Blogger: Mark Diodati
I was speaking with a colleague at a large financial institution. The topic: can organizations “push” information (e.g., bank statements) to consumers via email and still be compliant with the FFIEC guidelines (on the insufficiency of single factor authentication)? After thinking about it, I believe the question is broader: Is security adequate when pushing sensitive information via email?
Some financial institutions email their customers to let them know that their statement is available online. Is this a “push” or a “pull” authentication? I believe it is a pull authentication, because the user must authenticate to the financial institution’s website to retrieve the information. Some financial institutions place a URL link in the email body. It’s better from an anti-phishing perspective to have the user type the URL into the browser.
Ignoring the security question, there are many convenience benefits associated with sending statements via email. Many customers don’t want paper statements. Some customers use financial management software like Quicken or Money, and Alt-Tab between the software and the bank statement to reconcile.
When thinking about use cases and potential fraud, I believe that pushing statements via email is not secure enough. Some concerns:
- Most people store their passwords in their email program (for example, Outlook Express). Anyone can walk up to the computer, click on the email desktop icon, and get access to the consumer’s bank statements.
- Most users access their email via POP3. POP3 passes user credentials in cleartext. Anyone with a network sniffer along the path can grab the consumer’s credentials and re-use them to access the consumer’s emails.
- Man-in-the-browser attacks are becoming more prevalent. These attacks utilize workstation malware to capture user credentials. If a consumer checked their email from a web browser at an infected kiosk, the email credentials could be captured for later use. Maybe consumers shouldn’t use a kiosk machine to access their bank accounts, regardless of whether a statement is delivered via email. Also, there is a risk that the consumer’s bank statement could be recovered on the kiosk machine.
Some might argue that similar risks exist with paper statement delivery. The differentiator is that the fraudster must have physical access to the consumer’s mailbox, which raises the attack bar.
What damage can be done once the fraudster gets the statement? The bank statement has the consumer’s account number, postal address, and a list of transactions (including payee information). This information is a treasure trove for initiating an identity theft attack.
I have other residual concerns about emailing bank statements. How is the integrity of the bank statement maintained through electronic delivery? How would the consumer know if the bank statement has changed? I can envision a scenario where a fraudster takes money out of the consumer’s bank account, and modifies the bank statement to hide it. I suppose this could be fixed with a customer support call if it is detected.
I am aware of another large financial institution that is evaluating plans to implement a push mechanism to distribute bank statements. They’re considering using a consumer authentication-style PKI product, which would provide both the necessary authentication and message integrity to make the process relatively secure. Also, Adobe Acrobat documents can be password-protected, which can mitigate some of the risks associated with pushing bank statements via email.
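To make the integrity concern concrete (a fraudster removing a withdrawal from a pushed statement), here is an added example, not code from this post or from any PKI product mentioned: the bank signs the statement body with an Ed25519 private key, the customer's reader verifies it with the bank's public key, and the edited copy fails the check. The account number and transactions are constructed sample data, and the example covers only message integrity, not the authentication or confidentiality side of pushing statements.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// canonical renders a statement deterministically, so the bank and the
// customer's reader sign and verify exactly the same bytes.
func canonical(account string, transactions []string) []byte {
	return []byte("account:" + account + "\n" + strings.Join(transactions, "\n") + "\n")
}

// SignStatement is the bank's side: it signs the canonical body with its
// private key and returns both, to be e-mailed together.
func SignStatement(priv ed25519.PrivateKey, account string, transactions []string) (body, sig []byte) {
	body = canonical(account, transactions)
	return body, ed25519.Sign(priv, body)
}

// VerifyStatement is the customer's side: with the bank's public key (obtained
// out of band, e.g. pinned in the reader software), any change to the body
// after signing makes the check fail.
func VerifyStatement(pub ed25519.PublicKey, body, sig []byte) bool {
	return ed25519.Verify(pub, body, sig)
}

// Demo runs the post's scenario on constructed sample data: the genuine
// statement verifies, the same statement with a withdrawal removed does not.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	txns := []string{
		"2007-03-01 DEPOSIT    +1500.00",
		"2007-03-04 ATM         -300.00", // the line a fraudster would want to hide
		"2007-03-09 PAYEE:ACME  -42.10",
	}
	body, sig := SignStatement(priv, "ACCT-EXAMPLE-0001", txns)
	genuineOK = VerifyStatement(pub, body, sig)
	tampered := bytes.Replace(body, []byte("2007-03-04 ATM         -300.00\n"), nil, 1)
	tamperedOK = VerifyStatement(pub, tampered, sig)
	return genuineOK, tamperedOK
}

func main() {
	g, t := Demo()
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", g, t) // true, false
}
```

The signature only detects changes; it does nothing about who can read the statement, so it complements rather than replaces the password protection or PKI authentication discussed above.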
What are your thoughts?