Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

The security of the transmission of credit card numbers


Long time readers of this blog will know that two of my past overseas trips – China and Peru – have resulted in me being attacked by a spammer, trying to kill me.  Both times I fended off his evil intentions, but it’d be nice to go someplace where I wouldn’t need to worry about it.  To that end, convinced by my girlfriend, we shall be taking a trip later on this year to Belize.  As far as I know, Belize is not really a big spamming operation.  During the first half of this year, it sent us about a million messages (after IP filtering) of which 99% were marked as spam.  However, compared to the 100 other countries ahead of it on my list, this is small potatoes.

One of the things about traveling, especially to the developing world, is that while they have web sites describing their tours and services, they don’t always have online processing of payment information.  So, I might read about a nice sailing tour down there, but there’s no way to pay for it online.  Or rather, there’s no way to pay for it online without having a human in the middle.

By this, I mean that I got a question from my girlfriend this past week – is it a good idea to send your credit card information by email?  The background behind this is that there’s a tour she’d like to book after having seen the web site for it, as well as reviews on TripAdvisor.  However, they all require deposits.  How do you normally make a deposit?  With your credit card, of course.  Except that there is no way to book the trip online.  To do so, my girlfriend would have to do one of the following:

  1. Send the tour operators an email containing her credit card information (number and expiration date)
  2. Send the tour operators a fax (a what?) containing her credit card information

What should we do in this case?  If we don’t do it, we could potentially miss out on the booking of the trip.  But if we did do it, this is insecure.

Why is this insecure?  If you send an email or fax containing credit card information:

  • The email is sent in unencrypted clear text.  This means that anyone could intercept the message in transit and steal her information.  I would estimate that the likelihood of this actually occurring is quite low since someone would need to be deliberately looking for this information.  On the other hand, perhaps someone is just sniffing the line looking for any mail going to a particular email address and intercepting it that way, not necessarily caring who the sender of the email is, only the recipient.  In that case, any email going to this particular alias is interesting because some of it is likely to contain financial information.

  • Secondly, the credit card information is sitting in someone’s email inbox indefinitely.  Weeks to months later, this person’s email inbox could get compromised, or the email could be printed out and they could lose track of it.  Someone could then use her financial information to add charges to her credit card without her knowledge.

  • The situation is similar when faxing information.  I don’t know the communication protocols for faxing quite as well.  However, on the other end, the information is printed out in clear text.  If it is just lying around, or put into a filing cabinet somewhere, it is only as reliable as the person receiving it and how well they store sensitive information.  Since Belize is in the developing world, I’m betting that there’s not much.  What’s stopping someone from having it lying on their desk and another party walking into the tour shop, taking a quick glance, writing down the information and then walking away?

Members of my family sometimes ask me if it is safe to buy things online as opposed to over the phone. The answer I give them is that I feel more secure ordering online as opposed to over the phone.  The reason is that so long as you do it from a respected site like Amazon or eBay, and it is one that uses encryption (you’ll see a little lock on the browser), you will be okay.  Your credit card information is not transmitted in clear text; it is in cipher text.  If someone intercepts it, it will not be useful to them.  If you give someone your credit card information over the phone, what is stopping them from writing it down and using it weeks later?  It would be difficult to trace that back.  When you order online, there is no human processing and the order is done in an automated fashion.  While electronic data theft is a problem, it occurs less often than human, low-tech theft.

That leads me back to the issue of booking a trip to Belize.  I’m not sure what to say at this point.  If there are no other options, we might have to give out credit card information over the phone using a card with a low balance and anti-theft protection.  But I am not too thrilled about doing that.

Comments
  • Many credit card issuers can now give you a "one time use" number for transactions against your account.  Might be ideal for this case (for email or fax).

  • You could split the information: send all details in an email, apart from the number, which you'll fax. My unscientific guess is that the chances of someone intercepting both their email and their fax traffic AND linking the two aren't significantly bigger than someone breaking into your house and stealing your card.
