Welcome to WebmasterWorld Guest from 18.208.211.150

Forum Moderators: LifeinAsia

Message Too Old, No Replies

Client giving away credit card details by email

How naive can people get?

     
6:38 pm on Apr 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 8, 2002
posts:1157
votes: 0


I have a prospective client who has sent across his credit card details (including the name, number, expiry date) by email! Is this day and age, isn't this a bit naive? What should I do now -

Send the credit card sign up page back to the prospect and ask him to enter the details? Or do I just go ahead and enter the details myself?

Also, do you think it is wise for me to "educate" this guy on the dangers of sending the credit card details by email? Or do I just forget about it?

7:02 pm on Apr 2, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


Most internet credit card theft occurs when CC details are stored on a merchant's server, which is then hacked into or compromised from within the company (who knows which in most cases)... IMO, it would be incredibly time-consuming to find CC info in email transmissions, to the point where I doubt many people would bother putting the time into it.

First you'd have to gain access to an email server (it seems you would either need intercept the emails en-route or gain access to all the accounts on the server... not sure on that point), and then find some efficient way of scanning through the messages looking for 16 digit numbers, and if and when you found a message with a CC number in it, you'd only have one number to show for your efforts.

If you compromise a company's ecommerce system, and can get their online database of client CC numbers, you may spend slightly more time getting in (assuming the company has secured their ecom servers better than the ISP has done with the mail server), but you'll have a huge collection of numbers to show for it if you succeed.

I think the biggest danger of sending CC info by mail is that someone at the receiving end might be snooping on your intended recipient's computer...

But, to actually answer your question -- hehehe -- I'd just input the info he sent you into your processing page yourself.

6:06 pm on Apr 3, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Dec 19, 2001
posts:285
votes: 0



Call me naive, well maybe not, I have sent these details by e-mail but have:

* broken the number over three e-mails
* spelt out several of the numbers (2 becomes two)

Unless someone was monitoring a mail box I think it would be hard to get to.

..... Shane

7:03 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


I will generally send the number in one message, the expiration date in another, and the billing address/name in the third. However a great deal of credit card mis-use problems can be blamed squarely on merchants.

I recently had a credit card number used fraudulently, when the person only had the card number, and made their purchase over the phone. I also had a big hassle with a phone bill, when I accidentally entered my boss' visa number with my own billing address on the phone co's online payment form.

The store where my number was used fraudulently did not check the number against any billing info, and neither did the phone company (as my billing address definitely does NOT match my boss' card number)... so ALWAYS use some kind of verification system to check if a CC number actually matches the address/cardholder information given for it.

7:11 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 19, 2000
posts:2501
votes: 27


My customers send credit card info by e:mail all the time. Usually split in two e:mails. Never had a problem or any reports of a problem after the fact. As Mivox said, this sort of theft is usually a result of hacking into server files.
7:18 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 4, 2001
posts:997
votes: 0


Yes, it is generally not going to be a problem. Unfortunately, by assumming it isn't a problem or by doing fancy tricks to make things harder (like sending multiple messages) is called security through obfuscation, and isnt real security.

If you send an email unencrypted, anyone on your local network(university, company, cable modem line), anyone at your ISP(including the intern there for the summer), anyone at the ISP of the company that hosts the recipients mail server, anyone who has access to that mail server, and anyone on your recipients local network or ISP can potentially snoop that data depending on how the network is set up. Thats a potentially long list.

If you've already recieved such an email, fine, use it. On the other hand, using email for credit card transactions is potentially dangerous.

7:26 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 8, 2002
posts:1157
votes: 0


Hmm.. So this means lots of customers TRUST their online merchants/service providers. Now all I need to do now is setup a bogus "company" with non-existant dirt cheap products and wait for my customers to send their credit card info by email...
7:35 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member mivox is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 6, 2000
posts:3928
votes: 0


Sure anyone on the network can read my email... but, my point is that very few people are going to bother. I'm more worried about things like this [computerworld.com]... which are much more common, and account for virtually ALL internet-related stolen card number problems.

Nothing you can do about that sort of thing except not use any CCs online.

At my company, we had a fradulent telephone transaction where the guy apparently got the CC number off a discarded receipt at a business convention in New York... that woman might never have shopped for anything online in her life, much less emailed her CC info to anyone, but she still got scammed.

Nothing you can do about that sort of thing, except not use any CCs anywhere.

But, as a cardholder, it is a piece of cake to get fraudulent transactions removed from your account, so there's no real benefit in being paranoid. Check your accounts online once a week, and you'll be able to report them even before you get your paper statement. And as a business owner (since they're the ones who get stuck with the losses in most fraudulent transactions) you can check and double check any suspicious orders you receive.

7:41 pm on Apr 3, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 5, 2001
posts:2732
votes: 11


Confidential information such as credit card numbers should not be distributed via e-mail by any means. E-mail is NOT encrypted, it is sent out in plain text and as it travels it way across the internet there are many many points for people to sniff the connection and obtain the information.

You should be scared if someone's doing this. Normally all they will disclose is the last 4 digits if even that. I would not do business with a company e-mailing out credit card numbers over the internet. I dont email mine out to people I dont accept them from people.

I see all the time clients just emailing me saying 'Charge my card my # is ......' oOoo I tell them stories upon stories. :)

3:14 pm on Apr 4, 2003 (gmt 0)

New User

10+ Year Member

joined:Feb 18, 2003
posts:25
votes: 0


If you have a merchant account then accepting credit card numbers by email is a violation of your merchant agreement. All the cards have minimum security requirements. American Express seems to be the most agressive at reminding merchants about the rules.

The VISA site includes The Digital Dozen [usa.visa.com] where #4 is "Encrypt data sent across public networks"

If they catch you using email for CCs they will shut off your merchant account.

3:22 pm on Apr 4, 2003 (gmt 0)

Senior Member

joined:Jan 27, 2003
posts:2534
votes: 0


Yeah, I've had a few of these. The funny thing is that i'm not even working for the company they want to contact half the time, so they're sending their details to a total unknown quantity. Some people are just clueless in this regard.

>>Also, do you think it is wise for me to "educate" this guy on the dangers of sending the credit card details by email? Or do I just forget about it?

C'mon, do the guy a favour :)
I send a terse email explaining that this is incredibly dumb and pointing them at a fraud info page.