make a very nice profit selling those details anyway) for considerably more cheaply and easily than poisoning the entire internet.

Scary. Fortunately, in my country we have banking secrecy laws. Ooops, had. Most people are concerned about the tax man, but these shenanigans are actually a much bigger threat when banking secrecy goes away.

Fake Name

[Charliemopps]

Fake Name... Most emails I receive from such sites start with "Hello Gofuckyourself!" etc... if you want to be creative you can tailor the message to be as entertaining as you'd like. As an added benefit, if you give a different name at each site, when you get spam, you can know who sold your private data.

Password recovery

[hendrikboom]

There's a usual mechanism for password recovery -- tell the site your email address, and it emails you your password. This personal information is sent unencrypted. It's not clear how this would work on encrypted email, because it may also be the email decryption key you've forgotten. Or your password safe's passphrase.

Any suggestions?

Plain text in Snail Mail

[slashkitty]

Another problem I'm having with companies is after I opt for electronic communications, they still send me postal mail. Ads, confirmations, account info. I try to explain that I don't want any postal mail coming to my house. I don't want all my account details going past housemates. I consider online communication to be more secure. How can I get them to stop exposing my personal information?

welcome to walmart i love you

[Progman3K]

Because they're obviously paying top-dollar for their staff and listening to their suggestions

Why isnt encryption on by default?

[Marrow]

I mean, why doesnt thunderbird or iceferret or basically any client "generate a key" like ssh does when its instantiated. Why cant the clients have a button to distribute the public key whenever its appropriate? I see no reason why this level of security cannot live on top of ssl. "You have just uploaded your public key, would you like all email from us to be encrypted using this key before we send it?"

Re:

[Marrow]

By instantiated, I mean either the first time the product is used, or when the local email setup is created.

Legislation addressing this

[Culture20]

I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation â" in any territory â" which addresses this?"

They might be able to sue you for spamming them, but I doubt they have a case.

Re:

[lemou]

Exactly, and their Term Of Services (if there are any), are probably not as secured as their website's sockets.

Re:HTTPS means something specific

[Anonymous Coward]

I believe that his point was that the exact information that was sent encrypted is now being sent in plain-text over email. So, what's the point of using HTTPS to send private information if it's leaked right back through plain-text on port 25, and what can be done to tell companies to stop forwarding all those details through emails. Maybe they could email a link telling the user where to log-in to see his invoice instead of forwarding all his private information through email.

Re:HTTPS means something specific

[Etherwalk]

So, what's the point of using HTTPS to send private information if it's leaked right back through plain-text on port 25

A locked front door and an open back door is better than two open doors. Although yes, they should lock the back door. What we really need is industry-standard secure-ish email.

Re:

[FireFury03]

That's what S/MIME is for... unfortunately no one uses it.

Re:HTTPS means something specific

[heypete]

Interestingly enough, several Swiss banks do. My bank, PostFinance (the bank run by the Swiss post office) uses S/MIME to sign all outgoing mail, including their periodic newsletter. No confidential content is ever sent via email -- users are directed to login to the (https-enabled) website to view the sensitive information. All PDFs, such as account statements, are digitally signed and timestamped by a third-party timestamping service to prove their authenticity.

It's nice to see *someone* getting it right.

Re:HTTPS means something specific

[FireFury03]

Interestingly enough, several Swiss banks do.

Swiss banks must be decidedly more clueful than British ones then. Most of the British banks seem to think that putting some easilly obtainable PII in a plain text email allows you to authenticate it.

A few years ago, the Nationwide took to sending me marketing email that:
1. Came from a domain other than nationwide.co.uk.
2. Included web links to their product descriptions, but also not at nationwide.co.uk (can't remember the exact domain, probably something like nationwidebanking.co.uk or nationwideonline.co.uk - either way, something that could easilly have been registered by a third party.
3. Included the first half of my post code.
4. Wasn't electronically signed.

I complained to them, pointing out that although the stuff they linked to didn't actually ask for any personal account details(*), they were basically muddying the waters when it came to people being able to identify phishing emails from legitimate emails and that they were training people to expect legitimate emails to employ exactly the same properties as phishing emails, which is obviously very bad for security. I also pointed out that it would be better for them to use a technology like S/MIME to allow the user to authenticate the email, rather than some trivially publically available information like half a post code.

They responded - basically they couldn't understand any of my points about why what they were doing was a bad idea or why a postcode isn't suitable authentication criteria.

I escallated the complaint to the regulator. They refused to get involved.

In the end I ended up closing my Nationwide accounts - mainly because of several repeated screwups, one of which almost caused a house purchase to fall through (which they compounded by refusing to talk to me about when I was trying to sort it out); but their utter lack of clue about security certainly played a part.

Unfortunately, since that time, almost all the banks I use have started doing similar stuff. I brought this up with a friend who works in the highstreet banking sector (although not on the IT side) and he pointed out that the banks are generally not interested in security, they only want to limit their liability - if a bank were to sign all their emails and their key got compromised then the bank would be liable, whereas if the customer hands their details to a phisher because the bank has trained them that they should expect legitimate emails to look like phishing emails then the customer is liable.

No confidential content is ever sent via email -- users are directed to login to the (https-enabled) website to view the sensitive information. All PDFs, such as account statements, are digitally signed and timestamped by a third-party timestamping service to prove their authenticity.

I would find it very useful for banks, credit card companies, etc. to email my statements to me (encrypted and signed), as this would allow me to automate archiving of them. It seems very unlikely to happen any time soon though.

Here's a good example of bad email from a bank - in this case, Capital One, a credit card issuer, they email me monthly to say my account statement is ready for download from their website:
1. The email comes from capitaloneonline.co.uk - why not capitalone.co.uk, which is their usual domain?
2. It includes my name and the last 4 digits of my credit card number and says: "So you know that emails we send are genuinely from us, we will always quote the last 4 digits of your account number." - my name, card number and the fact that the card is issued by Capital One are going to be known by *anyone* who has accepted payment from my card. Not exactly great authentication credentials.
3. It includes an "access your account" link, which takes me to the sign-in page on the capitalone.co.uk site. At least they're using the right domain this time, but still it seems risky training people to click rand

Re:

[blackraven14250]

I'm going to take a stab at this, and guess at least #1 a UK thing, because Capital One in the US sends email from their normal domain. The rest still applies though. The other two banks I deal with are regular bank accounts, so the last 4 digits are much less likely to be linked to a full account number, but the presence of links in the email still doesn't sit right. TD Bank doesn't include a link to their site in the email, and they're probably the strongest of the three overall in terms of security for p

Re:

[FireFury03]

The other two banks I deal with are regular bank accounts, so the last 4 digits are much less likely to be linked to a full account number

My "regular bank" credit and debit cards have both the Visa/Mastercard number, *and* the bank account number printed across the front of the card. I wouldn't mind betting that both numbers are encoded on the magstripe, although its very rare for cards to be swiped these days (I'm not entirely sure what data retailers get to see during a chip&pin transaction though).

Re:

[blackraven14250]

Of course the card number is on the card itself. You need it for a whole lot of things, ranging from online transactions to ordering pizza. If you can't keep the physical card secure, that's your problem. I'm not so keen on having the bank account number on it, but it follows the same general principal - if someone has physical access to your card, they aren't going to be able to do any worse with that extra information than the card itself. Think about it - it's a debit card attached to a bank account. At

Re:

[tibit]

Never mind that the last time I was there, one could get a chip card that served as an ATM card, a payment card, a transportation discount pass with your picture on it, and I'm sure I'm forgetting a couple other things.

Re:

[Gonoff]

What we really need is industry-standard secure-ish email.

In the UK we have http://ico.org.uk/ [ico.org.uk] and the rest of Europe has something comparable. The problem is that corporations from your side of the pond don't like it. I think it has even been reported to the WTO as an illegal restraint upon trade.

Many companies make mistakes. Some large, US based, "international" corporations see it as their duty to break civilised laws.

Re:

[ArsenneLupin]

not some bounced tracker through a third-party mailer outfit

Good luck with that! If even the pirate party can't get this right, how will business ever get it?

Re:

[Bert64]

The problem here is with how html links work... the link description (ie what you see) doesn't need to relate to the actual url (the href), so you often see a link which looks legitimate but actually goes to a malicious site, and many mail clients (and even browsers these days) dont make it easy to see the actual url. This is why slashdot puts the actual domain name inside square brackets after every link because it's far too easy to disguise a link to goatse as something else.

So your mail ends up looking j

Re:

[war4peace]

Since when are real name and address called "private information"?
Aren't they public info?

Re:

[Gonoff]

Since when are real name and address called "private information"? Aren't they public info?

Where I work, 3 pieces of personally identifiable information together are considered to make the whole thing trackable directly to you. This is any three of a list that includes things like...

forename
surname
email address
a previous IP address
account number
username
zip or postcode
the fact that you have already done business with them or "sister company"
and so on...

It's not that they are secret but the combination of them can reveal information about you to someone else without your consent.

Re:

[dirk]

The issue is that what is complaining about isn't really private information. Yes, the page he is entering the info into is https, but that doesn't mean everything on that page is private info. It is secure page to prevent man in the middle attacks for things like credit card numbers. Your name and address are not at all private information and can be found out in any number of public records (including telephone books). Just because my favorite type of ice cream is sent to someone on a page that is https

Re:

[Zontar The Mindless]

We'll always have Blade Runner.

Re:

[grahammm]

But it not his email provider which is not encrypting the connections, but the supplier's email provider over whom he no control.

Re:

[Anonymous Coward]

I think the analogy would be whispering something into the company's ear, then having the company yell loudly back "OK, Bob Smith, you ordered a 5-month supply of boner pills, and is your phone number still 867-5309?!" I think the lack of conceptual security awareness contiguity evinced by the rather ramshackle habits of securing one transmission via HTTPs on the one hand and then not securing a future transmission in any way shape or form on the other hand is what seems to have irked the anonymous reader.

Re:

[tftp]

the rather ramshackle habits of securing one transmission via HTTPs on the one hand and then not securing a future transmission in any way shape or form on the other hand

How would one secure an email? Existing S/MIME and PGP are not commonly used.

A company cannot abandon email because it's the only notification method that is guaranteed to be delivered to the purchaser of goods. If you just show a confirmation number on the screen in big bold red letters and ask to write it down, 99% of customers will

Re:

[El Capitaine]

Or just not enclosing personal information in an email? Examples: Never send anyone their current password via email (even if it's at account creation and it's salted/hashed in the DB). Other secure information such as credit cards, ssns, etc......why send them via email? Just say 'Hello , there is issue with your account. Please login to to correct it.' Or lets say we consider receipt of medication purchases private.....have the confirmation email just show the price and delivery address and block ou

Re:

[tftp]

Most people would find it inconvenient when an important electronic receipt comes with all important fields blacked out. When I buy for a company online I forward these receipts to the accounting. What would I do if the email doesn't say what I bought, how much I paid, what c/c I used, and so on?

I understand that it is perfectly possible to have a purely HTTPS online store, without using email at all. You could print your receipts securely on your local printer (or into PDF) and submit those. However har

Re:

[HJED]

Um, SMPT dose not use encryption between mail servers, it is older then TLS and whilst there are secure extensions to the protocol for client/server interactions there is no TLS protocol for server to server interactions.
It is possible to encrypt emails with private/public key combinations, but I have never seen an ecomerce site do this.

But not what you just said

[dutchwhizzman]

Whether or not the information is encrypted is not important in this case. It may be to you, but it's not to the party you are dealing with. The big deal is that you can be reasonably assured that you are in fact dealing with that party and not someone imposing as them, or someone intercepting the communications between you and them. HTTPS will always sign each data transmission, making it virtually impossible to alter the data under way or to have someone else impose you.

HTTPS is seldom about privacy, espe

Re:

[ArsenneLupin]

is thus not going to be caught by a man in the middle attack.

... which is nicely defeated if the man-in-the-middle can just grab it on the way back. So yes, the complaint is relevant.

Re:

[darkain]

The problem is, how do you know which companies do this, until AFTER the fact? The OP stated it came in an email, which is after the fact.

Re:

[Quasimodem]

Your payment is sacred. All other, not so much. (Fixed)

Re:

[lxs]

Because every byte is sacred,
Every byte is great!
If a byte gets wasted,
God gets quite irate.

Let the user spill theirs
On the dusty ground
God shall make them pay
For each byte that can't be found.

Every byte is wanted,
Every byte is good.
Every byte is needed,
In your neighborhood.

Re:

[anyaristow]

I've never seen that for sites that deal with sensitive information, like payment info. If someone manages to get one of my web forum passwords, what gain is there in exploiting it? It's an argument for not reusing passwords, but not a call for much alarm.