Beware of misplaced trust. Even PEC, the theoretically ultra-secure Certified Electronic Mail (Posta Elettronica Certificata), can be compromised. And since PEC is a cornerstone of our digital identity, that should worry us. We can and must protect ourselves, with a defence strategy that takes into account every digital channel that revolves around our PEC.
The worrying scenario and the attacks that are multiplying
SPID, the Electronic Identity Card (CIE) and PEC were meant to be the winning combination of our digital future, or rather of our digital home: SPID and CIE (in future only the latter, in the current Government's plans) identify us and officially validate our access to public administration portals and more, while PEC is the electronic mailbox in which information and documents can be exchanged in a theoretically safe and armoured way.
Everything on your PC (or phone, or tablet), no travel, no queues, maximum security and everything immediately available. True, this is the future. But the present forces a troublesome running-in: our habits must adapt, change, modernise. And technologies and the Web have their ghosts, and the path sometimes derails: hackers, spies, data thieves, identity thieves and, if they are lucky, thieves of our possessions. The news is full of them. The fact is that our digital home is at risk.
Fresh off the press and on the web is the news that in recent days many Italian SPID accounts have been breached by hackers. Fortunately they only managed to steal personal data on the holders (sensitive all the same), not the access credentials. Those credentials are in any case protected by a mandatory two-factor validation via our now inseparable smartphone, and only on the one specifically enrolled for these operations.
For PEC the matter is different, more delicate, even more insidious, for two reasons. First: ordinary PEC mailboxes, in use for many years, still rely in most cases on single-step validation, which today must be considered rudimentary: simply typing a username and password. Second: despite some additional barriers, PEC is exposed to many of the ills of ordinary electronic mail.
Is what we send from our regularly activated PEC rigorously certified as "equivalent" to a registered letter? Yes. Is what we receive equally so? Yes, but only if we know how to check meticulously the certifications attached to the message and to the incoming documentation. It seems a contradiction, but that is how it is.
Why, and how, PEC can contain a deception
Phishing (attempts to steal sensitive data or, worse, to steer us into fraudulent payments), computer viruses (often deployed to obtain what phishing tries to obtain), all of it perhaps used to carry out full identity theft for other, even more serious frauds: PEC cannot be considered immune. In fact it can suffer from the same problems that affect ordinary email, either because what is presented to us in our PEC inbox as a PEC is actually an ordinary email disguised as one, or because it really is a PEC, but one that was activated fraudulently. This too happens.
In the first case, the deception exploits the fact that our PEC mailbox is not limited to receiving other PECs but is also open to ordinary email messages: an option that exists in practically all PEC services, with the possibility of choosing one setting or the other. In the second case, the obligation to provide the essential identity data of the PEC owner at activation may not be applied as rigorously as it should be, despite the providers' certification procedures. Here too a skilled identity thief can manage to activate an apparently normal PEC mailbox, perhaps in the name of an unsuspecting citizen, and use it for fraudulent purposes.
Messages disguised as PEC now arrive in waves. To give one example: on behalf of the Revenue Agency (Agenzia delle Entrate) they ask us to pay into a fraudulent account, perhaps a disposable one located abroad (a non-Italian IBAN is a warning sign in this case), sums that are in most cases relatively small, precisely to induce us to pay immediately "and not think about it anymore".
It is no coincidence that the new procedures for making PEC "European", that is compliant with EU rules and interoperable, so that certified email can be exchanged throughout Europe, provide for much more rigorous, additional security measures compared to ordinary PEC.
To make our PEC European, two-factor authentication becomes mandatory, together with a new, rigorous verification of the owner's identity, through a procedure activated via SPID or CIE. The same applies in other countries. Is everything solved? Not at all. The transformation of PEC into "European" PEC will become mandatory only in the coming months, and even if the Italian procedures for "Europeanising" PEC seem sufficiently rigorous, are we sure that it will be so in the multitude of other countries? Then there remains the problem of ordinary emails, perhaps disguised as PEC in the header, whose tampering may be obvious to an expert eye but can escape the less attentive.
How to raise the barriers of our Certified Mail
A good PEC defence strategy combines a series of actions, on top of the now well-known precautions for protecting our Internet browsing and our email from cyber criminals.
First, in the configuration of our PEC mailbox we disable the reception of ordinary email messages. It is true that all Italian PEC services flag an incoming message that does not itself come from a PEC, wrapping it in an "anomaly" envelope with an explicit warning, but in the confusion of incoming mail the stop sign can be missed; and that warning is only a label in the subject and headers, while the real guarantee of a PEC is the provider's digital signature on the transport envelope, which the mail client verifies. Disabling the reception of ordinary email is the best solution. After all, what use is there in receiving ordinary email on the PEC when we have one or more "normal" addresses that we give to all our contacts? PEC serves for messages that are in some way "official", and it is best to limit its use to those alone.
To recognise a possible fraud behind an apparently authentic PEC, first of all we examine the sender address carefully. At the slightest suspicion of irregularity, we first verify that it is a real address that actually corresponds to the stated sender. Sending a PEC to that same address asking for confirmation and waiting for the answer tells us only that the mailbox exists and is read: if the PEC itself was activated fraudulently, it will be the fraudster who confirms. So we also insert the sender's PEC address into a search engine to verify that it corresponds to a real owner (private individual, company, institution, public administration) actually carrying out the activity in whose name it presents itself, and we cross-check by telephone, using a number obtained independently and not one printed in the message.
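The checks above (the anomaly flag on ordinary mail delivered to a PEC mailbox, the sender address, and the non-Italian IBAN warning sign from the Revenue Agency scam described earlier) can be applied mechanically to a raw message before a human reads it. The following Python script is an added example written for this edit, not code from the article or from any PEC provider. It assumes that the provider's transport envelope is a multipart/signed message carrying an X-Trasporto header ("posta-certificata" for a genuine PEC, "errore" for the anomaly envelope around ordinary mail); the three messages it triages are constructed samples, not real traffic, and the IBANs in them are the standard published test values. It deliberately does not verify the S/MIME signature, which is the authoritative check and belongs to the mail client or a proper verifier; the script only refuses to call anything a PEC that lacks the signed envelope structure, and it checks each IBAN with the ISO 13616 mod-97 test before looking at its country code.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed envelope marks (not from the article): X-Trasporto values for a genuine
# PEC and for the provider's anomaly envelope wrapped around ordinary mail.
PEC_TRANSPORT = "posta-certificata"
ANOMALY_TRANSPORT = "errore"
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97: rotate the first four chars to the end, A..Z -> 10..35."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def find_ibans(text: str) -> list[str]:
    """IBAN candidates in the body, with presentation spaces removed."""
    return [m.group(0).replace(" ", "") for m in IBAN_RE.finditer(text)]


def classify_envelope(msg) -> str:
    """'pec' or 'anomaly' only when the signed envelope structure is present; a
    forged X-Trasporto header or subject on a plain message stays 'ordinary'."""
    transport = str(msg.get("X-Trasporto", "")).strip().lower()
    signed = msg.get_content_type() == "multipart/signed" and any(
        p.get_content_type() in SIGNATURE_TYPES for p in msg.iter_parts())
    if signed and transport == PEC_TRANSPORT:
        return "pec"
    if signed and transport == ANOMALY_TRANSPORT:
        return "anomaly"
    return "ordinary"


def sender_warnings(msg) -> list[str]:
    """Display-name and Reply-To lures, which work even inside a real envelope."""
    warnings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    shown = re.search(r"@([\w.-]+)", name)  # an address planted in the display name
    if shown and shown.group(1).lower() != domain:
        warnings.append(f"display name shows {shown.group(1)} but sender is {domain}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        warnings.append(f"Reply-To diverts answers to {reply}")
    return warnings


def triage(raw: str) -> dict:
    """Parse one raw message; return its envelope class and every warning raised."""
    msg = message_from_string(raw, policy=policy.default)
    envelope = classify_envelope(msg)
    warnings = sender_warnings(msg)
    subject = str(msg.get("Subject", "")).upper()
    if envelope != "pec" and subject.startswith("POSTA CERTIFICATA:"):
        warnings.append("subject claims PEC but no provider envelope is present")
    if envelope == "anomaly":
        warnings.append("ordinary email wrapped by the provider: sender unverified")
    body = "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    ibans = find_ibans(body)
    for iban in ibans:
        if not iban_is_valid(iban):
            warnings.append(f"malformed IBAN {iban}")
        elif not iban.startswith("IT"):
            warnings.append(f"payment requested to non-Italian IBAN {iban}")
    return {"envelope": envelope, "from": parseaddr(str(msg.get("From", "")))[1],
            "ibans": ibans, "warnings": warnings}


# Constructed samples, not real traffic; the signature body is a placeholder.
GENUINE = """\
X-Trasporto: posta-certificata
From: posta-certificata@pec.example.it
Subject: POSTA CERTIFICATA: Fattura 2024/17
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Si prega di saldare la fattura su IBAN IT60X0542811101000000123456.
--b1
Content-Type: application/x-pkcs7-signature; name="smime.p7s"

MIIBAQ==
--b1--
"""
ANOMALY = GENUINE.replace("X-Trasporto: posta-certificata", "X-Trasporto: errore").replace(
    "Subject: POSTA CERTIFICATA:", "Subject: ANOMALIA MESSAGGIO:")
SPOOF = """\
From: "Agenzia delle Entrate <protocollo@agenziaentrate.gov.it>" <notifiche@mail-hosting.example>
Reply-To: riscossione@fast-pay.example
Subject: POSTA CERTIFICATA: Avviso di pagamento
X-Trasporto: posta-certificata
Content-Type: text/plain; charset="utf-8"

Versare 146,00 euro entro 48 ore su IBAN DE89 3704 0044 0532 0130 00.
"""

if __name__ == "__main__":
    print(triage(GENUINE), triage(ANOMALY), triage(SPOOF), sep="\n")
```

The spoofed sample is instructive: it forges the X-Trasporto header and the "POSTA CERTIFICATA:" subject, yet it is classified as ordinary because it has no signed envelope, and it collects four warnings (the address hidden in the display name, the diverted Reply-To, the unbacked PEC claim in the subject, and the German IBAN). The anomaly sample shows the provider's own flag being surfaced rather than buried in the subject line. None of this replaces the search-engine and telephone checks above; it only decides which messages deserve them.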
Of course, this providential verification is sometimes easy, sometimes less so. A supposed traffic fine may not be easy to check, whereas a suspected forgery of a payment request in the name of the Revenue Agency can be exposed with ease: it is a good opportunity to activate access to our Cassetto fiscale (tax drawer) comfortably from our PC, if we have not already done so, following one of the tutorials proposed by FIRSTonline.