Advice for securing a PDF being emailed

Hi,
I’ve had to raise a support ticket with my utility company about a billing issue and they’ve responded via email requesting a bank statement showing my full name, address and bank account number. I’ve generated a PDF statement from my bank with these details and the utility company already knows these details themselves - sharing it with them is not the issue. It’s sending it back to their support via email and the unknown of how that PDF is then handled is what concerns me.

Does anyone have any recommendations for securing the PDF before I send it? Ideally I’d like to be able to put an expiration on it, however from my brief research that doesn’t seem possible.

Not really possible as they can always copy/screenshot/transform into a different filetype etc.

Consider going the “classic” route of printing out the PDF and sending it in via snail mail.
But then again the first thing they might do is scan it as a PDF …

Tresorit will let you send it via a link secured with a password. Since someone probably isn’t monitoring such things in real time, you can probably use whatever service you prefer for cloud storage, as long as they have the ability to expire the link within 24 hours. Then, if they are saving a copy and someone tries to open it, or they are hacked in the future, they get a worthless link.

2 Likes

You are at the utter mercy of the requesting party and their capacity to withstand the resistance of the privacy community.

Maybe you can ask for alternative ways to confirm your identity? We don’t know how the support person will react to that, it may be best to be polite and courteous so that they will have more patience to put up with our “nonsense”.

One way would be to save a screenshot of the PDF and re-embed it as an image. They may have to copy manually or have it pass through OCR software. IIRC having a password-protected PDF (that you make yourself) can disable the “copy” ability of the PDF, but again, it can simply be defeated by Printscreen → OCR and even print as PDF.

If they allow, send over WhatsApp then delete the message after verification is done?

Also I don’t exactly understand the question, these people need to keep the doc on file afaik.

Here’s my advice.

STEP 1: Add a watermark to the PDF document

Add a watermark to the PDF document that includes the following:

CONFIDENTIAL: DO NOT DISTRIBUTE
FOR ID VERIFICATION ONLY
NAME OF RECIPIENT / UTILITY COMPANY
DATE

This is a security measure I have only recently learned about, and that I have not yet had the opportunity to use, but I intend to with all the documents I send to companies from now on.

I don’t know which PDF app/website to recommend, but I recommend using one that allows you to tile the watermark so that it is repeated all across the entire page.

It would be nice if Firefox had this feature. Watermarkly seems to have it, but I have no idea if it’s safe to use.

Note: I just found out about dynamic watermarks, which apparently change every time someone opens or prints the document, so that, e.g., the time, date, and name of the computer user who opened it appear on the document. I’ve never used dynamic watermarks, though.

STEP 2: Password Protect your PDF File

Use a long passphrase like:

Dynamic king gets rid of 92 heavy fork$

STEP 3: Send the PDF via a secure file host.

I recommend Tresorit Send as someone else suggested.

Tresorit is end-to-end encrypted and gives you the option to password protect your download link, which I would do.

THE NEXT STEPS ARE NOT MANDATORY, AND PERHAPS OVERKILL, BUT I WOULD GO THROUGH THEM.

STEP 4: Do not write the password to the PDF document in the e-mail.

Instead, use Note Rip to write it in a secure note that expires and include the link to that secure note in the email.

In the advanced options, Note Rip gives you the option to choose when the note expires, limit the number of views, and of course password protect the note. All for free. I would personally password protect the note.

STEP 5: Write the password(s) to your secure links in the e-mail

Your e-mail should only contain the passwords for the Tresorit Send link and the Note Rip link. To make it simpler, they should be one and the same.

Your e-mail could look like this:

Hello John from Utility Company,

I understand you need to verify my identity, and I am more than happy to oblige by providing you with my most recent bank statement that you can download in PDF in the link below:

https : // send . tresorit . com

Because I highly value my privacy and the security of my personal documents, you will need a password to open the PDF file. You will find that password in the secure note linked below:

https : // www . noterip . com

Make sure you write down that password because the secure note will expire in 3 days and can only be viewed ONCE.

Moreover, both links to the secure note and my PDF bank statement require a password to open. That password is:

Dynamic king gets rid of heavy 92 fork$

Keep in mind that all the links I shared with you will expire within 3 days, so please open them as soon as you’ve read this e-mail, and send me confirmation that you were able to download and open my PDF bank statement.

Thank you,

Kind regards,

Hope this helps!

2 Likes
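Step 2's passphrase advice, as an added example that is not part of the original post: a password-protected PDF attached to an e-mail can be guessed against offline for as long as a copy exists, so link expiry does not help and the passphrase's randomness is what matters. The word list below is a constructed 32-word sample, and the guess rate in the demo is an assumption.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. For real use,
# load a large published list such as the EFF long wordlist (7776 words).
SAMPLE_WORDS = (
    "amber anchor basil candle cedar copper delta ember falcon garnet "
    "harbor indigo jasper kettle lantern maple nickel olive pepper quartz "
    "raven saddle timber umber velvet walnut willow yarrow zephyr zinc "
    "marble thistle"
).split()


def entropy_bits(wordlist_size, n_words):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(target_bits=80, wordlist=SAMPLE_WORDS, sep=" "):
    """Draw words with the OS CSPRNG until the target entropy is met."""
    if len(wordlist) < 2 or len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must contain at least 2 unique words")
    n = words_needed(len(wordlist), target_bits)
    return sep.join(secrets.choice(wordlist) for _ in range(n))


def years_to_search_half(bits, guesses_per_second):
    """Expected years of offline guessing to cover half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase()
    bits = entropy_bits(len(SAMPLE_WORDS), len(phrase.split()))
    print(phrase)
    print(f"{bits:.0f} bits from the {len(SAMPLE_WORDS)}-word sample list")
    print(f"a 7776-word list needs {words_needed(7776, 80)} words for 80 bits")
    # Assumed attacker speed: 1e9 guesses per second against the file.
    print(f"{years_to_search_half(bits, 1e9):.2e} years at 1e9 guesses/s")
```

The entropy figure only holds when the words are picked by the generator; a phrase a person makes up, or one that has been posted publicly, does not carry it.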

Idk why you recommended a proprietary service when https://privatebin.info/ exists.

3 Likes

I’m a newbie. I’m here to learn. I didn’t know Note Rip was proprietary, but I’ve been using it for quite a while. Never heard of Paste Bin. What is it? How does it work? Does it allow users to send protected notes too?

Was my advice to OP terrible?

Encrypted Pastebin, like a Pastebin, Yes.

Forgive me. As I said, I’m a newbie. I don’t know what a paste bin is. Care to explain?

Thanks everyone for the feedback. I ended up settling on parts of PurpleDime’s recommendation.

I didn’t have tools to redact a couple items from the PDF so I ended up opening it in MS Word, removing the items and republishing it. I then opened it on my iPhone and was able to put a password on it. I used Bitwarden Send to store that password with a 7 day expiry and attached the PDF to the email I sent them along with a link to the Bitwarden password.

Great ideas in this thread!

I know it’s super late, but I’m glad you were able to sort it out!