A surefire way to make tech-savvy people shudder is to email them your credit card number to pay a bill.
It’s not that they don’t appreciate the transfer of funds to their account, but they understand that with email, you’re not just sending it to them. Any number of people in between (or computers, called “man in the middle,” “MITM” or just “bots” in this context) can intercept, read, store, and potentially use that data.
When you send an email directly to a person, it’s not going directly to them.
We tend to think in analogue terms, with “sender” and “recipient” being directly connected. We forget to consider all the points in between. In the digital world, when you send an email it has to go from your computer to your Internet Service Provider, and then from there, it is passed through several other servers before it reaches the sending server. That’s not a typo: it hasn’t even been sent yet. Once the email has arrived at the sending server, it is passed through the world wide web until it arrives at the recipient’s computer. Because it happens so quickly, we consider it to be a direct connection, but let’s think about the origins of the term “world wide web” for a moment and consider what that might look like visually: Many thousands of computers all connected together, passing data between one another. When you send an email, it is passed through many, many systems before it reaches the recipient.
Email, in its native form, is not encrypted.
Here’s the trap: when you log in to your email, be it through an installed application or a webmail service (Gmail, for example), you’ll likely see that they are “secure.” Email applications typically require encrypted authentication, and webmail services are actually secure sites themselves, much like online banking.
Email is transmitted in plain text, and can be read, analyzed and stored by any one of the computers it touches along the way.
With your email application, encryption happens during authentication. This means your username and password are encrypted (generally not readable by the systems they pass through), but the email itself is not (because email is not encrypted).
When you log in to a webmail service, you may see the “secure connection” notifier, usually a little “lock” icon in your address bar, which may present the illusion that your email itself is secure, but it is not. Only the current browser session is secure. Your username and password are encrypted, and the data being shown on your screen is also encrypted for that session (the connection between the receiving server and your computer). However, all that email in your inbox had to be delivered to your service provider, meaning it went from the sender out to the world wide web in plain text through many computers before reaching your inbox. Similarly, any email you send through that service leaves the secure session and enters the world wide web to be delivered to the recipient. Since your connection to the service itself is encrypted, what you see on the screen cannot be read directly by someone intercepting the data. However, as soon as you hit “send,” it’s anyone’s guess how many people could potentially see it as it shoots out over the web in its unencrypted form.
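For a message that has already arrived, the hop-by-hop path described above can be inspected: each relay prepends a Received header, and the "with" keyword in it (RFC 3848) records whether that hop used TLS. The following Python code is an added example, not part of the original post; the sample message, hostnames and function names are constructed for illustration.

```python
import email
import re

# Constructed sample message; hosts and addresses use reserved example ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with LMTP id c3; Mon, 4 Mar 2019 10:00:07 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Mon, 4 Mar 2019 10:00:05 -0500
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.isp.example with ESMTPSA id a1; Mon, 4 Mar 2019 10:00:02 -0500
From: customer@sender.example
To: billing@recipient.example
Subject: Payment details

(body omitted)
"""

# Registered "with" keywords whose S means the hop used TLS (RFC 3848 and later).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}


def _clause(name, text):
    """Return the token following a Received clause keyword, or None."""
    match = re.search(r"\b%s\s+(\S+)" % name, text, re.IGNORECASE)
    return match.group(1).rstrip(";") if match else None


def hops(raw_message):
    """List the relay hops in travel order with the protocol each one recorded."""
    msg = email.message_from_string(raw_message)
    result = []
    # Each relay prepends its header, so the oldest hop is last in the file.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        proto = (_clause("with", text) or "UNKNOWN").upper()
        result.append({"from": _clause("from", text), "by": _clause("by", text),
                       "with": proto, "tls": proto in TLS_KEYWORDS})
    return result


def unprotected_hops(raw_message):
    """Hops where the receiving relay did not record TLS for the transfer."""
    return [(h["from"], h["by"]) for h in hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print("%-22s -> %-28s %-8s TLS=%s" % (hop["from"], hop["by"], hop["with"], hop["tls"]))
```

A TLS keyword covers only that one hop's transport: every relay in the list still handled the message in readable form, and headers written by earlier hops can be forged, so the result shows where a message was exposed rather than proving it was protected.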
Regardless of your trust for the recipient, there is no way to know whose servers the email is passing through, nor whether you can trust them. We’ll err on the side of caution and suggest that you never trust traditional email with confidential information.
Email can be encrypted… with the appropriate software.
There is hope for email after all.
ESET Endpoint Encryption allows the secure transmission and reception of encrypted data by email. By utilizing this product on both the sending and receiving end, it becomes possible to obscure the text from prying eyes, protecting the confidentiality of your company and customer data.
It’s not necessarily the service providers sniffing your data.
We like to believe service providers are honest and not skimming through emails to find people’s credit card numbers, and hopefully the vast majority are. But the compromise doesn’t need to come from the provider themselves.
Viruses on infected servers could be monitoring email traffic passing through the server, software tools can be used by hackers to sniff unencrypted data as it passes through the coffee shop WiFi, and shady companies have been known to set up servers on the web specifically to collect this type of data as it passes through, which they may either use or sell to the highest bidder.
The safe alternative for payment processing.
I can’t speak for all companies, but I would expect most connected companies offer some way to pay a bill electronically in a safe fashion.
Picking up the phone and calling in your card number is much safer than email, because it is a much more “direct” connection to the recipient. Just make sure you’re the one making the call, or you know the person on the other end.
For our customers specifically, we offer a secure payment gateway at secure.positiveesolutions.com, which can be accessed via the “Pay Online” button on our web site. It is secure, encrypted, and our customers’ credit card data is never transmitted or stored in an unencrypted form.
Regardless of the how or why, the simple fact remains: email without encryption is not secure.
Write your credit card number on a piece of paper and pass it around a full room of strangers. Surely, you would never do such a thing. That’s essentially what you do when you type it into an email and press “send.”
Be educated, be safe.
I originally wrote this post on March 11, 2015. It has been edited and re-posted in 2019 with more current information.
Robbie Ferguson is the host of the Endpoint Security Podcast at Positive E Solutions Inc. His day-to-day includes providing security-related advice and training to companies and individuals across Canada, and offering solutions to protect against modern threats in the workplace.