kristof65

PSA: Don't email your credit card information


ARRRRRRRRRRRRRRRRRRRRRRRGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:

 

So the company I contract to has a service department email address. One person in the organization is responsible for responding to these emails, but this particular email address is copied to six different people (including myself, an independent contractor for them) so that we all know what's going on if needed, and so that one of us can take over if the primary guy is out.

 

So a customer sends an email to our service department requesting parts, and to pay for those parts, he provided his credit card info in the email - full number, name, billing address, CVC, expiration date, etc. So immediately, six of us now have his CC information. Fortunately for him, we're all honest sorts, and are not going to steal his CC info (though we can't speak for anyone on the servers in between him and us).

 

But that's not the worst part - our guy needed more information, and replied back to the customer without stripping the CC info from the reply email. By the time I saw the email and caught that, and admonished our guy, the conversation chain had been back and forth a half dozen times, and our customer had extended it to two other people in his organization, while our guy added two more on our side.

 

This guy's credit card information has now been spread directly to at least 8 different individuals by name, and traveled multiple times through an unknown number of intermediary servers. While I'm pretty sure no one in our organization will nick the info for personal gain, I won't be the least bit surprised if his credit card ends up being compromised at some point.

 

DON'T SEND YOUR CREDIT CARD INFO THROUGH EMAIL.

 

While some of the path your emails take may be encrypted from server to server, you can't guarantee that, plus most standard email clients do not store their emails in an encrypted format. And once it hits your recipient's email box, you have to trust them to remove it from their computers. If they don't, and just one of them has or later gets a virus looking for that sort of stuff - boom, your number is compromised.

  • Like 13


But if you don't email your credit card information and email passwords, how can you pay someone for cleaning the nasty virus your computer is infected with?!

Edited by BLZeebub
  • Like 11


There is not enough facepalm for this.

 

Have you sent a separate, confidential email (or better, called) the customer and informed him of the compromise to his data so he can cancel the card and protect himself?

  • Like 2


This person clearly needs to cancel that card NOW and request a new number. Also some head smacking for all involved... 

  • Like 3


If you are going to send your CC info by email, send it to me. I'm honest enough to not empty your account, but you may find some odd purchases appearing.

  • Like 3


I would like to thank Kristof65's customer for his contribution to Obvious Oblivious Day. May the rest of your day be not quite as dumb as that.

Edited by EvilJames
  • Like 3


There is not enough facepalm for this.

 

Have you sent a separate, confidential email (or better, called) the customer and informed him of the compromise to his data so he can cancel the card and protect himself?

Yes.

 

And I'm sure that if he does actually cancel it, he'll do it right before we try to run his credit cards for the parts we're shipping him, and thus we won't send the parts, and he'll be all mad at us like it's our fault.

 

This is the same guy that's demanding warranty on a point of sale system that was purchased and installed at the business in 2003. Even though he didn't buy the business from the original owner until 2010, his justification is that he had to buy a few parts and pay for a system upgrade to make it fully operational again after he bought it. It's the equivalent of buying a used high mileage car from a private seller, putting new rims and tires on it and a new stereo in it, and then demanding that the dealership warranty everything else on the car just because you bought the rims, tires and stereo from them.

  • Like 5


If you are going to send your CC info by email, send it to me. I'm honest enough to not empty your account, but you may find some odd purchases appearing.

Man, I can't tell you how tempting that is to do some days. This is not the first guy that has emailed me his credit card number, nor will it be the last, I'm sure. The ones that really kill me are the ones who do it when I send them an email with a final price tally of the parts they're ordering, along with a message to call the phone number into our main office and give them the credit card number. I have boilerplate text for this that says in all caps "DO NOT EMAIL YOUR CREDIT CARD INFO".

 

And they do it anyway.

 

Some days I just want to penalize those people with a small Profantasy or Reaper mini purchase...

 

...but, alas, that would be wrong, and therefore I don't do it.

  • Like 3


I would expand that to "think twice before sending any sensitive information by email, ESPECIALLY IF IT ISN'T YOURS."

 

I am currently the secretary for the local women's organization in my church, and one of my jobs is to take attendance during the ladies-only Sunday meetings and get those numbers to the clerk who handles such things. Twice now, he's emailed me a handy Excel spreadsheet with all the ladies' names on it so I can mark off who attended at least once a month. The problem is, that spreadsheet also included the full birthday and age of everyone on that list (including me). So here's a tidy list of over a hundred ladies with their full names, ages and birthdays. :zombie:

 

Needless to say, the first time this happened, I totally freaked out, having had proper handling of sensitive info hammered into me in my speech-language pathology program. I asked him not to ever do that again (I also made sure to strip that info out before sending it back). Three months later (he sends me the spreadsheet once a quarter), he forgot to remove those columns before sending it.

 

I am going to ask him again, in a more strongly worded email, to stop doing that, and also remind him that email is not a secure way to transfer information. If it happens a third time, I will talk to the next person up the line (whom I believe would be our bishop). It's not that he's doing this out of malice, I really do think he just forgot. It's still a major concern, though. :/

 

Huzzah!

--OneBoot :D

Edited by OneBoot
  • Like 2

