
Credit card by email


What do you guys think about using email to send CC numbers? What is the real risk I'm running with that? I understand that the email goes through my SMTP server to the POP3 server on the receiving end. I trust the receiving end. Does the SMTP server normally archive emails? I would imagine that's an invasion of privacy, or is it?

-- Toggle Whippin' Yahoo
Skydiving is easy. All you have to do is relax while plummeting at 120 mph from 10,000' with nothing but some nylon and webbing to save you.


There's always fax, too, but I'm lazy. Maybe I should use the dz.com email, I'm sure Sangiro wouldn't steal my CC number ;) I need it to set up donations anyway. Hopefully after this transaction the online billing thingy will finally be updated >:(

You know, that's a thought. Why not use the dz.com email addy? Hrm...


-- Toggle Whippin' Yahoo
Skydiving is easy. All you have to do is relax while plummeting at 120 mph from 10,000' with nothing but some nylon and webbing to save you.

Lots of customers send me c/c info by email. A couple of ways to make it "safer" - send part of the numbers in one email and the rest of the numbers in another one, or put the credit card info in a word file and attach that to the email.


The more I think about it, the better I like the idea of using the dz.com addy. The receiving end is secure, and Sangiro would never do something like that. I'll do that and let you guys know how it goes;)


-- Toggle Whippin' Yahoo
Skydiving is easy. All you have to do is relax while plummeting at 120 mph from 10,000' with nothing but some nylon and webbing to save you.

Quote

What do you guys think about using email to send CC numbers?



That it's a Bad Idea.

Quote

What is the real risk I'm running with that?



The risk is that someone could (a) intercept the email before it arrives at its intended destination, or (b) that someone could intercept the email after it arrives at its intended destination, or (c) that one of Joe Shithead's friends could snag the email off of his computer after the email arrived.

Don't send something like your credit card info over the wire without encrypting it first.

Quote

Does the SMTP server normally archive emails?



It can. Any SMTP server between you and your final destination could be archiving emails for any number of purposes, legitimate or not. The email could be stuck on an SMTP server for any length of time depending on how successful the SMTP server is at contacting the next hop.

Quote

I would imagine that's an invasion of privacy, or is it?



Why would it be? It might be morally objectionable, but I don't think it's an invasion of privacy. After all, you're relying on someone else's equipment to get your message to the final destination. What they do with that message while it's on their system is their business. Make sense?

Use some form of encrypted communication to deliver your credit card info. If you can't encrypt the communication between you and the receiver then think about doing it the old-fashioned way and pick up the phone.

-
Jim
"Like" - The modern day comma
Good bye, my friends. You are missed.

Quote

The more I think about it, the better I like the idea of using the dz.com addy. The receiving end is secure, and Sangiro would never do something like that. I'll do that and let you guys know how it goes;)



Just don't use a pm on here. We all know what HH does with them;)

Credit card numbers in e-mail is definitely not safe!!!!

If you really must do it go here: http://www.pgp.com/products/freeware.html

It is free encryption software that is fairly easy to use. Both the sender and receiver need to install the software and then make a password to their randomly generated encryption. Then it is just a matter of writing the e-mail, clicking the encryption button and sending it off.

Alternatively there are services such as PayPal, which is free to start up, and charges a VERY small charge per transfer.
T.S.S # 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To dream great dreams is itself an act of daring. -Eric Shipton & Bill Tilman
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using PGP for a one-time transaction doesn't give you good safety unless you can exchange keys securely (ie, not over teh intarnet).

but it's better than plaintext... If I needed to send someone I just met my CC# and all I had was the internet to do it, I would be more worried about its safety in his/her hands than in transit. If the recipient was in a public space when s/he read your email any shoulder-surfer could bogart it, etc.

If you're really paranoid I think escrow services are the way to go...gets you a margin of confidence in your goods as well as your CC#. but it costs money so maybe not worth it if your transaction is going to be small.

nathaniel
My advice is to do what your parents did; get a job, sir. The bums will always lose. Do you hear me, Lebowski?

Quote

Using PGP for a one-time transaction doesn't give you good safety unless you can exchange keys securely (ie, not over teh intarnet).


Actually, it's very secure. The whole point of public key cryptography is that you can freely disseminate your key.

Have you ever heard of key signing? Man-in-the-middle attack?

The point about sharing public keys is true, but anyone else can share "your" key too, and give theirs instead of yours.

An attacker doing this to both sides in a transaction can effectively read or spoof the transaction.

This is (part of) the reason key signing companies like VeriSign, Thawte, etc came into existence.

nathaniel
My advice is to do what your parents did; get a job, sir. The bums will always lose. Do you hear me, Lebowski?

Quote

Have you ever heard of key signing? Man-in-the-middle attack?


Yes. And yes. And I consider emailing my public key to be safe enough for a low-to-medium dollar amount transaction. In that case, what I am mostly worried about is an under-paid ISP employee reading my email or some script kiddie sniffing my packets. If we want to up the paranoia level a little bit, he can call me back and read off the checksum.

Quote

This is (part of) the reason key signing companies like VeriSign, Thawte, etc came into existence.


There are several documented cases of impostors spoofing keys or (in at least one case) of obtaining legitimate signed keys in the name of a well known software company.

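The call-back check mentioned in the post above, sketched as an added example that is not part of the original thread. It assumes the "checksum" is the OpenPGP version 4 key fingerprint; the key material is constructed toy data and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (algorithm id 1)."""
    return b"\x04" + struct.pack(">IB", created, 1) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte length and the packet body (RFC 4880, section 12.2)."""
    if not body or body[0] != 4 or len(body) > 0xFFFF:
        raise ValueError("expected a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def spoken_form(fingerprint: str) -> str:
    """Group the 40 hex digits in fours, the way they are read out on a call."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))

def matches_spoken(body: bytes, spoken: str) -> bool:
    """True only if the full fingerprint of the received key equals what was read out."""
    heard = "".join(spoken.split()).replace("-", "").replace(":", "").upper()
    # Require all 40 digits: a short key ID is easy to collide and proves nothing.
    if len(heard) != 40 or any(c not in "0123456789ABCDEF" for c in heard):
        return False
    return hmac.compare_digest(v4_fingerprint(body), heard)

# Constructed toy values, not real RSA keys: only the byte layout matters here.
CREATED = 1000000000
GENUINE = rsa_key_body(CREATED, (1 << 511) | 0x1D2C3B4A59687, 65537)
SUBSTITUTED = rsa_key_body(CREATED, (1 << 511) | 0x7A6B5C4D3E2F1, 65537)

if __name__ == "__main__":
    read_over_phone = spoken_form(v4_fingerprint(GENUINE))
    print("owner reads out:", read_over_phone)
    print("key from owner accepted:", matches_spoken(GENUINE, read_over_phone))
    print("swapped key accepted:", matches_spoken(SUBSTITUTED, read_over_phone))
```

The comparison only helps if the fingerprint travels over a different channel from the key itself; a fingerprint pasted into the same email can be replaced along with the key.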
The analogy I always use is a postcard. Would you feel comfortable writing your credit card number on the back of a postcard and mailing it to someone?

Anything sent over the Internet, that isn't encrypted, is there to be seen by anyone who looks. The Internet is a public UNTRUSTED network! It is not private, or secure, in any way shape or form.

Long distance is cheap these days. Use the phone. Tapping phones is a pain in the ass and can't be done by a kid who downloaded some really cool software from the Internet.

-------------------------------------------------------
Windwalker
Whatever doesn't kill me, just makes me cry.
