PSA: Don't email your credit card information

[kristof65 26966]

ARRRRRRRRRRRRRRRRRRRRRRRGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:

 

So the company I contract to has a service department email address. One person in the organization is responsible for responding to these emails, but this particular email address is copied to six different people (including myself, an independent contractor for them) so that we all know what's going on if needed, and so that one of us can take over if the primary guy is out.

 

So a customer sends an email to our service department requesting parts, and to pay for those parts, he provided his credit card info in the email - full number, name, billing address, CVC, expiration date, etc. So immediately, six of us now have his CC information. Fortunately for him, we're all honest sorts, and are not going to steal his CC info (though we can't speak for anyone on the servers in between him and us).

 

But that's not the worst part - our guy needed more information, and replied back to the customer without stripping the CC info from the reply email. By the time I saw the email and caught that, and admonished our guy, the conversation chain had been back and forth a half dozen times, and our customer had extended it to two other people in his organization, while our guy added two more on our side.

 

This guy's credit card information has now been spread directly to at least 8 different individuals by name, and traveled multiple times through an unknown number of intermediary servers. While I'm pretty sure no one in our organization will knick the info for personal gain, I won't be the least bit surprised if his credit card ends up being compromised at some point.

 

DON'T SEND YOUR CREDIT CARD INFO THROUGH EMAIL.

 

While some of the path your emails take may be encrypted from server to server, you can't guarantee that, plus most standard email clients do not store their emails in an encrypted format. And once it hits your recipients email box, you have to trust them to remove it from their computers. If they don't, and just one of them has or later gets a virus looking for that sort of stuff - boom, your number is compromised.

[dsmiles 35885]

[BLZeebub 2533]

But if you don't email your credit card information and email passwords, how can you pay someone for cleaning the nasty virus your computer is infected with?!

Edited January 15, 2016 by BLZeebub

[Kheprera 36862]

There is not enough facepalm for this.

 

Have you sent a separate, confidential email (or better, called) the customer and informed him of the compromise to his data so he can cancel the card and protect himself?

[Erifnogard 58596]

I kind of view this as a form of Darwinism in action.

[TGP 74284]

There is not enough facepalm for this.

 

 

[Crowley 104294]

This person clearly needs to cancel that card NOW and request a new number. Also some head smacking for all involved... 

[Arc 724 18318]

"WHEN THE DEPOSED PRINCE OF NIGERIA CONTACTS ME PERSONALLY.... "

 

LOL

[ShadowRaven 55968]

If you are going to send you CC info by email, send it to me. I'm honest enough to not empty your account, but you may find some odd purchases appearing

[EvilJames 8075]

I would like to thank Kristof65's customer for his contribution to Obvious Oblivious Day. May the rest of your day be not quite as dumb as that.

Edited January 15, 2016 by EvilJames

[kristof65 26966]

There is not enough facepalm for this.

 

Have you sent a separate, confidential email (or better, called) the customer and informed him of the compromise to his data so he can cancel the card and protect himself?

Yes.

 

And I'm sure that if he does actually cancel it, he'll do it right before we try to run his credit cards for the parts we're shipping him, and thus we wont' send the parts, and he'll be all mad at us like it's our fault.

 

This is the same guy that's demanding warranty on a point of sale system that was purchased and installed at the business in 2003. Even though he didn't buy the business from the original owner until 2010, his justification is that he had to buy a few parts and pay for a system upgrade to make it fully operational again after he bought it. It's the equivalent of buying a used high mileage car from a private seller, putting new rims and tires on it and a new stereo in it, and then demanding that the dealership warranty everything else on the car just because you bought the rims, tires and stereo from them.

[Kheprera 36862]

Sounds like this is a Special kind of guy... Stephen Lynch kinda special...

[kristof65 26966]

If you are going to send you CC info by email, send it to me. I'm honest enough to not empty your account, but you may find some odd purchases appearing

Man, I can't tell you how tempting that is to do some days. This is not the first guy that has emailed me his credit card number, nor will it be the last, I'm sure. The ones that really kill me are the ones who do it when I send them an email with a final price tally of the parts they're ordering, along with a message to call the phone number into our main office and give them the credit card number. I have boilerplate text for this that says in all caps "DO NOT EMAIL YOUR CREDIT CARD INFO"

 

And they do it anyway.

 

Some days I just want to penalize those people with a small Profantasy or Reaper mini purchase...

 

...but, alas, that would be wrong, and therefore I don't do it.

[The Gamer of C-ville 205]

I can't help but feel that this should have been at the end of an episode of GI JOE back in the 80s.  I'm an adult now and I still remember to get out of the water when it's starts to lightning.

[OneBoot 77670]

I would expand that to "think twice before sending any sensitive information by email, ESPECIALLY IF IT ISN'T YOURS."

 

I am currently the secretary for the local women's organization in my church, and one of my jobs is to take attendance during the ladies-only Sunday meetings and get those numbers to the clerk who handles such things. Twice now, he's emailed me a handy Excel spreadsheet with all the ladies' names on it so I can mark off who attended at least once a month. The problem is, that spreadsheet also included the full birthday and age of everyone on that list (including me). So here's a tidy list of over a hundred ladies with their full names, ages and birthdays.

 

Needless to say, the first time this happened, I totally freaked out, having had proper handling of sensitive info hammered into me in my speech-language pathology program. I asked him not to ever do that again (I also made sure to strip that info out before sending it back). Three months later (he sends me the spreadsheet once a quarter), he forgot to remove those columns before sending it.

 

I am going to ask him again, in a more strongly worded email, to stop doing that, and also remind him that email is not a secure way to transfer information. If it happens a third time, I will talk to the next person up the line (whom I believe would be our bishop). It's not that he's doing this out of malice, I really do think he just forgot. It's still a major concern, though. :/

 

Huzzah!

--OneBoot :D

Edited January 15, 2016 by OneBoot