
Secure, or not? Assess the risk before sending credit card info

Summary

We asked Internet security experts to rate the common methods of sending credit card information to see which pose the greatest risks.


Before you send your credit card information online, over the phone or by mail, it helps to think like a hacker.

The next time you’re about to share your credit card number, put on a robber’s raccoon mask and think about it: Where are the potential breach spots along the path your information will travel? What are the security loopholes, and how can you close them up so your information doesn’t fall into the wrong hands?

We asked Internet security experts to discuss some of the common methods of sending credit card information, and to rate their security risk levels for the average consumer.

Unsecured email
Risk level: high

Security experts unanimously agree that garden-variety, unencrypted email is a very insecure way to send sensitive information. Email can be hacked, spoofed and eavesdropped on.

Unsecured email offers crooks four points of exposure — your own computer, your email server, your recipient’s email server, and your recipient’s computer — making it one of the riskiest ways to send credit card information.

Even if you are submitting the message through a secure connection, if either computer is infected with a virus or other malware, it leaves the door open to hackers.

“The designers of email didn’t intend for it to provide confidentiality,” said John Ackerly, CEO of Virtru, an email privacy company.

“It’s kind of like sending a postcard, put on the side of a mail truck, as opposed to sending a (sealed) letter,” said Will Ackerly, co-founder of Virtru and a former NSA Internet security architect.

Fax
Risk level: medium

This old-school method of sending information is fairly secure — with one big asterisk, according to Gary Miliefsky, founder of SnoopWall, a spyware detection software company.

As long as both fax machines transmit and receive through the traditional method over telephone lines (as opposed to Internet faxing), the process poses minimal privacy threat. “If someone eavesdropped or bugged the line, all they would hear is the screechy noise” — the one you hear when connecting to the Internet by dial-up modem, Miliefsky said.

A big risk enters when you can’t be certain the intended recipient is the only one who will see the fax. If you’re sending your credit card or other sensitive information, Miliefsky suggests making sure that the recipient will be standing by the fax machine ready to receive it and immediately confirm its arrival. Also, make sure any confirmation printouts containing sensitive information — either on the sending or receiving end — are destroyed.

Postal mail
Risk level: medium

Though it’s becoming less necessary to send credit card information by mail, on occasion an order form or a bill will require this information. You seal up the envelope and hope for the best.

The good news is that the U.S. Postal Service provides good protection of your information. “There are extensive laws that are quite explicit about the fact that intercepting U.S. mail is a federal crime,” said John Ackerly.

However, once the mail reaches its destination, “You’re really at the mercy of the policies that that institution has,” he said.

Secure websites
Risk level: medium

You’ll know you’re at a secure website because your Web browser will display “https” in the location or URL bar. Most Web browsers feature a graphic lock you can click to examine the site’s security certificate. Secure sites help ensure that the data you send will be encrypted.

If sending sensitive information, consider using a document storage site such as Dropbox, or Oneshar.es, which allows you to send confidential information that self-destructs.

The catch in using these sites, once again, is “weak endpoints,” said Miliefsky, which means you can be on the most secure site over a secure Internet connection and still have someone literally watching your keystrokes via spyware. The answer? Keep your malware protection up to date, and stay vigilant.

It boils down to “trust never; verify always,” Miliefsky said.

Text message
Risk level: low (with additional protections)

It is hard for people to hack into text messages, but the risk to security involves their long life span: They exist on your phone until you delete them. If either phone ends up in the wrong hands and the text message has not been deleted, it could pose a problem.

New technologies can make text messages more secure. Companies such as Wickr and Silent Circle have added encryption technology to text messages and also include a message self-destruct feature, so they don’t stay permanently on the recipient’s end.

Encrypted email
Risk level: low

Though unsecured email is one of the worst ways to transmit sensitive information, you can eliminate a lot of risk by adding email encryption technology. Available options include Virtru and Infoencrypt. Any mail plug-in that utilizes PGP (which stands for Pretty Good Privacy) will add a level of security by scrambling the information in transit until your intended recipient unlocks it with a security key. Some keys have an expiration time, providing additional protection.

Since the revelations about data snooping by the National Security Agency, Google and Yahoo have begun encrypting emails by default, but if your recipient doesn’t have encrypted email, your message is still vulnerable after it leaves the Gmail or Yahoo servers.

Additional ways to beef up your security

  • Watch out for public Wi-Fi — connecting to the Internet in a public hot spot such as a coffee shop leaves your computer and your information vulnerable to attack. Disable file sharing and use a virtual private network (VPN) if you can.
  • You can send your credit card information in pieces. For example, send the number in one encrypted email; the expiration date in another; and your billing address in a third.
  • If you’re creating a paper trail by fax or mail, obscure some of the digits of your credit card number, and instruct the recipient to call for the remaining information.
  • Be sure to keep your computer up to date on anti-virus software — and don’t be shy about asking recipients what level of protection they have on their computers, too.


The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.