Sometime, two decades or so ago, I remember reading about Pretty Good Privacy (PGP), a mass-market implementation of e-mail encryption and digital signatures using public key cryptography (PKC) that created a practical public key infrastructure (PKI). A decade or so later, I wrote a piece for The Guardian (I used to write the “Second Sight” column for The Guardian from 1999 until 2005) saying that safe, secure e-mail would become the norm and that the end of spam was inevitable (an economic argument based on computational costs). How utterly wrong I was. Spam continues to this day, although to be fair it is less of a pain than it used to be, and since Generation Whatever never use e-mail anyway, soon it won’t matter whether it is encrypted or not, since the next generation will view it as nothing more than a relic from the early days of the web, a vestigial service of no practical use or interest to them.
But we are where we are, and the thing that always struck me as most important about PGP was that it worked. Yes. It worked (and so does S/MIME). Encrypting e-mail and adding digital signatures works. It has worked for years. Hence I was nicely surprised to see an announcement from Facebook that they were to start using PGP to encrypt and sign notification e-mails as a defence against spoofing and phishing. I thought I’d give it a try so I signed up. It was easy. I downloaded GPG for OS X, created a new key pair for my Facebook-related e-mail address and turned on PGP.
After this, when my next Facebook notification e-mail arrived, it had indeed been encrypted using my public key and signed by Facebook’s private key. Hence I could be certain that it had come from Facebook and certain that it was for me and certain that no-one else had intercepted it and read it. It works. Haven’t figured out how to read it on the iPhone yet, but hey, someone will point me in the direction of a GPG for iOS soon I’m sure.
This led me to wonder, idly, why my bank didn’t encrypt and sign e-mails as well since, as you might have noticed, tampering with e-mail leads to rather a lot of fraud. And then I thought no more about it until I came across a message in my junk mail that purported to come from Barclays. When I read it, I noticed that it was digitally-signed so that I could be sure it came from them. Hurrah. But when I clicked on the signature to verify it…
I saw the red warning and naturally assumed that the e-mail was dodgy. The incomprehensible error message suggested to me that it didn’t come from Barclays after all. The fraudsters are getting better all the time! Just to recap: I now live in a world where I can be sure that a message from Facebook really did come from Facebook and that no sensitive information in the message could have been snaffled by miscreants-in-the-middle but I haven’t the slightest idea whether a message that says it comes from my bank really does, whether it really is for me or whether it’s been altered by crooks in transit. Truly bizarre: no wonder my kids don’t use e-mail any more. Companies do though.
attackers accessed previous CEO Dave Freygang’s email account and used it to send phony emails to Accounts Payable employees. The emails instructed them to electronically transfer $3 million to a Chinese bank. One employee fell for the scam and sent two $1.5 million transfers spaced four days apart. [From Magazine publisher loses $1.5 million in phishing attack – SC Magazine]
Ah well, you might think. No one cares about companies losing money because they can’t be bothered to implement secure e-mail. It’s their own fault and they are losing their own money. It’s like Gilfoyle says in Silicon Valley S02E07, it’s not even hacking, more a form of natural selection. Of course, I think industry reaction would be different if fraudsters were using the lack of e-mail security to steal money from hard-working families. Oh, wait…
Two days before the set completion date of February 27, Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into… Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead. [From ‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph]
This is a problem that has reached industrial scale. Criminals are targeting e-mail as the weakest link in the corporate chain and automating mass attacks against it.
The gang’s members, who were mainly from Nigeria, Cameroon and Spain, used malware and social engineering to compromise the computers of various large European companies. They then gained access to corporate email accounts and monitored them for payment-related communications from customers… Whenever such requests were detected, they used the email accounts to instruct customers to send their payments to bank accounts under their control. [From European authorities bust cybercrime gang that hijacked business payments | Network World]
We have made absolutely no progress since I first read about PGP all those years ago. We have e-mail security that works and it is used by Facebook but not by companies or banks or solicitors or anyone else. Surely it’s time for a change. It was no big deal to log in to Facebook and see “tell us your PGP key” and it shouldn’t be a big deal to log in to my bank and see “tell us your PGP key” either. Or they could stop using e-mail, just like the kids, and message me through the bank app that sits on my phone, by my side 24/7, and knows who I am, where I am and what I have been doing. Anyway, that’s all for today. I’ve just had an e-mail from Barclays that I have to deal with…