When is “Secure Email” only a Veneer of Security?
I recently applied for a new insurance policy with a fairly well-known insurance agency (who shall remain nameless). When all the preliminaries were done, the representative emailed me copies of the new policies. They were “secure” emails. I was very impressed … they thought enough of my privacy and identity to ensure that sensitive documents would be sent securely. And, working in an email security company, I actually know and appreciate the ramifications of that perhaps more than most.
So, once I finally got around to accessing the message, I discovered that it was really not secure at all! Even though the subject said “secured”, the representative said it was secure, and the PDFs of the policy documents were not physically in the message, it was really completely insecure! My faith in the company is now somewhat tarnished (though they might not even know about the issue) … and I have serious doubts about whatever provider they are using to facilitate these “secure messages”.
How do I know it was insecure?
Here is how accessing the message worked. The message essentially:
- Thanked me and asked me to click on a link to access the message contents
- Asked me to “register” once I clicked on the link — providing a username, password, and security questions/answer. This is required because I had never communicated with the company before.
- Presented me with the message contents
It all seemed secure on the surface:
- The sensitive information was not sent in the regular email to me
- The web session, and therefore all of the message content, was transmitted over SSL.
- I had to register — and have to use that password to access the message in the future.
The security problem unveiled
A secure message must meet the following two basic criteria:
- No one eavesdropping on your network communications should be able to access the secure message content
- Only the intended recipient should be able to open the message.
These two criteria are completely violated in this example “secure” message. Why?
- The notification to the recipient is not itself secured and may be eavesdropped upon by someone (e.g. someone using the same wifi hotspot, in the same corporate network, using the same ISP, etc.)
- If the eavesdropper reads the notification and follows the pick-up link, that person can register as me (since I had never registered before), choosing any password he likes. He can then read all of the documents, and has locked me out as well.
Of course, individual recipients may be somewhat better protected if they read their mail over SSL, run inbound mail servers that accept TLS, and so on. However, that does not prevent eavesdropping, because nothing requires this sender to deliver the notice over an encrypted connection, and the link inside that notice is the only thing standing between an eavesdropper and the documents.
So, while I know that no one read this message (I still had to register when I picked it up), someone could have, and would then have had access to sensitive, private information.
Any company using a “secure email” system like this should be very wary as it provides only a veneer of security and is not HIPAA compliant.
How could you “Fix” the security flaw?
The access afforded to eavesdroppers arises because anyone who can access the email message can register and login … there is no authentication of the recipient and no assured encryption to prevent eavesdropping.
One partial solution is to use SMTP TLS for delivery to the recipient’s server. When both servers support it, the notification (and the message itself) is encrypted on the wire automatically and seamlessly, with no action by the recipient. However, a large majority of email servers do not support TLS yet, so it cannot be relied upon; and even where it works, it only protects the hop between the two servers, not the mailbox the message lands in or anyone else who can read it there.
The real solution is to ensure that only the intended recipient can open the secure message. This is done by requiring the recipient to enter a password, or to answer a question the sender set up in advance, before access to the message content is granted. The shared secret must reach the recipient by some channel other than the notification email itself (for example, something the sender and recipient already know from their prior dealings); if it travels in the same message as the link, the eavesdropper gets both. With a system like this, even if an undesirable got hold of the “pick up your secure message” notification, that person could not access the message content without also knowing the password or answer.
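To make the difference concrete, here is an added example (not LuxSci code, nor any vendor’s) that models both pickup flows as a small in-memory service: the flawed flow, where whoever follows the link first “registers” and owns the message, beside the escrow flow, where the link is useless without an answer the sender arranged with the recipient ahead of time. The class and function names, the token format, the PBKDF2 parameters and the attempt limit are all assumptions for illustration; the sample policy text and the security answer are constructed.

```python
"""Model of the two message-pickup flows discussed above.

Added example, not code from the original post or from LuxSci. Names, the
token format, the PBKDF2 round count and the attempt limit are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 50_000   # assumption; tune for your hardware
MAX_ATTEMPTS = 5         # assumption: lock the message after this many wrong answers


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so stored passwords/answers are not trivially recoverable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class EscrowedMessage:
    recipient: str
    body: str
    salt: bytes
    answer_hash: Optional[bytes]          # None when the sender set no question
    registered_by: Optional[str] = None   # flawed flow: whoever claimed the link first
    password_hash: Optional[bytes] = None
    failed_attempts: int = 0


class Escrow:
    """Constructed stand-in for a 'secure message' pickup site."""

    def __init__(self) -> None:
        self._store: dict = {}

    def send(self, recipient: str, body: str, answer: Optional[str] = None) -> str:
        """Escrow a message and return the pickup token that goes into the
        plaintext notification email. Anyone who reads that email has the token."""
        token = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self._store[token] = EscrowedMessage(
            recipient, body, salt, _derive(answer, salt) if answer else None)
        return token

    def flawed_pickup(self, token: str, claimed_identity: str, password: str) -> str:
        """The flow the post describes: possession of the link is the only check.
        The first visitor registers and from then on owns the message."""
        msg = self._store[token]
        if msg.registered_by is None:
            msg.registered_by = claimed_identity
            msg.password_hash = _derive(password, msg.salt)
            return msg.body
        if hmac.compare_digest(_derive(password, msg.salt), msg.password_hash):
            return msg.body
        raise PermissionError("wrong password; message already registered")

    def escrow_pickup(self, token: str, answer: str) -> str:
        """Hardened flow: the link alone is worthless without the answer the
        sender arranged out of band, and guesses are limited."""
        msg = self._store[token]
        if msg.answer_hash is None:
            raise ValueError("sender set no security question for this message")
        if msg.failed_attempts >= MAX_ATTEMPTS:
            raise PermissionError("message locked after too many wrong answers")
        if not hmac.compare_digest(_derive(answer, msg.salt), msg.answer_hash):
            msg.failed_attempts += 1
            raise PermissionError("wrong answer")
        return msg.body


def demo() -> dict:
    """Replay the scenario from the post: an eavesdropper on the notification
    email reaches the link before the real recipient does."""
    results = {}
    policy = "constructed sample policy document"   # constructed content
    answer = "blue-lagoon-1987"                     # constructed, assumed shared out of band

    # Flawed flow: no shared secret, so the link is the only credential.
    flawed = Escrow()
    token = flawed.send("customer@example.com", policy)
    results["eavesdropper_reads_flawed"] = (
        flawed.flawed_pickup(token, "customer@example.com", "attackerpw") == policy)
    try:
        flawed.flawed_pickup(token, "customer@example.com", "mychosenpw")
        results["real_recipient_locked_out"] = False
    except PermissionError:
        results["real_recipient_locked_out"] = True

    # Escrow flow: the sender pre-arranged an answer with the recipient.
    hardened = Escrow()
    token = hardened.send("customer@example.com", policy, answer=answer)
    try:
        hardened.escrow_pickup(token, "password")   # eavesdropper guessing
        results["eavesdropper_reads_escrow"] = True
    except PermissionError:
        results["eavesdropper_reads_escrow"] = False
    results["real_recipient_reads_escrow"] = hardened.escrow_pickup(token, answer) == policy

    # Brute-force resistance: after MAX_ATTEMPTS wrong answers the message locks,
    # even for the right answer.
    locked = Escrow()
    token = locked.send("customer@example.com", policy, answer=answer)
    for _ in range(MAX_ATTEMPTS):
        try:
            locked.escrow_pickup(token, "guess")
        except PermissionError:
            pass
    try:
        locked.escrow_pickup(token, answer)
        results["locked_after_guesses"] = False
    except PermissionError:
        results["locked_after_guesses"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is where the secret comes from: in `flawed_pickup` the password is chosen by whoever arrives first, so it authenticates nothing; in `escrow_pickup` it was fixed by the sender before the notification was ever sent, so the notification can be read by anyone without exposing the content. The lockout counter matters too, since a short security answer invites guessing once the link is in an attacker’s hands.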
LuxSci SecureLine Escrow
LuxSci’s End-to-End email encryption service (SecureLine) has a component called “SecureLine Escrow”. It works exactly like this.
- The sender pre-determines security questions for the recipients
- The recipient gets a notification message
- The recipient uses a secure link to access LuxSci’s web site, answer the security question, and then access the secure message content
This does provide a true “secure message” environment. SecureLine can also automatically use SMTP TLS to provide simpler message security to recipients whose mail servers do support TLS encryption. It also supports PGP and S/MIME message encryption for those who wish to use such technologies.
Read more about LuxSci SecureLine.