Secure, or not? Assess the risk before sending credit card info


Before you send your credit card information online, over the phone or by mail, it helps to think like a hacker.

The next time you're about to share your credit card number, put on a robber's raccoon mask and think about it: Where are the potential breach spots along the path your information will travel? What are the security loopholes, and how can you close them up so your information doesn't fall into the wrong hands?

We asked Internet security experts to discuss some of the common methods of sending credit card information, and to rate their security risk levels for the average consumer.

Unsecured email
Risk level: High

Security experts unanimously agree that a garden-variety, unencrypted email is a very insecure way to send sensitive information. Email can be hacked, spoofed and eavesdropped on.

Unsecured email offers crooks four points of exposure -- your own computer, your email server, your recipient's email server, and your recipient's computer -- making it one of the riskiest ways to send credit card information.

Even if you are submitting the message through a secure connection, if either computer is infected with a virus or other malware, it leaves the door open to hackers.

"The designers of email didn't intend for it to provide confidentiality," said John Ackerly, CEO of Virtru, an email privacy company.

"It's kind of like sending a postcard, put on the side of a mail truck, as opposed to sending a (sealed) letter," said Will Ackerly, co-founder of Virtru and a former NSA Internet security architect.

Fax
Risk level: medium

This old-school method of sending information is fairly secure -- with one big asterisk, according to Gary Miliefsky, founder of SnoopWall, a spyware detection software company.

As long as both fax machines transmit and receive through the traditional method over telephone lines (as opposed to Internet faxing), the process poses minimal privacy threat. "If someone eavesdropped or bugged the line, all they would hear is the screechy noise" -- the one you hear when connecting to the Internet by dial-up modem, Miliefsky said.

A big risk enters when you can't be certain the intended recipient is the only one who will see the fax. If you're sending your credit card or other sensitive information, Miliefsky suggests making sure that the recipient will be standing by the fax machine ready to receive it and immediately confirm its arrival. Also, make sure any confirmation printouts containing sensitive information -- either on the sending or receiving end -- are destroyed.

Postal mail
Risk level: medium

Though it's becoming less necessary to send credit card information by mail, on occasion an order form or a bill will require this information. You seal up the envelope and hope for the best.

The good news is that the U.S. Postal Service provides good protection of your information. "There are extensive laws that are quite explicit about the fact that intercepting U.S. mail is a federal crime," said John Ackerly.

However, once the mail reaches its destination, "You're really at the mercy of the policies that that institution has," he said.

Secure websites
Risk level: medium

You'll know you're at a secure website because your Web browser will display "https" in the location or URL bar. Most Web browsers feature a graphic lock you can click to examine the site's security certificate. Secure sites help ensure that the data you send will be encrypted.

If sending sensitive information, consider using a document storage site such as Dropbox, or, which allows you to send confidential information that self-destructs.

The catch with these sites is, again, "weak endpoints," said Miliefsky, which means you can be on the most secure site over a secure Internet connection and still have someone literally watching your keystrokes via spyware. The answer? Keep your malware protection up to date, and stay vigilant.

It boils down to "trust never; verify always," Miliefsky said.

Text message
Risk level: low (with additional protections)

It is hard for people to hack into text messages, but the risk to security involves their long life span: They exist on your phone until you delete them. If either phone ends up in the wrong hands and the text message has not been deleted, it could pose a problem.

New technologies can make text messages more secure. Companies such as Wickr and Silent Circle have added encryption technology to text messages and also include a message self-destruct feature, so they don't stay permanently on the recipient's end.

Encrypted email
Risk level: low

Though unsecured email is one of the worst ways to transmit sensitive information, you can eliminate a lot of risk by adding email encryption technology. Available options include Virtru and Infoencrypt. Any mail plug-in that utilizes PGP (which stands for Pretty Good Privacy) will add a level of security by scrambling the information in transit until your intended recipient unlocks it with a security key. Some keys have an expiration time, providing additional protection.

Since the revelations about data snooping by the National Security Agency, Google and Yahoo have begun encrypting emails by default, but if your recipient doesn't have encrypted email, your message is still vulnerable after it leaves the Gmail or Yahoo servers.

Additional ways to beef up your security

  • Watch out for public Wi-Fi -- connecting to the Internet in a public hot spot such as a coffee shop leaves your computer and your information vulnerable to attack. Disable file sharing and use a virtual private network (VPN) if you can.
  • You can send your credit card information in pieces. For example, send the number in one encrypted email; the expiration date in another; and your billing address in a third.
  • If you're creating a paper trail by fax or mail, obscure some of the digits of your credit card number, and instruct the recipient to call for the remaining information.
  • Be sure to keep your computer up to date on anti-virus software -- and don't be shy about asking recipients what level of protection they have on their computers, too.


Published: April 8, 2014


Updated: 10-23-2016
