
Strange email

Comments

  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    dunstonh wrote: »
    You can opt out if you want but I don't see what your problems with security are.
    The problem is that it's inherently dangerous to click on a link in an email. Each time you do it you're risking having your computer compromised by a browser exploit. Not following links in emails is possibly the most important lesson in how to use email safely.

    It can be made less risky if the initial email contains pre-agreed personal or other information known only to the place that sent you the email that can't possibly be guessed by a spammer. Has to be pre-agreed or it can be used by someone with stolen information who can fake it by supplying whatever genuine information they have about you to say that it's to prove it's genuine.
    jem16 wrote: »
    It doesn't take you to a SW website. It takes you to the website of the company providing the encryption.
    Groan. That's even worse.
    jem16 wrote: »
    That opens up with the normal https and padlock in the address bar of a secure site. You are then asked if you have received this email or sent the email - it also gives the email address of the sender.
    All of which are easy to forge and completely meaningless if you want to know that you're not reading a site produced by someone trying to get account details, or who compromised your computer as soon as you visited the site. Some of the browsers have site authentication methods that are moderately reliable but they don't block browser exploits.
    jem16 wrote: »
    From that screen you are taken to another secure website which asks you to fill in several pieces of info to confirm who you are. It also gives the piece of memorable information you chose so you can tell it's legitimate
    That memorable information is what might make it much safer, if it was provided in the initial email so you could be sure that the link you're following from the email doesn't take you to an attack or compromised site.
    jem16 wrote: »
    If it's regular communication between a company or IFA you can choose to use Outlook and install the plugin which will decrypt the message once you enter your password.
    That might be more secure, depends on how vulnerable the plugin is to abuse or forgery attacks (emails pretending to be the plugin via an HTML mail exploit).
    jem16 wrote: »
    I can see why you might be suspicious initially but having used the system I prefer to have the encrypted emails.
    I haven't seen it so it's hard for me to see whether it's potentially trustable or not. If there's nothing in the email to authenticate it other than looking like a genuine one and having a forged from address that looks like it's a financial service provider it can't possibly be safe.

    It's similar to why I decline to respond when some service provider phones me and asks me for my date of birth to prove my identity. I have no clue who they are until they have disclosed to me some information that only they and I can know, so it would be foolish of me to compromise my date of birth to the unknown caller. So I need to call them back on a number I already knew before the call to be sure I'm talking to the place they are claiming to be from. Calling line identification is useless for this because it can be forged.

    I do know that I prefer the inherently safe text-based email and normally view all email only in text form. Safe from attacks that can compromise my whole computer that is. Typical communications from a financial services provider aren't something I worry about having intercepted.

    Consider this email:

    ONLINE BANKING INFORMATION UPGRADE,

    Thank you for banking online at *Alliance & Leicester*. At Alliance & Leicester
    bank, your security is our primary concern. And in order to guard against the
    recent spate of fraud and identity theft involving online account holders, we
    have recently introduced additional security measures and upgraded our software
    to protect our online account holders.

    The security upgrade will be effective immediately and requires our customers to
    update their access and Sign in Protection activation.

    Please Upgrade Your Information
    <http://www.mybank.alliance-leicester.randomsiteremoved.com/index.assp=mybanknlogin_access/index.php>


    For your security, you won't be able to gain access to your accounts until
    you've done this.

    *Best Regards.
    Alliance & Leicester Security Department Team.*

    Alliance & Leicester is part of the Santander Group, one of the world's largest
    banking groups. More information on Banco Santander can be found at
    https://www.santander.com

    I have an A&L account. What made it obvious to me that it was a forgery even before I considered the contents was that it was sent to an email address that I'd used only for an online community site. Not A&L. So that told me that it couldn't possibly be genuine. Then there's the obvious red flag about the security details update.

    The secure email system that's been described here might be one that can appear to be genuine but which takes you to a site controlled by an attacker. The moment you've clicked on the link it's game over if the site is exploiting a browser vulnerability to compromise your computer. Other than that it doesn't matter what the site has, it's already done its job by getting you to click on the link and deliver the attack payload.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    middlepuss wrote: »
    Yes, I know and you know to look for padlocks, https, encryption etc etc etc, but an awful lot of folk out there don't.
    Not that it helps. You can be compromised before you even get to the point of seeing the padlock if you haven't verified that the web address is one you already know as a genuine one, from looking at the text source of the email, rather than what's visible in the email or on the email status line.
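The check discussed in the posts above (read the link's host from the message source and compare it with an address you already knew), as an added example that is not part of the thread. The sample message is constructed from the email quoted earlier; `KNOWN_DOMAINS` and the `To` address are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the reader already knew before the email arrived.
KNOWN_DOMAINS = {"alliance-leicester.co.uk", "santander.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_is_known(host, known=KNOWN_DOMAINS):
    """True only if host is a known domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in known)

def claimed_sender_domain(msg):
    """Domain in the From header: sender-supplied text, proof of nothing."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def audit_links(raw_message, known=KNOWN_DOMAINS):
    """Return (claimed From domain, [(link host, is_known), ...])."""
    msg = message_from_string(raw_message)
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed URL: treat as unknown
                host = ""
            links.append((host, host_is_known(host, known)))
    return claimed_sender_domain(msg), links

# Constructed sample: headers plus two lines from the email quoted in the thread.
SAMPLE = """\
From: security.online@alliance-leicester.co.uk
To: reader@example.org
Subject: ONLINE BANKING INFORMATION UPGRADE
Content-Type: text/plain; charset=utf-8

Please Upgrade Your Information
<http://www.mybank.alliance-leicester.randomsiteremoved.com/index.assp=mybanknlogin_access/index.php>

More information on Banco Santander can be found at
https://www.santander.com
"""

if __name__ == "__main__":
    sender, links = audit_links(SAMPLE)
    print("From claims:", sender)
    for host, ok in links:
        print("known  " if ok else "UNKNOWN", host)
```

The From domain matches the allowlist while the first link's host does not: the bank's name appears only as a label inside another domain, which a suffix match rejects and a substring match would accept.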
  • jamesd wrote: »
    Not that it helps. You can be compromised before you even get to the point of seeing the padlock if you haven't verified that the web address is one you already know as a genuine one, from looking at the text source of the email, rather than what's visible in the email or on the email status line.

    Too true. It gets all too easy for the scammers if emails from banks become the norm.
  • dunstonh
    dunstonh Posts: 119,508 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    edited 24 December 2010 at 7:27PM
    The securemail methods don't ask you for any personal data. All they ask is for you to create a username and password to link to your email address. The only thing cast in stone there is your email address. You choose the password and secure questions and answers you want to use for those. That information is then used to decrypt the contents of the email. The sender and security company don't know the information you have input as you need all bits of information to be matched up to decrypt it. The unipass securemail version is provided by Trend Micro (Trend Micro Private Post) who are one of the major security providers. The Scottish widows system is another big security company (although it would have been better if they used Unipass - they may end up doing so as it's a bit like betamax vs vhs at the moment as to who will end up becoming standard).

    The sender email cannot be spoofed either as that is part of the encryption algorithm.

    James, if you want, PM me your email address and I will send you a securemail. You can then see the process for yourself.
    I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.
  • jem16
    jem16 Posts: 19,577 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 25 December 2010 at 12:34PM
    jamesd wrote: »
    The problem is that it's inherently dangerous to click on a link in an email. Each time you do it you're risking having your computer compromised by a browser exploit. Not following links in emails is possibly the most important lesson in how to use email safely.

    It can also be inherently dangerous to even open any email. You have to make an informed decision.

    In the case of the encrypted emails I receive, it says it comes from the address of the adviser I use and also says it comes from the company that I know deals with the encryption.
    That might be more secure, depends on how vulnerable the plugin is to abuse or forgery attacks (emails pretending to be the plugin via an HTML mail exploit).

    All the plugin does is to store my approved email address and then to ask for a password to open the email - a password which I have set up myself and no-one else knows.
    I do know that I prefer the inherently safe text-based email and normally view all email only in text form. Safe from attacks that can compromise my whole computer that is. Typical communications from a financial services provider aren't something I worry about having intercepted.

    It can be if that email contains account information.
    Consider this email:




    I have an A&L account. What made it obvious to me that it was a forgery even before I considered the contents was that it was sent to an email address that I'd used only for an online community site. Not A&L. So that told me that it couldn't possibly be genuine. Then there's the obvious red flag about the security details update.

    That email was obviously a scam. The encrypted email never asks you to update security details.
    The secure email system that's been described here might be one that can appear to be genuine but which takes you to a site controlled by an attacker. The moment you've clicked on the link it's game over if the site is exploiting a browser vulnerability to compromise your computer. Other than that it doesn't matter what the site has, it's already done its job by getting you to click on the link and deliver the attack payload.

    I very rarely use the web based link. I usually use Outlook which simply opens the email on production of my password.
  • jem16
    jem16 Posts: 19,577 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    jamesd wrote: »
    Not that it helps. You can be compromised before you even get to the point of seeing the padlock if you haven't verified that the web address is one you already know as a genuine one, from looking at the text source of the email, rather than what's visible in the email or on the email status line.

    That's the point though - my encrypted mail comes from the email address that I know is genuine. It also verifies that same email address as the sender when it takes me through the web based decryption.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    jem16 wrote: »
    That's the point though - my encrypted mail comes from the email address that I know is genuine.
    The From address of the email I posted earlier was security.online@alliance-leicester.co.uk.

    How do you know the email address it came from is genuine? I'm asking because it's standard practice of spammers and attackers to forge it so it appears to come from a genuine person or company. While calling line identification is unreliable, it's far, far more reliable in practice than an email From address.
  • jem16
    jem16 Posts: 19,577 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    jamesd wrote: »
    How do you know the email address it came from is genuine?

    How do I know any email address is genuine? I can view the message source of the encrypted emails.
    I'm asking because it's standard practice of spammers and attackers to forge it so it appears to come from a genuine person or company. While calling line identification is unreliable, it's far, far more reliable in practice than an email From address.

    The security used is Identity Based Encryption. To send the email it must come from a registered email address and your identity must be proved either by using the Outlook plugin or by replying to an encrypted email already sent to you.

    To receive the encrypted email again you have to use the Outlook plugin which has stored your identity proof but which still asks for your password to decrypt it. If using the web portal you also have to answer 3 other questions to prove your identity.

    As to Caller Line Identity, very few companies actually allow their phone number to be displayed and it usually comes up as Withheld.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 25 December 2010 at 4:35PM
    jem16 wrote: »
    How do I know any email address is genuine? I can view the message source of the encrypted emails.
    What do you look at there to prove the from address is genuine? Not the From line, I hope, because that's useless for the purpose.

    I'm unsure from your wording, but surely you don't mean after following the link in the email to get to the site that is pretending to be a secure messaging site, then looking at whatever source that site shows?
    jem16 wrote: »
    The security used is Identity Based Encryption. To send the email it must come from a registered email address
    What mechanism requires a person sending an attack email to use something other than an email that has the same cosmetic appearance as one using this system, for the sole purpose of getting you to click on a link in the email?
  • vbm
    vbm Posts: 116 Forumite
    I love this system that Widows have introduced, I deal with them a lot and use this all the time. Extremely user friendly, quick and secure.
This discussion has been closed.