1:51 pm
January 3, 2013
Voonex - You can believe whatever you'd like to, but to simplify: if you think a bank doesn't use TLS for their email communication, then you should not trust them with your money. Plaintext would be only if the recipients don't have TLS enabled.
By default, Microsoft (Hotmail, Outlook, Exchange), Gmail, and Yahoo use TLS on port 587 rather than the unencrypted port 25.
And your Wireshark can't encrypt any good / useful packets unless it is not encrypted or you have the ability to decrypt a SHA-256 with RSA-2048 encryption. Well, if you can, then you are a genius and should be making at least a couple million dollars a year. That's why everyone should be ONLY using TLS / HTTPS based traffic when using public networks (coffee shops, airports, etc.).
I still believe email is more secure than mail. I totally panic when I see a credit card statement sent by mail having full name, address, CC number, etc. It is just stupid to send any credit card statement with full CC number. Amazon Visa Chase was like that.
7:42 am
December 11, 2018
A quick DNS lookup of eqbank.ca shows that they are using Office 365 as their mail provider, and Microsoft does indeed support TLS, as others have pointed out.
In my previous posts, I may not have accounted for TLS, though others here should not confuse the SSL that their browser tells them about with the TLS that is implemented by some e-mail services.
Regardless, it still strikes me as irresponsible for a major financial institution to indirectly imply that credit card statements are something that should be e-mailed around. Especially considering that there is little visibility to the end user to know if the content is secured or not. Moreover, as Alexandre pointed out, even honest mistakes like typos in an e-mail field can result in a security breach. In my own personal e-mail address, I've received tax returns, flight itineraries with full transaction details, and other similar documents for several people with a similar name.
On a side note, as a result of this conversation, I did come across this excellent resource: https://starttls-everywhere.org/. It's an EFF resource that will tell you if a particular domain supports TLS or not, saving the hassle of doing the DNS lookup and telnetting.
Rick, you said if I'm not happy with their business practices, then take my business elsewhere - well, that's a rather blunt and obvious comment. I've already done just that. I came to the forum to see if anyone else was as surprised as I was by their request. It seems that I have my answer.
8:02 am
December 17, 2016
Save2Retire@55 said
I totally panic when I see a credit card statement sent by mail having full name, address, CC number, etc. It is just stupid to send any credit card statement with full CC number. Amazon Visa Chase was like that.
YEAH, I wouldn't get too worked up about stuff like that - this is going back to the mailman stealing your statement or someone stealing from your mailbox on the exact day of statement delivery BESIDES they still need a physical card and/or a PIN and/or a CVV to do any damage PLUS it has to get past your personal scrutiny of your monthly billing.
NEXT!
8:19 am
April 6, 2013
Voonex said
…
Regardless, it still strikes me as irresponsible for a major financial institution to indirectly imply that credit card statements are something that should be e-mailed around. Especially considering that there is little visibility to the end user to know if the content is secured or not. Moreover, as Alexandre pointed out, even honest mistakes like typos in an e-mail field can result in a security breach. In my own personal e-mail address, I've received tax returns, flight itineraries with full transaction details, and other similar documents for several people with a similar name.
On a side note, as a result of this conversation, I did come across this excellent resource: https://starttls-everywhere.org/. It's an EFF resource that will tell you if a particular domain supports TLS or not, saving the hassle of doing the DNS lookup and telnetting.
…
The situation is better than it was before, when all e-mail was transferred by SMTP unencrypted. But, there is still lots to be desired.
As the recipient of a message, I can ascertain whether the message was transferred by unencrypted SMTP or by SMTP over TLS/SSL. The challenge is that, as the sender of a message, I can't tell or require SMTP over TLS/SSL. Perhaps, the port for SMTP over TLS was down temporarily and, as a fallback, the message got transferred by just SMTP.
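The recipient-side check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads a message's Received headers and marks each hop as TLS or not, using the RFC 3848 `with` keywords plus a heuristic for servers that note TLS only in a comment. The sample message, host names and ids are constructed.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848 for hops that used TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Heuristic (assumption): some servers note TLS only in a comment.
TLS_COMMENT = re.compile(r"(?:version=|using )TLS", re.I)
COMMENT = re.compile(r"\([^()]*\)")

def _field(name, text):
    m = re.search(r"\b%s\s+([^\s;]+)" % name, text, re.I)
    return m.group(1) if m else None

def received_hops(raw_message):
    """Return (from_host, by_host, protocol, tls) per hop, oldest hop first."""
    hops = []
    msg = message_from_string(raw_message)
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())      # undo header folding
        bare = flat
        while COMMENT.search(bare):         # drop comments, innermost first
            bare = COMMENT.sub("", bare)
        proto = _field("with", bare)
        tls = (proto or "").upper() in TLS_KEYWORDS or bool(TLS_COMMENT.search(flat))
        hops.append((_field("from", bare), _field("by", bare), proto, tls))
    return hops

def cleartext_hops(raw_message):
    """Hops that carry no sign of TLS in their Received line."""
    return [h for h in received_hops(raw_message) if not h[3]]

# Constructed sample message; newest Received line comes first, as in real mail.
SAMPLE = (
    "Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])\n"
    " by mail01.recipient.example with Microsoft SMTP Server\n"
    " (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1;\n"
    " Tue, 11 Dec 2018 08:19:06 -0500\n"
    "Received: from mx.sender.example (mx.sender.example [192.0.2.10])\n"
    " by mx.recipient.example with ESMTPS id abc123\n"
    " (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits));\n"
    " Tue, 11 Dec 2018 08:19:05 -0500\n"
    "Received: from app01.sender.example (app01.sender.example [198.51.100.7])\n"
    " by mx.sender.example with ESMTP id def456; Tue, 11 Dec 2018 08:19:03 -0500\n"
    "From: statements@sender.example\nTo: customer@recipient.example\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print("%s -> %s via %s, TLS=%s" % hop)
```

Received lines written before the message reached a server you trust can be forged, so only the hops recorded by your own provider are reliable evidence.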
2:22 pm
February 17, 2013
Voonex said
Rick, you said if I'm not happy with their business practices, then take my business elsewhere - well, that's a rather blunt and obvious comment. I've already done just that. I came to the forum to see if anyone else was as surprised as I was by their request. It seems that I have my answer.
Didn't mean to direct the comment at you specifically. Just an all around solution that applies to almost any relationship. Yep...rather obvious.
5:22 pm
January 3, 2013
Top It Up said
YEAH, I wouldn't get too worked up about stuff like that - this is going back to the mailman stealing your statement or someone stealing from your mailbox on the exact day of statement delivery BESIDES they still need a physical card and/or a PIN and/or a CVV to do any damage PLUS it has to get past your personal scrutiny of your monthly billing.
NEXT!
Are you okay? (I wanted to reply but the capital BESIDES - PLUS along the NEXT made your comment so .....).
5:27 pm
January 3, 2013
Voonex - Totally agree. If you don't trust their way of doing business, you shouldn't consider it. However, I am sure they all have to follow protocols and government policies and guidelines.
For EQ, I have been their customer for a couple of years and so far no issues.
Good luck and thanks for https://starttls-everywhere.org/. It might come in handy 🙂 I also always double check the certification of the sites before putting any information.