Wednesday, March 09, 2005 - 12:16

Shocking cryptography ignorance

Ok, so I haven't been blogging much lately - it all just seemed a bit pointless. But this is something that I felt I had to share with the world!

My cellular provider sends out invoices via e-mail, and recently they've been including a line at the bottom of the e-mail, as follows:

"For your safety we have encrypted the statement. For information on how to decrypt your statement please see the instructions below."

The instructions below go on to explain how to download Adobe Acrobat. So I sent them the following e-mail:

I notice that you say you are now encrypting my Nashua Mobile monthly
statement. The e-mail states that information on how to decrypt the
statement is given below, but there don't seem to be any such
instructions - the only information given below is on how to download
Adobe Acrobat. And indeed, all I seem to need to do to view my
statement is open it in Acrobat.

So what I'd really like is some information on how the statement is
encrypted and decrypted, and what the aim of the encryption is. It
would seem to me that either it isn't actually being encrypted, or
else it is being encrypted but using some known key embedded in
Acrobat, which makes the encryption somewhat useless as any copy of
Acrobat can be used to view it.

Feel free to go into technical detail - I'm a cryptographer, so I
should be able to follow your explanation.

After a couple of days, I got this in reply:

Kindly note that we use Adobe 128 bit standard encryption on all our PDF
statements. Only Adobe Acrobat reader 5.0 and higher can decrypt the PDF
file.

You will notice that there is a little key at the bottom left of the PDF
document. This means that the document is encrypted.

As per SARS this is sufficient.

Hmm. So as long as it's "128 bit", and there's a little key on the bottom left, everything's okay and I shouldn't worry about it. After all, SARS (our Revenue Service) is happy!

I don't think so. I sent them this in reply, and am now awaiting an answer:

Thanks for the reply.

Using 128-bit encryption is fine, but quoting "128-bit" is meaningless
without specifying the algorithm. 128 bit DES is fine, 128 bit with a
public key algorithm is pretty bad.

Besides that, though, encrypting something is useless if everyone has
the key to decrypt it. Anyone intercepting my statement can open it,
as long as they are using Acrobat 5 or higher. Doesn't that rather
defeat the purpose of encrypting it? Surely, the point of encrypting
it is to make sure that only I can read it?

I'm not terribly hopeful, but it should be interesting to see if they reply at all, never mind with something a little more intelligent.

And this is one of the problems with security - if you throw in the words "encrypt", and maybe "key" (even if you're talking about an icon rather than a cryptographic key), and oooh, "128 bit", everyone will think they're safe even when they're very clearly not.


