Inconvenient Security

We are making a transaction that requires funds to be “wired” from our bank to an escrow company. You would think that the destination bank routing code, escrow company’s account number and the escrow number would be sufficient. But the sending bank wants the receiving bank’s name and address as well as the escrow company’s name and address too. So there are lots of fields to fill in on the wire transfer request. Fortunately the escrow company sent a PDF with all that information.

Inappropriate Security

But the PDF is password protected against copying. And my usual trick for getting around that, printing the document into another PDF, was blocked too. I can only guess that this is a security measure of some sort. But it would only protect against someone else putting money into the escrow account, which seems highly unlikely to me. By protecting against copying, it means that all the information has to be retyped into my bank’s on-line form, which is a recipe for errors.

How does the escrow company think that password protecting against copying is a security measure? And if not for security what other reason could there be for password protecting the PDF?

Byzantine Workflow

Now we get to my bank’s workflow. First you have to log in to their website, navigate to their forms area, select the wire transfer form and fill it out. But you can’t just click on a submit button: you are required to print it out, manually sign it and then either FAX it back to them or scan it and securely email it to them. Our FAX machine was retired many years ago, so I picked the scan and email workflow.

The next weirdness is that the bank doesn’t just publish a public key so you can securely email things to them.

Instead you have to log out of the bank’s web site to see the link to “secure email”, which takes you to a third party where you need to set up a separate account. With that type of redirection you would expect that you could just fill in your return email address, upload the form and click send. But no, this is a general purpose secure email setup of some sort, so they don’t have the destination address filled in or available. You need to call the bank’s 800 number and get the destination email address to use, as it is nowhere on the form, the bank’s website or the secure email vendor’s site.

I guess that odd workflow is insecure enough that the bank then calls you back and, using data from a credit agency (you need to give them permission to access that), they ask you a number of questions, unrelated to those you used when setting up on-line banking, to verify who you are before they will process the transaction.

I am left with the sense that everyone involved in this process is simply making things hard and that, by being hard, they feel it is more secure.

Why not just publish a public key on their website? Why not have you supply your public key to the bank when you set up your account? Then the whole process could be done using your (modern) everyday email client by simply clicking on the little padlock icon when composing the request email.