Secure, or not? Assess the risk before sending credit card info
By Cynthia Drake | Published: April 8, 2014
Before you send your credit card information online, over the phone or by mail, it helps to think like a hacker.
The next time you're about to share your credit card number, put on a robber's raccoon mask and think about it: Where are the potential breach spots along the path your information will travel? What are the security loopholes, and how can you close them up so your information doesn't fall into the wrong hands?
We asked Internet security experts to discuss some of the common methods of sending credit card information, and to rate their security risk levels for the average consumer.
Risk level: High
Security experts unanimously agree a garden-variety, unencrypted email is a very insecure way to send sensitive information. Email can be hacked, spoofed and eavesdropped on.
Unsecured email offers crooks four points of exposure -- your own computer, your email server, your recipient's email server, and your recipient's computer -- making it one of the riskiest ways to send credit card information.
Even if you are submitting the message through a secure connection, if either computer is infected with a virus or other malware, it leaves the door open to hackers.
"The designers of email didn't intend for it to provide confidentiality," said John Ackerly, CEO of Virtru, an email privacy company.
"It's kind of like sending a postcard, put on the side of a mail truck, as opposed to sending a (sealed) letter," said Will Ackerly, co-founder of Virtru and a former NSA Internet security architect.
Risk level: medium
This old-school method of sending information is fairly secure -- with one big asterisk, according to Gary Miliefsky, founder of SnoopWall, a spyware detection software company.
As long as both fax machines transmit and receive through the traditional method over telephone lines (as opposed to Internet faxing), the process poses minimal privacy threat. "If someone eavesdropped or bugged the line, all they would hear is the screechy noise" -- the one you hear when connecting to the Internet by dial-up modem, Miliefsky said.
A big risk enters when you can't be certain the intended recipient is the only one who will see the fax. If you're sending your credit card or other sensitive information, Miliefsky suggests making sure that the recipient will be standing by the fax machine ready to receive it and immediately confirm its arrival. Also, make sure any confirmation printouts containing sensitive information -- either on the sending or receiving end -- are destroyed.
Risk level: medium
Though it's becoming less necessary to send credit card information by mail, on occasion an order form or a bill will require this information. You seal up the envelope and hope for the best.
The good news is that the U.S. Postal Service provides good protection of your information. "There are extensive laws that are quite explicit about the fact that intercepting U.S. mail is a federal crime," said John Ackerly.
However, once the mail reaches its destination, "You're really at the mercy of the policies that that institution has," he said.
Risk level: medium
You'll know you're at a secure website because your Web browser will display "https" in the location or URL bar. Most Web browsers feature a graphic lock you can click to examine the site's security certificate. Secure sites help ensure that the data you send will be encrypted.
If sending sensitive information, consider using a document storage site such as Dropbox, or Oneshar.es, which allows you to send confidential information that self-destructs.
The catch involved in using these sites again is "weak endpoints," said Miliefsky, which means you can be on the most secure site over a secure Internet connection and still have someone literally watching your keystrokes via spyware. The answer? Keep your malware protection up to date, and stay vigilant.
It boils down to "trust never; verify always," Miliefsky said.
Risk level: low (with additional protections)
It is hard for people to hack into text messages, but the risk to security involves their long life span: They exist on your phone until you delete them. If either phone ends up in the wrong hands and the text message has not been deleted, it could pose a problem.
New technologies can make text messages more secure. Companies such as Wickr and Silent Circle have added encryption technology to text messages and also include a message self-destruct feature, so they don't stay permanently on the recipient's end.
Risk level: low
Though unsecured email is one of the worst ways to transmit sensitive information, you can eliminate a lot of risk by adding email encryption technology. Available options include Virtru and Infoencrypt. Any mail plug-in that utilizes PGP (which stands for Pretty Good Privacy) will add a level of security by scrambling the information in transit until your intended recipient unlocks it with a security key. Some keys have an expiration time, providing additional protection.
Since the revelations about data snooping by the National Security Agency, Google and Yahoo have begun encrypting emails by default, but if your recipient doesn't have encrypted email, your message is still vulnerable after it leaves the Gmail or Yahoo servers.
Additional ways to beef up your security
- Watch out for public Wi-Fi -- connecting to the Internet in a public hot spot such as a coffee shop leaves your computer and your information vulnerable to attack. Disable file sharing and use a virtual private network (VPN) if you can.
- You can send your credit card information in pieces. For example, send the number in one encrypted email; the expiration date in another; and your billing address in a third.
- If you're creating a paper trail by fax or mail, obscure some of the digits of your credit card number, and instruct the recipient to call for the remaining information.
- Be sure to keep your computer up to date on anti-virus software -- and don't be shy about asking recipients what level of protection they have on their computers, too.