S3D Re: CC & e-mail

[Brian Reynolds <reynolds@xxxxxxxxx>]

Bob Wier wrote:
> >In general, it's a bad idea to send credit card info by e-mail anyway, even
> >if you address it only the right person.  E-mail is not a very secure
> >communication channel.  Messages potentially get routed through dozens of
> >machines on the Internet before they reach their destination.  Anyone along
> >the way could be getting credit card numbers (not to mention e-mail
> >addresses) along the way.
> >
> >-pd
> 
> I've had to do it a couple of times, although not recently. Probably
> the most nervous was sending a CC number to England. What I did
> that time was to break the number up into 3 pieces, sending them
> out of order, 1 day apart on each. 
> 

The safest way to send credit card information via email is to use
some form of public key encryption.  PGP is the most popular email
method.  Unfortunately the US government doesn't really want people to
be able to use strong encryption, but that's a debate for a different
mailing list.

> I *much* prefer secure web links now, though.
> 

Just remember that you still have to worry about the security of the
remote server.  Hopefully no one can crack SSL (yet) if they sniff
your packets, but once the data reaches the remote server it is
decrypted and vulnerable to attack.  A good system would immediately
send the data (probably via a one way serial link) to a machine not on
any network so that it doesn't remain exposed to attack.

-- 
Brian Reynolds                  | "Dee Dee!  Don't touch that button!"
reynolds@xxxxxxxxx              | "Oooh!"
http://www.panix.com/~reynolds  |    -- Dexter and Dee Dee
NAR# 54438                      |       "Dexter's Laboratory"