trail wrote:
wimsey wrote:
Sorry, No legit reason to send an unsolicited email with a link. There are better ways.
OK.
Quote:
I'll take my two decades of experience as a software lawyer elsewhere with my input on this and defer to your expertise.
I agree on the unsolicited part. IT cybersecurity best-practices to treat customers with some respect would be to:
1) Only send a message notification email for a system the user already has an account on. The messaging system account creation should be an independent step from the first actual message. This account setup should detail the important URLs, how the messaging system (if 3rd party) was contractually authorized, and what privacy protections are in place. And it should require 2FA.
2) Don't include any links in a message notification email. Tell the user to log into the system they already know about. If necessary as a reminder, include a link in raw text (vs embedded hyperlink) to the main login for the system.
3) Include a phone # for verification. Have this phone # also be available on a public Web site so it can be at least partially validated as being unlikely to lead to a "phisher" on the other end.
I generally agree with your input.
I would not characterize an email from a state revenue authority as 'unsolicited'. I am mandated by law to have a relationship with the revenue authority where I live, and they are mandated to have a relationship with me. That has been true since I started having a money-generating job.
Communications in today's world are overwhelmingly digital. Most people prefer to have communications be digitally mediated in some form. For sensitive communications, many people would prefer those communications to be wrapped in additional layers of security, and in some cases it's required to happen that way.
Those realities are going to end up requiring some interim steps sometimes. That both provides additional security; provides additional opportunities for bad actors; and makes it more likely that the messages don't get through.
For example, to "include a link in raw text (vs embedded hyperlink) to the main login for the system" - yes, that's good practice. It's also something that suggests the sender doesn't have their act together, may not be tech savvy and/or generally not legit. (How many times have people griped in the LR about other posters not being able to properly post a hyperlink?) It also will almost certainly reduce the engagement with & effectiveness of the initial message if you add in an additional required step for the recipients.
None of that means your 3 steps are inaccurate or not appropriate. But it does mean that DavHamm's all caps declaratory statements that no legit entity should ever do it this way - that's simply not true.
Cyber security is a huge pain in the ass, and communications on important matters can suffer because of that. To state that there's only one right way to do things that both provide meaningful security and also achieve the ultimate purpose is pretty reductive.
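The three practices listed in the quoted post (no embedded hyperlinks, a raw-text URL only for the already-known login page, a published verification phone number) can be enforced as an outbound check before a notification email is sent. The following is an added example written for this thread, not code from either poster or from any revenue authority; the allowlisted login URL, the published phone number and the sample message bodies are all constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed allowlist: the one login URL the recipient already knows.
KNOWN_LOGIN_URLS = {"https://portal.example-revenue.gov/login"}
# Constructed placeholder: the verification number also published on the public site.
PUBLISHED_PHONE = "555-0100"

# Matches http(s) URLs in plain text; trailing punctuation is stripped before comparison.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _AnchorFinder(HTMLParser):
    """Collects every href on an <a> tag, i.e. every embedded hyperlink."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def lint_notification(text_body, html_body=None):
    """Return a list of policy violations for an outbound message-notification email.

    Rules (from the thread): plain-text URLs must be exactly the known login page,
    the HTML part must contain no clickable links, and the published phone number
    must be present so the recipient can verify the message out of band.
    """
    findings = []

    # Rule 2: the only URL allowed is the raw-text link to the known login page.
    for url in URL_RE.findall(text_body):
        if url.rstrip(".,)") not in KNOWN_LOGIN_URLS:
            findings.append(f"unexpected URL in text body: {url}")

    # Rule 2: no embedded hyperlinks at all in the HTML part.
    if html_body is not None:
        parser = _AnchorFinder()
        parser.feed(html_body)
        for href in parser.hrefs:
            findings.append(f"embedded hyperlink in HTML body: {href}")

    # Rule 3: the verification phone number must appear in the message.
    if PUBLISHED_PHONE not in text_body:
        findings.append("verification phone number missing")

    return findings


if __name__ == "__main__":
    # Constructed compliant message: raw-text known URL, phone number, no HTML links.
    good = ("You have a new secure message. Log in at "
            "https://portal.example-revenue.gov/login. Questions? Call 555-0100.")
    # Constructed non-compliant message: tracking-style link, HTML anchor, no phone.
    bad_text = "New message: https://secure-login.example.net/msg?id=123"
    bad_html = "<p><a href='https://secure-login.example.net/msg?id=123'>View</a></p>"
    print("good:", lint_notification(good))
    print("bad:", lint_notification(bad_text, bad_html))
```

Run as a pre-send gate in the mailer: an empty list means the draft follows the three practices; any finding blocks sending and names the offending URL or link, which is also useful when auditing a third-party messaging vendor's templates.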