2018-01-08

Financial Ombudsman and PGP

PGP (or GPG) is a system for digitally encrypting and signing information, and can be used to send and handle emails securely. It is used by lots of people all the time. A&A, for example, sign emails (so you can read them anyway but know they are actually from us if you check) and encrypt emails to people that ask us to. We are, however, a tad unusual in doing so. I find few companies that have a clue on this, though my lawyer does, which is good.

I was a tad surprised by the Financial Ombudsman service, as they tried replying to me, but sent a very long email on setting up a pass phrase with a link to their site so they could send me secure emails. It was a long and complicated email, and I had not spotted the bit about PGP right at the end to be honest. They fail in making the email so long to be honest, but are clearly trying to cater for people that have no clue on PGP first, hence fooling me slightly. I wonder if it can be a tad more concise and still be effective.

I replied saying basically that my PGP is on key servers, the key ID, and attaching my public key to the email. That was over two weeks ago (well, we had Christmas I guess).

Today I get an encrypted and signed email! This is where it gets slightly amusing as the email says :-

I've heard back from our IT department today who have said they're unable to open the attachment in the format it's been sent.

Well, the attachment was my PGP public key which, err, they are now using to send me the encrypted email.

After some email exchanges it is becoming apparent that the people you are emailing with don't see the PGP, they see plain text that says it was signed, for example. They get a tad confused by attachments it seems. They do not realise they are sending signed and encrypted emails. When I said "well done" for using my key, they are confused... I tried to explain.

So second slight failing is that they could do with a bit more training for the people that use the system.

However, top marks for a system that considers the financial information being exchanged by email to be sensitive and making use of existing encryption systems like PGP (and possibly some others by the look of it, hence the long initial email). This is a good sign...

7 comments:

  1. Interesting that they made no attempt to verify that the key presented belongs to the human who has an account with them. I suspect it would have been easy to forge an email from you to them saying "Here's my key" and for them to then send that person personal info about you, confident that it's safe because it's encrypted. Especially if they don't actually see the working and hence have no appreciation of it. In fact it could be easy for a third-party to send an updated key and their system will possibly take it on. Unless they initially verify your key, and then use that as a basis for chaining new keys on when they change, they're still open to abuse, perhaps more so under the false illusion of safety because "military grade encryption".

    ReplyDelete
  2. It is highly likely they are using the Symantec PGP gateway which handles all this. I have used this in the past, and as you say it handles everything transparently so the users at the company end don't see anything about the encryption in most cases because the internal traffic is deamed to be "secure." It could be argued that the system is acting as a man in the middle because it is decrypting the email before it reaches the destination and so the user never deals with encryption etc. My argument for this is it causes security issues because the users just send emails as normal with the expectation that some magic down the line will handle the encryption for them. IIRC the settings in the server are set such that they will contact the public key servers and if the email addresses match it encrypts to that key.

    ReplyDelete
  3. In one of their newsletters they stated they use Symantec's PGP Universal product, which sits at the network level so my money would be on the users not seeing it at all.

    ReplyDelete
  4. Actually, automated responses from Andrews & Arnold are sent to customers using the signing key for a different address, e.g. messages from accounts@aa.net.uk are signed by the key for auto@aa.net.uk - I did raise this in correspondence with Accounts and they promised to look into it, but it was never fixed.

    ReplyDelete
    Replies
    1. I was sure we fixed that! I'll have to have another look.

      Delete
  5. They do use Symantec. Rather unfortunately they add their DKIM signature BEFORE Symantec mess with it, so while their plain text mails have a good DKIM, their encrypted mails says

    Invalid (E-Mail was modified)

    So getting their mail is fine, however I now want to reply to them. They don't appear to publish their own Public Key...I see somebody tried hard to get it:
    https://www.whatdotheyknow.com/request/public_pgp_encryption_key?utm_campaign=alaveteli-experiments-87&utm_content=sidebar_similar_requests&utm_medium=link&utm_source=whatdotheyknow

    But I still don't see it (nor should I trust a key I found in a random post)


    ReplyDelete
  6. This site seems to have the "internal doc" on how the ombudsman tells it's staff

    https://www.whatdotheyknow.com/request/274954/response/677727/attach/3/Email%20encryption%20guide.pdf?cookie_passthrough=1

    (sadly does not seem to help ...all the keys listed at keys.financial-ombudsman.org.uk are mine...still can't find the ombudsmans key

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Fencing

Bit of fun... We usually put up some Christmas lights on the house - some fairy lights on the metal fencing at the front, but a pain as mean...