CIA director John Brennan said in October 2015 that he was “outraged” when a hacker broke into his personal email account but added the attack highlights how everyone’s personal data is vulnerable on the internet.
The information stolen included email contact addresses, his wife’s pension identification number, and the Social Security numbers and personal information of US intelligence officials.
Statistics provided by Hotspot Shield (an internet security company) reveal that around 150 billion emails are sent every day. Of these, each of us on average sends or receives 15 emails with attachments per day, i.e. 5,000 per year.
Alarmingly, 62% of people lose files received as attachments and 53% of people surveyed recall receiving emails with sensitive data such as credit card information and social security numbers.
What director John Brennan and a property management company in the Algarve, who contacted Safe Communities Algarve recently, have in common, however, is that they are concerned about the issue of email security.
The property management company asked me a very important question: whether the use of email is a secure way for their clients to pass passport information to their company?
This is a very good question because passing sensitive data affects virtually all of us. Secondly, it involves a much broader issue and that is, how do you send sensitive information from one side of the world to another with minimal risk that it will be intercepted and used for fraudulent purposes? Remember, most people who have had their email address book compromised is as a result of poor password settings or lack of email security.
Before you send your credit card information or other sensitive information online, over the phone or by mail, it helps to think like a hacker.
The reality is that 60% of companies have experienced a data breach of some kind in the last two years, many of which can be directly traced back to poor email security practices.
So the next time you’re about to share your credit card number, consider: where are the potential breach spots along the path your information will travel? What are the security loopholes, and how can you close them up so your information doesn’t fall into the wrong hands?
A number of internet security experts have thankfully considered these issues and the following highlights some of the common methods of sending credit card information, and their ratings concerning the security risk levels for the average consumer.
Unsecured email – Risk level: High
Security experts unanimously agree a normal unencrypted email is a very unsecure way to send sensitive information. Emails can be hacked, spoofed and eavesdropped.
Unsecured email offers criminals four points of exposure – your own computer, your email server, your recipient’s email server, and your recipient’s computer – making it one of the riskiest ways to send sensitive information.
Even if you are submitting the message through a secure connection, if either computer is infected with a virus or other malware, it leaves the door open to hackers.
“The designers of email didn’t intend for it to provide confidentiality,” said John Ackerly, CEO of Virtru, an email privacy company. “It’s kind of like sending a postcard, as opposed to sending a sealed letter.
Fax – Risk level: medium
The traditional method of sending information by fax is fairly secure. As long as both fax machines transmit and receive through the traditional method over telephone lines (as opposed to internet faxing), the process poses minimal privacy threat. “If someone was able to intercept the telephone line, all they would hear is the screechy noise” – the one you hear when connecting to the internet by dial-up modem.
A big risk enters when you can’t be certain the intended recipient is the only one who will see the fax. If you’re sending your credit card or other sensitive information, it is prudent to make sure that the recipient will be standing by the fax machine ready to receive it and immediately confirm its arrival. Also, make sure any confirmation printouts containing sensitive information – either on the sending or receiving end – are destroyed. This does not apply to personal fax users however.
Postal mail – Risk level: medium
Although it is becoming less necessary to send information such as bank statements by post, on occasion an order form or a bill will require sensitive information to be sent. Unfortunately in these situations you seal up the envelope and hope for the best.
There is a risk, however, that mail can simply become lost or stolen, so the risks are obviously there. Using couriers can reduce this risk, and this is now one of the preferred ways of sending credit cards worldwide.
Secure websites – Risk level: medium
You’ll know you’re at a secure website because your web browser will display “https” in the location or URL bar. Most web browsers feature a graphic lock you can click to examine the site’s security certificate. Secure sites help ensure that the data you send will be encrypted.
If sending sensitive information, consider using a document storage site such as Dropbox, or Oneshar.es, which allows you to send confidential information that self-destructs.
The catch involved in using these sites again is “weak endpoints”, say some experts, which means you can be on the most secure site over a secure internet connection and still have someone literally watching your keystrokes via spyware. The answer? Keep your malware protection up to date and stay vigilant.
Text message – Risk level – low (with additional protections)
It is hard for people to hack into text messages, but the risk to security involves their long life span; they exist on your phone until you delete them. If either the sender’s or recipient’s phone ends up in the wrong hands and the text message has not been deleted, it could pose a problem.
New technologies can make text messages more secure. There are companies that have added encryption technology to text messages and also include a message self-destruct feature, so they don’t stay permanently on the recipient’s end.
Encrypted email – Risk level: low
Although unsecured email is one of the worst ways to transmit sensitive information, you can eliminate a lot of risk by adding email encryption technology. Available options include Virtru and Infoencrypt. Any mail plug-in that utilises PGP (which stands for Pretty Good Privacy) will add a level of security by scrambling the information in transit until your intended recipient unlocks it with a security key. Some keys have an expiration time, providing additional protection.
Since the revelations about data snooping by the National Security Agency, Google and Yahoo have begun encrypting emails by default, but if your recipient doesn’t have encrypted email, your message is still vulnerable after it leaves the Gmail or Yahoo servers. In other words, security is only as good as the weakest link.
Additional ways to beef up your security
Watch out for public Wi-Fi – connecting to the internet in a public hot spot, such as a coffee shop, leaves your computer and your information vulnerable to attack. Disable file sharing and use a virtual private network (VPN) if you can.
You can send your credit card information in pieces. For example, send the number in one encrypted email; the expiration date in another; and your billing address in a third.
If you’re creating a paper trail by fax or mail, obscure some of the digits of your credit card number, and instruct the recipient to call for the remaining information.
Be sure to keep your computer up to date on anti-virus software – and don’t be shy about asking recipients what level of protection they have on their computers, too.
By David Thomas
David Thomas is a former Assistant Commissioner of the Hong Kong Police, consultant to INTERPOL and the United Nations Office on Drugs and Crime. In October 2011 he founded Safe Communities Algarve an on-line platform www.safecommunitiesalgarve.com here in the Algarve to help the authorities and the community prevent crime. It is now registered as Associação SCP Safe Communities Portugal, the first national association of its type in Portugal, with a new website www.safecommunitiesportugal.com launched in May 2015. He can be contacted at firstname.lastname@example.org, or on 913045093 or at www.facebook.com/scalgarve