Think that's bad?

The Co-Op bank's automatic phone-computer-thingy called me last week. The first things it wanted were my date of birth and credit card details. Clever, eh?

Paris because it combines gross stupidity with unwise public behaviour.

Imprint of house keys too?

Yet more proof that nobody has any clue what they are doing anymore.

I would love to hear the excuses from them when all this information ends up on a laptop, on a train, with auto login enabled, and all data in plain text, as this seems to be the norm now.

Doh!!

Email business letters

I thought it had been decided that email constitutes a business letter, and as such must contain the registered company name and address... which equifax's doesn't.

Also, the standard disclaimer at the end of their message seems to acknowledge that email sometimes goes astray... seems very contradictory to their request!

As much as I don't trust the postmen/women, some things are better done with snail mail.

This happened to me as well

I placed an order with J.R. Music World via Amazon.com (in the US) using a Visa with a non-US address. About a day after I placed the order, I got an e-mail from JR requesting that I reply with a front and back scan of my credit card. They didn't want to process the order because of the international billing address.

I would not be surprised if this happens frequently. Mail-order companies ask for faxed copies of credit cards if they're not certain about the identity of the customer. The Internet equivalent is a digital scan/photo by e-mail.

The irony of this---increasing the risk of identity theft with extra measures to verify identity---is not small.

Information Obstacles

Another daft example: egg (yes, *that* egg) was perfectly able to check my identity to the level necessary to support a card application, but then decided that I needed to supply further identification at the point I wanted them to give me the contents of the file relating to that application.

Part of the trouble seems to be that the Information Commissioner's standards for identity checking are more specific than those applicable for money-laundering - and part seems to be the general stupidity of the financial services companies (to whom, don't forget, those sub-prime Structured Investment Vehicles seemed like a good idea).

Getting your credit report by post is always a good idea since the £2 charge is regulated by law: get the report online for however much the agencies think they can get away with and you'll only see the same data.

Human Error?

my arse....

That form doesn’t look at all like the sort of thing that one agent has come up with in response to one request, my guess is it’s a standard communication they use over and over again in response to these types of queries

This would indicate a process failure and at least a failure in work instructions

If whoever wrote the communication is sufficiently inexperienced to not know what they are requesting is crap, then what are they doing writing it, much less communicating it to other staff?

If this is one agent who has decided to go it alone then why? Why did he feel he needed to? What was so wrong with the work instructions and tools he was given that they necessitate writing your own documentation for basic requests?

I would imagine that for a credit reference agency the communications involved in “please confirm you identity” are bread and butter, used every day. For such an agency not to have an arsenal of relevant, pre-prepared literature on hand is ridiculous and smacks of amateur hour

I’ve spent the last 10 years amongst other things working with a variety of helpdesks and helping them create and maintain processes and work instructions. In my experience helpdesks sending out standard mails containing glaring errors like this is nearly always a big red flag

Either they are lying about simple human error (and the implication that the human involved was low key) or the department involved has little oversight and is forced to come up with its own processes etc at a low level, constantly winging it. Scary situation since these are the self appointed guardians of your credit reference

On the other hand it would help explain why so many people I have known have ended up with such glaringly obvious errors on their credit reference

What a joke!

Secure email box ?

Do the monkeys at equifax not know that email hops through 100's of computers before it arrives in their 'secure box', giving anyone who has the tools 100's of opportunities to intercept the email and send it on without anyone being any wiser?

No wonder we live in this age of fraud and theft..ignorance.. it's not an excuse!

Still better than Centrica

The "Security Specialists" at British Gas/Dynosecure asked me to send all contact details and my PASSWORD in clear text over email to them. Along with full address information in the mail which house and phone number it is about.

They also did not reply, confirm or by any means acknowledge an email sent to them on the subject

That is called largest UK security specialists at their best. British Gas fronts for Group4/Securicor so this statement is fully factually justified.

Tagging this with Ms Hilton as she is probably more qualified regarding security than one of the largest home security providers in the UK.

Promoting dangerous security practices

This is the most unprofessional piece of tripe I've ever seen from a supposedly reputable online company. Emailing copies of sensitive financial documents? If my bank or financial adviser asked me to do this, not only would I be instantly moving to another bank, I'd be doing exactly what Thomas has done and thow them to the media wolves.

Banks and credit card companies make a big meal out of never, ever using email to communicate sensitive financial data. As a developer of eCommerce websites, I know firsthand the extent of security processes and standards involved in handling credit card transactions online. By asking a customer to submit such information in this form and manner, Equifax has committed a serious breach of the procedures established by the credit card companies. If Thomas' debit card is either a Visa or Mastercard, the response of either company will be to immediately suspend Equifax's licence to conduct transactions through their systems.

In an age when we are pulling out all stops to educate John Q Public about security awareness, this level of incompetence cannot go unpunished. Such idiocy reflects badly upon everyone in the eCommerce industry and undermines public confidence in the security of online transaction processing. A full audit of all Equifax systems and procedures is called for; at the very least the IT management responsible for implementing such an insecure system should heavily fined and sacked.

Come on, you've all missed the obvious...

About as bright as a previous ISP of mine who (without being prompted) emailed me "reminders" of my email user account name and password when the time came to renew services. I was aghast and phoned them to complain. I was informed that it was standard procedure as many customers forgot their details and therefore couldn't access their accounts when the time came to renew services. The customer services person was adament that their emails were totally secure and suitable for sending user names and passwords despite being unencrypted.

Only when I complained in writing did the company apologise and change their default "helpful" attitude across the board.

I'm constantly amazed by the attitudes of (IT) companies which should know better. Having said that, most of them probably advise HM Government!

Paris obviously, because even she isn't that insecure - or maybe she is...

Is snail mail any more secure?

We've got a new postman, and everyday seems to bring another piece of misdelivered mail. One last week felt like a bank card. (It was in a "discreet" plain envelope that just shouted "bank".) And presumably there are human beings, aside from the postie and unintended recipients, who have access to snail mail and could pinch, say, 0.05% of that being delivered to Equifax. (And if they're really smart thieves, then, after reading it, they'll put it in a new envelope and add it to the next day's post. Who would know?) I'm probably wrong on the details, but I'm sure its possible for rogue employees to read snail mail.

Is the risk greater than that of a plaintext email be snarfed by someone at an ISP? I can't quantify either. Certainly it's happened. But my emails rarely pass through a dozen SMTP relays (NOT HUNDREDS). And separating the genuine missives from the spam seems beyond human ingenuity. Finding this stuff at the packet level, would be even more impressive - particularly if its a jpeg of a credit card. Surely there are easier ways to get ill gotten gains from the web?

That said, I'd won't be trusting my financial details to an unencrypted connection any time soon. But maybe that's down to my faith in tin-foil millinery. ;-)

This is not good

I for one would be very suspicious of a company asking you to do this it does concern me such a reputable company would start asking this. Anyhow, I have tipped off a relevant organisation who may well be going to have words with Equifaxc very soon as it's helpful to have contacts in this industry.

Equifax will give all your details away to spammers

About a year after I used Equifax (with a unique email address) I started getting spam to that address, it was paypal phising scams!

They tried to tell me that this unique email address containing their company name was randomly guessed by the spammers and yet somehow I didn't get all the other randomly guessed email addresses at my domain.

Email is VERY secure

Why on earth are we all so paranoid about email security? It's just as secure if not more so than the alternatives.

Have you never overheard one of your office colleagues talking to his or her bank and giving out their date of birth and mother's maiden name over the phone? Or passed the office fax machine and seen a forgotten confidential memo there? Or sent something through the post and had it lost? Or taken your utility bill and passport to your local building society branch for them to photocopy, only for them to put it on the wrong pile and lose it or have the office cleaner pick it up off the floor the next morning?

Email is a darned sight more secure than the alternatives, as it goes more or less straight to the intended recipient, and is generally logged in the process. Unless you're the police, or work for the recipient's IT department (in which case why should you be any more untrustworthy than if you work in the post room?), how exactly do you propose going about intercepting someone else's email??

-Rolf

It's so frustrating with free and open public key encryption available.

There is no reason for *anyone* to send you sensitive information or request it without using encryption. It's very easy to use, free to get hold of, and plenty secure enough for this kind of thing.

You can also verify that the email you received was the one sent, that the person who sent it is who they say they are and they can verify that they are in fact talking to the correct person.

All it needs is a secure key exchange.

Email is NOT secure

Email has no security. It might be reliable - but getting less so due to the quantity of spam.

As a former email system admin, I had the ability to look at any email while it was stored in our queue. I had no interest to do so, but sometimes a mail will stick in a queue if there is something wrong with the address for example. In that case, you might look to see if there's something obviously wrong. Addressed to Amason.com, for example. Or sometimes badly addressed emails can loop back.

To repeat, unencrypted email has no security. The chances of someone looking at it are low, but only due to the volume of email in general.

I have sent passwords by email, but not with reference to the account to which it relates. Normally I would send the account name by email and the password by phone.

Hundreds of mail hosts?

To sort out the confusion a little...

e-mails will rarely go through more than a couple of mail hosts. For example, when you're sending e-mail from your ISP to a friend/colleague who works for a corporation, the e-mail will frequently pass through something like this:

1) Your system (of course)

2) Your ISPs internal mail system

3) Your ISPs external mail system

4) The recipients external mail system

5) The recipients internal mail system

6) The recipients system

Of course, this is just a simplistic example. An unencrypted e-mail can be examined (and a copy made without your knowledged or consent) at any of these points.

Now onto the "hundreds"...

Because of the way the Internet works, transferring data between systems can take pretty much any route. Usually these routes are fairly obvious and take the shortest/fastest route (least cost) but in theory there's nothing really stopping some of the data packets going around the world while others just take the easy hop across the street. In any case, you cannot be sure of the exact route that all of the data packets that your e-mail is made up of. If one of the routers that it passes through makes copies of the packets and re-assembles them, you'll never know. It's this enormous unknown that also makes unencrypted e-mails so insecure.

Mind you, you're more likely to "lose" your personal details by printing them out and leaving them on your desk (or by having spyware on your or the recipient's systems) than you are to have Internet routers snoop them from data packets.

@Martin

"As a former email system admin, I had the ability to look at any email while it was stored in our queue."

Of course you could, no one is denying that. As an employee of the organisation concerned you can read emails. Big deal. If you worked in the post room and your job was opening all the mail you'd be able to read all the mail too. Why should one be any more secure than the other?

Clearly you have to trust the employees of the organisation to whom your sending your personal information, however you send it. But people worrying about email seem to think it's wide open for all and sundry to read if they choose to, which simply isn't true in general.

I trust email. On the other hand, I *am* always very careful before I connect to my mail server using a convenient wifi hotspot called "Free Public Internet (passwords harvested here)".

Par for the course

Sadly, this kind of thing is all too common.

There are plenty of people in clerical jobs who understand computers simply in terms of what they can do, rather than fundamentally how they do it. It's the main reason, I would submit, that 'business people' clash with 'IT people', and vice-versa.

Assuming that the Equifax source quoted is of the business category, there is a rationale that makes perfect sense from their perspective. They would see it something like this:

1) User sends email

2) Internet delivers email to Secure.Portal@Equifax.co.uk (or whatever)

3) An Equifax team member who has access to the Secure Portal email box (and no-one else) processes the email.

Meanwhile, at a system level:

1) The user's PC could have any amount of spyware or keyloggers

2) Any of the dozens of email repeaters en route might be untrustworthy

3) Any network device in the delivery route may have a packet sniffer in place

4) The company's own email administration staff might be subverting traffic

5) Etc...

Unfortunately, business users only ever tend to concern themselves with business risks. They'll recertify ACL lists of group email accounts, but never worry about how to ensure that the email itself is untainted.

I spend a significant amount of time at work explaining to end-users why they don't want what they think they want.

Email Servers are not Quite Random

What the wasters do is settle their servers down just outside the Equifax gateways. This is where the concentration of juicy clear text email is.

Just like spying on large corporations-- just sit outside their gates and watch the traffic. Even better if you can grab a choke point outside the gates carrying a large percentage of the traffic.

So, security by hoping to hide in an ocean of spam is misleading, unless the sender and receiver are random (which isn't the case when communicating with and entity like Equifax, which wants information which can be usefully employed for ID theft).

You all still don't get it

"What the wasters do is settle their servers down just outside the Equifax gateways"

And how exactly do you propose to do that, short of working for BT or LINX or something? More importantly, how do you propose to do it without being caught?

"The user's PC could have any amount of spyware or keyloggers"

So you're saying that sending a form in by registered post and then having someone key it in at the institution concerned, rather than sending it to them in an unencrypted email, is immune from this? (And why do you think large corporations and financial institutions are so paranoid about filtering web and email access, not giving users admin rights on their desktop PCs, etc. if not to minimise the risk of precisely this sort of malware being installed.)

Remember, everyone is criticising Equifax for asking for data to be emailed to them. If they'd asked for it to be posted no-one would have batted an eyelid but I've yet to see ANYTHING to suggest that email is any more likely in practice to be intercepted than a letter.

@ Rolf Howarth

You obviously do not have enough of an idea about the general way how emails get transmitted across the wire. It is very simple to run a packet capture (network sniffer) for just one minute and pull out all the email details from that data. The only way to give email a modicum of security is to ensure it is encrypted end to end.

Email is secure - PAH! Twat.

Pah yourself

Actually, having written a number of email clients, I *do* know how email is transmitted. And yes, of course it's possible to eavesdrop on the SMTP traffic - *if* you have physical access to the network.

If I send an email from my home to my insurance company or whatever, how exactly do you propose to sniff those packets? Sure, you could park outside my house and tap my phoneline, or try to hack my (encrypted) WiFi connection. But frankly, why would you bother?

If you really want my debit card receipts that badly why not just search my trash (I shred most of them, but there's bound to be a few at the bottom of an old carrier bag that I've missed) or better yet, just get friendly with the kid on minimum wage who works on the checkout and sorts all the receipts at the end of the day. And once you've seen the receipts what will you do with them? And why should I care unduly?

The one time someone did try to use my card fraudulently my bank actually phoned me up and said there were some suspicious transactions, did I recognise them? No? Ok, no problem, we've refunded them already. End of story.

There's lot of things I worry about (loss of liberty and living in a police state, for example) but email security isn't one of them. I don't have anything particular to hide but if any one of the hundreds of organisations that are allowed to snoop into my private life wanted to find out what I get up to they wouldn't have to intercept my unencrypted email to find a few paltry debit card receipts - they'd just ask my bank.

One last on snail vs email

These two sentences are from a covering letter in application pack for a job at a local POLICE FORCE:

"Enclosed you will find an application form which needs to be completed and returned to us by...[Date] We accept applications by post to the above address but for speed and _security_ we recommend _emailing_ them to the address given."

(My emphasis.)

:-)

@Rolf Howarth

"Actually, having written a number of email clients, I *do* know how email is transmitted. And yes, of course it's possible to eavesdrop on the SMTP traffic - *if* you have physical access to the network."

I've written E-mail and IM clients myself. And I appreciate your point that it's difficult to cause trouble unless you're directly involved in the communication route.

But I still wouldn't trust unencrypted email as far as I could spit. This story is entirely analagous to someone requesting that I, "Photocopy my credit card, front and back, then attach the copies to the back of a postcard and send it to PO Box 123, UK".

No.

The Royal Mail mail be trustworthy. But do I trust that every pair of hands my envelope passes through is whiter than white? No, I'd be a fool.

Multiply this by a thousand and you have the current wild-wild-west state of the internet. Maybe my message will get through unmolested. Maybe it's even probable.

Would I trust that as fact? Good God, no....

YMMV, of course.