Should I email a bank pictures of my face & ID? (How secure is email in transit?)

I can already feel people immediately shouting “NO!” in response to this title, but please read the post before answering.

I am applying for some accounts at an online bank. I have good reasons for doing so as I can get a decent chunk of cash out of it which is something that’d be a good help for me at this time. No other bank is currently offering a comparable deal. My account has technically been created but the last step in this process before I can really use it is to complete my ID verification.

Unfortunately, I was unable to verify my identity through their typical means. One alternative means of verification they offer is to email them a photo of my face and an ID card which includes all sorts of personal information. I’m going to try and suggest alternatives, but I’m anticipating that they’ll only offer me the email option. I don’t think it’ll cost me anything if I walk away, but I would be leaving behind a good chunk of money that I could really use.

As I see it, this might ultimately come down to how secure email is between email services. I’m aware email isn’t safe as it isn’t end-to-end encrypted and doesn’t protect metadata, but what about email security between email services themselves? If emails are encrypted between email services when in transit, then I might not actually be taking on a whole lot of risk. I use Proton who should already be storing my sent emails with E2EE on their end and the bank receiving it is obviously going to see my face and ID unencrypted anyways. (There are some other concerns that can stem from this though. For example they might not be using their own email system and instead piggy-backing off of another provider while using their own domain name. I'd also be curious about how long they'll store that email.)

I’d greatly appreciate some advice from anyone who has any insight on server-to-server email security or if anyone can foresee other realistic security risks in doing this.

Email in transit usually uses TLS and so should be just as secure as any HTTPS connection on the Internet. You can read more here. You should ask if you can blank out some details on your ID card which the bank doesn’t need. You could try to physically go to the bank to verify your identity but obviously this doesn’t seem possible in your case.

Edit: Added “usually” as slightly less than 100% of email traffic is TLS encrypted.
Edit 2: Email is an old protocol and should not be considered particularly secure even when TLS is used.

Your email provider and their email provider are gonna see your pictures unless you use E2EE like PGP so if you’re ok with that then go for it.

Can you ask whether you could send the images via a link? You could email a Proton Drive/Ente/etc. link and they could view it with that? Adds an extra step to stop the file being viewed by email providers.

1 Like

I considered suggesting this, but it’s likely bank policy will prevent employees from opening links from random people (as should be the case).

1 Like

This isn’t remotely true. Email very often doesn’t even use TLS and even if it did you have to trust all parties in the chain as @fria pointed out. Now you are probably right in this case with Proton and the bank’s email (likely hosted by Microsoft).

Besides that often documents live around in email systems until they eventually get breached or caught up in some other collection. You shouldn’t rely on this at any point.

Also for OP. I am well aware that banks are often far behind on IT security, but this is rather extreme. I wouldn’t trust a party who even thinks this is a good way of identifying someone. I would really discourage you from using such parties. I get your request in the OP and it is hard to judge for us as readers, so I have to at least mention, please take care of due diligence. If a deal is too good to be true it might not be real.

You should consider that if you can identify yourself at this institution with a photo and a copy of ID, so can someone else. If someone gets hold of your documentation, which is not unrealistic, they will be able to do the same.

3 Likes

I provided a source in my original post and according to Google, their outbound and inbound email encryption rates are 96% and 100%, respectively. Therefore, I disagree that my assertions weren’t “remotely true” and would appreciate it if you could provide a source to support your claim.

As for trusting all parties in the chain, OP seems well aware of this fact in their post and even specifically mentions that the bank is likely using a third party to host their email.

1 Like

96% secure is basically the worst security guarantee I could imagine, sorry. I don’t have any source like you ask but unfortunately I still commonly see at my clients that many of their vendors do not have proper email security configurations.

From my own experience in many third world countries even big companies do not always have TLS on their websites, that one is easy to spot for an end user. Whether your email will be sent with TLS is afaik not visible in any email client.

2 Likes
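For mail you have already received (a reply from the bank, for instance), each server that handled it records the protocol it used in a `Received:` header, and RFC 3848 reserves `ESMTPS`/`ESMTPSA` for hops that used TLS. The following is an added example, not part of any post in this thread, that lists the hops of a message and flags those without TLS; the sample message, hostnames and IDs are constructed, and `transit_hops`/`unencrypted_hops` are hypothetical helper names.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop used TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message: hostnames, addresses and IDs are made up.
SAMPLE = """\
Received: from mx.bank.example (mx.bank.example [203.0.113.10])
\tby mail.user.example with ESMTPS id abc123;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from gateway.bank.example (gateway.bank.example [198.51.100.7])
\tby mx.bank.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from desktop.bank.example (desktop.bank.example [192.0.2.44])
\tby gateway.bank.example with ESMTPSA id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: support@bank.example
Subject: Re: ID verification

Constructed body.
"""

# Pull the sending host, receiving host and protocol out of one header.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.S | re.I)

def transit_hops(raw_message):
    """Return the hops in travel order as dicts: src, dst, proto, tls."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse to get travel order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # header without from/by/with clauses, e.g. local delivery
        proto = m.group("proto").rstrip(";").upper()
        hops.append({"src": m.group("src"), "dst": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Hops whose 'with' clause does not indicate TLS."""
    return [h for h in transit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in transit_hops(SAMPLE):
        print(hop["src"], "->", hop["dst"], hop["proto"], "TLS" if hop["tls"] else "NO TLS")
```

These headers are written by the servers themselves, so only the ones added by a provider you trust are reliable, and a hop without TLS may be internal to one provider's network.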

Okay, fair enough. I conducted research before posting but you bring up valid nuances and cases which I did not consider, although we seem to agree that in this case it’s likely TLS will be enabled. Regardless, it was not my intention to mislead anyone. I’ve made some edits to my original post but feel free to tell me if you feel it needs more tweaking.

2 Likes

This is a very good point and I think it has settled the debate for me. Luckily, they do advertise that they have a “secure messaging” thing (basically just a “secure” DM with someone at the bank on their website to share private documents) so I’ll try to suggest we use that. If they don’t budge then they just won’t get my business and I’ll have to wait and hope for better deals elsewhere.