revjim.net

stupidity in action

The company I work for receives documents and orders from other competing companies that provide the same services we do. This cooperation is mandated by our government. Currently, these documents are received via a buggy process involving 1200 baud modems. Yes, that’s right, 1200 baud. At any rate, I decided that it was high time that this be changed and looked for another method of delivery. E-mail seemed to be the most agreed upon choice.

After working with the other companies’ developers I found out that they already have a process in place to distribute these documents via email. Since we don’t want to change the way our users see the documents on our end, the receipt of this email needs to be automated.

Concerns are immediately raised by me regarding the security of the data crossing the public network. It is determined by our legal department that the data found in these orders does classify as “sensitive” and therefore needs to be encrypted. The developers of the other company state that they are also prepared to do this using the IDEA encryption scheme and PGP.

Wow. I was shocked. I was amazed. I was excited.

As I began working on the project, however, my excitement died down as I became more and more aware of the truth. Yes, the documents are encrypted. Yes, they are encrypted with PGP. However, a public/private key pair is never used. Instead, they are one-way encrypted with a passphrase. That’s a lot less secure, but still good enough, I think. Then I find out that the passphrase will never change, as it takes editing every rule for every location that we wish to receive these orders for, and that that is just too much work. That’s even less secure, but still, it’ll pass.

I continue preparing my end and am finally ready for a test document. Of course, in order to test, I’ll need the passphrase. I call and ask them for it and almost spit out my morning coffee when I hear their response. The passphrase is simply my company’s name. Nothing more, nothing less.

I’m not sure what’s worse: the fact that they are using such insecure “security”, or the fact that I don’t even care enough to complain.
