Whether you choose to deploy a 'Push' or a 'Pull solution; security and risk are key to determining a successful strategy. Today I want to address what makes a "push" eDocument delivery approach the better choice when weighing up the risk and security factors. But before I do that, let me dispel some myths about email security that I've recently heard mentioned.
Email security myths dispelled:
MYTH 1: Email can be stolen en-masse at an ISP: I've heard some winners in my 15 years in this industry but this takes first prize. Yes, email can be stolen at ISP's in the same way your money can be stolen at the bank by bank employees. I know a few ISP Executives who would take some affront at this accusation.MYTH 2: Email can be stolen en-route: Email can be stolen en-route in the same way a USPS vehicle can be hijacked and your physical mail stolen. It’s possible but incredibly difficult, expensive and most importantly, a serious crime. Unlike a USPS truck however, for a fraudster to locate a specific email would be like finding a needle in a haystack the size of Montana. On top of which they then have to brute force attack the encryption (more time & money.) The result of which is then a PDF copy of one consumer’s bill or statement. The reality is that even if one knew how, it is simply commercially unfeasible to do so (far easier to simply hijack that truck or steal your mail from your postbox.)
MYTH 3: PDF attachments trigger spam filters: Simply not true. Spam triggers spam filters. And if you send spam with PDF’s then these will also be blocked.
'Push' eDocument delivery - the better choice
Striata has delivered billions of secure electronic documents for over 11 years, in 14 countries and for over 250 major Financial Services, Telecommunication, Utilities and Corporates, including 3 of the top 8 banks in the world.From a security and risk perspective, 'Push' eDocument delivery is the better choice. As major players in this field, this is how we address it:
The Striata eDocument Delivery process has four security areas:
- Email Address Verification – Explicit knowledge that your customer email addresses on file are accurate and current. For those who aren't; we have the Striata Email Address Verification program, which uses email and mobile phone text messaging to confirm and gather email addresses.
- Striata eConsent – The process of gaining intelligent & compliant consent to go paperless, with just one click. Once the sender has an accurate and current email address, a highly personalized and Sender Authenticated eConsent email is sent to the consumer. There are two buttons in the email body, one to consent to go paperless and one to decline to do so – the recipient just clicks on one of them. There is no website to visit, no enrollment form, no choosing & remembering of usernames & passwords
- Striata Sender Authentication – The recipient has intuitive knowledge that the sender is who they purport to be. Other than the various technology elements like SPF Records. DKIM etc, Striata utilizes a multi faceted approach to creating this intuitive trust. These include:
- Actual sender’s domain: The message comes from the sender’s address: for example. This should always be the actual address and not a spoofed one (if you had to do a reverse DNS lookup you would find the sender’s verifiable domain.)
- Subject line: We include the recipient's name in the Subject line
- Salutation: A full greeting is used: Dear Mr. John Smith
- Striata Authenticated: In the body of the email is a highlighted area which contains two to five partial pieces of information about the consumer. This may include physical address, account number, primary phone number etc.
- Recipient Identification – The sender is assured that only the intended recipient has access to the secured Document content. There are two major ways (levels) that the sender is ensured that only the intended recipient can gain access to the secured information (bill, statements etc.)
- Access to the email inbox: Email accounts are very well protected by physical access to a device or in most cases through a username & password.
- Knowledge of a 'shared secret': In addition to the previous layer, Striata Secured PDF's are encrypted with a minimum of 128 bit RC4 encryption. The PDF is decrypted through recipient knowledge of a 'shared secret'. This is a partial piece of information known only to the sender and recipient. (Last 5 digits of a Social Security Number is a good example of this.)
It is very important that these two security layers are viewed hand in hand. The PDF is not in a publically accessible location and can only be decrypted by somebody who has BOTH access to the email account and who knows the 'shared secret'.
Peace of mind that the message is genuine
The combination of all of the above is what gives consumers explicit and intuitive trust (without any education) that the message is genuine.In conclusion – when executed correctly, the processes and methodologies described above result in a security landscape that is significantly more secure than a two field password protected website. Most importantly however, is that these processes are many, many times more convenient for the end consumer, and, as we all know, convenience equals customer satisfaction.
Garin Toren
Chief Operating Officer, America
striata.com
No comments:
Post a Comment