Not-so-encrypted email attachments

And here we go again. Continuing the theme of a previous article I received an email from an accounting firm this morning, with the attention-grabbing subject line "2017 Tax Return Information." After an initial "Ibegyourpardon?" moment my astute powers of observation noticed that 1) the accounting firm in question was across the country in North Carolina, 2) I've never used an accounting firm to do my taxes, and 3) the name in the attachment wasn't mine. Wonderful. Yet another mistaken use of my personal email address. But the rest of the message was, frankly, upsetting. Here's a screenshot of the message, with the boilerplate "This email contains privileged and confidential information" paragraph snipped.

[Screenshot of the message, with the confidentiality boilerplate snipped]

Those of you with any cryptography background are cringing already. In a nutshell, the accounting firm in question just handed over Joe Smith's identity information on a plate, AND they made it attractive in the process. I spent a few minutes composing a reply for the accounting firm in question, telling them why this was a HORRIBLE way to send sensitive data. I included my phone number if they wanted more information.

First, they made it attractive by liberally sprinkling the message with descriptions of what it contained. The subject line, the content, and the attachment name all scream "LOOK! HERE'S IDENTITY THEFT MATERIAL FOR YOU!" I just heard somebody say "But that's not really that big of a deal. I mean, the attachment is encrypted, right?" Well, yes. Sort of.

Let's assume for the moment that the encryption key for an attachment like this, intended to be opened and read by a human, would be something manageable: relatively easy to type and about 8-20 characters long. Assuming a random assortment of upper- and lower-case characters, digits, and special characters, this gives a HUGE number of possible keys (passwords, if you will) to decrypt the file. I mean HUGE, on the order of 2 x 10³⁹ possible keys for a 20-character password. Or, if you prefer, around 2,000,000,000,000,000,000,000,000,000,000,000,000,000 different possibilities. Without some shortcut, brute-forcing the key would succeed just in time for the heat death of the universe. Okay, that's a BIT of hyperbole, but you get the idea.

In this particular case, though, the accounting firm made the job easier. MUCH easier. The email states "The password is the first 4 characters of your last name (lowercase with no spaces) followed by the last 5 digits of your SSN." That statement cuts the number of possibilities to 26⁴ × 10⁵ = 45,697,600,000 - which may seem a large number but which could have been brute-forced in 90 seconds or less on hardware from five years ago. But it gets even better, since the "first 4 characters of your last name" were ever-so-helpfully provided in the name of the attachment, reducing the number of possibilities to a mere 100,000. And because the password is built from the victim's SSN, recovering it hands the attacker five digits of that SSN before the document is even opened. They might as well have sent those tax return documents in the clear.
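To make that arithmetic concrete, here is an added Python example (mine, not the accounting firm's or the tax software's code) that models the password rule quoted above and runs the search an outsider holding the email would run. The surname, SSN, attachment name and the password-check construction (a salted SHA-256 key plus an HMAC verifier tag) are all constructed assumptions; a real PDF or ZIP uses its own key check, but the number of candidates the attacker has to try is the same.

```python
import hashlib
import hmac
import string
from typing import Optional

# Constructed sample data standing in for "Joe Smith" (not real PII).
LAST_NAME = "Smith"
SSN = "123-45-6789"
# Assumption: the attachment name carries the same 4-letter surname prefix the rule uses.
ATTACHMENT_NAME = "smit_2017_TaxReturn.pdf"

# Assumption: the attachment's password check is modelled as a salted SHA-256 key
# derivation plus an HMAC verifier tag. Real PDF/ZIP formats have their own key checks,
# but the count of candidates an attacker must test is identical.
SALT = b"constructed-salt"


def derive_key(password: str) -> bytes:
    return hashlib.sha256(SALT + password.encode()).digest()


def make_verifier(password: str) -> bytes:
    """What the 'file' stores: a tag an attacker can test candidate passwords against."""
    return hmac.new(derive_key(password), b"attachment-key-check", hashlib.sha256).digest()


def password_matches(candidate: str, verifier: bytes) -> bool:
    return hmac.compare_digest(make_verifier(candidate), verifier)


def scheme_password(last_name: str, ssn: str) -> str:
    """The rule quoted in the email: first 4 letters of the surname, lowercase, no spaces,
    followed by the last 5 digits of the SSN. (Assumption: apostrophes/hyphens are dropped.)"""
    letters = "".join(c for c in last_name.lower() if c.isalpha())
    digits = "".join(c for c in ssn if c.isdigit())
    return letters[:4] + digits[-5:]


def candidate_counts() -> dict:
    """How many passwords each attacker has to try, depending on what they know."""
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    return {
        "random_20_printable": printable ** 20,      # about 2.9e39
        "rule_known": 26 ** 4 * 10 ** 5,             # surname prefix unknown: 45,697,600,000
        "rule_and_filename_known": 10 ** 5,          # prefix read straight off the attachment name
    }


def crack_with_filename_leak(attachment_name: str, verifier: bytes) -> Optional[str]:
    """Brute-force the 100,000 candidates left once the filename gives away the prefix."""
    prefix = attachment_name[:4].lower()
    for n in range(10 ** 5):
        candidate = f"{prefix}{n:05d}"
        if password_matches(candidate, verifier):
            return candidate
    return None


if __name__ == "__main__":
    verifier = make_verifier(scheme_password(LAST_NAME, SSN))
    for attacker, count in candidate_counts().items():
        print(f"{attacker:>25}: {count:,} candidates")
    print("recovered:", crack_with_filename_leak(ATTACHMENT_NAME, verifier))
```

The full search over `rule_known` is deliberately not run here; the point is that the filename leak collapses it to the `rule_and_filename_known` loop, which finishes in well under a second on a laptop even with this toy key check.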

The analogy I drew for the accounting firm was sending an incredibly strong lockbox full of valuables through the mail, and including the key for the lockbox in the shipping crate.

I was somewhat surprised, though, when less than 20 minutes after I hit "Send" my phone rang with a call from the accounting firm. The caller (call her "Alice") apologized for sending me the email. Apparently my email address is similar to whatever one they were provided (see that previous article to see how shocked I was...). But when I asked Alice if she had read the rest of my message she responded that she hadn't, so I told her the TL;DR version of what I've just told you here. Alice's next statement floored me: She said "we use a multi-million dollar tax software package, and that's the way that it always sends out these emails."

I came away with another example of why identity theft is rampant.

So, if you happen to be an employee of a company supporting a "multi-million dollar tax software" package that sends out tax forms as encrypted attachments then I've a couple of suggestions for you. Heck, if you happen to be sending ANY encrypted attachments these suggestions might apply to you, too.

First, don't make your messages so attractive. Don't include a tempting phrase like "Tax Return Information" in the subject, the body, or the attachment names. While some good strides have been made, email is still far from secure, and you've got little to no control over the systems that your message passes through on its way to the recipient. A subject like "The file you requested" will do.

Next, PLEASE don't use a common format for your encryption keys. ANYTHING like "the first 4 characters of your last name (lowercase with no spaces) followed by the last 5 digits of your SSN" cuts the search space to an infinitesimal fraction of what it could be, and ties the key to the very data the attachment is protecting. Eight or more characters, chosen by a cryptographically secure random generator from upper- and lower-case characters and digits, does the job much more securely. Sure, it's less convenient for the recipient. Do it anyway.

And finally, please, PLEASE for the love of all that's holy, if you MUST send a description about the format of the key (or even the key itself!) then DON'T send it using the same channel that you used to send the encrypted file. Use SMS, call the recipient on the phone, or even use a carrier pigeon (see RFC 1149 and its updates) instead.
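For the second suggestion, here is an added Python example (mine, not anything shipped by the tax software) of the sender-side piece: generate a per-attachment password from the OS CSPRNG, score its strength in bits, and refuse any password that follows the leaky template or is built from the recipient's own identifiers. The template regex and the rejection heuristics are assumptions about what a sane policy looks like; the delivery channel for the password is a separate problem that no code here solves.

```python
import math
import re
import secrets
import string

# Alphabet the article recommends: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 8

# Assumption: this pattern is the shape of the rule quoted in the email
# (4 lowercase letters followed by 5 digits); anything matching it is rejected outright.
LEAKY_TEMPLATE = re.compile(r"[a-z]{4}[0-9]{5}")


def generate_attachment_password(length: int = 12) -> str:
    """A fresh random password for one attachment, from secrets (never the random module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)


def is_acceptable(password: str, recipient_last_name: str, recipient_ssn: str) -> bool:
    """Reject passwords that are too short, follow the leaky template, or contain the
    recipient's surname prefix or trailing SSN digits (the data inside the attachment)."""
    if len(password) < MIN_LENGTH or LEAKY_TEMPLATE.fullmatch(password):
        return False
    surname = "".join(c for c in recipient_last_name.lower() if c.isalpha())
    ssn_digits = "".join(c for c in recipient_ssn if c.isdigit())
    if surname[:4] and surname[:4] in password.lower():
        return False
    if ssn_digits[-4:] and ssn_digits[-4:] in password:
        return False
    return True


if __name__ == "__main__":
    # Constructed recipient data, not real PII.
    pw = generate_attachment_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits", is_acceptable(pw, "Smith", "123-45-6789"))
    print("smit56789", is_acceptable("smit56789", "Smith", "123-45-6789"))
```

Twelve characters from this alphabet is roughly 71 bits, against the 16.6 bits (100,000 candidates) that were left once the filename leaked the surname; eight characters is about 47.6 bits, which is why the article's "8 or more" is a floor, not a target.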

Managing and distributing keys for secret-key cryptography is hard. Mistakes like these don't help.

More articles by Tim Gentry

  • Phishing "Tests"

  • Coding Interviews

  • Credentials in email? Please don't. Just - don't.
