We must stop solicitors from using e-mail as soon as possible

I was watching Panorama on the BBC on Monday. It was about hacking, ID theft, the usual stuff. The main takeaway for the general public was, I think, that everyone’s personal details have already been stolen and are common currency amongst criminals.

Hackers have stolen the personal details of millions of customers from companies like Talk Talk. So how do cybercriminals get hold of our data? Reporter Daniel Foggo meets the hackers who can break into any website and finds out how criminals profit from our information.

[From BBC One – Panorama, How Hackers Steal Your ID]

It featured one sad case of a woman who had been misled by fraudsters. She was buying a house and got an e-mail from (she thought) her solicitor asking her to transfer the funds for the house purchase (some £50,000) to a particular bank account. She did. The e-mail was, of course, from crooks and they transferred the money out and were never seen again (so much for the KYC/AML checks we spend so much money on). With so much money at stake, I couldn’t help but wonder, wouldn’t some form of security seem appropriate?

According to the American Bar Association (ABA), only a third of lawyers use encryption to communicate with their clients and of the lawyers who claim that they do use encryption, fully a third cannot say what kind of encryption they use. Of those who could say what type of encryption they use, the most commonly identified type was general purpose software with encryption features that required the recipient to be sent a separate password. Which is perfectly acceptable: I do the same all the time, using some zip utility to encrypt with a password then texting the password to the recipient. But I can’t help but wonder: why is it that Facebook can send me e-mail that is encrypted and digitally-signed and lawyers cannot? It’s not as if there isn’t a threat model!

Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.

But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account. Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.

[From Email hacking: another home-seller robbed of £270,000 – Telegraph]

Just in case you are thinking that I’m highlighting odd or exceptional cases in order to make a point, I can assure you that I am not. This sort of thing goes on all the time in the UK.

Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.

As millions of people do regularly and without thought, he duly replied, sending his Barclays bank account number and sort code.
The email was intercepted by fraudsters. Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.

[From ‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph]

After all these years, we still can’t make e-mail security work. Imagine the hassle that the average solicitor would face in trying to get an average customer to install GPG or something. It’s never going to happen. The solution, as Ian Grigg pointed out seven years ago when I was going on about the security of e-mail another time, is to stop trying to fix e-mail and (as my teenagers did) move somewhere else. Why not use messaging systems that are secure, like FaceTime? Yes, they aren’t interoperable (so you would need to know whether the customer had Skype or Yahoo or WeChat or WhatsApp or whatever) but I don’t think it would be hard to set up a few accounts. Then the fraudsters would have to take over the solicitor’s account rather than just send an e-mail. This would have two immediate benefits: first, the security of the account would be specifically the problem of the solicitor and they would fix it by using strong authentication and, second, all communications could be encrypted (I remember that we worked on a pilot system like this – for financial services rather than for solicitors – a few years ago and even then the overheads associated with encrypting and signing were negligible).

We need solicitors to stop using e-mail as soon as possible, but we need to provide a viable alternative. If not social media or messaging, then why can’t we have something like they have in Denmark, where everyone has a sort of secure government postbox?

P.S. It’s a rhetorical question. I know perfectly well why we can’t: it’s because Denmark has a national digital identity infrastructure and we don’t. But why not have it as a bank service, like the Barclays Cloud thingy? Since the solicitor knows your bank account, they would automatically know which bank cloud to send the documents to. And if you wanted to tell your solicitor to send money somewhere else or some other instruction, you would have to do it from inside your bank cloud. Surely, with a nuclear-powered robot on Mars, it ought to be possible to send documents from a postbox in one bank cloud to a postbox in another?

Facebook can send me secure e-mail, why can’t my bank?

Sometime, two decades or so ago, I remember reading about Pretty Good Privacy (PGP), a mass-market implementation of e-mail encryption and digital signatures using public key cryptography (PKC) that created a practical public key infrastructure (PKI). A decade or so later, I wrote a piece for The Guardian (I used to write the “Second Sight” column for The Guardian from 1999 until 2005) saying that safe, secure e-mail would become the norm and that the end of spam was inevitable (an economic argument based on computational costs). How utterly wrong I was. Spam continues to this day, although to be fair it is less of a pain than it used to be, and since Generation Whatever never use e-mail anyway, soon it won’t matter whether it is encrypted or not, since the next generation will view it as nothing more than a relic from the early days of the web, a vestigial service of no practical use or interest to them.

But we are where we are, and the thing that always struck me as most important about PGP was that it worked. Yes. It worked (and so does S/MIME). Encrypting e-mail and adding digital signatures works. It has worked for years. Hence I was nicely surprised to see an announcement from Facebook that they were to start using PGP to encrypt and sign notification e-mails as a defence against spoofing and phishing. I thought I’d give it a try so I signed up. It was easy. I downloaded GPG for OS X, created a new key pair for my Facebook-related e-mail address and turned on PGP.

[Image: facebooks if you want encrypted]

After this, when my next Facebook notification e-mail arrived, it had indeed been encrypted using my public key and signed by Facebook’s private key. Hence I could be certain that it had come from Facebook and certain that it was for me and certain that no-one else had intercepted it and read it. It works. Haven’t figured out how to read it on the iPhone yet, but hey, someone will point me in the direction of a GPG for iOS soon I’m sure.

[Image: encrypted facebook]

This led me to wonder, idly, why my bank didn’t encrypt and sign e-mails as well since, as you might have noticed, tampering with e-mail leads to rather a lot of fraud. And then I thought no more about it until I came across a message in my junk mail that purported to come from Barclays. When I read it, I noticed that it was digitally-signed so that I could be sure it came from them. Hurrah. But when I clicked on the signature to verify it…

[Image: barclays bad sig]

I saw the red warning and naturally assumed that the e-mail was dodgy. The incomprehensible error message suggested to me that it didn’t come from Barclays after all. The fraudsters are getting better all the time! Just to recap: I now live in a world where I can be sure that a message from Facebook really did come from Facebook and that no sensitive information in the message could have been snaffled by miscreants-in-the-middle but I haven’t the slightest idea whether a message that says it comes from my bank really does, whether it really is for me or whether it’s been altered by crooks in transit. Truly bizarre: no wonder my kids don’t use e-mail any more. Companies do though.

attackers accessed previous CEO Dave Freygang’s email account and used it to send phony emails to Accounts Payable employees. The emails instructed them to electronically transfer $3 million to a Chinese bank. One employee fell for the scam and sent two $1.5 million transfers spaced four days apart.

[From Magazine publisher loses $1.5 million in phishing attack – SC Magazine]

Ah well, you might think. No one cares about companies losing money because they can’t be bothered to implement secure e-mail. It’s their own fault and they are losing their own money. It’s like Gilfoyle says in Silicon Valley S02E07, it’s not even hacking, more a form of natural selection. Of course, I think industry reaction would be different if fraudsters were using the lack of e-mail security to steal money from hard-working families. Oh, wait…

Two days before the set completion date of February 27, Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into… Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.

[From ‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph]

This is a problem that has reached industrial scale. Criminals are targeting e-mail as the weakest link in the corporate chain and automating mass attacks against it.

The gang’s members, who were mainly from Nigeria, Cameroon and Spain, used malware and social engineering to compromise the computers of various large European companies. They then gained access to corporate email accounts and monitored them for payment-related communications from customers… Whenever such requests were detected, they used the email accounts to instruct customers to send their payments to bank accounts under their control.

[From European authorities bust cybercrime gang that hijacked business payments | Network World]
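The cases quoted above share one shape: an e-mail that carries or changes bank details and arrives with nothing the recipient can verify. The sketch below is an added example, not code from the original post; the function names, keyword patterns and sample messages are constructed assumptions. It uses Python's standard `email` parser to hold such messages for a phone call-back unless they at least carry an OpenPGP or S/MIME signature part, which must then be verified separately.

```python
import re
from email import message_from_string

# MIME signature protocols: OpenPGP (RFC 3156) and S/MIME.
SIG_PROTOCOLS = {"application/pgp-signature", "application/pkcs7-signature",
                 "application/x-pkcs7-signature"}
# Constructed heuristics: UK sort code, 8-digit account number, change wording.
SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")
CHANGE = re.compile(r"disregard|different account|new (bank )?(account|details)", re.I)

def has_signature_structure(msg):
    """True if the message is multipart/signed with a known protocol.
    Presence only: the signature itself must still be verified against a key."""
    return (msg.get_content_type() == "multipart/signed"
            and str(msg.get_param("protocol") or "").lower() in SIG_PROTOCOLS)

def body_text(msg):
    """Concatenate the decoded text/plain parts of the message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw_message):
    """Return 'pass', 'verify-signature' or 'hold-for-callback'."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    payment = (SORT_CODE.search(text) and ACCOUNT_NO.search(text)) or CHANGE.search(text)
    if not payment:
        return "pass"
    return "verify-signature" if has_signature_structure(msg) else "hold-for-callback"

# Constructed sample messages (not real correspondence).
HEAD = "From: client@example.com\nTo: solicitor@example.com\nSubject: Sale proceeds\n"
UNSIGNED = HEAD + "\nPlease disregard the previous details and use 12-34-56 12345678.\n"
ROUTINE = HEAD + "\nThank you, see you at completion on Friday.\n"
SIGNED = (HEAD + 'MIME-Version: 1.0\nContent-Type: multipart/signed; '
          'protocol="application/pgp-signature"; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
          "Pay the proceeds to sort code 12-34-56, account 12345678.\n"
          "--b1\nContent-Type: application/pgp-signature\n\n"
          "(constructed placeholder, not a real signature)\n--b1--\n")

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("routine", ROUTINE), ("signed", SIGNED)):
        print(name, "->", triage(raw))
```

A result of `verify-signature` means only that a signature part is attached; the actual check against the sender's known public key is a separate step that this sketch does not perform.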

We have made absolutely no progress since I first read about PGP all those years ago. We have e-mail security that works and it is used by Facebook but not by companies or banks or solicitors or anyone else. Surely it’s time for a change. It was no big deal to log in to Facebook and see “tell us your PGP key” and it shouldn’t be a big deal to log in to my bank and see “tell us your PGP key” either. Or they could stop using e-mail, just like the kids, and message me through the bank app that sits on my phone, by my side 24/7, and knows who I am, where I am and what I have been doing. Anyway, that’s all for today. I’ve just had an e-mail from Barclays that I have to deal with…

[Image: email from the real Barclays]

Toodle pip!

