Something happened last week that was so extraordinary, I had to blink and rub my eyes to really believe they weren’t deceiving me!
If you have read my blogs before, you will know I regularly highlight the risks of sending sensitive information via email. I am equally concerned about how businesses protect themselves against external attacks, and negligence.
Today I’ll be focusing on the latter, and use my own involvement in an unfortunate event to illustrate the point I wish to make.
Please note, any companies involved have not been named. Regardless of names, however, this incident demonstrates what can happen when we drop our guard!
I have recently been tasked with evaluating a number of security solutions by my boss – and I settled upon the one I felt best matched our requirements.
Needless to say, I was very keen to initiate a purchase, and preliminary talks were constructive. I even managed to haggle them down a bit on price!
I was feeling good about the purchase, until the seller dropped a bombshell – which changed everything.
They sent me a billing form, and requested I fill in names addresses and credit card details. I would have an issue with filling this in and sending over email insecurely as it is. But when I opened the document my jaw dropped. There, staring me in the face,
was someone else’s full credit card details.
Surely this is just an example of where to enter your details, I thought to myself? Surely they haven’t sent someone’s personal and credit card details to me over email?
After a little bit of digging, I located the biller and the affected business on the Internet. To my horror – and theirs – the information contained on the ‘template’ invoice belonged to another customer and
was genuine, including the three-digit security code!
I immediately notified the seller, and encouraged them to speak to the affected business. I'm honest enough to delete such data. But the reality is it was sent to me unencrypted – and the details could now be in hands of anyone.
It’s little wonder online crime is growing at such a phenomenal rate. I mean, can we honestly blame web gangsters? Aren’t we all guilty of laying everything on a plate for them?
In the new age of austerity, it must be extremely tempting – and even more so than usual – to use details that are so readily and easily available.
This wouldn’t have been a challenge for someone who knew what they were doing, and that's what you ought to find most alarming. For all it requires is someone to use a ‘Packet Sniffer’ – an elementary computer program that hunts and intercepts digital traffic
– to intercept confidential mail.
The frustrating thing for me is this incident could so easily have been prevented.
Ah well, it’s just a good job that I am such an honest chap. If I wasn’t I wouldn’t be writing this blog. Instead, I’d be doing my Christmas shopping on Oxford Street, using a credit card that doesn’t belong to me!
The lesson for us all is to remember to:
1. Send a template invoice that doesn’t contain any confidential information;
2. Whenever possible, send an email of this type in an encrypted format.
Thankfully for all concerned, the source of the breach could be quickly identified, and if any fraud had occurred, it would have been traced straight back to me. At the very least, I would have become a starting point for any investigation.
But this is an all-too-common an occurrence in UK plc. And it’s about time we all woke up to the fact that emails are not a secure form of communication – unless they are sent in an encrypted format.