back to article RAF web survey asks for bank details via unencrypted email

An online survey of the Royal Air Force’s website aimed at journalists has invited would-be participants to send their banking details using unencrypted email to third-party organisers. Independent experts told El Reg that the badly thought-out advice left media pros exposed to a heightened risk of fraud. The survey invite …

  1. Hans Neeson-Bumpsadese Silver badge

    call me naive, but....

    ...I don't quite get what the risk is of publishing your bank account number and sort code. It's on every cheque I write, and I give these details out to anyone who wants to transfer money into my account.

    Yes, I know Clarkson got dodgy direct debits set up on his account after he published his details, but this seems more like a lack of checks (no pun intended) by the banks that direct debit requests are genuine, rather than an inherent fault in having account number and sort code visible

    1. Anonymous Coward
      Anonymous Coward

      Re: call me naive, but....

      Banks don't do checks on Direct Debit set ups, they rely on the DD guarantee.

      1. Hans Neeson-Bumpsadese Silver badge

        Re: call me naive, but....

        "Banks don't do checks on Direct Debit set ups, they rely on the DD guarantee."

        Is that not the problem then?

        1. DaLo

          Re: call me naive, but....

          To an extent but it works similar to credit/debit cards. They rely on the organisation setting up the direct debit to do the security checks as they are the ones who will lose out if the DD is cancelled or revoked.

          If you send your debit card and expiry date to anyone (which you do all the time in petrol stations, shops etc) then anyone can buy something using those details. The rely on the merchant to do address, cvv checking etc.

    2. Mr Dogshit
      WTF?

      Re: call me naive, but....

      Yeah, this is something I have never understood. In more civilised (continental European) countries you pay someone by transferring money to their account. They provide you with the details, you transfer the money, they see the money has arrived - job done. No fannying about with cheques.

    3. Anonymous Coward
      Anonymous Coward

      Re: call me naive, but....

      I was wondering the same thing.

      I've received, and sent, account names/numbers/BSBs by cleartext email before. Did so this week even.

      Knowledge of an account name and associated EFT details should be enough for someone to place money in that account, there should be an alternate mechanism for retrieving those funds. In my case, that's getting off my arse, going to the bank, filling out a Withdraw form and signing it in front of the teller, who then checks my signature with the one on the computer / passbook (under blacklight).

      Credit cards/Debit cards are more dangerous, since you just need knowledge of those numbers to either make a convincing fake card or to do an online payment, they should definitely be not sent in the clear. General EFT details, I don't see the problem.

  2. Anonymous Coward
    Anonymous Coward

    If you sign up with Three Mobile (UK) for a business account you have to send them you details and a chosen password by e-mail.

    I queried this and asked if they had a secure way to send the password - even by phone after the account was set up but they said no, it had to be done by e-mail. They said to make it secure I could scan a letter and attach that to the e-mail (I'm not kidding you). They also stated that the e-mail went straight to them so it would be secure(!). I persevered and tried to make them see sense but, no the only way to set up a contact on the account was by e-mail with the password included.

    Maybe you could check this out because this practice needs to stop and an enquiry from a respected outlet(*) like yourself might just help it on the way.

    *Varying degrees of respectability are assumed

    1. Anonymous Coward
      Boffin

      I've had this happen several times

      My solution is to send them the details in a password protected .zip file; then phone them with the password for the file.

      Of course, they could then leave it on an unsecured computer, but at least I know it wasnt copied and read by anyone other than the NSA, CIA, GCHQ, Google, MI5/6, Interpol, GreenPeace etc, on its way there.

      1. This post has been deleted by its author

  3. Steve Knox
    Facepalm

    EEEEE

    This wouldn't be as much* of a problem if we had end-to-end e-mail encryption everywhere.

    I'm not even talking forcing users to use PGP or similar (though that would help more.) I'm just talking about requiring SSL/TLS for every SMTP connection between mail clients, servers, and routers and encrypting datastores.

    The technology to accomplish this is ages old at this point. We've got the computing power, we've got the bandwidth, storage is cheap enough. What's missing, except for companies that actually care about their customers' privacy?

    * (Still somewhat of a problem because if you're not encrypting with your own private key, a bad actor with internal access could get your data.)

    1. streaky

      Re: EEEEE

      I'm just talking about requiring SSL/TLS for every SMTP connection between mail clients, servers, and routers and encrypting datastores.

      Most* of the time this does happen in the real world so, y'know.

      *If your email client and/or server is set up correctly it shouldn't be possible to force a downgrade.

      1. Steve Knox

        Re: EEEEE

        I'm just talking about requiring SSL/TLS for every SMTP connection between mail clients, servers, and routers and encrypting datastores.

        Most* of the time this does happen in the real world so, y'know.

        Perhaps less than you think. I used to work for a small community bank here in the States, and one of my jobs was testing and verifying this very encryption between the bank and its service providers (to prevent the chance of sending a customer's sensitive data unencrypted.)

        I saw about a 75% encryption rate**. The most glaring exception? Google. Every time a message went through Google -- even when they accepted it via a TLS-encrypted connection, it was shunted between several of their servers in plaintext, then passed on. They used encryption into their network and out from their network but not internally.

        Now this was a few years ago, so maybe they've fixed this, but I learned then not to assume that just because the technology is widely available, that it's widely in use.

        **Google's Transparency Report includes a section on this: https://www.google.com/transparencyreport/saferemail/ and their current numbers are roughly in line with what I found two years ago.

  4. ElectricFox
    Headmaster

    Have you been raiding Lewis Page's photo album

    Because those look like Fleet Air Arm sea harriers on the main image: not RAF...

    </pedant>

    1. nematoad Silver badge

      Re: Have you been raiding Lewis Page's photo album

      Yes they are. Sea Harriers FRS 1 from 801 Sqn Fleet Air Arm.

      Probably taken in the mid '80s after their return from the Falklands.

      I have sent in an e-mail letting El Reg know, which is what you should have done.

  5. Anonymous Coward
    Anonymous Coward

    The clue is in the name?

    LAGOmS trategy? 419 Blaze it!

  6. Yet Another Anonymous coward Silver badge

    Innovative funding stratergy

    Those F35s are very expensive and in these times of austerity ....

  7. Stuart 22

    Unencrypted data better than none?

    Oh dear, another sad story from the distant past. But it does involve Harriers (both Fleet Air Arm and the RAF).

    We were invited to tender for the computerisation of the engine records. These were held on cards and had to follow the aircraft to its operating base whether on land or sea. Each flight was recorded. They were sometimes typewritten, sometimes handwritten. They were absolutely vital to the operation of the planes because unlike conventional aircraft the time the engine could fly without being stripped was not just on hours flown but how many VTOLs had been made. A few minutes of VTOL equated to many hours in flight. The detail was vital. No time free, no flight.

    There was only one copy of the card. So the easiest way to disable our entire fleet was not to try and shoot the Harriers down (v difficult) but go after the lumbering Hercules behind them carrying all the records. One shot, a squadron grounded.

    Don't tell the Argies.

    1. allthecoolshortnamesweretaken

      Re: Unencrypted data better than none?

      So now a sqadron (or more) can be grounded by disrupting the ground crew's communication links with, say a DDoS on the server storing the engine records?

    2. Vic

      Re: Unencrypted data better than none?

      A few minutes of VTOL equated to many hours in flight. The detail was vital. No time free, no flight.

      It was indeed vital - the Harrier is single-engined, and vertical operation is very wearing on the engine.

      We've got XZ457 in the collection; that's what happens when the engine decides it's going to have a little lie-down...

      Vic.

  8. Flash.Gordon

    Those are actually Royal Navy Sea Harriers, 800 squadron, my old squadron.

    1. nematoad Silver badge

      My mistake

      Yes, you are right. I was wrong in saying it was 801.

      Put it down to age and the fact that they both have a trident in their crest.

      Mea culpa.

  9. Anonymous Coward
    Anonymous Coward

    > send their bank details or PayPal account details

    Someone obviously doesn't know how Paypal works then.

  10. phil dude
    Thumb Down

    liability....

    I should write a script to post this comment every time some company does something stupid.

    They have no downside for losing your information. If laws were written correctly to fine them of X% gross for every Y% customers data lost. Then they would not care so long as they get your $$$, they would need to know nothing else about you.

    P.

    1. cantankerous swineherd Silver badge

      Re: liability....

      as mr dude says, the banks have shifted liability onto the mug punter, which is _the_ reason for "fannying about with cheques".

      incidentally, re all the stuff about end to end encryption of email being a panacea. surely the latest dell fiasco (plus others I CBA to look up) tell us that email is utterly useless for anything meant to be remotely secure?

      1. John Brown (no body) Silver badge

        Re: liability....

        as mr dude says, the banks have shifted liability onto the mug punter, which is _the_ reason for "fannying about with cheques".

        ...and the cheque guarantee scheme has been discontinued so even if you wanted to pay by cheque in shops etc for smaller amount up to the limit (£100??), those shops who were still accepting cheques almost certainly won't now.

  11. nematoad Silver badge
    Coat

    Interesting.

    I note the change of header photo. This is a real RAF connected one.

    There is one odd thing about it though. Manned aircraft pilots wreaths are a brown colour, these as you can see are blue. These are for the pilots of drone aircraft. This is quite a new brevet and I don't think that many have been awarded.

    I'll get my anorak.

    1. Danny 2 Silver badge

      Re: Interesting.

      Gemma is a Reaper.

      ISIS use Captagon amphetamines that we keep interdicting. Why don't we just coat them with a stronger poison and let them through?

      https://www.newscientist.com/article/mg22830494-400-17th-century-plot-to-use-plague-hats-as-bioweapons-revealed/

  12. No such thing as an Anonymous Coward
    FAIL

    If you sign up with Hetzner, you get the following request...

    Dear xx yyyyyyyyy,

    Thank you very much for your order.

    As a new customer, we kindly request that you provide us with a copy (scan/photo) of your passport or ID card for authentication purposes.

    This requirement is only necessary when you place your first order with us.

    Please would you send the document by fax or as an email attachment to this email address.

    The document submitted is saved for a period of three weeks.

    Best regards

    Your Hetzner Online Team

    Hetzner Online AG

    -----------------------------

    I never got the server. Not after questioning their ability to keep my details secure. The reply was to state that they had cancelled my order.

    For a company renting servers, you'd think they could put together a secure upload location.

    Still have all the emails, including the one with their bank details in Germany and Switzerland.

  13. Anonymous Coward
    Anonymous Coward

    Chocks away!

    I say, Algy and Ginger, it's been a frightfully long time since one saw a quid in one's bank account.

    1. Stevie Silver badge

      Re: Chocks away!

      Silly blighter caught a packet in the how's-your-father, dicky-birded and caught his tail in the can!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020