Why don't banks sign their email using S/MIME?

It's usually a costs vs. benefits decision.

Costs:

  • Create your own CA infrastructure or buy a public certificate for each sender
  • Teach employees how to use it
  • Teach employees how not to use it, especially how to make sure that the secret key is really kept secret
  • Teach the customers what this strange stuff in the mail means
  • Properly deal with certificate expiration, revocation and all this stuff
  • ...

Benefits:

  • Usually the argumentation goes like this: nobody else is using this so there cannot be lots of benefits

Thus, unless the benefits are higher than the costs or some regulations require the use of signed mails, it will not be implemented.

Apart from that, correctly using S/MIME is not that simple for the recipient either. While there might be indicators which show if a mail is signed or not, few understand what these indicators look like, what kinds of different indicators there are, and that you should not trust any indicators which are included in the mail itself and try to make the user believe that everything is secure: i.e. something like trust seals, "scanned by whatever antivirus" messages etc. Thus there is also the cost of teaching all the users.


My bank never sends e-mails. Instead, there's a messaging service inside my online banking interface I can use. Furthermore, it is stated on both the bank's site and the printed materials I receive by mail that my bank NEVER uses e-mail for communications.

I understand this solution is good for the bank, because they are saving costs by not having a secure e-mail infrastructure. Not contacting me by e-mail also seems like a fair compromise between accessibility and security. Should my bank decide to communicate with me via mail, my first question would be: how do you tell which e-mail I have genuinely written, and which was sent to you in my name with fraudulent intent?

If I have to obtain my own certificate and somehow validate it with the bank, only to be able to get their messages in my e-mail client, I'd personally prefer to stick with the existing solution.