What Is The Most Secure Way to Email Identity Documents to a Credit Reporting Company?

Hello,

I do not trust the credit reporting company's email system because it does not seem to encourage emailing ID using zip file attachment.

They gave me no option to send by post nor fax nor drop off in person.

The best answer I have found so far is covered here.
https://forums.whirlpool.net.au/thread/9nkvlq73?p=-1#bottom

It says I could invoke
CDR Privacy Safeguard Guidelines
https://www.oaic.gov.au/consumer-data-right/cdr-privacy-safe…
12.16 A designated gateway of CDR data is required to put in place information security measures to protect that CDR data from misuse, interference and loss, as well as unauthorised access, modification and disclosure.

To compel the credit reporting company to provide a secure means of submission.

Any other idea?

Thank you very much.

……….Added these thoughts and advice for others on 27/9/2020:

I will use WisrCredit to check my credit scores (as opposed to credit reports) for both Equifax and Experian continuously throughout the year without requesting the free once a year credit report from both Equifax and Experian.

Experian makes it dicey to order my free annual credit report from them because they require me to email my ID documents to them. They do not have a secured portal for me to upload my ID documents.

For illion, I will sign up for the free NAB Credit Health Report (https://www.nab.com.au/personal/calculators-and-financial-to… , administered by https://www.creditsimple.com.au/) from NAB bank to monitor my credit score and credit report continuously. I will also continue to ask illion directly each year for my free annual credit report.

Comments

  • +12

    Any other idea?

    Remove tin foil hat.

    • Not very funny.

      But thanks for trying.

    • +3

      This. Email the documents and get the credit card, or don't, and don't get the card. Or I suppose you could use another company.

  • Can you describe what you mean by "credit card company's email system"? Do you need to login to their site to use it?

    • Sorry I voted wrongly.

      This is a great question.

      They asked me to email them my ID documents.

      I zip them and email to them and they refuse to call me to ask for password to unzip.

  • +1

    End of the day you have to submit the documents.
    If it is a major bank with branches you could probably take them in.
    If it's not then you will need to choose one of their options or get a different cc

    • There is no other option to send in my ID documents.

      They are one of the 3 credit card history reporting companies in Australia.

      I am trying to get my free annual credit report from all of them and this particular company is a pain in the arse to deal with.

      Seems to me they try to make it a hassle and full of risks so that fewer people will request their free annual credit reports from them.

      • +1

        OH YES!
        I know exactly what you are doing and who you are doing it with.
        Sadly email is the only option from memory.
        I did it that way in the end when I did mine.
        The other 2 companies at least let you directly upload your docs.

      • why r u being so secretive with the name??

  • +2

    Well, I would just not do it.

    Email, even SSL email, is not secured when the email is in transit between servers [https://www.youtube.com/watch?v=GY3eRvO4mKw] - and last I checked (which, granted, was years ago…) zip files were trivially easy to crack. Password protected RAR files had no known weaknesses (again, at the time)

    • No longer true as most email servers encrypt transit email using TLS.

      While ZIP had issues in the past if using an older library and 5+ files, those have long been patched;
      its only vulnerability is to brute force, especially if knowing the target format (date of birth).

  • +2

    Hiya, your concern is not at the right place.

    Even if you find a secure means of transmission, it wouldn’t mean the way they access and store your information is secure.
    They’ll probably keep your files forever and during that time a data leak can occur at any time, which is outside your control.

    Whenever a corporate email receives a ZIP, it’s 99% a virus from scammers/phishing. ZIP is a no no.

    Are you sure you want to disclose your details to these people? Even I was sceptical sending my info to banks/gov orgs, but I had no choice.

    That’s why it’s free, your details are the payment.

    • Well, if you want to know your own credit score in Australia , then you have no choice .

      https://www.choice.com.au/money/credit-cards-and-loans/home-…

      This is not like social media where you are the product . This is your legal right to have 1 free annual credit report from the 3 major credit reporting agencies.

      And one of them is making it a hassle for people to find out their own credit score.

      • If you want to know your Experian credit score then sign up to creditsavvy

        • Experian is the source.

          What is the advantage of going to a 3rd party website like creditsavvy?

          Seriously curious.

          • +1

            @Lurker: Monthly updates, you can see your historical score and compare to others in your area, your age, state, etc.

            I have a Credit Savvy account, I didn't even realise it was Experian-based. There's not a lot to it to be honest.

          • +1

            @Lurker: The third party websites get the information directly from one of the bureaus.

            Creditsavvy is Experian, Getcreditscore is Equifax and Creditsimple is illion

  • -2

    You're not that special, just send it

    • +6

      You don't have to be special to have your identity stolen. People shouldn't be mocked for thinking about their data security.

      • -2

        Sadly I'm professionally involved with data security 🤦‍♂️

        • -1

          Sounds like you are in the wrong profession.

          Perhaps you work for this credit reporting company I am complaining about because they do not take data security seriously enough?

          • -2

            @Lurker: If you want to buy a complex, lengthy and mostly unneeded security package, that's always an option 👍

            • -1

              @[Deactivated]: If you are in the data security business , perhaps you can share your wisdom with us about how to deal with emails in transit security?

              Rather than making snide remarks and proving nothing except being a useless troll and a waste of space here?

      • I think his point was that this sort of thing never or, if it does, rarely happens and that you're not interesting enough or rich enough to waste time on…

        • If one claims to be in the data security business , then one should be even more aware of the risks of identity theft and the insecurity of emails in transit.

          Nobody is uninteresting enough to avoid becoming a victim of identity theft.

          Even dead people's identities have their own uses.

          Have a look at these depressing statistics.

          https://www.identityforce.com/blog/identity-theft-odds-ident…

          I asked a serious question on Ozbargain for help and I don't appreciate useless trolls making snide remarks or making dismissive one liners they think are sassy or cool.

          • @Lurker: you seem to be focusing on "insecurity of emails in transit"

            most of emails in transit are encrypted with TLS - I don't think this should be a concern for you.

            gmail, office365, outlook.com, yahoo all do this..
            you should be able to check if the other party is using in transit encryption…
            gmail article here: https://support.google.com/mail/answer/6330403?hl=en

            • @reddwarf: Thanks for your reply.

              I shall research more about the point you have just made.

              My main concern is the laissez-faire attitude displayed by Experian (a major credit reporting agency in Australia) towards data security.

              Unlike the other 2 major companies (Equifax and illion) , Experian does not have a secured portal for their customers to upload sensitive documents.

              Now email in transit technology may well be secure these days, but I am not holding my breath that it will be secure in 100% of the cases.

              Can anybody guarantee 100% secure email in transit ?

            • +1

              @reddwarf: Gmail by default does NOT do this, sorry - it's even on the page you've linked.

              You need to turn on S/MIME if you have G Suite - and you can only do that on non-free versions. Most personal users don't have G Suite accounts, they have Gmail accounts.

              Even then, it only works if the recipient has the right set up too. Which most won't.

              The default is to transit in clear text.

              • @kale chips suck: assuming the sender is using gmail and the remote server supports STARTTLS,
                the default behaviour is to initiate TLS

                debug logs from a properly configured system when receiving emails from gmail:
                postfix/smtpd[20176]: Anonymous TLS connection established from mail-qk1-f177.google.com[209.85.222.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
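
An added example, not part of the thread or of Postfix itself: a small parser that walks Postfix `smtpd` log lines like the one quoted above and reports, per inbound session, whether STARTTLS was negotiated and with which protocol and cipher. Apart from the Google TLS line taken from the comment, every log line is constructed for illustration (documentation IP ranges, hypothetical hostnames), and the parser assumes the server logs TLS handshake summaries (`smtpd_tls_loglevel = 1` or higher).

```python
import re

# Postfix smtpd line shapes; the TLS one matches the log line quoted in the thread.
CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)\[([^\]]+)\]")
TLS_UP = re.compile(r"postfix/smtpd\[(\d+)\]: \w+ TLS connection established from "
                    r"(\S+)\[([^\]]+)\]: (\S+) with cipher (\S+)")
DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from (\S+)\[([^\]]+)\]")
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocol versions that are deprecated

def audit_inbound(lines):
    """Return one record per completed smtpd session, with a TLS verdict."""
    sessions, finished = {}, []  # sessions: (pid, ip) -> record still in progress
    for line in lines:
        if m := CONNECT.search(line):
            pid, host, ip = m.groups()
            sessions[(pid, ip)] = {"host": host, "ip": ip, "protocol": None, "cipher": None}
        elif m := TLS_UP.search(line):
            pid, host, ip, protocol, cipher = m.groups()
            rec = sessions.setdefault((pid, ip), {"host": host, "ip": ip})
            rec.update(protocol=protocol, cipher=cipher)
        elif m := DISCONNECT.search(line):
            pid, _host, ip = m.groups()
            rec = sessions.pop((pid, ip), None)
            if rec is None:  # disconnect with no matching connect in this log slice
                continue
            if rec["protocol"] is None:
                rec["verdict"] = "cleartext"  # STARTTLS was never negotiated
            elif rec["protocol"] in DEPRECATED:
                rec["verdict"] = "weak-tls"
            else:
                rec["verdict"] = "tls"
            finished.append(rec)
    return finished

# Constructed sample log. Only the Google "TLS connection established" line comes
# from the thread (shortened after the cipher); the rest is made up for the example.
SAMPLE_LOG = [
    "postfix/smtpd[20176]: connect from mail-qk1-f177.google.com[209.85.222.177]",
    "postfix/smtpd[20176]: Anonymous TLS connection established from "
    "mail-qk1-f177.google.com[209.85.222.177]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)",
    "postfix/smtpd[20176]: disconnect from mail-qk1-f177.google.com[209.85.222.177] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
    "postfix/smtpd[20181]: connect from mx.example.net[192.0.2.25]",
    "postfix/smtpd[20181]: disconnect from mx.example.net[192.0.2.25] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
    "postfix/smtpd[20190]: connect from old.example.org[198.51.100.7]",
    "postfix/smtpd[20190]: Anonymous TLS connection established from "
    "old.example.org[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "postfix/smtpd[20190]: disconnect from old.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
]

if __name__ == "__main__":
    for rec in audit_inbound(SAMPLE_LOG):
        print(f'{rec["host"]:28} {rec["verdict"]:10} {rec["protocol"]} {rec["cipher"]}')
```

A session that connects and disconnects without a TLS line was delivered in cleartext, which opportunistic STARTTLS permits whenever the sending server does not negotiate it. The log covers only the hop into the receiving server, not how the message is stored or read afterwards.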

  • Whenever I'm sending any sensitive business documents to new people or partners I just use Adobe Acrobat DC. That way you can set special permissions like no printing and download and audit each interaction via the share link.

    • The problem is any ID documents I email are viewable. Hackers can just take screenshots if they cannot download.

      • -1

        So use a PIN number on the file and disclose via a phone call.

        The probability of an email account getting hacked is very low. 2FA are a thing and email access can be locked down to an IP and Geo Location. Most services also actively scan for emails and passwords on the black market and data dumps. So there's nothing really to be concerned about.

        Unless you're an important person that has access to sensitive data or have certain permissions for a big company then you can be assured that nothing will happen because I don't think they will have the time to target you.

        If a hacker wanted to get your details there are easier ways like gaining access through IoT devices like CCTV, Smart Plugs, Jail Broken & Rooted Phones, Printers and even Smart Light Bulbs. Even a freaking smart tooth brush can act as a point of entry.

        • I have tried to offer them what you suggested (about pin/password) but they will not entertain that idea.

          If I was a hacker I would hack the hell out of this company because they do not seem to take cyber security seriously.

        • This guy has some videos about email hacks.

          https://www.youtube.com/c/BraxMe/videos

          You be the judge about how easy it is to hack emails.

          • +1

            @Lurker: Do you have a link to the video? I don't know what I'm looking for. I do a lot of pen testing and CTF so it would be interesting to see his methodology. If email hacking was this easy then what is stopping hackers from logging into Jeff Bezos' email and doing malicious activity?

              • @Lurker: What do those two videos have to do with hacking? All he is trying to do is get a public IP. Most email trackers already have an audit feature to see what IP viewed the email.

                • -1

                  @No Username: To be honest with you , I haven't watched the videos.

                  Perhaps this video recommended by somebody else earlier might be more helpful?

                  https://www.youtube.com/watch?v=GY3eRvO4mKw

                  You sound like an intelligent person. If none of his videos convinced you email hacking is possible, then your best friend Google can help you find more about email hacking and data security.

                  • @Lurker: I'm not saying email hacking is not impossible just very very difficult with large corporations. There are lots of protections and safeguards in place to prevent this, like having IP restricted accounts for administrator users, so if an admin gets hacked the hacker can't just go to their AD server and reset the user password to view their stuff. There are also social engineering attacks, but most big companies are trained in this. Another attack method is MITM, but this is useless in big corporations.

                    • @No Username: Thanks for the clarification.

                      My thread is about data security not being taken seriously by a large credit reporting company , particularly with regard to emails in transit security.

                      And they should know better.

                      Because I am sure you have come across this infamous list before.

                      https://haveibeenpwned.com/PwnedWebsites

                  • @Lurker: Added:

                    I thought the subtitles of the videos clearly demonstrated the insecurity of using email and the fact that email can be hacked.

                    • @Lurker: nothing clear about it..

                      1/ communication between sender and sender's mail server
                      he chose to use telnet, bypassing STARTTLS
                      he could have chosen to use openssl to simulate STARTTLS on an encrypted channel
                      but it either isn't setup properly on his home server or goes against his sensational video headline

                      2/ communication between sender's and receiver's mail servers
                      most of enterprise servers will communicate using encrypted channel

                      3/ communication between receiver's mail servers and the receiver
                      O365 is behind HTTPS and IMAP/POP can be secured with SSL certs

              • @Lurker: Added:
                Added these subtitles:

                Email Hackathon - Part 2 - Showing How I can Find Your Location from Your Email
                Feb 2, 2019
                https://www.youtube.com/watch?v=I5gHkM49C8o&feature=youtu.be
                Live streamed in April 2017 - Hackathon demonstrating vulnerabilities of email which affect your Internet privacy and Internet security..

                Email Hackathon - Part 3 - Hacking Email with a Beacon
                Feb 2, 2019
                https://www.youtube.com/watch?v=KH-VT0V4bwk&feature=youtu.be
                Live streamed in April 2017 - Hackathon demonstrating vulnerabilities of email which affect your Internet privacy and Internet security..

  • I'd just use a passworded pdf or zip archive, give the password over the phone. Or set the password as a detail on your account they will have access to, such as d.o.b.

    • I have tried to offer them what you suggested (about pin/password) but they will not entertain that idea.

      If I was a hacker I would hack the hell out of this company because they do not seem to take cyber security seriously.

  • +1

    You could use social / media to compel them.

    Otherwise use one of the other two to get the free report

    Uploading ID documents to an insecure company is just asking for trouble

    After the latest Services NSW identification hack, cyber security is back in the main media (thank goodness)… The media may be interested in your experience

    I imagine Choice magazine may also be curious and investigate

    Identity theft is a huge problem people don't know about until it happens to them and hence why they deride you… Please ignore the trolls.

    • The problem with credit reports is you want them from all 3 major companies , and if you live in Tasmania there is a 4th you have to deal with.

      All of them track credit history differently. One may give you a high score while the other give you a much lower score.

      When you go for loans and such you want to know your credit scores from all 3 or 4 companies in order to avoid surprises.

      Thanks for the advice and support about the trolls.

      I do view trolls as ignorant people who seem to think having counter opinions is cool or they are not sheep. When one's knee jerk reaction is to voice different opinion without thinking through or with adequate research as backup, that is sheep behaviour because sheep don't think , don't do adequate research and don't have a robust ego to change as situations change.

  • +1
    • +1

      Thanks for the suggestion.

      Could consider.

  • +1

    You could always try asking the question to the Consumer Action Law Centre, The Australian Financial Complaints Authority or the Commonwealth Ombudsman and see what kind of response you receive. Forcing people to submit information in a certain way can often be construed as indirect discrimination.

  • You could use this https://protonmail.com/support/knowledge-base/encrypt-for-ou…

    And write the password hint in the description. Will they entertain this idea? It's easier than unzipping an encrypted file…

    • Good suggestion.

      I can ask them.

      Does it require clicking on a link in the email I sent them?

      If that is the case , I have my doubts they are allowed to click on links in email.

      And password hints may not work that well for strangers.

      For people who know me well, yes.
      e.g.
      the last time we took a stroll on the beach.

  • +2

    Hello Lurker,

    If you are going to send them a copy of your IDs, use the crappiest scanning that'll be accepted. Think black and white at 300dpi.

    You can also add a couple of diagonal lines across the pages, with wording similar to: 'For [name of credit check company] use only' in between.

    The idea is that if there was a data breach, criminals would be looking for high-quality ID scans to exploit. Your 'tainted' ones would be of little value.

    Hope it helps.

    • Great idea.

      Worth trying.

      Thank you for dropping by.

  • +1

    Well for a start, the Consumer Data Right doesn't apply. That's only applicable to specific designated categories of company - currently only banks. What are you trying to do? Get a copy of your credit report?

    • Yes, get a copy of my credit report from one of the big 3 , i.e. Experian , which unfortunately wants me to EMAIL my ID documents to them.

      There is no secured portal to upload my ID , unlike the other big 2.

      Meaning Experian does not take data security seriously.

      • Normally they have a postal option. Currently they do not as they aren't checking their post box. In the absence of that, I do not believe there is another option.
