Requesting paper statements

Yeah I think someone’s misunderstood a training course there!

1 Like

Yes. Or intentionally misunderstood. Money laundering is a big scary crime no one wants to be accused of, so they might have found the accusation breeds compliance.

I’d point out they’re the ones transferring money, and ask them if they consider themselves to be suspect.

3 Likes

Jeez, sounds like there are some annoying HR departments around.

I got mine updated by sending a PGP signed email to HR with nothing other than the new sort code/account number. No fuss at all and they were satisfied it was a legitimate request from me.

With all my accounts I’d willingly have online downloadable statements. More often than not proper paper statements are requested to check authenticity etc. At the very least I’d quite like to see downloadable PDFs for monthly statements for a rolling 6 years.

See, both times I’ve done our mortgage they have accepted what we wrote down on the assessment and never looked for any evidence of said fact, but yes, I’ve heard some ask. It’s a shame all these processes haven’t moved along and won’t accept an exported CSV file, for example.

It wouldn’t be hard to take the CSV and make convincing-looking statements… after all, that’s basically how the other banks do it.

With so many accounts being paperless now asking for paper statements seems rather quaint & something a lot of people would have trouble with. I just printed out the PDF downloads from my FD account, when asked for that - it’s what FD would have done anyway if I’d asked them.

1 Like

Just seen another thread, from someone else who had the same issue.

Your HR department has a PGP supporting email client!?

It’s sad but this is how most people I know verify PGP signed messages at least.

I’ve taken to replacing it with --- BEGIN PHP SIGNED MESSAGE--- just to see who notices. :joy:

6 Likes

Lol I would put more trust in a plain text unsigned email than a PHP signed one. :joy:

2 Likes

Ouch. I’m a PHP developer :roll_eyes:

1 Like

I’m so sorry for you. There’s still hope though, it’s never too late. :joy:

1 Like

Ugh. Well at least you didn’t suggest Node :wink:

2 Likes

Yup! Everyone in the company uses PGP and there’s an internal keyserver. As for clients, I think there’s an Outlook plugin that the folks on Windoze use that verifies signatures etc but I avoid anything other than Linux, so not familiar with it myself. I’ll admit this isn’t the norm, I’ve never seen traditional software engineering organisations have something like this deployed so I imagine it comes with working in security.

With that said, I think it’s something a lot of companies should look at deploying. It’s pretty handy, especially with how little trust I place in email normally.

Haha, I’d take PHP over JS any day. I mostly write C# when I actually do development now (which isn’t so often nowadays) but I find myself missing Composer and Laravel on occasion.

3 Likes

Besides PGP there is also S/MIME, which is based on X.509 certificates and has the advantage of being more supported in the proprietary world (once configured it’s pretty much seamless on Outlook and even iOS/Mac Mail). Key management is obviously still a pain but that might get more buy-in from users than PGP… even I’ll take it any day over PGP just because of the better user experience.

Yeah as much as I hate PHP I would take it over JS too… thankfully I don’t have to use either. :upside_down_face:

Meh, that’s still overdoing it. ROT13 is all the security I’ll ever need :slight_smile: /s

1 Like

ROT26 is even better though. :wink:

2 Likes

True. I guess for some ultra-high security applications ROT3744 might be justified, too.

S/MIME is neat and I must agree on the client support, though I’ve not seen any decent CAs offering free id-kp-emailProtection certs for all (including commercial) purposes which makes deployment a bit of a pain without forking over cash to someone like Comodo. Would be nice if Let’s Encrypt started issuing certs for it.

Yes paid certs are a pain for users but for companies it should be a no-brainer. The nice thing about S/MIME is that being CA-based, there is no opt-in required for the recipients of the emails - their client will automatically tell them whether the cert is valid. I’m surprised most banks don’t do this - a few certs is all it will take and all their users will have a robust way of checking whether the email is legitimate or phishing.

2 Likes