I have completed my internship and my employer wants me to send him my bank account details so that he can transfer my stipend to me. How can I securely do this? I have Ubuntu MATE 16.04. My employer is not that tech savvy. He would be fine with emails and a password-protected zip file/Google Drive text file, but telling him to set up PGP/GPG would be too much.
-
Duplicate from [Ask Ubuntu](http://askubuntu.com/questions/796728/how-to-securely-send-bank-details-to-someone) and [some other dark places](http://www.makeuseof.com/answers/securely-send-bank-details/). Why are those answers and comments not suitable? What is the threat that you are worried about? – Jedi Jul 12 '16 at 06:28
-
@Parto on Ask Ubuntu said that this kind of question is better suited at security.stackexchange.com – Ronnie Day Jul 12 '16 at 06:44
-
Maybe using an [online service](http://techpp.com/2010/03/09/top-10-online-services-to-encrypt-email-text-messages/)? However, I don't trust them. If I were you, I would set up a web page and send her/him a link with a hash and make it expire after some days (or when it's successfully read). – lepe Jul 12 '16 at 07:04
-
I'd tell the employer over the phone. (not the last word in security, but this is not *highly* sensitive information) – symcbean Jul 12 '16 at 10:26
-
RonnieDay, yep typically they would migrate the question over themselves if required. I'm still not clear what you're trying to protect yourself from. If you don't trust the employer with the account details, then you'll have to get a cheque. If you're worried about interception over the Internet, then use the phone. If email specifically bothers you, try Dropbox/Box/Drive... Between [AskUbuntu](http://askubuntu.com/questions/796728/how-to-securely-send-bank-details-to-someone) and now [@BubbleHacker's answer](https://security.stackexchange.com/a/129831/111626), all avenues are covered. – Jedi Jul 12 '16 at 13:22
-
Is in-person an option? Probably the most secure because there are very few security precautions to take into account besides someone overhearing a conversation/viewing the bank details? – dark_st3alth Jan 11 '17 at 04:03
-
Are you worried about the security of your employer's systems? Because if you are in paranoid mode you need to take that into account. If you're not, then why bother that much in between? I think @symcbean's point about phoning your employer is a great solution. – YoMismo Jan 11 '17 at 07:51
-
AFAIK, in France, your bank info is enough to receive money, but not to have money taken from you (a signed allowance is required for someone else to take money from you). It means your bank info could be shared publicly without any risk (anyone could then send you money, but cannot steal any) – Xenos Apr 11 '17 at 14:53
4 Answers
> He would be fine with emails and password protected zip file/google drive text file
Firstly, you need to take into consideration the level of security you want vs practicality. In this case, you have mentioned that your employer is comfortable with emails and password protected zips. So, why not do that?
Without being overly complex, how you can do it is:
1. Type your bank details in a text file and ZIP it up with encryption (you can use AES-256 bit encryption which I believe offers a good enough protection)
2. Send your password to the ZIP file in a separate email
What I am proposing above protects the transmission of the file. Of course, if you decide that the email service cannot be trusted, there are many ways to make it more secure. You could further:
- Encrypt your ZIP file password with another key which is already known to your employer (e.g. your name)
- Skip step 2 and call your employer and tell him the password over the phone
- Send the password using another email service
To me, even if your bank account details (I suppose that is only your bank account number, bank name and your name) are exposed, there are no severe risks. There is no need to make it overly complex.
-
By sending the password in a separate email, you haven't really protected much. Capturing email is most likely to occur when the data is at rest. i.e. someone compromises the email account of the end user, and gets all the old email. If you're going to all the trouble of encrypting the email, just call the recipient up and give them the password over the phone. It's far less likely to be stored permanently in that scenario. – Steve Sether Nov 11 '19 at 16:25
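The encrypted-ZIP step from the first answer, as an added example that is not part of any post on this page: it creates the archive with 7-Zip and checks the encryption method before sending, because Info-ZIP's `zip -e` and 7-Zip's ZIP default both use legacy ZipCrypto rather than AES. It assumes the `7z` command from Ubuntu's `p7zip-full` package; the function names, file names and the `ZIP_PASSWORD` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: build an AES-256 encrypted ZIP with 7-Zip and verify it.
# Function names, file names and ZIP_PASSWORD are assumptions for illustration.

# make_encrypted_zip <plaintext-file> <archive.zip>
# Uses $ZIP_PASSWORD when set (scripted use); otherwise 7z prompts, which
# keeps the password out of shell history and the process list.
make_encrypted_zip() {
    local src="$1" out="$2"
    command -v 7z >/dev/null 2>&1 || { echo "install p7zip-full first" >&2; return 2; }
    rm -f -- "$out"   # '7z a' updates an existing archive, so start clean
    if [ -n "${ZIP_PASSWORD:-}" ]; then
        7z a -tzip -mem=AES256 -p"$ZIP_PASSWORD" -- "$out" "$src" >/dev/null
    else
        7z a -tzip -mem=AES256 -p -- "$out" "$src"
    fi
}

# zip_is_aes256 <archive.zip>
# Succeeds only if every entry reports an AES-256 method. Listing needs no
# password: ZIP leaves its directory, including file names, unencrypted.
zip_is_aes256() {
    local methods
    methods=$(7z l -slt -- "$1" | grep '^Method = ') || return 1
    ! printf '%s\n' "$methods" | grep -qv 'AES-256'
}

# Interactive use (7z asks for the password twice):
#   make_encrypted_zip bank-details.txt bank-details.zip \
#       && zip_is_aes256 bank-details.zip && echo "AES-256 confirmed"
```

Since the file name stays readable inside the archive, give the text file a neutral name if the name itself would reveal something.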
Why not send him by Email?
I might be missing something here but I believe that if you have a strong enough password and 2 factor authentication then using any of the big email providers that use HTTPS (Gmail, Outlook, Yahoo, etc..) should be perfectly fine and secure.
Either way it's not like someone can do much with your bank information. The following are possible attack vectors as I quoted from my answer in this question:
1) If I have a picture of your ID and your account information, I can edit the ID to have a picture of me and go to the bank with the fake ID and identify myself as you.
2) If I have your login details I can try to brute force online account and then manage your account as I wish.
Check out the rest of the answer here.
-
@アレックス Of course Gmail can read your content, but it's not a threat since the reader is Google and for legal reasons they cannot use that information. Since we see Google does follow the law, they will not do anything with it. – Bubble Hacker Jul 13 '16 at 14:14
-
@BubbleHacker since Google was hacked, what makes you think it is secure? – YoMismo Jan 11 '17 at 07:41
-
At least in the EU, if I am registered for a SEPA ID and know your account details, I can withdraw as much money from you as I like. Of course, if you read your balances carefully, you'll quickly find out and your bank is required to roll back the transaction at your request. It is still an annoyance, at best. – 5gon12eder Jan 11 '17 at 21:19
Your bank account details are private information, but not secret. I still use bank checks, which contain that information, and have no problem with that. And it is common to exchange bank details with clients or providers through simple unencrypted mails.
The security level must be what is required by the risk. You should never publish bank details on Facebook or a public web site, but sending them by mail to a specific recipient is fine.
If you think that it deserves more security, you are on your own, provided your employer accepts it. IMHO, an encrypted zip file should be enough.
To exchange sensitive files and information with someone else securely, with end-to-end encryption, you may want to consider using EncryptedSend. Information that you send through this service is encrypted using javascript running in the sender's web browser, and decrypted using javascript running in the recipient's web browser, so that only encrypted information passes through the service's servers. This is a good solution for non-tech-savvy people who don't have the technical know-how to use tools like GPG, PGP, etc. In fact, the sender does not even have to be registered with the service.