The usual ways of contacting the bank in question are via phone, email or Twitter. Since they don't encrypt their email traffic, and I didn't have time to wait on their staff on the phone (who does these days, right?), I decided to use Twitter. I had previous experience with them via this channel, and a positive one. They seemed to be on top of any problems they receive via tweets, and are quite fast to reply.
Translation: "Hello @TelenorBanka, did you know that emails you're sending to your clients are not encrypted in transit? Info: support.google.com/mail/answer/63..."
Just to add a bit more context to the story (or to make things even worse), the bank in question is the first ever Web-based bank (at least they market themselves this way) in Serbia. You'll notice that I've included a Google support link in the tweet, just to point their support in the correct direction.
Initially, the bank support just ignored me. It didn't help that I don't have many followers, and that my tweet did not get any special attention. I am guessing that the request I made was a bit too much for an average support guy, or I just overwhelmed them with an unusual request. So, three days later I made another tweet, politely asking them to turn on TLS for their outgoing emails.
Translation: "Hello, @TelenorBanka, could you turn on TLS for outgoing emails? I am not getting emails like this from other banks"
The translated gist of their response, spanning two tweets, is: "we won't do it for compatibility's sake". How valid is this excuse in 2017? I'll tell you: it just isn't.
NOTE: the text above was drafted during 2017. A tweet I've seen today, shaming another major provider of services in Serbia for their lack of TLS use, prompted me to follow up and actually publish the post. With a lot of time having passed, I am posting a screenshot of an up-to-date email sent to me from the bank. As you can see from the picture below, nothing has changed:
As you can see, the email wasn't transferred via TLS; the subject line translates to "Transaction approved" - and the email lists my account balance, transaction amount as well as the vendor.
A sad state of affairs indeed.