I get the occasional email with some attachment that I then have to log into some “secure” system in order to access. Usually it’s a PDF that I need to sign, either for personal or business reasons. And it’s usually a one-off process. Recently I’ve seen an even more annoying process. The original email has the attachment, but the attachment (usually a PDF) is password protected, and I need to go to the annoying “secure” system in order to get the password.
Recently I got one of these from my insurance sales guy. He told me (as he emailed me the PDF without a password) that it was done for compliance reasons.
Let’s review why this is a waste of time.
You’ve sent me a document which has a password. The email includes a link to the website which has the password. Assuming that I’m an attacker who wishes to steal this document, that means the attacker has access to my mailbox. So the attacker also has the URL, and can click on the reset password link on the website, reset the password to the website, and get the password for the document. So the attacker now has the file, and the password for the file. It took said attacker an extra 20-30 seconds to get the passwords.
That’s assuming that the attacker didn’t spend the $20 to get PDF Password Recovery, which would allow them to simply remove the password from the document without needing to know what it is. And that $20 is a one-time fee. They can unlock all the stolen PDFs that they want after paying for the software, probably with a stolen credit card, or after just finding a cracked version of it. I was just too lazy to see if there was one; spoiler, I’m confident that if I spent 10 minutes looking I could find a cracked version for free.
In short, I applaud the idea of making the process of sending me a document more secure. “A” for effort, “F” for implementation. Two-factor authentication (which is basically what they are going for) doesn’t work when both factors rely on the same device, in this case my email software.
Now you are probably thinking that I must be crazy for allowing this sensitive information to be emailed around like this. The confidential information in this document was my name, “Denny Cherry”, the policy number of my new insurance policy, the amount of the policy, and my insurance guy’s work address. That’s it. Technically there’s nothing in there that really matters.
If we are going to make things “secure”, let’s make them actually secure. Enough of this making it look secure to the general public. I get that we need to have some security around this sort of thing. If this system worked correctly when he uploaded the document to their secure system, it would have asked him for my cell phone number. Then it would have texted me the password for the document so that I had the password and the text at the same time. That would be secure and just about as easy to use.
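The comparison between the email-plus-portal workflow and the texted-password alternative can be checked as a small threat model. This is an added example, not part of the original post: the item names and rule lists are constructed, and it assumes the portal's password reset is delivered to the same mailbox and that the PDF password itself is not bypassed.

```python
from itertools import combinations

def attacker_gains(initial, rules):
    """Fixed-point closure: everything held after starting with `initial`.
    rules is a list of (required_items, gained_item) pairs."""
    held = set(initial)
    changed = True
    while changed:
        changed = False
        for needs, gain in rules:
            if gain not in held and needs <= held:
                held.add(gain)
                changed = True
    return held

# Constructed model of the workflow in the post: the attachment and the
# portal link arrive by email, and the portal reset goes to that mailbox.
EMAIL_PORTAL = [
    ({"mailbox"}, "encrypted_pdf"),
    ({"mailbox"}, "portal_url"),
    ({"mailbox", "portal_url"}, "portal_reset_link"),
    ({"portal_reset_link"}, "portal_account"),
    ({"portal_account"}, "pdf_password"),
    ({"encrypted_pdf", "pdf_password"}, "document"),
]

# Constructed model of the alternative: the password is texted to a phone.
SMS_PASSWORD = [
    ({"mailbox"}, "encrypted_pdf"),
    ({"phone"}, "pdf_password"),
    ({"encrypted_pdf", "pdf_password"}, "document"),
]

def minimal_compromises(rules, channels, target="document"):
    """Smallest sets of channels whose compromise exposes the target."""
    for size in range(1, len(channels) + 1):
        hits = [set(combo) for combo in combinations(sorted(channels), size)
                if target in attacker_gains(combo, rules)]
        if hits:
            return hits
    return []

if __name__ == "__main__":
    channels = {"mailbox", "phone"}
    print("email + portal:", minimal_compromises(EMAIL_PORTAL, channels))
    print("texted password:", minimal_compromises(SMS_PASSWORD, channels))
```

In the first workflow the mailbox alone is enough to reach the document; in the second, both the mailbox and the phone have to be compromised.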