Re: Changing details by email.

Subject: Re: Changing details by email.
From: theom+news (at) *nospam* chiark.greenend.org.uk (Theo)
Groups: comp.misc
Date: 09. May 2024, 22:19:01
Organization: University of Cambridge, England
Message-ID: <9vD*X90Jz@news.chiark.greenend.org.uk>
References: 1 2
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (Linux/5.10.0-28-amd64 (x86_64))
Rich <rich@example.invalid> wrote:
> For a good long time, email was trivial to forge, and expecting a lowly
> minimum-wage boiler room worker to know how to read email headers with
> sufficient detail to detect a forged email was a no-go.
>
> This was the original source of the "don't do X via email" rules.  And,
> much like the use of Fax in the medical environment (at least in the
> US) once something like "email is too easy to forge, don't use email
> for account changes" filters into the bureaucracy such that it makes a
> rule, then the rule remains stuck long past the time when the rule no
> longer applies (email with DMARC, DKIM, and SPF is reasonably
> authenticated, in fact likely a better authentication than the usual
> "who are you, where do you live" questions used to authenticate over
> a phone call).

One key thing here is that the bank/etc doesn't have any insight into your
email system.  It might say that you truly sent the message, but maybe your
sysadmin forged it?

Also, email generates a record.  If they ask you for your security passcode,
that will be recorded in your 'Sent Mail' folder.  Any attacker just needs
to look in there and they have enough to impersonate you.  The bank might
record phone calls, but they can store the recordings securely and may
disable the recording for the security information.

Finally email is asynchronous, which makes it slow to deal with.  Some
companies like it for long running issues since the agent can go back and
read the history, but for simple one-off transactional things having to
back-and-forth to establish identity makes it slower than a phone call.

> As to "phone" -- a similar issue applies, only the reverse situation.
> In days long ago, when phone service was from one very regulated
> monopoly (in the US, AT&T), the "phone" was very secure (ignoring the
> issue of "how do I make sure the voice I'm hearing belongs to person
> X").  At that time the phone network was both closed, quite proprietary,
> and due to the high regulation, also quite secure (to an extent).
> Enough such that the various bureaucracies formulated their rules that
> "phone calls are secure -- so making this change over the phone is ok".

In general, banks often don't pay a lot of credence to the phone metadata -
the number you're calling from, etc, they only look at the content of the
call.  When they ask for security information it's often of the nature of
'please tell us the 5th digit of your security number' which means anyone
intercepting the call (or looking at your phone screen) doesn't get your
full credentials.  They would have to record you making several calls, which
implies a (virtual) wiretap rather than just something transient like
overhearing a call.

In other words the process is designed on the basis that phone *isn't*
secure, and can cope with limited levels of leakiness.

> However, today, the phone network is effectively as "open" as the
> Internet, and no more secure than any other very "open" system.  But,
> because the bureaucracies long ago set in stone their rule of "phone is
> secure" they continue to operate as if it is just as secure as it once
> was, even though for mere pennies one can obtain phone numbers at will
> and forge just about everything related to a phone call.

Web and email are also easier to do in bulk (see Nigerian Princes passim),
while phone is typically harder to fake at scale and easier to spot trouble.
Generative AI may change the game on that one, alas.

Theo
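The "tell us the 5th digit" design Theo describes above tolerates a limited amount of leakage: one overheard call gives away only the positions asked for, and recovering the whole secret takes many calls. The following is an added illustration, not code from the thread or from any bank: it models a challenge that asks for `k` randomly chosen positions of an `n`-position secret, simulates a passive listener who hears every call, and computes the exact expected number of calls such a listener needs before every position is known (a coupon-collector calculation, done with a small dynamic program). Uniform random position choice and independent calls are assumptions of the model.

```python
"""Added example: how much of a partial-secret challenge leaks per call.

Model (assumed, not taken from any real bank's procedure): the secret has n
positions, each call asks for k distinct positions chosen uniformly at random,
and a passive listener sees the positions asked and the answers given.
"""
import random
from fractions import Fraction
from math import comb


def challenge(n: int, k: int, rng: random.Random) -> list[int]:
    """Positions (0-based) the agent asks for on one call: k distinct of n."""
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and n")
    return sorted(rng.sample(range(n), k))


def calls_until_full_recovery(n: int, k: int, rng: random.Random) -> int:
    """Simulate a listener who records every call and returns how many calls
    it took before every position of the secret had been spoken at least once."""
    known: set[int] = set()
    calls = 0
    while len(known) < n:
        known.update(challenge(n, k, rng))
        calls += 1
    return calls


def expected_calls(n: int, k: int) -> Fraction:
    """Exact expected number of overheard calls needed to learn all n positions.

    Dynamic program over j = number of positions already known. On one call the
    number m of newly revealed positions is hypergeometric:
        P(m | j) = C(n-j, m) * C(j, k-m) / C(n, k)
    E[j] = 1 + sum_m P(m | j) * E[j+m], with E[n] = 0; the m = 0 term (all k
    positions already known) is solved for algebraically.
    """
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and n")
    total = comb(n, k)
    E = [Fraction(0)] * (n + 1)  # E[n] = 0: nothing left to learn
    for j in range(n - 1, -1, -1):
        p_none_new = Fraction(comb(j, k), total)
        acc = Fraction(1)
        for m in range(1, min(k, n - j) + 1):
            p_m = Fraction(comb(n - j, m) * comb(j, k - m), total)
            acc += p_m * E[j + m]
        E[j] = acc / (1 - p_none_new)
    return E[0]


def fraction_leaked_per_call(n: int, k: int) -> Fraction:
    """Share of the secret a single overheard call gives away."""
    return Fraction(k, n)


if __name__ == "__main__":
    # Constructed scenario: a 6-position secret, challenged with 1, 2, 3 or all 6 positions.
    rng = random.Random(2024)
    for k in (1, 2, 3, 6):
        sim = sum(calls_until_full_recovery(6, k, rng) for _ in range(2000)) / 2000
        print(f"n=6 k={k}: leaks {fraction_leaked_per_call(6, k)} per call, "
              f"expected calls to full recovery = {float(expected_calls(6, k)):.2f} "
              f"(simulated mean {sim:.2f})")
```

The `k = n` row is the "ask for the whole passcode" design (one call leaks everything, which is Theo's point about a passcode sent by email sitting in the Sent folder), while small `k` forces the listener into the sustained wiretap rather than a one-off overhearing.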
