Facebook can send me secure e-mail, why can’t my bank?

Sometime, two decades or so ago, I remember reading about Pretty Good Privacy (PGP), a mass-market implementation of e-mail encryption and digital signatures using public key cryptography (PKC) that created a practical public key infrastructure (PKI). A decade or so later, I wrote a piece for The Guardian (I used to write the “Second Sight” column for The Guardian from 1999 until 2005) saying that safe, secure e-mail would become the norm and that the end of spam was inevitable (an economic argument based on computational costs). How utterly wrong I was. Spam continues to this day, although to be fair it is less of a pain than it used to be, and since Generation Whatever never uses e-mail anyway, soon it won’t matter whether it is encrypted or not: the next generation will view it as nothing more than a relic from the early days of the web, a vestigial service of no practical use or interest to them.

But we are where we are, and the thing that always struck me as most important about PGP was that it worked. Yes. It worked (and so does S/MIME). Encrypting e-mail and adding digital signatures works. It has worked for years. Hence I was nicely surprised to see an announcement from Facebook that they were to start using PGP to encrypt and sign notification e-mails as a defence against spoofing and phishing. I thought I’d give it a try so I signed up. It was easy. I downloaded GPG for OS X, created a new key pair for my Facebook-related e-mail address and turned on PGP.


After this, when my next Facebook notification e-mail arrived, it had indeed been encrypted using my public key and signed by Facebook’s private key. Hence I could be certain that it had come from Facebook and certain that it was for me and certain that no-one else had intercepted it and read it. It works. Haven’t figured out how to read it on the iPhone yet, but hey, someone will point me in the direction of a GPG for iOS soon I’m sure.


This led me to wonder, idly, why my bank didn’t encrypt and sign e-mails as well since, as you might have noticed, tampering with e-mail leads to rather a lot of fraud. And then I thought no more about it until I came across a message in my junk mail that purported to come from Barclays. When I read it, I noticed that it was digitally-signed so that I could be sure it came from them. Hurrah. But when I clicked on the signature to verify it…


I saw the red warning and naturally assumed that the e-mail was dodgy. The incomprehensible error message suggested to me that it didn’t come from Barclays after all. The fraudsters are getting better all the time! Just to recap: I now live in a world where I can be sure that a message from Facebook really did come from Facebook and that no sensitive information in the message could have been snaffled by miscreants-in-the-middle but I haven’t the slightest idea whether a message that says it comes from my bank really does, whether it really is for me or whether it’s been altered by crooks in transit. Truly bizarre: no wonder my kids don’t use e-mail any more. Companies do though.

attackers accessed previous CEO Dave Freygang’s email account and used it to send phony emails to Accounts Payable employees. The emails instructed them to electronically transfer $3 million to a Chinese bank. One employee fell for the scam and sent two $1.5 million transfers spaced four days apart.

[From Magazine publisher loses $1.5 million in phishing attack – SC Magazine]

Ah well, you might think. No one cares about companies losing money because they can’t be bothered to implement secure e-mail. It’s their own fault and they are losing their own money. It’s like Gilfoyle says in Silicon Valley S02E07, it’s not even hacking, more a form of natural selection. Of course, I think industry reaction would be different if fraudsters were using the lack of e-mail security to steal money from hard-working families. Oh, wait…

Two days before the set completion date of February 27, Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into… Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.

[From ‘Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale’ – Telegraph]

This is a problem that has reached industrial scale. Criminals are targeting e-mail as the weakest link in the corporate chain and automating mass attacks against it.

The gang’s members, who were mainly from Nigeria, Cameroon and Spain, used malware and social engineering to compromise the computers of various large European companies. They then gained access to corporate email accounts and monitored them for payment-related communications from customers… Whenever such requests were detected, they used the email accounts to instruct customers to send their payments to bank accounts under their control.

[From European authorities bust cybercrime gang that hijacked business payments | Network World]

We have made absolutely no progress since I first read about PGP all those years ago. We have e-mail security that works and it is used by Facebook but not by companies or banks or solicitors or anyone else. Surely it’s time for a change. It was no big deal to log in to Facebook and see “tell us your PGP key” and it shouldn’t be a big deal to log in to my bank and see “tell us your PGP key” either. Or they could stop using e-mail, just like the kids, and message me through the bank app that sits on my phone, by my side 24/7, and knows who I am, where I am and what I have been doing. Anyway, that’s all for today. I’ve just had an e-mail from Barclays that I have to deal with…


Toodle pip!

And I’ve got my bronze swimming certificate

When I’m talking about identity, I sometimes joke that our ill-thought out perspectives on the topic have led to the bizarre situation that in the UK it is much easier to get a job with a bank than an account. In The Daily Telegraph for 29th January 2011, I read under the headline “False CV Fooled Bank” that:

A fraudster used a false CV [claiming degrees from Oxford and Harvard] to gain a £165,000 per annum job at a City investment bank.

I assumed that everybody made up stuff on their resumes, but it turns out that it’s against the law, so the culprit, Mr. Peter Gwinnell, was prosecuted and given a suspended sentence (I assume he’ll skip over this on his next CV). We keep being told that employers use Facebook profiles nowadays (I hope they use mine: it says that I am the most intelligent person alive today and that Nelson Mandela queued for my autograph) so perhaps CVs will soon be a thing of the past. Just out of curiosity I googled Mr. Gwinnell and found that as well as his empty LinkedIn profile, the bald fact of his departure is there on the web.

PETER GWINNELL Appointment terminated as director on 15 Feb 2010 (Document)

[From AHLI UNITED BANK (UK) PLC of W1H 6LR in LONDON UNITED KINGDOM]

To be honest, if an employer wanted proof of my A-Level in Mathematics or O-Level in British Constitution or the Degree I scraped through with in 1980, I’d be hard pressed to provide it. I don’t have the faintest idea where the relevant certificates are. I suppose I could ring the University and ask them to send me a letter, but how would the employer know I hadn’t forged the letter? And how would Southampton University know that it is me calling? Or, for that matter, how would they know that I hadn’t forged the O-Level in British Constitution certificate?

When I started my first job after university, I don’t remember being asked to provide any such proof. Come to that, I don’t remember being asked to prove who I was either. In those days, all you needed was a national insurance number. But if employers are going to want proof, like the actual certificates, then there will be a bit of a premium on the certificates. Once the certificates are worth something, they will be stolen. This is what happens in China.

Local officials said the files were lost when state workers moved them from the first to the second floor of a government building. But the graduates say they believe officials stole the files and sold them to underachievers seeking new identities and better job prospects — a claim bolstered by a string of similar cases across China.

[From Files Vanished, Young Chinese Lose the Future – NYTimes.com]

How are we going to deal with this digitally? It shouldn’t be that complicated for Harvard to create a digital certificate to attest to the fact that the owner of a particular identity did, in fact, graduate. If there were some sort of device or token, perhaps some form of card, that contained my educational identity (ie, key pair) then Harvard could simply sign the public key with their private key and the whole problem is fixed (glossing over, of course, where this device or token might come from, and so on).

Something does have to be done though. The current system is simply a joke. It’s quite funny when someone cons a bank into giving them a senior position despite knowing nothing about banking (imagine!) but one of the areas that really bothers me, and probably should bother you too, is the ease with which medical credentials are forged.

A conman from Lancashire who posed as a vet and nearly killed a pony by botching its castration has been jailed for two years. Russell Oakes also masqueraded as a doctor, carried out an intimate examination and charged for false diagnoses, Liverpool Crown Court heard. The 43-year-old, of Hesketh Bank, admitted 41 charges of fraud, forgery and perverting the course of justice.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

How did he do this? Was he a master forger, capable of producing an authentic-looking medical school diploma using specially-aged paper, his engraving skills and authentic ink procured from the correct German manufacturer? No, of course not: this is a post-modern crime.

He bought a fake university certificate off the internet, the court heard.

[From BBC News – Bogus Lancashire vet jailed after botched castration]

Now imagine an alternative infrastructure. I am asked to prove that I have a degree from Southampton University. I log on to the university using my OpenID id.dave.com and answer some questions, provide some data, to satisfy the university that I am, indeed, the relevant dave. My OpenID profile includes a public key, so the university creates a public key certificate, signing that key and some standard data that they provide. I can now give this certificate to anyone, and they can check it by verifying the signature using the published Southampton University public key, resolving the certificate chain in the usual way.
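The attestation flow sketched here and in the Harvard paragraph above, as an added example (not from the original post, and not any real university’s or OpenID provider’s code): an issuer signs the holder’s public key plus some standard data, a relying party verifies that signature with the issuer’s published key, and then, a step the sketch glosses over, checks that the person presenting the certificate actually controls the key it names. Ed25519 is used in place of the unspecified PKI algorithm; the credential fields, names and nonce are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the "standard data" a university attests to, bound to the holder's public key (hypothetical fields).
type Credential struct {
	Issuer    string `json:"issuer"`
	Subject   string `json:"subject"`    // holder identifier, e.g. an OpenID
	SubjectPK []byte `json:"subject_pk"` // holder's Ed25519 public key
	Claim     string `json:"claim"`
	Year      int    `json:"year"`
}

// canonical gives the exact bytes signed and verified; struct fields marshal in declaration order, so it is deterministic.
func canonical(c Credential) []byte {
	b, _ := json.Marshal(c) // cannot fail for this struct
	return b
}

// Issue: the university signs the credential with its private key; the signature is the "certificate".
func Issue(issuerPriv ed25519.PrivateKey, c Credential) []byte {
	return ed25519.Sign(issuerPriv, canonical(c))
}

// Verify: check the issuer's signature with the issuer's published public key, then check that the
// presenter controls the key named in the credential by verifying their signature over a fresh
// challenge. Without the second step anyone holding a copy could present the credential as their own.
func Verify(issuerPub ed25519.PublicKey, c Credential, sig, challenge, proof []byte) bool {
	if len(c.SubjectPK) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, canonical(c), sig) {
		return false // malformed, tampered, forged or from an unknown issuer
	}
	return ed25519.Verify(ed25519.PublicKey(c.SubjectPK), challenge, proof)
}

// Demo runs the flow end to end with constructed keys and data: a genuine presentation, a credential
// altered after issuance, and a genuine credential presented by someone without the holder's private key.
func Demo() (genuine, tampered, impostor bool) {
	uniPub, uniPriv, _ := ed25519.GenerateKey(rand.Reader)   // published / kept secret by the university
	davePub, davePriv, _ := ed25519.GenerateKey(rand.Reader) // the holder's key pair
	_, peterPriv, _ := ed25519.GenerateKey(rand.Reader)      // someone else's key
	cred := Credential{"Southampton University", "id.dave.com", davePub, "BSc", 1980}
	sig := Issue(uniPriv, cred)
	challenge := []byte("fresh nonce chosen by the relying party")
	genuine = Verify(uniPub, cred, sig, challenge, ed25519.Sign(davePriv, challenge))
	altered := cred
	altered.Claim = "PhD" // edited after signing: the signature no longer matches
	tampered = Verify(uniPub, altered, sig, challenge, ed25519.Sign(davePriv, challenge))
	impostor = Verify(uniPub, cred, sig, challenge, ed25519.Sign(peterPriv, challenge))
	return
}

func main() {
	g, t, i := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "impostor:", i) // true false false
}
```

The real-world version adds the chain walk the paragraph mentions (who vouches for the university’s key) and revocation; both sit outside what this block shows.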

the BBC suffered another embarrassment today after a man interviewed on Radio 4’s World at One who claimed to be a Liberal Democrat MP was revealed to be an imposter.

[From Radio 4 follows Jeremy Hunt gaffe by interviewing fake MP | Media | guardian.co.uk]

How would the proposed infrastructure help here? The system has to be so easy to use that a harassed BBC researcher can use it. Come to that, it has to be so easy that military installations, the police and others can use it too.

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD’s military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area

[From Schneier on Security: The Security Threat of Forged Law-Enforcement Credentials]

Step forward the mobile phone. Every single one of the people who were “verifying” IDs in these stories has a mobile phone, so there’s no need to look any further. The military policeman’s mobile phone should be able to check your ID. And your mobile phone should be able to check his ID. And if you’re both using mobile phones, both IDs can be checked simultaneously. We already know that symmetry is an important property of an identity infrastructure: the bank needs to be able to check it’s me, but I need to be able check it’s the bank. And the mobile phone can do both. So next time Peter shows up for an interview, the interviewer can simply tap Peter’s NFC phone against their NFC phone and see a full list of his credentials.

(Law enforcement has special additional issue though: sometimes, the policeman doesn’t want to reveal that he’s a policeman, but that’s a topic for another day.)

Red army

[Dave Birch] Oh no! According to tonight’s news reports, the UK is bracing itself for cyberattack from the “hackers” supporting Julian Assange and Wikileaks. Apparently vital government services are at risk from the group called “Anonymous” launching distributed denial-of-service (DDOS) attacks. A bit like this guy, from the group “Not Anonymous At All”:

A 17-year-old from Manchester has been arrested by the Metropolitan Police’s e-crime unit (PCeU) on suspicion of being behind a denial of service attack against the online game Call of Duty.

[From Call of Duty DDoS attack police arrest teen • The Register]

He was, of course, traced from his IP address. I thought it was funny, in a way, that journalists and politicians refer to the LOIC kids as “hackers” when they are anything but. What’s more, as I said when Charles Arthur was kind enough to invite me on to The Guardian’s Technology Podcast, they have chosen a particularly funny way to join the Anonymous group of internet vigilantes: software that isn’t anonymous in the least and that delivers their IP addresses to their intended victims, thus making it easy for them to be traced and arrested. This is, in fact, precisely what has happened.

A 16-year-old boy was arrested in the Netherlands in connection with a series of cyber attacks on Visa, MasterCard

[From Dutch teen arrested over cyber attacks on Visa, MasterCard]

My personal views about Wikileaks and the “Cable Gate” DDOS attacks are irrelevant. (I will say this: that if you don’t like MasterCard then cancel your card and leave mine out of it). But they will certainly have an impact on thinking and the calls for “something to be done” mean change. Since there’s no way to stop people from copying data (as the music industry has discovered), that’s probably not a fruitful line of thinking. So what will happen?

What technology may lead to are “red” and “blue” internets. (Note that “blue and red” are here allusions to the military labelling of secure and insecure networks, they are nothing to do with blue and red pills in The Matrix.) Essentially, there will be secure and insecure internets both running over the same IP networks.

On the red, open, internet people and organisations will exchange encrypted data across an untrusted network. Some people may choose not to connect to the red internet at all and only crazy people (and organisations) will send unencrypted data to unauthenticated counterparties.

On the blue, closed, internet you will need to authenticate yourself before you are allowed to access anything and a digital identity infrastructure will deliver privacy (and in some cases anonymity) through cryptography, not through data protection registrars or privacy ombudsmen. In order to connect to the government, or Facebook, or Amazon, you will have to use the blue internet: they simply won’t be connected to the red internet any more. At home, I will probably set my internet connection to blue only.

Now, some of you may be concerned that, as The Daily Telegraph told us, the Chinese government have a master key that can decrypt everything on the Internet, in which case the entire Internet will be — very literally indeed — red forever.

While sensitive data such as emails are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key which could be used to break into redirected traffic.

[From China ‘hijacks’ 15 per cent of world’s internet traffic – Telegraph]

But look on the bright side: since the Chinese have “a copy” of this mythical master key, someone else must have the original, and they will be able to read all of the Chinese government’s e-mail and put that on Wikileaks too.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public

Stux on you

[Dave Birch] The media are full of cyberwar at the moment. I’m sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that “several” uranium enrichment centrifuges were damaged by “software installed in electronic equipment,” amid speculation Iran’s nuclear activities had come under cyberattack.

[From France24 – Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.

Vote “no” to yesterday’s technology

[Dave Birch] The recent Pew report on the Future of the Internet makes the same point that I have been droning on about for ages. Looking at PCs and the web doesn’t tell you anything about the future, because the future is mobile.

“Clearly, in the long run, mobile wins,” says Consult Hyperion’s Birch. “For most people, in most of the world, most of the time, the mobile phone is the most important device.”

[From FST]

Now, in some advanced countries, it is seen as natural to begin to transfer applications that hinge on identity over to the most personal interweb interface, the mobile phone. An interesting case study is Estonia. We’ve looked before at Estonia’s use of new technology and they are back at the forefront this month:

Lawmakers approved a measure Thursday allowing citizens to vote by mobile phone in the next parliamentary elections in 2011… The mobile-voting system, which has already been tested, requires that voters obtain free, authorized chips for their phones, said Raul Kaidro, spokesman of the SK Certification Center, which issues personal ID cards in Estonia.

[From Estonia to vote by mobile phone in 2011 – International Herald Tribune]

This is a similar architecture to that being deployed in Turkey, where the key pair at the heart of the scheme is stored in the SIM and the on-board application uses it for digital signatures.

Population-scale PKI

[Dave Birch] The Land Registry, the government agency that records who owns Britain’s land and buildings, has spent the past decade developing an e-conveyancing system to make buying and selling houses easier and more certain. It’s going to be using PKI to secure the system. Authorised parties will be able to exchange information quickly, securely and reliably with each other and the Land Registry. Documents will be encrypted and “signed” with a digital certificate, and people will require a secure token, username and password to produce and read the documents. Final testing is underway and when it goes live, expected in early summer, it will be able to process up to 300,000 documents a day and support up to half a million security “certificates” from property professionals such as conveyance attorneys.
