Sending financial information via (unsecure) email: why not to do it
May 29, 2013 9:03 AM

How can I misuse this bank account information? No, wait, that came out wrong. I’m looking for help justifying data security measures (at my office) for banking info.

My coworkers keep sending me bank account details via email. Our Information Security department is concerned about this and I want to be able to explain to my colleagues why it’s important that we use secure channels / redact sensitive information /etc.

Everyone understands personal privacy issues, like why salary information is confidential and locked down, but my coworkers are generally very freewheeling with financial details in ways that make the InfoSec people’s eyes bug out. I admit I’m not really sure how easy it is to misuse bank account information, so I don’t have a great explanation for why I am making these apparently pointless, (mildly) cumbersome requests of my coworkers.

I process payments so I have a business need to have the information involved. I am probably more privacy-sensitive and rule-friendly than the average person, so just the directions from Information Security are enough for me to comply. It’s convincing my coworkers that’s a little trickier. My coworkers are wonderful and I have nothing but respect for them. No one is trying to flout the rules but everyone’s busy and most people don’t deal with this as much as I do, so it’s easy to forget or ignore how to do this through proper channels. My hope is that more concrete information will help convince the people who don’t know why it matters.

So I’m looking for
- Information about how damaging/likely/easy it is to misuse financial information. Could an unauthorized person access a bank account if they had routing / account / IBAN / swift / etc numbers? Even better, are there concrete examples of this I could point to?

- Information about the permeability (sorry, I don’t have the right vocabulary for this) of email. My coworkers generally seem to have a lot of faith in emails being exclusively accessible by the addressees, even in multi-recipient, multi-response threads.

- Resources accessible to general audiences about why email security and data security are important.

Thank you!
posted by Signed Sealed Delivered to Computers & Internet (9 answers total)
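Because the question turns on identifiers such as routing numbers and IBANs travelling through ordinary mail, one concrete measure InfoSec can put behind the policy is an outbound-mail check that flags them. The following is an added example, not code from this thread or any poster; it assumes the standard ISO 13616 mod-97 IBAN check and the ABA routing check digit, and uses a constructed sample message.

```python
import re

# Regexes for candidate bank identifiers. Checksum validation below keeps
# ordinary nine-digit order or PO numbers from being flagged as routing numbers.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map A-Z to 10-35, and the resulting integer must be 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def routing_valid(rtn: str) -> bool:
    """ABA routing transit number check digit: weights 3,7,1 repeated,
    weighted sum must be 0 modulo 10."""
    if not re.fullmatch(r"\d{9}", rtn):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


def find_bank_identifiers(text: str) -> list:
    """Return (kind, value) pairs for identifiers that pass their checksum."""
    hits = []
    for m in IBAN_RE.finditer(text):
        if iban_valid(m.group()):
            hits.append(("iban", m.group()))
    for m in ROUTING_RE.finditer(text):
        if routing_valid(m.group()):
            hits.append(("routing", m.group()))
    return hits


# Constructed sample mail body (not a real message). The IBAN is the widely
# published GB example value; the routing number is made up but satisfies the
# check digit, while the PO reference is a nine-digit number that does not.
SAMPLE_MAIL = """Hi, can you pay the vendor today? Their IBAN is GB82 WEST 1234 5698 7654 32
and for the US account use routing 123456780 with our PO reference 123456789. Thanks!"""

if __name__ == "__main__":
    for kind, value in find_bank_identifiers(SAMPLE_MAIL):
        print(f"{kind}: {value}")
```

Hooked into a mail gateway or DLP rule, a hit would quarantine the message or prompt the sender to use the secure channel instead; the checksums keep the rule from nagging on every nine-digit number.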
We make it part of rigorous compliance training and then tie disciplinary action to it. Go read Verizon's DBIR, it is broader than what you are saying but it will give you an idea of where the problems are and how information is/can be misused.
posted by iamabot at 9:12 AM on May 29, 2013

Could an unauthorized person access a bank account if they had routing / account / IBAN / swift / etc numbers?
This depends on where you are in the world (the answer is different in different countries), and precisely what "etc numbers" stands for. PIN numbers? Online Banking password?
posted by caek at 9:16 AM on May 29, 2013

It's very easy to print fake checks given a routing number and account number -- all you need is MICR ink, which is widely available. And banks seldom check signatures on checks. (Example just from today)
posted by likedoomsday at 9:23 AM on May 29, 2013

You don't even need MICR ink. Nearly all check clearing now involves sending images of checks from one bank to another (see Check 21) and obviously magnetic ink is useless for that. They're using regular OCR now. That's why you can deposit checks using your phone.

Even when checks did commonly use MICR, sometimes a check would simply not be readable; in this situation, the check would be processed by hand, so MICR was not a requirement.

Yes, it's very easy to forge checks these days.
posted by kindall at 9:46 AM on May 29, 2013

Response by poster: Just to clarify - we are based in the US but do business (and have accounts in) other countries as well. The emails with financial information will contain a variety of identifying details but never PINs or passwords, as far as I know.
posted by Signed Sealed Delivered at 9:46 AM on May 29, 2013

Whose information is it? Are the coworkers sending their own banking information so you can process expense reports (for example) or are they sending info that belongs to external customers so you can process orders?

If it's their own information, then a few warnings are sufficient, especially if they explicitly state that the company won't be liable if there is any problem. If I want to take the risk of my own information being hacked, I can do that. Really, if it's in-house company email behind firewalls, who is likely to get it? I know there have been some famous breaches in the news lately, but the likelihood of that happening is still minuscule. And if I feel like I can trust my coworkers, then I'm allowed to do that.

If it's info that belongs to external customers, then yea, hammer that shit down and fire some people.
posted by CathyG at 10:34 AM on May 29, 2013

If you're interested in other countries, there was an amusing example of this in the UK a few years back. After a data security breach revealed a load of people's bank account numbers, a TV host argued that people were worrying over nothing and published his own details in his newspaper column. Then:
The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs.

He wanted to prove the story was a fuss about nothing.

But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.
posted by metaBugs at 10:48 AM on May 29, 2013

I've found that most people are not cognizant about or are lazy about the idea of email contents not being confidential. It seems that bad results don't happen often (probably credit card information is more vulnerable in a restaurant than in an email) so people continue to do it. Until there is a better solution that is convenient and simple, people will continue to do it.
posted by Dansaman at 10:51 AM on May 29, 2013

Could an unauthorized person access a bank account if they had routing / account / IBAN / swift numbers?

I have removed the "etc" and the answer is then no. This information is commonly, routinely distributed - it's on cheques, invoices, and often on company websites to facilitate payment information lookup. If you told me I had to keep this data private and never put it in an email, I'd ignore you.
posted by DarlingBri at 4:33 PM on May 29, 2013 [1 favorite]
