G/F e-mailed me all her Credit Card info, shoud she cancel card?

[Neilk]

I told my G/F to buy herself a wireless router online. Apparently she was having trouble accessing the site from her office, so she e-mailed me ALL her credit card info except for the 3 digit security code. How dangersous is it to e-mail that info?

I am somewhat paranoid and my initial instinct is for her to call her CC issuer and have the number changed.

Agree or disagree?

[widebody911]

Post the complete email message here, complete with headers, and I can analyze it for you

The risk of a single email with the info is small, based on security thru obscurity. Unless someone has a network analyzer somewhere between you two, specifically filtering for CC info, and/or they had access to the intermediary email queue's, the exposure is tiny.

Where people were having problems was the old model of emailing your CC info to an online retailer to make a purchase, and someone on the inside would steal the data; the other common exploit was in the pre-SSL days to sniff plaintext traffic and filter on credit card # patterns.

[ubiquity0]

Yep- in reality its probably riskier using a credit card in a restaurant.

[David]

I don't think the risk outweighs the hassle of getting a new card, but I would watch the card's online statement every few days for the next few weeks.

This brings me to another thought. My wife thinks I'm stupid for online banking and online credit card statements (actually she thinks I'm stupid for a lot of reasons). I think I'm safer because I review my account every week or two. She only sees hers once a month.

[cstreit]

Damn straight ubiquity. With all the net traffic out there it's unlikely that someones looking at her connection or area for CC info... It's those places that still use carbon imprints that you really have to watch out for.

Many years ago I knew a guy who made a habit out of grabbing those from retail dumpsters and stocking up on mail-order bits... I think he did eventually get caught...

[Joeaksa]

She is actually riskier tossing an old receipt in the trash, which lots of people do. Someone then finds it and goes on a shopping spree.

Next time have her send half the card info in one email, and follow it up with the rest in a second email. Phone the security code number. That way its almost impossible to have a problem.

JoeA

[Porsche-O-Phile]

Not true. If someone can intercept one e-mail, they can certainly intercept two.

[widebody911]

Start using PGP - then you can send all the CC #'s and hot chat you want.

[Z-man]

Quote:

Originally posted by 125shifter
This brings me to another thought. My wife thinks I'm stupid for online banking and online credit card statements (actually she thinks I'm stupid for a lot of reasons). I think I'm safer because I review my account every week or two. She only sees hers once a month.

Actually, my wife thinks I'm stupid because I DON'T do any onilne money transactions. She so much wants to hit that 'Add to Cart' button, but I really don't feel comfortable with the whole online money thing.

Needless to say, I don't do online banking, or Ebay or paypal, or any of that stuff. I have, however, had success in securing a bank note for a large sum of money from a fellow in Nigeria who was interested in purchasing my 1981 Plymouth Turismo TC-3. But I digress...

I work in IT. There are just way too many ways around security. I don't care how many firewalls, VPN's, SSH's you have in place - where there's a will, there's a way. My goal is to minimize the chances of my numbers getting out, and keeping them off the interweb is a big step to do this, IMHO.

Oh yeah, I'd request the card number be changed - it's a very simple, straightforward process. All it takes is a quick phone call, and they can probably email you the new number. (Just kidding!)

-Z-man.

[legion]

Z-Man, you are 100% right.

I view online theft much like real-world theft though. What's a thief going to go for though? An unlocked car with the windows down and the keys in the ignition, or a locked car in a locked garage? On-line thiefs are going to try to break into places where they know valuable information exists, or try to "phish" for it. SSL, firewall's and such work because so many people don't use them and make for easier targets.

[widebody911]

Quote:

Originally posted by Z-man
I work in IT. There are just way too many ways around security. I don't care how many firewalls, VPN's, SSH's you have in place - where there's a will, there's a way.

Most exploits now occur at the carbon layer. Why go thru the hassle and math of decrypting SSH when you can just call the guy up and ask him for his credit card #?

[claptrap]

Just because the email reached it's destination doesn't mean no copies were kept en-route on both sending and recieving smtp servers. Who knows who has access to the mail queues on those servers.

Practically speaking, the likelyhood is low that the information will be misused, but don't think of email as a transient thing that disappears once it's delivered and deleted. Companies keep copies for a variety of reasons and, if you have access, searching through the mail queues for information is an easy thing to do and not subject to auditability. Treat email as a permanent record.

Without being paranoid about information security, just consider the risk of theft vs. the inconvienence of reissuing a new credit card.

Scott

[FrayAdjacent911]

Yeah, that was a not-so-smart thing for her to do. Emails are transmitted in plain text, so if anyone was sniffing... they have her stuff. Have her call her credit card company posthaste.

[HardDrive]

What a bunch of wackos.

Ummmm..yeah, there is a really remote chance that her card could be compromised. I handle network security for my company, and the entire e-mail system is my baby (I am the local 'Exchange Hoe' ). If my wife emailed me her card number, I would not cancel the card.

If you won't be able to sleep at night, then cancel it.

[claptrap]

Just call her and give her the number.

The Wacko.

[Z-man]

I don't understand what the fuss is about asking for a new card number. I've done it a couple of times - once when my # was stolen (at a gas station) and once before that. It is no problem - they close the old number, issue a new card, and transfer all the charges to the new card. No additional costs are incurred, and the CC company will gladly do it, especially if you tell them the card number may have been compromised.

Obviously you are worried about the number being lifted - otherwise you wouldn't have posted here. Just do it and be done with it - no harm in being safe.

-Z-man.

[notmytarga]

To change your credit card number will require you to contact and inform any/all companies that use it for billing monthly charges for cellphone etc. And online retailers (like Pelican) that hold the number under lock and key ...hmmm.... need to be updated. I'm sure there are plenty that think that registering credit info is risky. So it's not really a simple thing for many people. You do have to go throught the same thing whenever a new card is issued with a new expiration date.

Checking the online statement info, downloading to Quicken etc. is both a convenience and a safeguard against questionable charges - all of which are made by my wife!

[widebody911]

With my CC provider, it's a PITA to change the #; they want to cancel the old # immediately, so you're without the card for 1-3 weeks while they coax the elves into making a new one. It's a pain for me because I don't have a wallet full of them.

OTOH, changing once a year or so is a good idea, although some vendors are very aggressive and can get the new # without your intervention.

[dhoward]

Most CC companies nowadays will give you one-shot numbers for all of you on-line paranoia guys...