
A reputable and clearly identified institution asked me, for legitimate reasons, to e-mail a scan of my passport. However, I regard the passport as a sensitive document and am pretty reluctant to use e-mail to that end, for generic/general security concerns. Other cases, for example, could be an invoice, a confidential contract, and suchlike.

Besides faxing, what are safe and workable alternatives for transferring a copy of a sensitive document across the web?

XavierStuvw
  • You need to decide what you want to protect your passport image from and how much you care about it. The ultimate solution is to get to the destination with your passport and scan it for them in their office. If all you care about is a random SMTP server getting dumped on the email's way there, then encrypt, even by an archive with a password. – Vitaly Osipov Sep 23 '17 at 02:54

3 Answers


If you can contact the recipient by other means besides email, one easy way to securely send content over email is putting the content (images, documents, etc.) into an encrypted container (a zip, 7zip, or .rar file) that is protected with a secure and not easily guessable password. Then, after you have sent the email, contact the recipient and provide them with the password.

It is important to mention that this method relies on the secrecy of the second channel to provide access to the content sent by email, so a direct call or an SMS is usually OK.

  • My thought as well, thanks for the additional detail! – Jonathan Sep 22 '17 at 20:36
  • However, in the words of the Linux-based manual page of the command zip, the option --password comes with the following commentary (verbatim): "... THIS IS INSECURE! ... And where security is truly important, use strong encryption such as Pretty Good Privacy instead of the relatively weak standard encryption provided by zip‐file utilities" – XavierStuvw Sep 24 '17 at 19:40
  • @XavierStuvw See https://security.stackexchange.com/a/103589/10863 – Luc Mar 19 '18 at 16:34

As long as you trust this institution, and trust that they are who they say they are, I would simply recommend encryption. Encrypt the e-mail if your e-mail application supports it and the recipient supports it. If you can't encrypt the whole e-mail, you should at the very least be able to encrypt a zipped file of the image, and provide the password used to decrypt it in a separate e-mail, or ideally send the password by another method, such as a text message. Don't make the password something you use regularly though (it should be a password made specifically for this document).

One thought is that such an institution should have a secure way set up already to receive such documents. Since they apparently do not, that raises a red flag. Make sure you are really dealing with who you think you are dealing with. For example, if you got a phone call or something requesting it, and you did not initiate it, it is likely a scam. A passport would likely be quite useful for an identity thief.

Jonathan

Do this: Open the email where the institution asked you for the passport. Right click and select "Show headers" or something similar.

Then check the topmost "Received:" header, and walk downwards. Disregard any headers with a 127.*.*.* IP, a 192.168.*.* IP, or an address between 172.16.*.* and 172.31.*.* (as these are usually internal communication between spam filters, antivirus engines and other mail-handling software local to your provider).

When you have arrived at the first public header, check whether encryption was used.

Example of encrypted mail:

Received: from THE_REPUTABLE_INSTITUTION (THE_REPUTABLE_INSTITUTION [THEIR_IP])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by YOUR_EMAIL_PROVIDER (Postfix) with ESMTPS id C98D076010F
    for <YOUR_EMAIL>; Wed, 20 Sep 2017 09:10:45 +0200 (CEST)

Example of a non-encrypted mail:

Received: from THE_REPUTABLE_INSTITUTION (THE_REPUTABLE_INSTITUTION [THEIR_IP])
    by YOUR_EMAIL_PROVIDER (Postfix) with SMTP id 1359D7600C2
    for <YOUR_EMAIL>; Sat, 16 Sep 2017 21:03:38 +0200 (CEST)

Now, when you have verified the email is encrypted in transit, just send the passport. (Actually, I had a hard time finding a non-encrypted email in my mailbox of over 200 emails; that's how common email encryption has become today.)

This isn't a 100% foolproof method, as the mail might be encrypted one way only, e.g. your mail provider does receive but not send encrypted mail, or the institution does send encrypted mail but does not receive it.

But it should be sufficient for your purposes. If you haven't received a mail from them, just send an email. As a bonus, ask them to "forward your original email as an attachment to you"; then you can even see if they received the email encrypted.

Note that this method can only be used for non-regulated communication, e.g. where you aren't REQUIRED to secure the communication but you WANT to. If there are regulations for securing the communication, for example PCI-DSS or HIPAA or similar, then email is usually specifically prohibited, regardless of whether it's encrypted or not, and then you can read in the regulations how the information should be transferred. Usually over registered snail mail unless urgent; then faxing is allowed.

sebastian nielsen
  • Thanks for the answer. It seems to address a rather specific aspect of communication which is pretty relevant but not a direct answer to the question. So I have asked the question https://security.stackexchange.com/questions/170495/ which you may want to migrate your answer to, and perhaps elaborate – XavierStuvw Oct 02 '17 at 07:46
  • And your document ends up in at least 2 mailbox histories. – akostadinov Mar 19 '18 at 13:51
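As an added example (not code from the answer above), the "Received:" walk it describes, automated in Python with the standard library only: the script skips hops whose sending host is a loopback or RFC 1918 address (the answer's ranges, plus 10.0.0.0/8, which it omits but which is just as common for internal relays) and reports whether the first public hop was delivered over TLS. The two header sets are constructed samples modelled on the ones in the answer; mx.example.net, mail.institution.example and 203.0.113.7 are placeholders.

```python
import email
import ipaddress
import re

# Constructed sample headers (not real mail): an internal relay hop sits above the first public hop.
ENCRYPTED = """\
Received: from localhost (localhost [127.0.0.1])
    by mx.example.net (Postfix) with ESMTP id AAA111
    for <you@example.net>; Wed, 20 Sep 2017 09:10:46 +0200 (CEST)
Received: from mail.institution.example (mail.institution.example [203.0.113.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx.example.net (Postfix) with ESMTPS id CCC333
    for <you@example.net>; Wed, 20 Sep 2017 09:10:45 +0200 (CEST)
"""
PLAINTEXT = """\
Received: from scanner.internal (scanner.internal [172.20.0.9])
    by mx.example.net (Postfix) with ESMTP id DDD444
    for <you@example.net>; Sat, 16 Sep 2017 21:03:39 +0200 (CEST)
Received: from mail.institution.example (mail.institution.example [203.0.113.7])
    by mx.example.net (Postfix) with SMTP id 1359D7600C2
    for <you@example.net>; Sat, 16 Sep 2017 21:03:38 +0200 (CEST)
"""

# Ranges to skip: loopback and RFC 1918 (the answer's list plus 10/8, an assumption of this example).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def first_public_hop(raw_message):
    """Topmost Received: header whose sending host is not an internal relay, or None."""
    for hop in email.message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines into one string
        m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", hop)  # IP in 'from HOST (HELO [IP])'
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None  # malformed address: treat the hop as not skippable
        if addr is not None and any(addr in net for net in INTERNAL):
            continue  # spam filter / antivirus hop local to your own provider
        return hop
    return None

def transport_was_encrypted(raw_message):
    """True if the first public hop arrived over TLS, False if not, None if there is no such hop."""
    hop = first_public_hop(raw_message)
    if hop is None:
        return None
    # Postfix writes 'with ESMTPS'; other MTAs write 'using TLS...' or '(version=TLS...'.
    return bool(re.search(r"\bwith\s+(?:L?ESMTPSA?|SMTPS)\b|\busing\s+TLS|\(version=TLS", hop))
```

As the answer notes, a positive result only shows that the institution's mail reached your provider over TLS; whether your reply to them is encrypted is a separate hop in the other direction.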