My Bank Showcases A Dangerous Misconception Undermining Cybersecurity

Alex Panagides
Jul 24, 2020


Many organizations still suffer from the misconception that it is safer to receive files through email than through best-of-breed cloud storage services. It is a misconception that benefits no one except the cybercriminals.

Me with the oldest phone I could find. It’s from the 1980s. It’s a little more modern than the technology behind your email attachments, but you’ll figure it out. :)

The other day my bank asked me for personal financial information in response to my request to explore mortgage refinancing. Fair enough. I dutifully uploaded my information to my Box storage account and generated a secure share link for which I opted for a seven-day auto-expiration. In other words, the share link to my private documents would expire in 7 days. I thought that would give my bank more than enough time to access the files and ensure that my data wasn’t forever accessible in an email as a standard email attachment.

See, part of what I do for a living is to follow the daily cybersecurity news and research. I am painfully aware of the immense and persistent threat of email attachments to data security. So obviously I wasn’t about to send an email attachment; that would be crazy!

So I was dumbfounded when I got a reply from my bank saying,

Screenshot from my bank's email telling me that they could not accept my personal files from secure cloud storage links because of their security policy. Better to send them my personal data through insecure email attachments.

What? For security reasons, they couldn’t use secure links?! I could only shake my head. Here we are in 2020 with a full-on cybersecurity crisis (source) and my wonderful bank (it's a credit union with excellent service and rates) was still living the dangerous misconception that email attachments are safer than cloud storage links! Given the mountain of data in my computer, studies on the Internet, breaches in the news, and my principles, I couldn’t comply.

So I responded with the following email …

Dear Sirs,

As much as I would like you to have the information you need to review my options for mortgage refinancing, I cannot send you my private information as an email attachment. Please forward the following reasons to your cybersecurity team …

Email attachments are a dangerous 50-year-old file-sharing technology developed back when color television was beginning to overtake black and white. Email attachments are woefully unprepared for the cybersecurity realities of today. File sharing technologies, like cloud storage, are the solution being adopted en masse by organizations globally.

Although both hyperlinks and email attachments are a common infection vector, hyperlinks have several critical advantages over standard email attachments from a security point of view:

  1. Hyperlinks to best-of-breed cloud storage services provide detailed audit trails of the origin of files and are avoided by attackers. Email attachments offer no trace and are anonymous and thus are a favorite of attackers.
  2. You can easily whitelist trusted cloud services to allow download. There is nothing to do for email attachments; they are already inside your firewall.
  3. Enterprise cloud storage, like Box, scans for viruses upon upload, further limiting even accidental distribution of viral content.
  4. Email attachments can be completely self-contained, and once inside the organization, can wreak havoc without external support. In contrast, the delivery of a hyperlink isn’t the delivery of the virus. The link still needs to be clicked and reach out through firewalls.
  5. Once an attachment is inside someone’s inbox, it is a persistent threat that cannot be shut down by adjusting border defenses. Even if the recipient is disconnected (e.g., on an airplane), a malicious email attachment can infect the user’s device. A malicious hyperlink is disabled.

Further reading:

I was told that the email had been forwarded internally. I haven’t heard anything back yet. It’s been a while. I am still hoping!
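
Point 2 of the email above, allowlisting trusted cloud services, sketched as a link check that a mail filter could apply to incoming messages. This is an added example, not part of the original post; the trusted-domain list, the function names and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the registrable domains this organization trusts for file sharing.
TRUSTED_DOMAINS = ("box.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message body; the share IDs and .example hosts are made up.
SAMPLE_BODY = """\
Tax returns: https://app.box.com/s/EXAMPLE-SHARE-ID
Pay stubs: https://box.com.files.example/s/EXAMPLE
Statement: https://box.com@login.example/s/EXAMPLE
Old link: http://app.box.com/s/EXAMPLE
"""


def host_allowed(url, trusted=TRUSTED_DOMAINS):
    """True only for https URLs whose host is a trusted domain or a subdomain of one."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a bad IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops any "user@" prefix and the port, so a URL written as
    # box.com@login.example is judged by its real host, login.example.
    host = (parts.hostname or "").lower().rstrip(".")
    # Match on a label boundary: "notbox.com" and "box.com.files.example" fail.
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(body, trusted=TRUSTED_DOMAINS):
    """Split the URLs found in a message body into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        (allowed if host_allowed(url, trusted) else blocked).append(url)
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = classify_links(SAMPLE_BODY)
    print("allowed:", ok)
    print("blocked:", bad)
```

Matching on the parsed hostname with a label boundary, rather than searching the URL for the string "box.com", is what keeps lookalike hosts and `user@host` forms out of the allowed list.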
