[ic] Credit Card Info in email

Matt Clauson mec@dotorg.org
Sun, 10 Dec 2000 13:41:18 -0700

On Sun, Dec 10, 2000 at 12:40:47PM -0600, Jennifer Jones wrote: 
> I've just installed this program, so I'm still working out all the kinks
> here, but I'm getting the credit card info sent in the email to the
> store owner, but it's not out where I can get it on the website in the
> customer order section.  Isn't it unsecure to send that info through
> email?

I apologize for this being a bit off-topic, but since it's of general
interest, I'll post it here.  Please excuse me for any rambling
incoherencies.  For the record, I'm a Unix Systems Administrator and
have been for the past several years.  I also do network and data
security analysis as a bit of a side.

In general, you should never send 'sensitive data' (ie: SSN, credit
cards, etc) in the clear over the public Internet -- whether it be by
regular email, non-SSL web traffic, or telnetting into a server to
read your mail.  Packet sniffers abound over the Internet, and since
you can't guarantee the entire path your traffic will take, it stands
very much to reason that somewhere, along the path, someone can see
the traffic.  Whether it's a criminal sniffing for credit card numbers
or just some network engineer seeing when his ISP has to order more
bandwidth, numbers can be captured, and are easily stored for later

This chain, however, doesn't just end between the network interfaces
of Joe Webbrowser and VirtualStore.com.  We can't rely on the fact
that someone hasn't 'hacked' the core webserver for a site, and put
some kind of traffic sniffer on the system...  Or backdoored the
database.  Unless you run your own system, or trust the person who is,
to catch these kinds of intrusions, the card numbers still aren't
safe.  In all honesty, what I would reccomend, if you aren't running
your own system, is the order system encrypting the entire order,
credit card and all, using some kind of public-key cryptography (my
personal favorite is PGP), and emailing the data to you at a site that
you either a) trust to be secure or b) run yourself.

If emailing it with encryption offsite is not a possibility, and you
trust the system you're on, I suggest you leave the email in a local
mailbox, and login to read the mail using SSH and a Unix mailreader,
such as Mutt, Pine, or Elm.  DO NOT read the mail with a POP/IMAP
reader, such as Outlook (or the Express variant), Netscape's Mail
client, or Eudora.  Doing that transfers the data unencrypted, and
you're back where we started.  The same thing applies to using regular
telnet -- the data can easily be sniffed, as well as your login and
password.  (In fact, I reccomend not controlling, configuring, or
uploading data using a non-encrypted session, such as FTP, telnet, or
RSH.  SSH (secure shell) runs with encryption, and is somewhat more
safer.  My favorite Windows SSH client includes a zmodem transfer
option, and I move files across that way if I can use scp between two
Unix boxes.)  SSL-telnet, which is available for most Unix
distributions, does not have this issue.

If you absolutely have to control and access the data over the web,
YOU MUST use a SSL-enabled connection. (look for the https://,
people!)  Regular web browsing is just as sniffable as telnets and
unencrypted emails.  It's a bad thing, and leads to a lot of data
leaks.  A good amount of web-based email providers (hotmail and yahoo)
have this problem.  They may encrypt the login session, however, the
traffic with your email passing across it is unencrypted...  And if
you send your credit card number through one of these services, it's
pretty much as good as sniffed.

Hope this little missive helps clarify a few matters, but most likely
I've raised a few questions.  I'll be happy to answer them, on-list
(until the off-topic complaints get big) or in direct email.  Yes,
dotorg.org is a valid address for me.  I registered the domain a
couple of years ago...  However, you oughtta see some of the spam I
get with people faking emails from the domain!  *grin*

Oh, and as for you guys banging on the code, you have my undying
thanks -- you've got a good product here, and I hope to make my own
contribution at some point.