[BreachExchange] Please Email Us Your PII

Audrey McNeil audrey at riskbasedsecurity.com
Wed Oct 19 19:36:51 EDT 2016


https://www.riskbasedsecurity.com/2016/10/please-email-us-your-pii/

No, we are not asking you to email us your PII (Personally Identifiable
Information), but we are seeing other companies asking customers to do so
more and more often when it comes to e.g. making online purchases, and it
is a worrying trend.

We ourselves have experienced suspect requests like this a few times. A
customer support representative at the Danish branch of Lebara, a
telecommunications company based in UK, once asked us to email a copy of a
Visa credit card to validate it, when their website kept throwing errors
(we declined). One of our employees was asked by customer support at Thai
Airways to email a copy of his passport to reset an account password (also
declined). Now, just last week, we encountered it yet again when attempting
to purchase electronics equipment for our research lab from Mouser
Electronics, a major US-based company owned by TTI and thus Berkshire
Hathaway.

A few minutes after completing an online purchase, we received the
following email:

"Thank you for your order with MOUSER Electronics!

"As this is your first order placed with our company, we would like to
accurately set up your account parameters with Mouser. Your future orders
will therefore be processed timely and efficiently.

"In order to validate the credit card in regards to the billing and
shipping address, would it be possible to send us a copy of any
identification means (ID, passport, driver license etc.?) We want to make
sure to take this extra precaution in order to protect our customers from
any potential misuse of their credit card by a third party.

"Should this not be a preferred option for you, the offered alternative is
to prepay for the order. We can send the proforma invoice including the
bank details for processing the wire transfer."

Let us make it clear: Asking anyone – regardless of how legitimate the
company may be – to email a copy of their credit card information, ID,
passport, or driver license is suspect and unacceptable. Never comply!
Providing PII via email is widely considered bad practice and both agencies
like the FTC and companies like Google discourage responding to emails
asking for personal information.

At Risk Based Security we process information about data breaches every
single day. There are so many reasons why a company asking customers (or
would-be customers) to email PII is a very bad idea.

First off, email is not considered a secure method of transferring PII. In
many cases, it should be considered similar to sending a postcard in
regular mail; anyone intercepting it can read it. Email servers are also
not the best place to store it, as it is usually unencrypted and not well
secured. There is often a lack of control of where the emails may end up,
and it is easy for employees to forward the sensitive information to other
employees or external parties. We see data breaches due to compromised
email servers all the time. In fact, there have been more than 80 breaches
in 2016 arising solely from inappropriate email usage, compromising more
than 785,000 personal records. These happen not only for small companies,
but also large organizations and public institutions.

Second, PII should not be accessible to “random” employees like customer
account representatives or customer support. While the companies may have
faith in their employees, customers should not and cannot trust them with
their PII. Unfortunately, the majority of a company’s customer base do not
understand the full risk of emailing PII. That is why companies should have
strict policies in place to never ask for it. In the case of Mouser
Electronics, they offered an alternative if emailing the PII was not the
preferred option. It is good they offer an alternative, but it should be
the only option; not an alternative.

More importantly, while these companies may claim they are doing this to
protect you, like Mouser Electronics did, they are not only subjecting you
to more risk if complying, but they are also being disingenuous. Most
Western countries have legislation in place to protect consumers against
online credit card fraud. Consumers simply need to contact their bank,
inform them of the fraud, and the bank will take steps to prevent further
misuse and restore the customer’s account.

The real reason for companies asking about proof of identity is to protect
themselves, and they will apparently happily gamble with their customers’
sensitive personal information in order to do so.

Ironically, these suspect policies not only put the consumers at risk, but
also expose the companies to greater liability risk; especially if
operating in the USA and soon EU with the upcoming GDPR (General Data
Protection Regulation). Companies like Mouser Electronics are setting
themselves up for more liability and potential failure to comply with
regulations that could result in severe financial penalties if the
sensitive data is mishandled or part of a data breach.

It is quite simple: This is a worrying trend, and any company with a
policy of asking for PII via email or a similarly unsafe channel should
abandon this practice immediately, both in its own interest and in that of
its customers.

For consumers the advice is equally clear and simple: Never provide PII or
similar sensitive information via email to companies even if you’ve
validated that the request is not a phishing attack, but actually from a
legitimate company you are trying to do business with.

Update Regarding Mouser Electronics

After discussing our concerns with Mouser Electronics, they confirmed the
policy indeed was in place to protect their company against credit card
fraud and not just customers. However, they clarified that they do accept
customers sending a copy of their ID with sensitive information blacked
out. Mouser Electronics just needs to see the name and optionally the
address on the ID. We advised Mouser Electronics that while we still do not
recommend asking customers to email copies of their IDs, they should at a
minimum clearly advise customers in their email template to redact
sensitive information before emailing it. Mouser Electronics has confirmed
they will make such a change.