9

If email sent by my bank included S/MIME signatures that my mail client can verify, then I would have the assurance that the mail was not tampered with or sent by some malicious third-party. Most prominent mail clients have S/MIME support (Outlook, iOS, Thunderbird, Mail.app) so why aren't S/MIME signatures more prevalent?

sigjuice
  • 193
  • 5
  • 3
    10 - 20 years ago we all "knew" that SSL was perfectly safe and if your browser showed a little padlock, then the connection was Secure From Hackers©. Then some smartass figured out how to manipulate the browser address bar with javascript, and the InfoSec industry was born. – 0xSheepdog Feb 19 '16 at 06:32
  • So sarcasm aside, PKI is neither easy nor simple. And when it IS easy and simple it's too expensive for most use cases. – 0xSheepdog Feb 19 '16 at 06:33
  • My bank may be an exception, but all emails I receive from them are correctly signed. I know most people don't care or don't even know what it means, but for me, it helps me to trust them. – Najkin Feb 19 '16 at 07:10
  • I'm with @Riokmij here - my bank (Postfinance in Switzerland) does sign all their mails via S/MIME as well, and I appreciate it. – The Compiler Feb 19 '16 at 09:35
  • Postfinance too :D – Najkin Feb 19 '16 at 10:58
  • Because they are too busy implementing security theatres (like asking for only some digits of the passcode or using a random on-screen keyboard for entering it) instead of implementing real security. – André Borie Feb 20 '16 at 00:46

2 Answers

11

It's usually a costs vs. benefits decision.

Costs:

  • Create your own CA infrastructure or buy a public certificate for each sender
  • Teach employees how to use it
  • Teach employees how not to use it, especially how to make sure that the secret key is really kept secret
  • Teach the customers what this strange stuff in the mail means
  • Properly deal with certificate expiration, revocation and all this stuff
  • ...

Benefits:

  • Usually the argumentation goes like this: nobody else is using this so there cannot be lots of benefits

Thus, unless the benefits are higher than the costs or some regulations require the use of signed mails, it will not be implemented.

Apart from that, correctly using S/MIME is not that simple for the recipient either. While there might be indicators which show if a mail is signed or not, few understand what these indicators look like, what kinds of different indicators there are, and that you should not trust any indicators which are included in the mail itself and try to make the user believe that everything is secure: i.e. something like trust seals, "scanned by whatever antivirus" messages etc. Thus there is also the cost of teaching all the users.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 1
Another fine answer! One easier alternative to S/MIME is a secure mail service. Some banks just send you a notification to visit their secure mail server to get the real message. But this is costly too. – Neil Smithline Feb 19 '16 at 06:17
  • 3
    @NeilSmithline: The method I know is that each account includes a mailbox accessible from inside the online banking only and that one only gets a notification mail about new messages in this mailbox. – Steffen Ullrich Feb 19 '16 at 06:23
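As an added example (not code from the question or this answer), the shell script below shows what "my mail client can verify" in the question and the CA infrastructure and indicators discussed in the answer above actually amount to: a throwaway root CA and sender certificate are built, a constructed message is S/MIME-signed, and verification is run against the intact mail, a tampered copy, and an unrelated root. The CA names, the address alerts@bank.example and the message text are all made up for the demo; it needs only the `openssl` CLI (1.1.1 or newer) and `mktemp`.

```shell
#!/bin/sh
# Added demo, not from the original post: throwaway CA + sender cert,
# S/MIME sign a constructed message, verify like a mail client would.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal openssl config: empty DN section (we pass -subj) and a CA profile.
printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > demo.cnf

# make_root NAME BASENAME: self-signed root, standing in for a public CA
# or a bank's own PKI. Writes BASENAME.key and BASENAME.pem.
make_root() {
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Sender certificate for the hypothetical address alerts@bank.example, issued
# by ca.pem. It carries no CA flag, so it may sign mail but not certificates.
make_signer() {
  openssl req -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=alerts@bank.example" \
    -keyout signer.key -out signer.csr 2>/dev/null
  openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -out signer.pem 2>/dev/null
}

# sign_mail BODY OUT: multipart/signed S/MIME (clear body + detached PKCS#7).
sign_mail() { openssl smime -sign -in "$1" -signer signer.pem -inkey signer.key -out "$2"; }

# verify_mail MSG CAFILE: exit 0 only if the signature matches the body AND the
# signer chains to a root in CAFILE. That pair of checks is what a client's
# "signed" indicator means; a seal drawn inside the mail body proves nothing.
verify_mail() { openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; }

make_root "Demo Bank Root CA" ca
make_root "Unrelated Root CA" other
make_signer
printf 'Your March statement is ready. No action is required.\n' > body.txt
sign_mail body.txt signed.eml
# Same signature, altered body: what a message modified in transit looks like.
sed 's/No action is required/Payment is overdue/' signed.eml > tampered.eml

for case in "signed.eml ca.pem" "tampered.eml ca.pem" "signed.eml other.pem"; do
  set -- $case
  if verify_mail "$1" "$2"; then echo "$1 against $2: VERIFIED"; else echo "$1 against $2: REJECTED"; fi
done
```

Only the first case verifies; the tampered copy fails the digest check and the intact mail fails against the unrelated root, which is the "expiration, revocation and all this stuff" side of the answer: the signature is only as meaningful as the trust store it is checked against.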
4

My bank never sends e-mails. Instead, there's a messaging service inside my online banking interface I can use. Furthermore, it is stated on both the bank's site and the printed materials I receive by mail that my bank NEVER uses e-mail for communications.

I understand this solution is good for the bank, because they are saving costs by not having secure e-mail infrastructure. Not contacting me by e-mail also seems like a fair compromise between accessibility and security. Should my bank decide to communicate with me via mail, my first question would be: how do you tell which e-mail I have genuinely written, and which was sent to you in my name with fraudulent intent?

If I have to obtain my own certificate and somehow validate it with the bank, only to be able to get their messages in my e-mail client, I'd personally prefer to stick with the existing solution.

Dmitry Grigoryev
  • 10,072
  • 1
  • 26
  • 56
  • You don't *need* to do anything in particular with S/MIME signed messages. You can perfectly well just ignore the signature portion of the mail, and nothing bad will happen. But if it is there, it's possible to verify should you wish to do so. From that perspective, it *can* help, and it *won't* hurt (except for growing the emails by a few kilobytes each, but to within experimental error nobody cares about the size of their emails anyway these days). – user Feb 19 '16 at 13:37
  • 1
    True, but if my bank replaces the web messaging by signed e-mails, it will hurt me. I won't be able to request any service without coming to the bank personally anymore. My bank is actually 80km from where I live, I didn't bother to transfer my account to a closer office simply because I don't need to: I just write them a message whenever I need something. – Dmitry Grigoryev Feb 19 '16 at 13:46
  • 1
A problem with web-hosted secure-messaging services is that you no longer get a non-repudiable copy of your correspondence with the bank. You could take screenshots and copy text, but that involves extra effort that you get by using email already. (e.g. a bank could send you a self-hosted message promising that a $100k transfer will arrive in your account, then delete the message and break their promise - you would lose your proof of a promise they made). – Dai Apr 19 '19 at 18:52