[reallymarkedup]

Quote:

Originally Posted by zx10guy

I was told to email those documents to them. I was stunned. I said to her that you know sending sensitive documents via email is a huge security risk. She said that's the only way they can receive documents. I asked if they have a fax number. No.

Email is incredibly secure, the primary security risk inherent to sending an email is sending something to the wrong address. The easiest way to mitigate that is to have the third party send you an email you can respond directly to.

If you want an extra layer of security save your documents as a PDF and secure that with a password. If you want even more, secure the PDF with a password and then upload it to a protected server with 2fa requirements so that the receiving party has to log in, download the document, and then still enter their password. But really all of that is theater at that point, you would have been fine just sending the email.

None of the security breaches that have occurred were because of someone hacking an SMTP server. They were all stupidity on the part of the organization we blindly trusted to protect that data.

[zx10guy]

Quote:

Originally Posted by reallymarkedup

Email is incredibly secure, the primary security risk inherent to sending an email is sending something to the wrong address. The easiest way to mitigate that is to have the third party send you an email you can respond directly to.

If you want an extra layer of security save your documents as a PDF and secure that with a password. If you want even more, secure the PDF with a password and then upload it to a protected server with 2fa requirements so that the receiving party has to log in, download the document, and then still enter their password. But really all of that is theater at that point, you would have been fine just sending the email.

None of the security breaches that have occurred were because of someone hacking an SMTP server. They were all stupidity on the part of the organization we blindly trusted to protect that data.

That's a big negative. Email flows through servers and can traverse different servers before arriving to its ultimate destination. Even financial institutions tell people to never send anything over email with sensitive personal information. For my day to day work we are not allowed to send email with sensitive information outside of the organization without first encrypting it with tools such as PGP.

What you don't understand with this state agency is there is no method of doing pseudo two factor authentication. It goes into one general email bin and gets processed from there. Me sending something password locked/encrypted and then following up with an email with the password does nothing in this case. At a minimum my state should have half a brain to set up a secure "drop box" for me to upload my documents which most financial agencies I've worked with now do.

[reallymarkedup]

Okay. Well carry on then.

[JeffL0]

Quote:

Originally Posted by zx10guy

That's a big negative. Email flows through servers and can traverse different servers before arriving to its ultimate destination.

This. SMTP was never intended to be secure, the protocol was implemented before anyone knew how to spell security.

The above mention of encrypting files before sending is the bare minimum, the further suggesting of uploading to a secure sever rather than sending via email is another good measure. Where people often fail in this encryption attempt is they then send the password over the same insecure channel. Better to convey the password over a different/independent method, such as a voice call.

[M_Six]

Quote:

Originally Posted by vreihen16

The latest breach was of a company that did background searches for employers, and somehow they had a private copy of every single SS# ever issued that was stolen.

The news is full of "how to know if your info was stolen" clickbait articles. Rather than read the article, assume that it has been stolen if any digit in your SS# is in the range of 0-9.....

Up until the Age of the Internet, Massachusetts used your SSN for your driver's license number. It was printed right there on your license. Imagine losing such a license today? Full name, DOB, SSN, address, all on one card.

[vreihen16]

Quote:

Originally Posted by M_Six

Up until the Age of the Internet, Massachusetts used your SSN for your driver's license number. It was printed right there on your license. Imagine losing such a license today? Full name, DOB, SSN, address, all on one card.

Funny thing is that NY State used a 17-character driver's license number until converting to a 9-digit number in the 1990's. I still remember mine, because I had to write all 17 characters on racing registration forms every weekend.....