
Are Boards.ie Private Messages Encrypted ?

  • 01-12-2015 1:35pm
    #1
    Registered Users Posts: 2,448 ✭✭✭


    Hi,

    I think the concept of being able to speak with various service providers here on Boards.ie is an excellent one.

    That said, I notice a couple of them are asking for personal data, much of which would be very sensitive and could aid identity theft if there was ever a data breach (no offence Boards, but it can happen to any site as we all know), which begs the question -

    Are the Private Messages used on Boards.ie encrypted, much like we see various websites have encrypted sections for things like credit card payments or other personal communications ?

    If the PM facility is not encrypted, then should the various third parties be asking for confidential details to be sent via PM ... I would think not ?

    Many thanks.

    Thanks,

    G.

    Post edited by Shield on



Comments

  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    I believe they're technically retrievable by a dev, but I understand that the access controls around it are pretty tight.

    The bigger concern is that they're sent to boards over HTTP, which means that it is absolutely trivial for anyone on your network to capture the information: http://www.boards.ie/vbulletin/showthread.php?t=2057282369

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Closed Accounts Posts: 27,944 ✭✭✭✭4zn76tysfajdxp


    Is that right? That should be amended to prevent any non-trivial personal information being leaked.


  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    4zn76tysfajdxp wrote: »
    Is that right? That should be amended to prevent any non-trivial personal information being leaked.
    They've been considering it for at least 5 years: http://www.boards.ie/vbulletin/showthread.php?p=69087737




  • Registered Users Posts: 2,448 ✭✭✭garrettod


    Hello,

    Thank you for the responses.

    If that is the case, then no one should be providing their personal information over the site.

    No offense to Boards (I'm a fan !), but personal data security has to come first here and the likes of Sky, Three, Vodafone etc. should also respect that, so they should not be asking for such information via personal messages here on the site under any circumstances.

    Thanks,

    G.



  • Moderators, Category Moderators, Arts Moderators, Business & Finance Moderators, Entertainment Moderators, Society & Culture Moderators Posts: 18,311 CMod ✭✭✭✭Nody


    garrettod wrote: »
    No offense to Boards (I'm a fan !), but personal data security has to come first here and the likes of Sky, Three, Vodafone etc. should also respect that, so they should not be asking for such information via personal messages here on the site under any circumstances.
    How do you expect them to verify who you are though? By your word alone? It's like everything else on the internet a risk but let's be honest if this is the biggest risk someone takes then that's quite mild...


  • Registered Users Posts: 2,448 ✭✭✭garrettod


    Nody wrote: »
    How do you expect them to verify who you are though? By your word alone? It's like everything else on the internet a risk but let's be honest if this is the biggest risk someone takes then that's quite mild...

    Hi,

    Take the example of a mobile phone operator, working on Boards through the "talk to...." service, they ask people to send them a PM with their name, address and date of birth.

    Here's an extract from one of the staff member's autosignature, to evidence the request btw:

    If you're sending me a PM (private message) make sure to include your name, address and date of birth for verification.
    We can only discuss accounts with account holders and/or authorised contacts.


    Passing that information over an unsecure connection is taking a risk with personal data, as I see it.

    Take a couple of minutes and research the topic of identity theft online...

    I am not trying to be unfair to Boards here, but the simple fact of the matter is that there is a risk and as such, we should not be asked by the various service providers to provide significant personal data via PMs :)


    Here's a hypothetical situation....

    I give my name, address and date of birth to a service provider via PM here on Boards, for example. The information gets stolen. The thief then contacts the service provider with my personal information and tells them to change my correspondent address (giving some plausible reason), so they do it. The next bill arrives from the service provider in due course, at the new address.

    The thief next contacts my bank (who I have also been communicating with here on Boards, via PM) and asks them to change the correspondent address, providing the recently obtained utility bill as evidence of the new address. The Bank changes the address. The thief then asks for a new card to be issued, as he's lost his or it's broken or something, so out comes a new card.... I'm sure you can see where this is going....

    Thanks,

    G.



  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    To be fair to Boards, this is a failing of the companies involved. If a company requested you to send your personal data on a postcard (i.e. no envelope), you wouldn't complain to An Post that their system was insecure.




  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    garrettod wrote: »
    Hi,

    I think the concept of being able to speak with various service providers here on Boards.ie is an excellent one.

    That said, I notice a couple of them are asking for personal data, much of which would be very sensitive and could aid identity theft if there was ever a data breach (no offence Boards, but it can happen to any site as we all know), which begs the question -

    Are the Private Messages used on Boards.ie encrypted, much like we see various websites have encrypted sections for things like credit card payments or other personal communications ?

    If the PM facility is not encrypted, then should the various third parties be asking for confidential details to be sent via PM ... I would think not ?

    Many thanks.
    To answer your question - no, PMs are not currently encrypted. This has been a concern for both ourselves and for members for a while and is one of many reasons we've spent a significant amount of time building the new version of the site that, amongst other things, addresses this issue.

    We are moving to this new version of the site which is currently live and available to all our members. Try the 'Turn Beta On' link at the footer of any page on the touch or full site to see and use it. This new version of the site uses encryption by default for sending of Private Messages. We'd encourage all users who have concerns around sending private information to service providers using Boards.ie to switch to the new site.

    Regarding the current system of PMs, as far as I am aware (slightly before my time) the Data Protection Commissioner reviewed these when we were going live with our first Talk To forums and was happy for them to proceed knowing how and with whom private data would be shared.


  • Registered Users Posts: 2,448 ✭✭✭garrettod


    28064212 wrote: »
    To be fair to Boards, this is a failing of the companies involved. If a company requested you to send your personal data on a postcard (i.e. no envelope), you wouldn't complain to An Post that their system was insecure.


    Absolutely correct.

    Sorry, I thought I was clear on this throughout, that I am not trying to "have a go" at Boards here. As I said above, I am a fan !

    There is simply a risk here that needs to be recognised and by extension, the various parties should not be asking for personal data to be transmitted over unsecure PMs. It's that simple and down to the service providers, who are in the wrong here imho.

    Boards.ie: Niamh wrote: »
    To answer your question - no, PMs are not currently encrypted. This has been a concern for both ourselves and for members for a while and is one of many reasons we've spent a significant amount of time building the new version of the site that, amongst other things, addresses this issue.

    We are moving to this new version of the site which is currently live and available to all our members. Try the 'Turn Beta On' link at the footer of any page on the touch or full site to see and use it. This new version of the site uses encryption by default for sending of Private Messages. We'd encourage all users who have concerns around sending private information to service providers using Boards.ie to switch to the new site.

    Regarding the current system of PMs, as far as I am aware (slightly before my time) the Data Protection Commissioner reviewed these when we were going live with our first Talk To forums and was happy for them to proceed knowing how and with whom private data would be shared.


    Niamh,

    Thank you for the reply.

    Any idea when the Beta version will formally "go live", complete with secure PMs and replace the current version of the site ?

    Appreciate you were not involved in the discussions between Boards and the Data Protection Commissioner, so you can't speak on the detail.. but I cannot see how the Data Protection Commissioner's office would be comfortable with what's happening here - perhaps because the third party service providers are asking for more personal information than was originally envisaged, or perhaps because Data Protection and Identity Theft are more serious concerns now, with far more awareness, than there was a few years ago (sorry don't know when Boards & DPC would have been in contact).

    At the minimum, everyone here on the site should be made clearly aware that there is a potential risk (albeit, we would all like to consider it unlikely to occur) and also all service providers should be told they cannot insist on people providing this information via PM at the current time, before engaging. If they need to verify an identity, they can do it through a phone call etc.

    My concerns are that:

    1. Criminals have become more sophisticated and technically capable, so the risk is higher than perhaps it once was.

    2. The volume of information passing through Boards PM system daily is now so significant, that it would make an attempted theft of such data worthwhile.

    3. The level of understanding that the general public have about this risk is so low, that most are simply unaware and hence in their innocence, are taking an unnecessary risk.

    4. Some of the staff working as customer service or support for some of the companies using the Talk to us facility here on Boards, are not well enough trained or up to date to even consider the risk when asking for detailed information. Yet, they insist on it being provided, before being willing to speak with someone here - when they could simply say that we would like to telephone you (on the telephone number they already hold on file), to confirm the person's identity, when they need to.

    Thanks,

    G.



  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    In fairness, it's as encrypted as sending them an email with the same info.. If you don't feel secure then request a face to face meeting with bits of paper (that you printed off the internet..) in your hand.


  • Closed Accounts Posts: 31,152 ✭✭✭✭KERSPLAT!


    Steve wrote: »
    In fairness, it's as encrypted as sending them an email with the same info.. If you don't feel secure then request a face to face meeting with bits of paper (that you printed off the internet..) in your hand.

    Gmail uses https, as does outlook.com and others I'm sure.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    KERSPLAT! wrote: »
    Gmail uses https, as does outlook.com and others I'm sure.
    That's grand when you're looking at your own mail, but once it goes to the other company you don't know where it's going and who may be listening on the line.

    There may or may not be TLS encryption on both ends, there may or may not be fifty people with access to that mailbox, the mails may or may not be stored unencrypted on the agent's individual machines, or on local backups.

    With boards you kind of know where you are, and if both sender and receiver use HTTPS, then you also know that the only way your info can be compromised is if someone else gets direct access to the boards database.

    The current PM system is at worst, no worse than email. At best it's slightly more secure.

    I guess one thing which boards should be doing right now and which is very straightforward is to enforce HTTPS when accessing PMs. Then at the very least you're guaranteed transport security.
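
Added example, not part of the thread and not Boards.ie's code: a Python check of what "enforce HTTPS when accessing PMs" looks like in the responses a site returns, run over three constructed response sets. The host `forum.example`, the path and the cookie name are placeholders; the third case shows why switching only the PM page to HTTPS is not enough if the session cookie lacks `Secure`.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def header_values(resp, name):
    """All values of a header, matched case-insensitively."""
    return [v for k, v in resp["headers"] if k.lower() == name.lower()]

def cookies_without_secure(resp):
    """Names of cookies set without the Secure attribute."""
    names = []
    for raw in header_values(resp, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(parts[0].split("=", 1)[0])
    return names

def hsts_max_age(resp):
    """max-age from Strict-Transport-Security, or 0 if absent/invalid."""
    for raw in header_values(resp, "Strict-Transport-Security"):
        for directive in raw.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                return int(val.strip('"'))
    return 0

def audit_pm_transport(url, http_resp, https_resp):
    """Return findings for a PM endpoint given its cleartext and TLS responses."""
    findings = []
    host = urlsplit(url).hostname
    loc = urlsplit(next(iter(header_values(http_resp, "Location")), ""))
    # The cleartext request must only bounce to HTTPS on the same host.
    if not (http_resp["status"] in REDIRECTS
            and loc.scheme == "https" and loc.hostname == host):
        findings.append("http-not-redirected-to-https")
    # A cookie issued over HTTP is visible to anyone on the network path.
    if header_values(http_resp, "Set-Cookie"):
        findings.append("cookie-set-over-http")
    if https_resp is None:
        findings.append("https-unavailable")
        return findings
    # Without Secure, the browser also sends the cookie on plain-HTTP pages.
    for name in cookies_without_secure(https_resp):
        findings.append("cookie-missing-secure:" + name)
    # Without HSTS, the first request of each visit can still go out in clear.
    if hsts_max_age(https_resp) <= 0:
        findings.append("no-hsts")
    return findings

# Constructed sample data (placeholders, not captured from any real site).
URL = "http://forum.example/private.php"
TLS_URL = "https://forum.example/private.php"
LEGACY = {  # PM page served directly over HTTP
    "http": {"status": 200, "headers": [
        ("Set-Cookie", "session=constructed; Path=/; HttpOnly")]},
    "https": None,
}
PARTIAL = {  # PM page switches to HTTPS, rest of the setup unchanged
    "http": {"status": 302, "headers": [("Location", TLS_URL)]},
    "https": {"status": 200, "headers": [
        ("Set-Cookie", "session=constructed; Path=/; HttpOnly")]},
}
ENFORCED = {  # redirect, Secure cookie and HSTS all present
    "http": {"status": 301, "headers": [("Location", TLS_URL)]},
    "https": {"status": 200, "headers": [
        ("Set-Cookie", "session=constructed; Path=/; HttpOnly; Secure"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]},
}

if __name__ == "__main__":
    for label, case in (("legacy", LEGACY), ("partial", PARTIAL),
                        ("enforced", ENFORCED)):
        print(label, audit_pm_transport(URL, case["http"], case["https"]))
```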


  • Posts: 0 [Deleted User]


    Exactly. I used to work for a now defunct online store. The end-to-end connection was HTTPS encrypted and the website would send an e-mail confirming the order. These e-mails were retrieved over an unsecured POP3 connection! So you can't ever be sure that any data sent over the internet is encrypted throughout.


  • Registered Users Posts: 2,448 ✭✭✭garrettod


    Boards.ie: Niamh wrote: »
    To answer your question - no, PMs are not currently encrypted. This has been a concern for both ourselves and for members for a while and is one of many reasons we've spent a significant amount of time building the new version of the site that, amongst other things, addresses this issue.

    We are moving to this new version of the site which is currently live and available to all our members. Try the 'Turn Beta On' link at the footer of any page on the touch or full site to see and use it. This new version of the site uses encryption by default for sending of Private Messages. We'd encourage all users who have concerns around sending private information to service providers using Boards.ie to switch to the new site.

    Regarding the current system of PMs, as far as I am aware (slightly before my time) the Data Protection Commissioner reviewed these when we were going live with our first Talk To forums and was happy for them to proceed knowing how and with whom private data would be shared.


    Hi Niamh,

    Has the new version of Boards.ie that you referred to in your post above since gone live and if so, are all PMs now encrypted ?

    Sorry if I've missed an announcement over recent months btw.

    Thanks,

    Thanks,

    G.



  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    garrettod wrote: »
    Hi Niamh,

    Has the new version of Boards.ie that you referred to in your post above since gone live and if so, are all PMs now encrypted ?

    Sorry if I've missed an announcement over recent months btw.

    Thanks,

    I would guess not, why would they?

    Your login and password is secure salted and hashed, PM's are a database record.

    If you are worried about being found out for cybersexting or worse then... stop doing it. :)


  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    Steve wrote: »
    Your login and password is secure salted and hashed, PM's are a database record.
    None of which prevents someone on the same network accessing any PMs while they are being sent or received.




  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    28064212 wrote: »
    None of which prevents someone on the same network accessing any PMs while they are being sent or received.

    Yes.


    To go back to common sense: don't post anything on the internet that you wouldn't paint in big letters on the front of your house. :)


  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    Steve wrote: »
    To go back to common sense: don't post anything on the internet that you wouldn't paint in big letters on the front of your house. :)
    And when TalkTo reps ask for personal and account information, tell them "No, Boards.ie's PM system isn't a secure method"? Won't do much for Boards' reputation as a potential support channel




  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    28064212 wrote: »
    And when TalkTo reps ask for personal and account information, tell them "No, Boards.ie's PM system isn't a secure method"? Won't do much for Boards' reputation as a potential support channel

    It's as secure as a facebook message or private tweet. At the end of the day someone somewhere can read it.

    When you go into a bank and tell the cashier your account number and the guy in the queue behind you memorizes it.. is it the bank's fault?


  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    Steve wrote: »
    It's as secure as a facebook message or private tweet.
    No, it's not. Facebook and twitter use HTTPS. Someone on your network can not monitor your messages. The same is not true of Boards, it's an absolutely trivial attack to perform




  • Moderators, Category Moderators, Entertainment Moderators, Sports Moderators Posts: 22,584 CMod ✭✭✭✭Steve


    Fair enough.

    My point stands, don't post stuff you are not happy with. :)


  • Registered Users Posts: 1,035 ✭✭✭IITYWYBMAD


    Steve wrote: »
    Fair enough.

    My point stands, don't post stuff you are not happy with. :)

    Surely users should be informed of this when sending PMs? Secondly, if this is the case, why are paying reps on boards asking for personal account information via PM, when boards know that it's an insecure way of sending personal and identifiable information?

    I won't comment on your strawman with regards to a bank as we all know of insecure systems, and the list is as long as a long thing.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Email and the postal system are just as insecure and companies routinely use them for sending personal information.

    While boards should be using HTTPS for the PM interface at least, they're not doing anything out of the ordinary vis-a-vis security.

    edit: The paranoia about people on the same network as you spying on your boards PM traffic also reminds me of this;

    [Image: security.png]

    If someone is on the same network as you and trying to find out information about you, you can be pretty sure they already know a lot more about you than your name and Virgin Media account number.


  • Registered Users Posts: 11,647 ✭✭✭✭El Weirdo


    seamus wrote: »
    If someone is on the same network as you and trying to find out information about you, you can be pretty sure they already know a lot more about you than your name and Virgin Media account number.

    [Image: DzoQs4X.jpg]


  • Registered Users Posts: 10,634 ✭✭✭✭28064212


    seamus wrote: »
    edit: The paranoia about people on the same network as you spying on your boards PM traffic also reminds me of this;
    So nobody should ever connect to any network that they don't have total control over? No hotels, no libraries, no webcafes. Every student in a bedsit should have their own router.

    I'm curious, how many sites do you use involving private information that don't have HTTPS enabled?




  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    28064212 wrote: »
    So nobody should ever connect to any network that they don't have total control over? No hotels, no libraries, no webcafes. Every student in a bedsit should have their own router.
    Isn't that exactly what the super-paranoid recommend?

    Like I say, boards should have HTTPS enabled, but they're hardly misleading people or being negligent by not doing so.

    Boards should inform people that PMs aren't secure just as soon as the service providers warn their customers that post, email and telephone support aren't secure either.

    Note I'm not disagreeing about the fact that HTTPS should be there and it's a trivial thing to do. But it's also not even remotely a big deal.


  • Posts: 0 [Deleted User]


    I just tried visiting the responsive site and when I open my PM inbox, it switches to HTTPS.


  • Boards.ie Employee Posts: 12,597 ✭✭✭✭✭Boards.ie: Niamh
    Boards.ie Community Manager


    garrettod wrote: »
    Hi Niamh,

    Has the new version of Boards.ie that you referred to in your post above since gone live and if so, are all PMs now encrypted ?

    Sorry if I've missed an announcement over recent months btw.

    Thanks,

    The new responsive site has been live for quite some time - you can switch to it at any time by clicking on 'responsive site' in the footer. HTTPS is enabled for PMs there - as pointed out by Karsini, thank you :)

    If you wish to switch back, click on Legacy Site on top right or in the footer of any page.


  • Closed Accounts Posts: 397 ✭✭Wigglepuppy


    28064212 wrote: »
    To be fair to Boards, this is a failing of the companies involved.
    But how are the companies supposed to assist people with a query on their account without their customer account details? Private message is the only way. Otherwise they would have to direct them to ringing or emailing the company, and what is the point of a "Talk To xyz company" forum then? If the private message system is not secure, then the failing is not on the part of the companies, in my opinion.


  • Registered Users Posts: 2,448 ✭✭✭garrettod


    Steve wrote: »
    ....If you are worried about being found out for cybersexting or worse then... stop doing it. :)

    Another possibility is that I'm concerned about the amount of personal confidential information that could be stolen, given a number of the companies operating on the "Talk to" forums here keep asking people to transfer their personal details over the PM system :rolleyes:

    Wigglepuppy wrote: »
    But how are the companies supposed to assist people with a query on their account without their customer account details? Private message is the only way. Otherwise they would have to direct them to ringing or emailing the company, and what is the point of a "Talk To xyz company" forum then? If the private message system is not secure, then the failing is not on the part of the companies, in my opinion.

    I don't see why the Reps from the various companies can't just work from one piece of data, such as an account number. The Reps have access to their own employer's systems, so they can easily check the contact details of the person behind each account number and then telephone them. No big deal and not rocket science, but it removes the need for several pieces of personal information to be sent by PM and by extension, the risk that if the data falls into the wrong hands, it will facilitate potential identity theft.

    Boards.ie: Niamh wrote: »
    The new responsive site has been live for quite some time - you can switch to it at any time by clicking on 'responsive site' in the footer. HTTPS is enabled for PMs there - as pointed out by Karsini, thank you :)

    If you wish to switch back, click on Legacy Site on top right or in the footer of any page.

    Hello Niamh,

    Thank you for the reply.

    Why are there two versions of the site (i.e. the new "responsive" version and the "legacy" version) .. it seems odd to have two versions, unless I'm missing something obvious here ? If there is a section on this to deal with FAQs etc perhaps you might please provide a link (sorry, have had a quick look but can't find it).

    Many thanks.

    Thanks,

    G.


