In other news from the house-hunting front, we’ve been working with lenders to finance the purchase of a house. Lenders want a lot of information. They want bank statements, driver’s license copies, landlord information, tax returns, income statements, current address, credit card statements, letters of employment and so on. Of course, they also want that ubiquitous, unchangeable, universal secret password, the social security number.
You would think, given the nature of this collection of information, and the rising prevalence and cost of identity theft, that these people would be careful with this information. If you’re cynical or just a realist, maybe you wouldn’t think that. Anyway, you’d be wrong. One of the first lenders we dealt with EMAILED A COMPLETE, FILLED COPY of the application form to us for signatures. No encryption whatsoever. It was like an identity theft starter kit. After we confronted them about it, they said they had no idea this was insecure, and offered to fax or FedEx the documents instead.
If you don’t already know this, you really need to know: Email, without any special add-ons, is the opposite of secret. A plain message is handed from mail server to mail server in clear text, and every relay it passes through, plus the provider at each end, can read it and keep a copy. Even where two servers happen to encrypt the link between them, the message sits in the clear on each server along the way. It is the digital equivalent of a postcard — anyone along the way can read it, and you have no idea who will be along the way. Would you tape your social security card to the back of a postcard and send it across the country? Furthermore, there’s no guarantee that an email’s “From:” address is accurate, as you may have deduced from spam email that you’ve received. The From: line is just a header that the sending program writes into the message, and the receiving server does not check it against anything; forging it means typing a different address.
There are ways to use email to send secure, confidential communications. Probably the most universal and robust way is OpenPGP, either the commercial PGP or (preferably) the free GnuPG (GPG). The main reason these solutions aren’t used more widely is that encrypted communication is difficult to do correctly. Keys have to be generated, passphrases selected, public keys exchanged and signed, managed, and sometimes even revoked. A number of pieces have to fit together, including the encryption engine, mail program plug-ins, and file encryption software. The difficulty of using proper encryption is not, however, an excuse for sending my SSN in plain text via E-mail. With a properly generated key of adequate length and a good cipher, the encrypted message is safe even from the prying eyes of the US Government: brute-forcing the key would take far more computer time than anyone has, so the realistic weak points are a guessable passphrase, a compromised computer at either end, and the fact that the addresses and Subject line still travel in the clear. Furthermore, with or without encrypting the message, a cryptographic signature lets the recipient verify that the purported sender of the message is in fact the true sender: the signature only checks out under a key the real sender holds, so a message with a forged From: address fails the check. That takes care of From address forgery, provided you obtained the sender’s public key through a channel you trust rather than from the message itself.
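The two points above in working code, as an added example that is not part of the original post and not any PGP or GPG code: the From: header is whatever the sender types, and a signature made with the real sender’s key is what actually tells a genuine message from a forgery. It uses Go’s standard library only; Ed25519 stands in for an OpenPGP signature, and the addresses, message texts and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// buildMessage assembles a minimal RFC 5322 message with CRLF line endings.
// Every header, From: included, is whatever the caller chooses to write.
func buildMessage(from, to, subject, body string) string {
	return strings.Join([]string{"From: " + from, "To: " + to, "Subject: " + subject, "", body}, "\r\n")
}

// claimedSender returns the address in the From: header. Plain SMTP delivery
// never checks this against anything; it is the string the sender typed.
func claimedSender(raw string) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	addr, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return "", err
	}
	return addr.Address, nil
}

// signedData is the byte string the signature covers: claimed sender plus body.
// Binding the address in stops a genuinely signed body from being replayed under
// another name. This is a stand-in for OpenPGP's canonicalised signed text, not
// the OpenPGP format (whose mail signatures by default cover only the body).
func signedData(from, body string) []byte {
	return []byte("From: " + from + "\r\n\r\n" + body)
}

// sign produces a detached signature the sender ships alongside the message.
func sign(priv ed25519.PrivateKey, from, body string) []byte {
	return ed25519.Sign(priv, signedData(from, body))
}

// verify looks up the public key for the *claimed* From: address among the keys
// the recipient already trusts and checks the signature. A forged From: names
// either an unknown sender (no key) or a known one whose private key the forger
// lacks; both come back false.
func verify(raw string, sig []byte, trusted map[string]ed25519.PublicKey) (bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, err
	}
	addr, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return false, err
	}
	pub, known := trusted[addr.Address]
	if !known {
		return false, nil
	}
	return ed25519.Verify(pub, signedData(addr.Address, string(body)), sig), nil
}

// DemoResult records three cases: a genuine signed message, a forged From:
// signed with the forger's own key, and the genuine message altered in transit.
type DemoResult struct{ Genuine, Forged, Tampered bool }

func Demo() (DemoResult, error) {
	const lender, applicant = "loans@lender.example", "applicant@home.example" // constructed
	lenderPub, lenderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	_, forgerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	// The applicant obtained the lender's public key over a trusted channel beforehand.
	trusted := map[string]ed25519.PublicKey{lender: lenderPub}
	genuineBody := "Please sign the attached application and return it by fax."
	genuineSig := sign(lenderPriv, lender, genuineBody)
	forgedBody := "Please reply to this message with your SSN and bank statements."

	var r DemoResult
	if r.Genuine, err = verify(buildMessage(lender, applicant, "Application", genuineBody), genuineSig, trusted); err != nil {
		return r, err
	}
	// The forger writes the lender's address into From: but can only sign with their own key.
	if r.Forged, err = verify(buildMessage(lender, applicant, "Application", forgedBody), sign(forgerPriv, lender, forgedBody), trusted); err != nil {
		return r, err
	}
	// Genuine signature, but a relay changed the body on the way.
	if r.Tampered, err = verify(buildMessage(lender, applicant, "Application", genuineBody+" Include your SSN."), genuineSig, trusted); err != nil {
		return r, err
	}
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  forged From: %v  tampered body: %v\n", r.Genuine, r.Forged, r.Tampered)
}
```

Note what the check does and does not rest on: `claimedSender` returns the lender’s address for the forged message just as it does for the genuine one, so the header alone tells you nothing; only the lookup of a key the recipient already trusts, plus the signature, separates the two. Real OpenPGP mail signatures do not cover the From: or Subject headers by default, which is why the example binds the address into the signed data itself.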
Should you wish to send encrypted e-mail my way, you may find my public key here.