The Number One Source of Community News Serving San Jose's Almaden Valley

March 24, 2005


E-mail Security

Who else is reading your e-mail?

By Rick Dexter
Special to the Times

There is no doubt that Internet e-mail is convenient. With very little thought about the details of the technology, most of us press the “send” button in our e-mail systems and fire off messages destined for all sorts of people and organizations, some we know and some we don’t.

Some of these e-mails are innocent, like asking your aunt for the recipe of her famous pie. On the other end of the spectrum, bank account, Social Security and credit card numbers are flying around cyberspace in e-mails sent not only by individuals, but also by companies who should know better.

Last year, I transferred money from an online brokerage account to a large nationwide investment management firm. The investment firm sent a confirmation e-mail to the online brokerage containing my name, Social Security number, account number, and estimated balance, along with the account numbers necessary to wire the money to the new firm. The firm put me on the CC line so I got a copy of this message. I was completely furious. Repeated complaints to the investment firm went unanswered. When I finally reached someone, the response was “it is our routine practice to send account transfer confirmations via electronic mail” and the company refused to change or even review their information security procedures. Needless to say, I do not wish to do business with a company that is so lax about their data security.

I traced the details of the path that particular e-mail took between the three parties involved. It went through a total of 37 individual pieces of computer equipment. I had control over three, and the investment firm and online brokerage each had control over four or five. That left at least 25 other pieces of equipment, all out on the public Internet, and all controlled by people other than the three parties in the e-mail. There were at least nine other companies owning equipment that this readable message passed through. Any employee of any of those nine companies who had access to any of those network components may have intercepted that e-mail.
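An added example, not from the original column: mail relays record themselves in a message's `Received` headers, so the relay portion of a path like the one described above can be listed from the message itself. The sample message and every host name in it are constructed, and the two-label owner guess is a simplifying assumption; routers and switches between relays never appear in these headers.

```python
import email
import re

# Constructed sample: every host name, address and ID below is invented.
RAW = """\
Received: from mx1.isp.example (mx1.isp.example [203.0.113.5])
 by mail.home.example with ESMTPS id C3; Thu, 24 Mar 2005 10:00:09 -0800
Received: from filter.scanco.example (filter.scanco.example [198.51.100.7])
 by mx1.isp.example with SMTP id B2; Thu, 24 Mar 2005 10:00:06 -0800
Received: from out.investfirm.example (out.investfirm.example [192.0.2.10])
 by filter.scanco.example with ESMTP id A1; Thu, 24 Mar 2005 10:00:03 -0800
From: transfers@investfirm.example
Subject: Account transfer confirmation

(body omitted)
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I | re.S)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}  # RFC 3848 keywords for SMTP over TLS

def trace_hops(raw):
    """Return the relays in the order the message travelled (oldest first)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so reverse to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        if m:
            sender, receiver, proto = m.groups()
            hops.append({"from": sender, "by": receiver,
                         "encrypted": proto.upper() in TLS_PROTOCOLS})
    return hops

def org(host):
    """Crude owner guess: last two DNS labels (assumption, fine for this sample)."""
    return ".".join(host.lower().split(".")[-2:])

def third_parties(hops, own_domains):
    """Organizations that handled the message but are not a party to it."""
    seen = {org(h["by"]) for h in hops} | {org(h["from"]) for h in hops}
    return sorted(seen - set(own_domains))

if __name__ == "__main__":
    for h in trace_hops(RAW):
        print(h["from"], "->", h["by"], "TLS" if h["encrypted"] else "CLEARTEXT")
    print(third_parties(trace_hops(RAW), {"investfirm.example", "home.example"}))
```

Only the `Received` lines added by servers you control are trustworthy, since earlier hops can write anything into the headers. A hop marked as TLS-protected still leaves the message readable on the relay itself.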

In fact, the technology to intercept e-mail is not complex. Software programs exist that routinely intercept and store e-mail into databases that can be searched for key information like passwords or credit card numbers. It’s something like the U.S. Postal Service opening every single letter, converting it to a word processing document, and storing it in a searchable database. Unlike the USPS, doing this with e-mail takes far less work and it can be completely automated.

I’m not trying to cause panic, but in this age of ever-increasing identity theft, it is dangerous to have such a casual attitude about personal information. The best way to protect yourself is to never send anything sensitive or highly personal through e-mail, no matter who you are sending it to. Some companies, like the investment firm, believe that they must depend on e-mail to handle their routine business transactions.

In those cases, security-savvy companies usually will e-mail links to a Web site where a password is required to access the information, while leaving any personal information out of the e-mail. However, with the increase in “phishing” e-mail fraud, this practice is becoming less and less secure.

A much safer, but less convenient, method is to encrypt the e-mail between the sender and receiver so that only people with the decryption password can read the message. Although encryption is still the most secure way to communicate electronically, its biggest challenge today is that each sender and receiver must set it up between them in advance. This makes e-mail encryption extremely difficult to implement at a company that deals directly with the public.

Standards are in development that will make e-mail encryption much more automatic and widely available, but we are still several years away from enough widespread adoption for it to be useful in mass-communication. But, even with the challenges of e-mail encryption, it is still quite useful for communicating sensitive information between individuals who don’t mind spending a little time getting it set up.

I’ll cover some of the details of one of the most common e-mail encryption systems next month, as well as some free resources that will help you get started.


Rick Dexter, founder and CEO of NDYNAMICS Network Professionals in Campbell, lives in Almaden. Dexter has over 25 years of experience designing and supporting computer networks, particularly for small businesses and startups seeking reliable and scalable IT infrastructure. If you have a computer question that you would like to have answered in a future column, e-mail it to computerconnection@ndynamics.com.

 

A weekly publication from Times Media, Inc.
All materials copyright ©2005 Times Media, Inc. All rights reserved.