
Sending credit card information by email

April 7, 2011

There’s a lot of discussion on the web on this subject. Most writers recoil in horror from the very thought with the attitude of, “Better to be paranoid than sorry.”

Yeah, I can see it, but only to a point.

Let’s pretend that I’m going to send my credit card info in not one, but three emails: the first email gets the first half, second email the second half, and the third gets the CCV number. In each email I’m going to place the numbers inside blocks of random text. I will assume that the merchant I’m contacting already has my billing address.

I contend that this is as safe as sending all that information in a webpage form over an SSL connection.

Let’s examine some points.

According to Verisign in a document published in 2005, approximately 2.25 billion emails are sent per day. Since that document doesn’t track domains such as .edu, we can assume that the number is much, MUCH higher. Let’s say, conservatively, 5 billion. That was six years ago. Assuming a growth rate of 10% (a ridiculously low number), we land on approximately 8.9 billion emails. Each. Day. It is safe to assume that number is much higher.

Let’s say there are one million hackers in the world whose sole purpose in life is to watch emails for credit card numbers. Each hacker gets 8900 emails to deal with: with 86,400 seconds in a day, he has about 9 seconds to process each one. Any good programmer can write a program to do this automatically. We’re not done, yet, though.

Now, the average email takes ten to fourteen steps through various servers before it lands in your inbox. It is extremely rare for two consecutive emails to take the same path. Thus, our hacker will, in all likelihood, not see all three of the emails. That’s okay, though, because some other hacker has the other missing pieces.

Maybe. And even if so, which one (or two) of the million hackers has the other pieces?

Can you see how hopelessly complex this problem is? Working on the theory of diminishing returns, the effort required to harvest one credit card number this way just isn’t worth it.

Now, another scenario:

Tonight, I will go out to dinner with my family. When the meal is done, I will hand my credit card to the waiter. He or she will disappear with my card for as long as ten minutes. During that time, that card is out of my control: the waiter can do whatever he or she wants with it. If I’m not otherwise careful online, Facebook or some blog somewhere will divulge my home address – all the information anyone would ever need to steal my identity.

I do this at least once a week without a second thought.

One wonders if the paranoia isn’t a little misplaced.