Email Is Not Secure Naturally.
Lately we’ve been hearing about email servers and scandals involved with email in the news. Some people have commented: “So what? Email is secure.” But it’s not, there are steps you must take to make your email secure! We have had clients ask us to email them passwords or other important information. We do not agree with being careless in the handling of very sensitive information. Instead, we pick up the phone and give them a call or use another method such as a trip to their office.
Email was not designed with any privacy or security in mind. Email was designed back when the internet was a much smaller place for simple messages.
How Can Email Get Intercepted?
Email must travel through several servers while making its way from sender to recipient. A message sometimes “hops” through more than a dozen servers on its journey. Each server it touches is mandated by law to store the message, sometimes for several years afterwards. Furthermore, the distance traveled between hops is often spent unencrypted.
The networks where your emails pass through are a series of routers and switches. All of these connections are owned by different people with varying security standards. It is safest to assume that anything you write in an email can be intercepted and read by anybody, as if it had been published to the front page of a newspaper.
Email servers are where your messages are physically stored before being downloaded to your email browser. Email servers are insecure by default. If a message was originally sent unencrypted across unencrypted networks, it’s going to come onto the server unencrypted.
Even after reaching its intended destination, many computers do not have a login screen or a lock screen code – same with many phones and tablets. If you leave your tablet at the local coffee shop with no lock code, for example, you’ve just compromised all of the email stored inside.
What Are My Options to Keep My Email Secure?
Use end-to-end encryption. This is a process which scrambles the message using a complex mathematical formula that can only be solved using a long public key stored on the receiving end. This can prove to be logistically daunting depending on the number of people you contact regularly. This is because all of them must have a copy of your public key set up in their email program in order to read your emails. Even with this type of encryption, email headers are still left open. You won’t be able to hide who you are sending an email to. The NSA has even touted scanning email headers for information during digital pat downs.
Mix It Up
You could send an email to a client letting them know that you’re texting them a password, for example. Then send the text with no additional references about what it’s for. Sending sensitive messages in multiple parts using different channels reduces the likelihood that a man-in-the-middle will receive enough information to do damage.
Use a Service
For sending passwords, LastPass is still one of the most secure services around. You can share passwords in LastPass with other LastPass users.
Messaging apps get mixed reviews from a security standpoint. For example, Skype used to be considered a good encrypted chat service. That is, until it was confirmed that Microsoft had built in a dangerous back door for themselves. Even if you trust Microsoft, back doors very seldom go unexploited once they’re known to exist.
Services like DropBox are also useful and fairly secure. Since Dropbox encrypts everything you upload and download over a secure HTTPS connection, your file transfer should be secure from start to finish, though mobile DropBox is not secure. You could also create and send an encrypted ZIP file.
It’s important to continue downloading and applying updates for the services you use. Even if you are using a mainstream app, it could still be insecure if you haven’t updated it lately. For a long time, iMessage was thought to be secure. Then vulnerabilities were found and Apple had to release security patches to close those holes. If you’re not sure about a security patch, visit the provider’s website and check their support area for recent updates.