
Is it now safe to send bank statements etc by email

swill453
Lemon Half
Posts: 7962
Joined: November 4th, 2016, 6:11 pm
Has thanked: 984 times
Been thanked: 3643 times

Re: Is it now safe to send bank statements etc by email

#448450

Postby swill453 » October 7th, 2021, 8:33 am

servodude wrote:For email attachments are effectively converted to text and sent in the message

In some ways not a lot has changed since UUCP...

Scott.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Is it now safe to send bank statements etc by email

#448453

Postby servodude » October 7th, 2021, 8:53 am

swill453 wrote:
servodude wrote:For email attachments are effectively converted to text and sent in the message

In some ways not a lot has changed since UUCP...

Scott.

True.
But I can understand why; if you've got a proven conduit for text message make everything base64 and it'll work ;)

Well normally that is..... I was actually bitten by something of this ilk a couple of weeks back when I was brought in to help with a strange problem
- code they had worked for ASCII packets (and had for years) but was intermittently failing for new binary packets

Turned out it was due to char signed-ness and how that was munging the checksum calcs (over 7F and it went down)
- change a function prototype from buffer of char to one of uint8 and it "just worked"

Took me a day at contractor rates to find it; changed 5 chars of code; they were over the moon! :D

-sd

elkay
Lemon Slice
Posts: 282
Joined: November 5th, 2016, 1:50 am
Has thanked: 737 times
Been thanked: 129 times

Re: Is it now safe to send bank statements etc by email

#448537

Postby elkay » October 7th, 2021, 1:29 pm

mc2fool wrote:
elkay wrote:In the last few years there has been a big move to end-to-end encryption between sender and recipient, using TLS.

Not quite. It's a good point that hop-by-hop transport level encryption has been increasingly used for email delivery, but it's not end-to-end.

There is no end-to-end connection in the delivery of emails; at its simplest it's sending client to sending server, which stores the message and then sends it at its own convenience to the receiving server, which stores the message until it's collected by the receiving client. Each of the connections are (can be) encrypted but the email itself is not.

To get end-to-end encryption between sender and recipient requires encrypting the email itself and that's PGP.


That's where my understanding differs. My understanding of TLS is that everything is encrypted between the server that is sending and the final server receiving the email, and any servers in between will not be able to see the content of the message. So man-in-the-middle interceptions and the like are not possible. The content is encrypted. Certainly to a level that financial institutions use it.

PGP goes a step further in that the content is encrypted for the final step to the client effectively, and may be useful in some scenarios, but for me TLS provides all the encryption that most people need most of the time.

regards
elkay

didds
Lemon Half
Posts: 5244
Joined: November 4th, 2016, 12:04 pm
Has thanked: 3244 times
Been thanked: 1018 times

Re: Is it now safe to send bank statements etc by email

#448541

Postby didds » October 7th, 2021, 1:38 pm

Alaric wrote:
Fluke wrote: said that it was a computer generated message and that they could see a payment had previously been made to the account and so no further checks were needed.


It sounds as if they need to give fresh instructions to the computer which is generating messages. Either that or review the messages before sending them unnecessary demands.


from their perspective though maybe it's a case of no need to do so?

basically when push comes to shove they can see transactions and rubber stamp the account.

Or they get an email and look and achieve the same.

rather than jump through hoops to avoid either the above. paths of least resistance etc.

didds

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: Is it now safe to send bank statements etc by email

#448548

Postby mc2fool » October 7th, 2021, 2:08 pm

elkay wrote:
mc2fool wrote:
elkay wrote:In the last few years there has been a big move to end-to-end encryption between sender and recipient, using TLS.

Not quite. It's a good point that hop-by-hop transport level encryption has been increasingly used for email delivery, but it's not end-to-end.

There is no end-to-end connection in the delivery of emails; at its simplest it's sending client to sending server, which stores the message and then sends it at its own convenience to the receiving server, which stores the message until it's collected by the receiving client. Each of the connections are (can be) encrypted but the email itself is not.
To get end-to-end encryption between sender and recipient requires encrypting the email itself and that's PGP.

That's where my understanding differs. My understanding of TLS is that everything is encrypted between the server that is sending and the final server receiving the email, and any servers in between will not be able to see the content of the message. So man-in-the-middle interceptions and the like are not possible. The content is encrypted. Certainly to a level that financial institutions use it.

PGP goes a step further in that the content is encrypted for the final step to the client effectively, and may be useful in some scenarios, but for me TLS provides all the encryption that most people need most of the time.

No, SMTP is a store-and-forward system. There is no direct connection between the initial sending SMTP server and the final receiving SMTP server, except in the case where there are only the two, and at every interim SMTP server the email is stored before being passed on. TLS only provides encryption between the SMTP servers on a hop-by-hop basis, not end-to-end.

Re "financial institutions use it", if you're talking about websites, that's different because there is a direct connection between your browser and the bank's website.

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: Is it now safe to send bank statements etc by email

#448572

Postby mc2fool » October 7th, 2021, 3:50 pm

elkay wrote:That's where my understanding differs. My understanding of TLS is that everything is encrypted between the server that is sending and the final server receiving the email, and any servers in between will not be able to see the content of the message. So man-in-the-middle interceptions and the like are not possible. The content is encrypted.

P.S. It occurs to me that you may be getting a little confused about the levels of protocols here and talking about a slightly different thing to what is actually the case. Apologies if not and you already know this stuff....

The first thing to get clear is that with TLS it's not the contents of the email that's encrypted but rather the connection between two servers (or client<->server).

That connection will go through several nodes in the network, that is computers that route the packets from source to destination. As is the nature of packet switching networks, the first 1500 bytes (standard IP4 packet size) of your email to California may go through a bunch of nodes to Cornwall to be sent through the transatlantic cable that starts there and the second 1500 bytes may go through another bunch of nodes to Ireland to be then sent through the Ireland-US cable, etc, etc, with them all getting collated at the destination.

If the connection between source and destination is TLS encrypted then none of those nodes transporting the connection will be able to see the contents being carried over the connection (that's why it's Transport Layer Security ;)).

Now, in the simple case what we have on sending an email is:

sending client -> sending SMTP server (which stores the message*, and tries to forward it on at its own convenience)
sending SMTP server -> receiving SMTP server (which stores the message* until it's collected)
receiving SMTP server -> receiving client

Now, each of those connections (the "->") can be TLS encrypted, but there is no end-to-end connection between sending client and receiving client.

* And how the servers store the email is up to them, it could well be in plain text as that's what they'll receive from the transport layer, as it's just the connection (the "->") that's encrypted, not the email.

Now, things can get more complicated, esp. when using large email providers, who tend to have farms of servers handling email. If you take a look at the headers of an email between such providers you'll find several "Received From/By" headers, usually with gobbledygook server names. So, you might well get:

client ---> sender.com server -> s_int_1 server -> s_int_2 server ----------> receiver.com server -> r_int_1 server -> r_int_2 server ---> client

Each of the connections (-> of any length) may be TLS encrypted but each will be only a this-to-next encryption, and not one that goes on to the following connections; each will have its own. Of course, the s_int_1 & s_int_2 servers, being part of sender.com's setup are all very likely in the same computer room, and ditto for r_int_1 & r_int_2 as part of receiver.com's setup.

Now, having (hopefully) clarified all that, I do agree that the use of TLS has definitely made emails more secure. But, as I say, if you want to have end-to-end encryption to guarantee that nobody else can see your emails, you need to use PGP.

You may find this, and in particular the links in the first paragraph, of interest:

https://elie.net/blog/security/how-email-in-transit-can-be-intercepted-using-dns-hijacking/
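The hop-by-hop picture described in the post above can be checked on any received message by reading its "Received" headers. The following is an added example, not part of the original post: the message, host names (hyphenated versions of the post's s_int_1 / r_int_1) and addresses are constructed, and the TLS test relies on the "with" protocol keywords that servers record (ESMTPS and friends, RFC 3848).

```python
import email
import re

# "with" keywords a server records when the inbound connection used TLS
# (RFC 3848, plus the UTF8SMTP variants).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

# Constructed sample, not a real capture. Each server prepends its own
# Received header, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.receiver.example (mx.receiver.example [192.0.2.20])
 by r-int-1.receiver.example with LMTP id DDD444;
 Thu, 7 Oct 2021 15:50:05 +0100
Received: from s-int-1.sender.example (s-int-1.sender.example [192.0.2.11])
 by mx.receiver.example with ESMTPS id CCC333;
 Thu, 7 Oct 2021 15:50:04 +0100
Received: from smtp.sender.example (smtp.sender.example [192.0.2.10])
 by s-int-1.sender.example with ESMTP id BBB222;
 Thu, 7 Oct 2021 15:50:02 +0100
Received: from [198.51.100.7] (client.home.example [198.51.100.7])
 by smtp.sender.example with ESMTPSA id AAA111;
 Thu, 7 Oct 2021 15:50:01 +0100
From: alice@sender.example
To: bob@receiver.example
Subject: statement

Sort code 00-00-00, balance 123.45 (constructed body, sent unencrypted)
"""


def parse_hops(raw):
    """Return the hops in chronological order, one dict per Received header."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue                            # unparseable hop: skip it
        proto = m.group(3).rstrip(";").upper()
        hops.append({"from": m.group(1), "by": m.group(2),
                     "with": proto, "tls": proto in TLS_KEYWORDS})
    return hops


def servers_holding_plaintext(raw):
    """Servers that received a readable body, whatever the transport was.

    TLS protects each connection only; unless the body itself is PGP
    encrypted, every server that accepted the message saw it in the clear.
    """
    msg = email.message_from_string(raw)
    if "-----BEGIN PGP MESSAGE-----" in msg.get_payload():
        return []
    return [hop["by"] for hop in parse_hops(raw)]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        link = "TLS" if hop["tls"] else "cleartext"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} ({link})')
    print("readable at:", servers_holding_plaintext(SAMPLE))
```

Received headers are written by each server about itself, so only the ones added by infrastructure you trust are reliable evidence of how a hop was protected.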

UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Is it now safe to send bank statements etc by email

#448645

Postby UncleEbenezer » October 7th, 2021, 11:49 pm

servodude wrote:
Mike4 wrote:
mc2fool wrote:To get end-to-end encryption between sender and recipient requires encrypting the email itself and that's PGP.


Yes. We've had PGP for 30 years now, and it's still the best possible security for email (among other things).
Would attachments be encrypted as well as the content of the email message?

Thanks.


Yes
For email attachments are effectively converted to text and sent in the message

-sd

That will depend entirely on your software.

If I wanted to attach something secret, I'd encrypt it before attaching to any email.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Is it now safe to send bank statements etc by email

#448646

Postby servodude » October 7th, 2021, 11:59 pm

UncleEbenezer wrote:
servodude wrote:
Mike4 wrote:

Yes. We've had PGP for 30 years now, and it's still the best possible security for email (among other things).
Would attachments be encrypted as well as the content of the email message?

Thanks.


Yes
For email attachments are effectively converted to text and sent in the message

-sd

That will depend entirely on your software.

If I wanted to attach something secret, I'd encrypt it before attaching to any email.


I would also if I was ever forced to send something sensitive via email

I'm worried now that I have given duff assurance (or might be putting my attachments at risk of being compromised) do you have examples of software where
- attachments are not sent via text encoding (be it Base64/MIME or uuencode style stuff)?
- or PGP being applied only to selected message parts?
It has been decades since I thought I had to care about these things

- sd

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#448658

Postby Infrasonic » October 8th, 2021, 7:41 am

When I sold my mother's house under an EPoA I asked my conveyancing solicitors if they could do E2E encrypted email for all correspondence (I have an anonymous Proton Mail email account) - never got a response.
I was hopeful as they had all their staff photos removed from their website placeholders as an ID theft deterrent.

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#448659

Postby Infrasonic » October 8th, 2021, 8:20 am

Another point to make is that even if something is E2E encrypted unless it is also zero knowledge then it isn't entirely anonymous/secure.

As an example WhatsApp is E2EE but FB will have the decryption keys. In theory this is so they can provide details with an appropriate court order - in practice do you want to trust Facebook or any other large corporation to 'do the right thing' morally? There's a FB whistle-blower case currently active in the USA.

Proton Mail and Tutanota have both had to comply with court orders and reveal information about their encrypted email users - PM does state in its T&C's that this is the case and I knew that before signing up.

Microsoft Exchange recently had a major issue with compromised security - bugs that had existed for years, had been reported and not fixed by MS.
In the USA the FBI started fixing compromised setups remotely as they were so worried about the large scale state level espionage ramifications.
https://securityboulevard.com/2021/04/y ... more-bugs/

There are also issues around criminal organisations infiltrating by putting in their own people or compromising existing staff (happens in the Police, banks et al) - so zero knowledge would be much more secure there.

Signal is E2EE and zero knowledge messaging, it does use your real mobile number though (there are convoluted ways around that).

UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Is it now safe to send bank statements etc by email

#448671

Postby UncleEbenezer » October 8th, 2021, 9:23 am

Infrasonic wrote:Another point to make is that even if something is E2E encrypted unless it is also zero knowledge then it isn't entirely anonymous/secure.

That's two separate issues. Is it encrypted, and who has the keys? Zero knowledge is inherent in the fact of being encrypted.

If you use trusted software such as commandline gnupg then all is well.
If you use backdoored software then someone else can listen in.
If you use unknown software (for example, anything that's not open source) or a third-party/outsourced service then you don't know - unless they declare openly that it is backdoored. You may choose how much to trust your software or service provider.

As an example WhatsApp is E2EE but FB will have the decryption keys.


I didn't know that. But one thing to bear in mind is that corporations don't do this voluntarily, but on the insistence of governments. Australia famously outlawed service providers (like Facebook) providing non-backdoored services a few years back, and other governments including ours continually flirt with similar ideas including banning them from disclosing that there might be a backdoor!

In theory this is so they can provide details with an appropriate court order - in practice do you want to trust Facebook or any other large corporation to 'do the right thing' morally? There's a FB whistle-blower case currently active in the USA.


For a consumer-oriented service I'd trust them not to nuke themselves quite so gratuitously. The risk/reward for Facebook of abusing users' privacy would be horrific. Leave that to specialists, such as NSO (Pegasus).

UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Is it now safe to send bank statements etc by email

#448681

Postby UncleEbenezer » October 8th, 2021, 9:51 am

servodude wrote:I'm worried now that I have given duff assurance (or might be putting my attachments at risk of being compromised) do you have examples of software where
- attachments are not sent via text encoding (be it Base64/MIME or uuencode style stuff)?

That's actually not at all unusual. A text encoding like base64 has been optional for attachments since the 1990s, possibly even the late 1980s.

- or PGP being applied only to selected message parts?

Yes, that's the norm in my own usage.

Though now you mention it, if you have software that offers you an option to encrypt your entire message, I'd expect it either to encrypt all attachments automatically or at least prompt you to ask. Not a matter I'd considered, since I haven't written a mail client!
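The two questions in this exchange (is an attachment merely text-encoded, and does PGP cover every part of the message) can be answered for any given message by walking its MIME tree. The following is an added example, not part of the original posts: the messages are constructed, the "ciphertext" is a placeholder rather than real PGP output, and the check treats a part as protected only if it sits inside a multipart/encrypted container (PGP/MIME, RFC 3156) or begins with PGP armor.

```python
from email import encoders
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

ARMOR = "-----BEGIN PGP MESSAGE-----"
# Constructed placeholder standing in for real armored ciphertext.
FAKE_CIPHERTEXT = (ARMOR + "\n\n(constructed placeholder, not real output)\n"
                   "-----END PGP MESSAGE-----\n")
STATEMENT = b"%PDF-1.4 constructed statement: sort code 00-00-00"


def inline_pgp_with_plain_attachment():
    """Body encrypted by hand (inline PGP), attachment added as-is."""
    msg = EmailMessage()
    msg["Subject"] = "statement"
    msg.set_content(FAKE_CIPHERTEXT)
    msg.add_attachment(STATEMENT, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg


def pgp_mime():
    """Whole message wrapped in one PGP/MIME container."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                               encoders.encode_7or8bit))
    msg.attach(MIMEApplication(FAKE_CIPHERTEXT.encode(), "octet-stream",
                               encoders.encode_7or8bit))
    return msg


def audit(msg):
    """Return one dict per leaf part: type, transfer encoding, status, bytes."""
    report = []

    def walk(part, inside_encrypted):
        ctype = part.get_content_type()
        if part.is_multipart():
            for child in part.get_payload():
                walk(child, inside_encrypted or ctype == "multipart/encrypted")
            return
        # decode=True only undoes base64/quoted-printable; no key is involved.
        data = part.get_payload(decode=True) or b""
        protected = inside_encrypted or data.lstrip().startswith(ARMOR.encode())
        report.append({
            "type": ctype,
            "cte": part.get("Content-Transfer-Encoding", "7bit").lower(),
            "status": "pgp" if protected else "readable",
            "data": data,
        })

    walk(msg, False)
    return report


def readable_payloads(msg):
    """Bytes any mail server on the path could recover without a key."""
    return [p["data"] for p in audit(msg) if p["status"] == "readable"]


if __name__ == "__main__":
    for name, m in (("inline PGP + attachment", inline_pgp_with_plain_attachment()),
                    ("PGP/MIME", pgp_mime())):
        print(name)
        for p in audit(m):
            print("  ", p["type"], p["cte"], p["status"])
```

In the first message the PDF comes back byte for byte from its base64 form, which is the case where encrypting the file before attaching it matters.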

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#448690

Postby Infrasonic » October 8th, 2021, 10:15 am

PGP has never taken off in the mainstream because it is fiddly to set up - email services like Proton Mail make it much easier if both sides use PM.
https://protonmail.com/support/knowledg ... o-use-pgp/

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Is it now safe to send bank statements etc by email

#448696

Postby servodude » October 8th, 2021, 10:31 am

UncleEbenezer wrote:
servodude wrote:I'm worried now that I have given duff assurance (or might be putting my attachments at risk of being compromised) do you have examples of software where
- attachments are not sent via text encoding (be it Base64/MIME or uuencode style stuff)?

That's actually not at all unusual. A text encoding like base64 has been optional for attachments since the 1990s, possibly even the late 1980s.

- or PGP being applied only to selected message parts?

Yes, that's the norm in my own usage.

Though now you mention it, if you have software that offers you an option to encrypt your entire message, I'd expect it either to encrypt all attachments automatically or at least prompt you to ask. Not a matter I'd considered, since I haven't written a mail client!


Takk!
Consider me educated by your posts.
Haven't written an email client either; but I do vaguely remember hand rolling emails on a telnet port.
I've also had to use SMTP for binary payloads over the orbcomm LEO constellation which is probably what cemented the MIME/Base64 idea

-sd

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#448701

Postby Infrasonic » October 8th, 2021, 10:52 am

UncleEbenezer wrote:
In theory this is so they can provide details with an appropriate court order - in practice do you want to trust Facebook or any other large corporation to 'do the right thing' morally? There's a FB whistle-blower case currently active in the USA.


For a consumer-oriented service I'd trust them not to nuke themselves quite so gratuitously. The risk/reward for Facebook of abusing users' privacy would be horrific. Leave that to specialists, such as NSO (Pegasus).


I wouldn't!

History has shown that large companies often do things that are reprehensible and potentially commercially suicidal - divide and conquer + deep pockets making it very difficult for individuals to actually get justice unless the state steps in.

I use Google, Microsoft, Facebook, Twitter etc. with the full knowledge that nothing is truly private - so I don't put anything on their services that I would not be comfortable with being in the public domain. I use fake ID and contact info if I can get away with it (increasingly difficult).

If I want to go incognito I use a Linux container via Tor with E2EE and zero knowledge services only. Even that is not 100%.

Sunnypad
Lemon Slice
Posts: 744
Joined: November 4th, 2016, 1:17 pm
Has thanked: 153 times
Been thanked: 309 times

Re: Is it now safe to send bank statements etc by email

#448780

Postby Sunnypad » October 8th, 2021, 4:30 pm

Infrasonic wrote:When I sold my mother's house under an EPoA I asked my conveyancing solicitors if they could do E2E encrypted email for all correspondence (I have an anonymous Proton Mail email account) - never got a response.
I was hopeful as they had all their staff photos removed from their website placeholders as an ID theft deterrent.


Just out of interest, why did you want all the emails encrypted?

I think my solicitor would have thought I was mad if I had asked that, they wanted bank statements emailed.

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#448786

Postby Infrasonic » October 8th, 2021, 4:50 pm

Sunnypad wrote:
Infrasonic wrote:When I sold my mother's house under an EPoA I asked my conveyancing solicitors if they could do E2E encrypted email for all correspondence (I have an anonymous Proton Mail email account) - never got a response.
I was hopeful as they had all their staff photos removed from their website placeholders as an ID theft deterrent.


Just out of interest, why did you want all the emails encrypted?

I think my solicitor would have thought I was mad if I had asked that, they wanted bank statements emailed.


I would make the same request to any party where I was discussing sensitive information like large amounts of money, bank details or other uniquely identifying personal information.

Information can be knitted together from various sources and if a high enough value target then pursuing ID theft becomes worthwhile. ID theft is something you really never want to suffer from as not only can it be financially devastating it can also take ages (years in some cases) to get recognised by the relevant authorities as a persona grata again.

I did all my identification stuff in person in the solicitor's office with my solicitor in the end, nothing of note went via email.

Sunnypad
Lemon Slice
Posts: 744
Joined: November 4th, 2016, 1:17 pm
Has thanked: 153 times
Been thanked: 309 times

Re: Is it now safe to send bank statements etc by email

#448855

Postby Sunnypad » October 9th, 2021, 12:03 am

Infra - that's what we did, all the important stuff in the office, though they probably just put it straight on their system anyway.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Is it now safe to send bank statements etc by email

#448993

Postby XFool » October 9th, 2021, 6:03 pm

Infrasonic wrote:
Sunnypad wrote:
Infrasonic wrote:When I sold my mother's house under an EPoA I asked my conveyancing solicitors if they could do E2E encrypted email for all correspondence (I have an anonymous Proton Mail email account) - never got a response.
I was hopeful as they had all their staff photos removed from their website placeholders as an ID theft deterrent.

Just out of interest, why did you want all the emails encrypted?

I think my solicitor would have thought I was mad if I had asked that, they wanted bank statements emailed.

I would make the same request to any party where I was discussing sensitive information like large amounts of money, bank details or other uniquely identifying personal information.

Information can be knitted together from various sources and if a high enough value target then pursuing ID theft becomes worthwhile. ID theft is something you really never want to suffer from as not only can it be financially devastating it can also take ages (years in some cases) to get recognised by the relevant authorities as a persona grata again.

I did all my identification stuff in person in the solicitor's office with my solicitor in the end, nothing of note went via email.

Unfortunately this has all now become standard operating procedure, accelerated by COVID and offices not staffed.

Recently I helped someone with a local authority housing application. The lot: Local Authority forms, bank statements, medical records(!), personal details - even a signed letter giving me authority to act on their behalf had to be sent by ordinary email.

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Is it now safe to send bank statements etc by email

#449003

Postby Infrasonic » October 9th, 2021, 6:58 pm

XFool wrote:
Infrasonic wrote:
Sunnypad wrote:Just out of interest, why did you want all the emails encrypted?

I think my solicitor would have thought I was mad if I had asked that, they wanted bank statements emailed.

I would make the same request to any party where I was discussing sensitive information like large amounts of money, bank details or other uniquely identifying personal information.

Information can be knitted together from various sources and if a high enough value target then pursuing ID theft becomes worthwhile. ID theft is something you really never want to suffer from as not only can it be financially devastating it can also take ages (years in some cases) to get recognised by the relevant authorities as a persona grata again.

I did all my identification stuff in person in the solicitor's office with my solicitor in the end, nothing of note went via email.

Unfortunately this has all now become standard operating procedure, accelerated by COVID and offices not staffed.

Recently I helped someone with a local authority housing application. The lot: Local Authority forms, bank statements, medical records(!), personal details - even a signed letter giving me authority to act on their behalf had to be sent by ordinary email.


Yep, I've been through similar escapades over the past couple of years with HMRC and various pension funds under the EPoA. Registered post snail mail was used in the end.

During the first lockdown I was only impressed by one bit of technology - namely the NHS smartphone app.
It let me register within the app with a real time phone video of me repeating verbatim a prepared script, sending an encrypted smartphone photograph of my photo ID driver's license and a couple of other ID hoops.
Seamless and very impressive!
So if a state run entity like the NHS (not exactly renowned for their cutting edge efficiency!) can get their s*it together why can't everyone else?

