Reading about plans to create private email by various companies to combat so-called phishing scams has piqued my interest: surely there must be a better way to do this than to have an email account for each service that you use? Especially if you have to visit a website to read this email; it’s as if we had to go to the local bank to collect our mail from it!
Gmail has a good solution to this where it warns you that a message may not be from who it claims to be when you open an email that looks suspicious. I’ve had a few fraudulent eBay messages flagged up by this and it is a nice, visible warning to be on your guard.
Another idea would be to introduce more digital signing of messages. One of the purposes of digital signatures is to verity that an item is from who it claims to be from. If the infrastructure was in place, the bank could sign emails that it sends to you and you can easily check the message is from the bank.
An email client is able to verify a signature is valid in much the same way as a browser checks the validity of the signature that assures you that you are buying from Amazon and not some kook who just has set up a website that looks like Amazon’s.
If I could download a PGP public key (for example, I’m not sure PGP is suitable for this kind of thing) for my bank, it would provide a means to verify that a message really did come from them. Even though it is by no means an automatic process, it is not a difficult process — copy, paste, click the Add button — and would be a great step in the right direction; rather than trying to create a walled garden that just gets in the way of customers.
Perhaps this isn’t needed at all. Maybe people just need to be smarter and not treat a computer as all knowing: people are becoming the weak link, as phishing’s continuing rise demonstrates. Some protection of this kind, however, would be very useful for those that could be bothered to use it.