Our Fellow Dukes!
How is life? Jack and I have had quite the schedule the last few weeks, and hope to get back into the groove of writing as the summer weather ends. We aren’t giving up on the blog nor getting bored with it; in actuality, we still talk about it pretty much every other day lol!
With that being said, I’ve recently been thinking about refinancing my car loan to a better rate, and want to talk about why it is very important not to use email as your document exchange medium. I mean we all know about the Equihax – Jack wrote about it on the 19th.
It gives evidence that your personal data is your personal responsibility… since we can’t even trust the credit data aggregators (who we don’t even give permission to hold our data) to secure it properly. Let’s jump into the reasons why email should be off your list when it comes to passing information that could be used in identity theft.
1. Email is insecure
Before getting into a few of the risks of email, I’d like to dive into how the Internet works at a high level when you send an email.
- You log in to your email, write your message, and hit send to email firstname.lastname@example.org
- The message travels across many routers and switches
- The message finally reaches your destination email server (like Gmail).
- Servers are things that provide hosting on the Internet (for example, Duke of Dollars is hosted on a server, which serves the content)
- While the Google email server is trusted and uses SSL to encrypt traffic (the small lock icon you see by the URL in most browsers), it can’t guarantee that the multiple servers your message goes through to get there do the same. If you are on your work email and send something to Google, it has to travel from the work email server to the Google server, passing through various routers and switches to get there.
- The message finally arrives at email@example.com, and you have no idea whether or not that person has forwarded it to others or posted its contents on a black market site for identity theft
Here’s a nice visual representation from the Kavi Help Center
The whole process and protocol was developed years ago, near the dawn of the Internet, and has been a vital part of our communications since it took off. The problem is that, at that time, security wasn’t in mind when the protocol was created. Yes, measures have been taken to improve it, but that doesn’t make it the best option.
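The hop-by-hop path described above can be checked on a message you have received: each server that handles the message adds a Received header, and the keyword after "with" records whether that hop used TLS. The following Python is an added example, not part of the original post; the message and every host name in it are constructed.

```python
import re
from email import message_from_string

# Constructed sample, not a real capture. Each server prepends its own
# Received header, so the newest hop comes first.
SAMPLE = """\
Received: from relay.transit.example (relay.transit.example [192.0.2.10])
\tby mx.mailhost.example with ESMTPS id abc123
\tfor <email@example.com>; Mon, 02 Oct 2017 09:15:04 -0400
Received: from smtp.work.example (smtp.work.example [198.51.100.7])
\tby relay.transit.example with ESMTP id def456;
\tMon, 02 Oct 2017 09:15:02 -0400
Received: from laptop.work.example (laptop.work.example [203.0.113.5])
\tby smtp.work.example with ESMTPSA id ghi789;
\tMon, 02 Oct 2017 09:15:01 -0400
From: firstname.lastname@example.org
To: email@example.com
Subject: Refinance documents

See attached.
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

def hops(raw):
    """Return (sender, receiver, protocol, used_tls) per hop, oldest first."""
    msg = message_from_string(raw)
    result = []
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if match is None:
            result.append(("?", "?", "?", False))  # unparseable: unverified
            continue
        sender, receiver, protocol = match.groups()
        protocol = protocol.rstrip(";").upper()
        result.append((sender, receiver, protocol, protocol in TLS_PROTOCOLS))
    return result

def cleartext_hops(raw):
    """Hops whose Received header does not claim TLS."""
    return [hop for hop in hops(raw) if not hop[3]]

if __name__ == "__main__":
    for sender, receiver, protocol, used_tls in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {protocol} ({'TLS' if used_tls else 'no TLS recorded'})")
```

Received headers are written by the servers themselves, and a server that does not use the standard keywords shows up here as "no TLS recorded", so treat the output as a hint about the path, not proof.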
Messages aren’t encrypted
Most of us don’t have encryption set up on our email clients (Outlook for example), so when we send an email, if that email finds itself in the wrong hands, whoever has it can easily read it. It is in plain text, no decryption key necessary.
Emails can be kept on servers for a long time (who knows how long Google keeps those emails in backups?)
If you’re using your ISP’s (Internet Service Provider’s) email service, and it is a small rural company – can you trust them the same way you trust Google? Probably not. They may have your plain text emails stored on servers for a very long time. If someone accesses them or breaks into their network, your emails are there for the taking. Add in the attachments you sent to your refinance company, and KABOOM -> ID THEFT RISK!
Many people don’t use 2-factor authentication
What in the world is 2-factor authentication? If you log into your email using your awesome secure password with 2-factor authentication enabled, you will then be asked to authenticate another way in addition to the password. The second factor could be an authenticator app, email, or SMS. I recommend the authenticator app from Google or Microsoft.
By using these apps, if your password was compromised, your account has that extra level of security to keep you safe! You don’t want hackers emailing your family distribution list messages of profanity or other ridiculous spam.
How many different computers, tablets, and phones do you have logged in for your email? So does everyone else. Each one presents another risk to the security of those emails, as they are, again (broken record yet?), in plain text that anyone who accesses any of those devices can easily read.
2. Secure Messaging Platforms are a Thing – Use Them or Lose The Company!
Many banks have secure messaging as part of their overall online experience. Have you ever received an email requesting you to log in to view the secure message? Great!! That’s how it should be done.
Companies do this because they control the security of the message, make sure it is transferred over a secure encrypted Internet connection (the SSL lock), and require you to log in to see it. It’s not transferred out and about, and not stored in plain text on their servers.
This is the way we should be communicating private information that could be used for identity theft with our bank, loan, etc. companies. If they don’t have one… they shouldn’t have you as a customer :).
3. Companies should be held accountable
Like I mentioned above, refinancing my car loan has been on my mind. This post was mainly inspired by that process.
At the early stages of the process, personal information was requested from me, and I was asked to email it back. I refused to do so, and gave some information on why this isn’t secure and shouldn’t be practiced at any company handling loans. They gave me the option to mail them instead. Like the real mail service, not electronic – I’m super old school.
As the process continued, a secure message was sent to me requesting a few more documents. The documents were attached in the secure message – boy I was impressed and happy they did it. I was very appreciative of this as they contained information that I’d rather not be emailed.
Hours later, a co-worker from the same company had sent me a new email. I opened it, saw the attachment, and couldn’t believe my eyes. THE SAME DOCUMENTS were sent to me over email. This was after asking not to have them emailed to me from the beginning! I wrote up a nice professional email stating not to send my document over email, recommending not sending any documents over email, and to instead use their own secure messaging platform.
The takeaway I want to leave you with here… it is not only the company’s responsibility, it is also on you to say no and scold them for doing such a thing! They shouldn’t request or send you any documents over email!
As my blood was boiling (it is still jittery with Equifax hax), I sent the email over. And with an absolutely low climax ending, I went on with my day.
Have you ever been asked to email personal information? Have you done it in the past?
I have done both before learning it wasn’t the best method of doing so. Definitely hope this post inspires you to hold companies accountable with your information, at least with most companies you are volunteering your information to through applications (contrary to the darn credit companies).
Have a great week! Let us know what you think!