The Secure Connection Trap: Why Emailing Your Credit Card Number is Never Safe

“We’ll err on the side of caution and suggest that you never trust email with confidential information.”

A surefire way to make tech-savvy people shudder is to email them your credit card number to pay a bill.

It’s not that they don’t appreciate the transfer of funds to their account, but they understand that with email, you’re not just sending it to them. Any number of people in between (or computers, called “bots” in this context) can intercept, read, store, and potentially use that data.

When you send an email directly to a person, it’s not going directly to them.

We tend to think in terms of “sender” and “recipient” but forget to consider all the points in between. When you send an email, it has to go from your computer to your Internet Service Provider, and then from there, it is passed through possibly several other servers before it reaches the sending server. Once at the sending server, it is passed through the world wide web until it arrives at the recipient’s computer. Because it happens so quickly, we’re tempted to think it’s a direct connection, but let’s think about the origins of the term “world wide web” for a moment and consider what that might look like visually: many thousands of computers all connected together, passing data amongst each other. When you send an email, it is passed through many systems before it reaches the recipient.

Email is not encrypted.

Here’s the trap: when you login to your email, be it through an installed application or webmail service (Gmail for example), you’ll likely see that they are “secure.” Email applications typically require encrypted authentication, and webmail services are actually secure sites themselves, much like online banking.

Email is transmitted in plain text, and can be read, analyzed and stored by any one of the computers it touches along the way.

With your email application, encryption happens during authentication. This means your username and password are encrypted (generally not readable by the systems it passes through), but the email itself is not (because email is not encrypted).

When you login to a webmail service, you may see the “secure connection” notifier–usually a little “lock” icon in your address bar–which may present the illusion that your email itself is secure, but it is not. Only the current browser session is secure. Your username and password are encrypted, and the data being shown on your screen is also encrypted for that session (the connection between the receiving server and your computer). However, all that email in your inbox had to be delivered to your service provider, meaning it went from the sender out to the world wide web in plain text through many computers before reaching your inbox. Similarly any email you send through that service leaves the secure session through email and enters the world wide web to be delivered to the recipient. Since your connection to the service itself is encrypted, what you see on the screen cannot be read directly by someone intercepting the data, however as soon as you hit “send,” it’s anyone’s guess how many people could potentially see it as it shoots out over the web in its unencrypted form.

Regardless of your trust for the recipient, there is no way to know whose servers the email is passing through, nor whether you can trust them. We’ll err on the side of caution and suggest that you never trust email with confidential information.

It’s not necessarily the service providers.

We like to believe service providers are honest and not skimming through emails to find people’s credit card numbers, and hopefully the bulk majority are. But the compromise doesn’t need to come from the provider themselves.

Viruses on infected servers could be monitoring email traffic passing through the server, software tools can be used by “hackers” to sniff unencrypted data as it passes through the coffee shop wifi, and shady “companies” have even been known to setup servers on the web specifically to collect this type of data as it passes through, which they may either use or sell.

The safe alternatives…

I can’t speak for all companies, but I would expect most connected companies offer some way to pay a bill electronically in a safe fashion.

Picking up the phone and calling in your card number is much safer than email, because it is a much more “direct” connection to the recipient.

For our customers, we offer a secure payment gateway at secure.positiveesolutions.com — this can be accessed via the “Pay Online” button on our web site. It is secure, encrypted, and no confidential data is transmitted or stored in an unencrypted form.

Regardless of the how or why, the simple fact remains: email is not secure.

Write your credit card number on a piece of paper and pass it around a full room of strangers. Surely, you would never do such a thing. That’s essentially what you do when you type it into an email and press “send.”

Be educated, be safe.

-Robbie