What is the disposable-address security risk to a bank?

Posted: Tue Mar 03, 2015 5:34 pm
by jpatsg
Ally Bank will not send email to disposable addresses. They claim that it is a security risk. The rep would not be more specific. I don't want to be a security risk, but I need to know what the reason might be before I have further discussions with them. What could be the security risk to a bank if they send email to disposable addresses?

Re: What is the disposable-address security risk to a bank?

Posted: Mon Mar 30, 2015 12:56 pm
by Jim27106
They might say they can't truly confirm your identity.

We're going to say that generated custom addresses (disposables) allow us to uniquely identify leakers, such as TD Ameritrade, http://articles.latimes.com/2011/may/24 ... s-20110524 (Bank of America), Allegacy, and I am sure the list goes on. What I call a liability problem for them they might call a 'security' problem.

Re: What is the disposable-address security risk to a bank?

Posted: Thu Apr 16, 2015 2:37 am
by josh
I'm not sure how they could say it was a security risk for them. They might think it's a security risk for you -- and I suppose it is: it's one more point of potential failure - your true email account could get hacked *or* the disposable email address server could get hacked, instead of just the one, and in either case your bank account could be in jeopardy. But it's no more risk than having, say, two email addresses with them at two different places.

Maybe they think people who run disposable address services must be less trustworthy than people who run regular email services? Speculating here...

Anyway, all that said, I have to discourage our users from using this service for banking and stuff like that - we think it's pretty secure, but our model is sort of premised on our users using the service only for junky unimportant things.

Re: What is the disposable-address security risk to a bank?

Posted: Sat Oct 31, 2015 10:25 am
by Clewby
josh, I'd take a minor issue with what you said. Banks (and anyone else) should not be assuming that emails are in any way secure, unless their content is protected by decent encryption: and then you can only say the content is secure. Emails can be deleted, copied, or modified in transit. If anything, they are less secure than a message written on a postcard. (I know you know this, but it is well to point out to people occasionally.)

The banks I deal with have supposedly secure messaging systems integrated into their online/Internet Banking websites and take great pains to tell customers that common-or-garden emails are not to be used for confidential information e.g. do not send your bank card PIN in an email.

Spamgourmet is not changing the security profile of email in any meaningful way (although if people are sensitive about the NSA taking copies of emails, non-US citizens resident outside the USA may have reservations about sending their emails via your servers that are on US territory. Shrug. You do not hide the fact you are a US-based service, so if people don't like it, they don't have to use your service.)

Re: What is the disposable-address security risk to a bank?

Posted: Sat Oct 31, 2015 5:51 pm
by Nuke
I have been with a couple of banks a long time - since a time before they demanded that you gave them an email address to have an account with them, even an on-line account. So they don't have my email address, and they won't - not even a disposable.

Every now and then these banks notice they don't have my email address and send me a message (via their logged-on internal message system) that I should give it to them. When this happens I have replied through the same system, pointing out to them that their on-line bank already has its ....er.... own message system. So why should they need my email address?

They are either stuck for an answer to this, or the best they can do is to say they will use my email to ask me to log on when there is an internal message waiting for me. Yet all the internal messages I have ever seen from them are non-urgent, such as bigging up new types of account they have introduced (spam you might say), or asking for my email address, which is where this story started.

I am not sure that most banks or other institutions would recognise a SG address as being a disposable anyway. I have never had one refused (I am in the UK - so UK banks). Mind you, I use "recursor" addresses more than "spamgourmet" as the word "spam" can set their alarm bells ringing.