Security Measures

[arkusM]

So my company does business with a huge bank in the US, that sort of rhymes with "hold", anyway I requested that they send statements/invoices to me via email, no problem...

Well they sent me an Excel file that was password protected and then emailed me the password they used to "protect" the excel file (If we are worried email about security then why are you sending passwords via email? ).

I opened the excel file with the given password and in Sheet1 was two embedded PDF's... Which I was not able to open for whatever reason. After a couple of back and forths I said just send my the PDF's, which they did, but this was in their postscript of the email:

Although G______ has offered addressee(s) named above a secure alternative to sending the information contained in and accompanying this communication, addressee(s) named above have selected this insecure means at their sole risk and agree that G______ shall have no liability and shall indemnify G______ for any loss, liability, cost, expenses, demands, charges and claims of any kind resulting from the use of this insecure means. If this is incorrect, please contact your G_____s representative and ask for the secure alternative.

[bolding is mine]
Really, a secure alternative? an embedded object? If I had the ability to intercept email the ability to crack the excel password would barely be an annoyance, let alone secure the information. Did these guys hire the TSA for advice?

Using the limited tools in my corporate sandbox, would not zipping it and password protecting the zip file be more secure? or if I was a multi-billion dollar mega-corp and could spend some jack on a product, any other of a hundred other methods actually provide some semblance of security?

Another bank I deal with sends their stuff via something called "Ironport" it at least something more than the pretext of security.

Ah the Theater of Security - if it was not so maddening then it would be hilarious.

 

[Joe4]

We deal with a lot of secure transfers of participant/financial data form various vendors (payroll companies, insurance companies, brokers, etc) and the most commonly accepted method of secure transfer seems to be Secure FTP or FTP with PGP encryption.

I am surprised that a large bank doesn't offer FTP options...

 

[tweedle]

The security wasn't in the password ; it was in the fact that the OLE Objects couldn't be opened .

I too deal with a ton of data connections through financial institutions; and sFTP or FTP w/pgp is the norm. Every once in a while there is somebody that thinks it's cool to email a data file from their yahoo account.

 

[arkusM]

The security wasn't in the password ; it was in the fact that the OLE Objects couldn't be opened .

Bwahahaa- Yup. True. so true.
Sigh.

 

[arkusM]

Maybe I'll have to see if they do FTP...

The kicker is the "confidentially" of the deals in this case are really not that significant. It is basic commodity transactions, the most you could get out of them is our address... oh well.

Let the show begin!

 

[Joe4]

Its just standard big corporation forms to protect themselves from the unauthorized use/release of personal information. We come across them all the time.

In the health care field, the unauthorized release of PH1 (protected health information) can result in steep financial penalties. And of course, there are a lot of fears over identify theft.

 

[diddi]

ive been doing a bit of programming for the storage shed industry where it is common for customers to leave credit card details for regular payments. i have found that the 'blowfish' algorithm is really good for encrypting data, which can be emailed or stored without worry of it being wrongly used.