# sending credit card info by email



## Ariell (Mar 28, 2005)

Long story short. I need to send $$ fairly quickly to Nepal. Mail is too slow and PayPal not an option. Credit card would be the easiest. 

Yes I know sending credit card info by email is not a good idea. But how risky is it? And is there a way to make it less risky? Thanks.


----------



## ArtistSeries (Nov 8, 2004)

It's risky enough - can't you call?
But it you really want to sent the info by email, I recommend not to sent all on the same email - multiple emails and don't send complete information - the person on the other end should be able to fill in the blanks.


----------



## guytoronto (Jun 25, 2005)

Two words: Western Union

http://www.westernunion.ca


----------



## winwintoo (Nov 9, 2004)

I'm going to guess here. Someone you know is travelling in Nepal and ran out of money. If that person is from Canada and has a bank account in one of the big 5 banks, you can email the money though your bank and if they can pick up email in Nepal, they can deposit in their bank account and withdraw it using their own bank card.

Did that when my son was in Thailand.

Just a thought.

Margaret


----------



## Ariell (Mar 28, 2005)

ArtistSeries said:


> It's risky enough - can't you call?


Tried that. They said their bank would not accept a phone confirmation -- that they needed something in writing in order to put charges on the card.


guytoronto, thanks I did look into that. But i've never used a wire transfer and it seemed a little problematic. Besides the $30 fee that I would rather not pay, their website only gives the option of paying in Cnd funds or Nepalese rupees and I need to pay with US funds. Tried the WU phone number but could not get a real person. Is a wire transfer safe? Is it fast?

Margaret, thanks but that won't work. It's to cover the registration fee of a volunteer program that I'm doing in Nepal. I'd like to get the $$ to them sooner rather than later to hold my place and confirm details of the placement (which they can't give me without the registration fee).


----------



## MacDoc (Nov 3, 2001)

If you can call in the info then provide them with an signed fax with the last four digits that should suffice.

Sending info in the clear is to be avoided.

Western Union should be quicker than a wire.

Wire is safe but slow.

What bank is it being sent to??


----------



## krs (Mar 18, 2005)

If the CC company finds out you sent the CC info by email they cancel the card on you and issue you a new one.
That's what happened to me indirectly. I paid a fee in Brazil using a secure website they had created and then that Brazil outfit *emailed* me the confirmation information back including name, birthdate and complete CC number.
I was "dumb" enough to call my CC bank (CIBC Visa) to find out if that was OK and the next thing I knew was that they cancelled the card and issued me a new one which created all sorts of problems for me. First I had to wait a week before the new card arrived and then I had to call all the companies thatI had set up for automatic payment from that card to give them the new card information. Some wanted it in writing - what a mess...never again.
What about sending a fax with the card info - the bank found that acceptable.
Or what some people do is to send the card info in sections in three different emails.


----------



## Boji (Oct 29, 2004)

Ariell said:


> Long story short. I need to send $$ fairly quickly to Nepal. Mail is too slow and PayPal not an option. Credit card would be the easiest.
> 
> Yes I know sending credit card info by email is not a good idea. But how risky is it? And is there a way to make it less risky? Thanks.


Way too risky Ariell... try using one of the methods others have mentioned.


----------



## Ariell (Mar 28, 2005)

MacDoc said:


> If you can call in the info then provide them with an signed fax with the last four digits that should suffice.
> 
> Sending info in the clear is to be avoided.


Thanks MacDoc. That sounds like a good idea. I will see if they are ok with that.



MacDoc said:


> Western Union should be quicker than a wire.


Sorry, my misunderstanding. I thought that Western Union _was_ a wire transfer but I've since discovered that WU is in fact a _money_ transfer whereas a wire transfer = bank to bank, correct? I don't have their banking info so to do a wire transfer, I would need to get this first. Hmmm, this is becoming more and more complicated. 

They only list payment by wire transfer, cc or money order/cheque by mail as payment options so I will need to see if the money transfer with WU is even an option.

krs, that does sound like it was a bit of a mess. But sending the separate emails sounds better. Does anyone else think doing this would be ok? 

Thanks for all the suggestions.


----------



## MacDoc (Nov 3, 2001)

Wire transfer is by far and away safest and the bank at the other end can track it by an 800 number and you can send a confirmation by fax but yes it will cost a bit.


----------



## gordguide (Jan 13, 2001)

" ... But how risky is it? ..."

Sending CC info by plain, unencrypted eMail is simply a silly idea; don't do it.

You do realize that dozens, if not hundreds, of servers will have a copy of that eMail, and will store it for who-knows-how-long, including possibly forever?

That thousands of employees working for dozens, or more, of companies, in who-knows-how-many nations, will have free access to this eMail?

That anyone, between here and wherever you send it, can intercept the eMail, and read it as easily as reading this post?

That you could be the victim of CC fraud not this week, but 2 years from now, because that eMail will still be stored, somewhere, 2 years from now?

That you are trusting everyone involved with proper disposal of their drives?

Just don't do it. No matter what the cost, no matter how much of a hassle, almost any other method is superior in so many ways it's not funny.

" ... But how risky is it? And is there a way to make it less risky? Thanks. ..."

There are many options to protect eMail from prying eyes; there is really nothing stopping you from using eMail to convey your information, but ordinary unencrypted eMail is not one of them.

Secure encrypted eMail with public and private PGP keys. (Will take a while to set up, and is somewhat confusing. Works great, though).
Sending an encrypted file attachment with the data.
Using a server with password protection; store the file on the server and relay the password via phone (not eMail) etc. You can eMail the url. DotMac will work for that; delete the file as soon as they indicate they have accessed it.


----------



## Ariell (Mar 28, 2005)

gordguide said:


> Secure encrypted eMail with public and private PGP keys. (Will take a while to set up, and is somewhat confusing. Works great, though).
> Sending an encrypted file attachment with the data.
> Using a server with password protection; store the file on the server and relay the password via phone (not eMail) etc. You can eMail the url. DotMac will work for that; delete the file as soon as they indicate they have accessed it.


Thanks gordguide. Ok, so you've sufficiently convinced me not to send the info by email.

BUT, I don't really understand your work-arounds. Sorry, I don't know what 'encrypted email with public and privae PGP keys' is or a 'server with password protection'. I also don't know how to encrypt a file. That's initially what I was hoping -- that there was a way to encrypt the info. but like I said I don't really understand what I need to do. 

Could you please post more info? Thanks.


----------



## krs (Mar 18, 2005)

I think setting up an encrypted email only makes sense if you need to send repetitive payments to the same party.
If they accept credit cards, don't they have an https website set up to handle those? That would only make sense.
And if they don't, they should set it up.
The other easy and secure way to send CC info is via Fax assuming they have a fax number


----------



## Ariell (Mar 28, 2005)

krs said:


> I think setting up an encrypted email only makes sense if you need to send repetitive payments to the same party.
> If they accept credit cards, don't they have an https website set up to handle those? That would only make sense.
> And if they don't, they should set it up.
> The other easy and secure way to send CC info is via Fax assuming they have a fax number


Nope, they don't have a https site. I agree that they should. They don't require the deposit to be done online, you can just mail your cc info. or money order. Problem is, mail to Nepal is notoriously slooooooow and unreliable. And I really need to get the deposit to them so that they can confirm details of my placement and then I can let my workplace know the details.

Yes, they do have a fax number. But somehow sending my cc info. halfway around the world to some random fax machine doesn't make me feel that comfortable either.  But I may need to consider that since other options are not looking so promising.


I tried to set up encrypted email following the instructions here: http://joar.com/certificates/ Great instructions and pretty easy to do. Only problem is, it only works if the _recipient_ has also followed the same steps and set up a digital certificate. Great! Somehow I think it might be difficult to convince the organization in Nepal that they really need to do this. 

I contacted the website author and he confirmed that yes, the recipient needs to follow the steps as well. So for my present situation, it's pretty much useless. His suggestion was to use a "GSM SMS message. It's encrypted in transit, and since it would travel separately from your email conversation, it would probably be safe enough". Sounds perfect. Problem is, I have no idea what he's talking about! :yikes: I emailed back to ask if he could clarify or tell me where I could find out how to set up a GSM SMS message but I havent't heard back.

So if someone else knows, please please share your wisdom with me!! Thanks.


----------



## HowEver (Jan 11, 2005)

Do you have more than one credit card?

Send the payment with a card you hardly use. After the payment is confirmed, pay off the debt and then cancel the card.


----------



## krs (Mar 18, 2005)

Ariell said:


> His suggestion was to use a "GSM SMS message. It's encrypted in transit, and since it would travel separately from your email conversation, it would probably be safe enough". Sounds perfect. Problem is, I have no idea what he's talking about! :yikes: I emailed back to ask if he could clarify or tell me where I could find out how to set up a GSM SMS message but I havent't heard back.
> 
> So if someone else knows, please please share your wisdom with me!! Thanks.


Google came up with this:
The Short Message Service (SMS) is the ability to send and receive text messages to and from mobile telephones. The text can comprise of words or numbers or an alphanumeric combination. SMS was created when it was incorporated into the Global System for Mobiles (GSM) digital mobile phone standard.
A single short message can be up to 160 characters of text in length using default GSM alphabet coding, 140 characters when Cyrillic character set is used and 70 characters when UCS2 international character coding is used.

Sounds like a global mobile messaging system to me - no clue how that would help.
As far as using a fax is concerned - we use that in the office all the time and it's as secure as calling and giving the CC info over the phone which I do all the time when I buy something. The way I see it, a Fax is as secure (or insecure) as doing it over the phone if you don't use a public fax machine to send the information. Have you asked the party in nepal how other people provide the CC information? By email I assume......same as the people in Brazil for me - they had no qualms about putting CC info in an email.
Other than that, I would go with a wire transfer, although Canadian banks seem to have a eal problem handling those if it's not within Canada or the US.
I tried to wire some money to the Philippines once - three banks later I finally gave up, but then I remembered I had a Euro account in Germany. With that account and the recipient IBAN/BIC number, I could actually sent the payment myself right out of that Euro account in a matter of a few minutes.
In many ways, the Canadian banking system is still in the dark ages.


----------



## Ariell (Mar 28, 2005)

krs said:


> Sounds like a global mobile messaging system to me - no clue how that would help.


Me either. :yikes: 

OK, looks like I will try a combination of phone and fax and hopefully that will work fine. And just for my own peace of mind, I'll probably cancel the cc once the transaction's gone thru and I've paid it off. Good point HowEver.

Thanks everyone for your input!!


----------



## Cerebus (Sep 9, 2003)

If the person you are trying to send the CC number to has more than one email account, why not break the CC number into chunks and send a few digits to each account separately... For example, send the first 8 digits to their Hotmail, the next few to a Gmail account and the last few to a Yahoo account, with just a note at the top saying "first set", "second set" and "third set". Then they can piece it together on their end. The chances of all three emails being intercepted and made sense of my a single hacker is probably greatly reduced this way...

For extra security, you could replace a few digits with descriptions of numbers that only you and the recipient would know... ie "4200-64 followed by our mother's age this year".

Just an idea...


----------



## gordguide (Jan 13, 2001)

" ... BUT, I don't really understand your work-arounds. Sorry, I don't know what 'encrypted email with public and privae PGP keys' is or a 'server with password protection'. I also don't know how to encrypt a file. That's initially what I was hoping -- that there was a way to encrypt the info. but like I said I don't really understand what I need to do. ..."

" ... I tried to set up encrypted email following the instructions here: http://joar.com/certificates/ ..." Setting up certificates is the first step of sending encrypted eMail with public and private PGP keys. (PGP is a set of security tools for computer users, it's short for Pretty Good Privacy). It works fine, if both parties are willing to play along. So, not necessarily a solution for you, but certainly a viable option.

Nice link by the way; it does do a good job of explaining certificates. 99% of the sites that talk about this lose everyone early, and Thawte themselves are mired in Techno-Babble from the start.

The fun really starts when you have to renew your certificate, and the only language Thawte speaks, online or in eMails to you, is foreign to all but the most proficient IT professionals.

A side effect of digitally signed eMail (what a certificate does) is MS's handling of certificates in Outlook; instead of doing it the "right way", it displays certificates as an attachment with a strange file name and extension. The average, worried Windows user will usually panic, delete your mail, or otherwise misconstrue what's going on.

You can also use a compression program that supports encryption or password protection. Stuffit can password protect files, and a free Windows version to un-stuff them is available. There are also other options that use zip or some other common, x-platform compression with encryption schemes. You then send a plain text file with your CC number as an encrypted, password protected attachment.

An example of using a server with password protection would be to set up a password for file access on DotMac, placing a compressed (eg: zipped) plain text file with your CC number in your iDisk, and sending the password by phone to the recipient. Send an eMail with the url to your dotMac file, they enter the password, download the file. They contact you and tell you it's fine, and you delete the file from your iDisk.


----------



## Ariell (Mar 28, 2005)

gordguide said:


> (PGP is a set of security tools for computer users, it's short for Pretty Good Privacy). It works fine, if both parties are willing to play along. So, not necessarily a solution for you, but certainly a viable option.


Yeah, I didn't realize until after I went thru the whole process of setting up a certificate that this would only work if the recipient had done the same. Would have been nice for the site author to have included that information at the beginning of the instructions.  




gordguide said:


> You can also use a compression program that supports encryption or password protection. Stuffit can password protect files, and a free Windows version to un-stuff them is available. There are also other options that use zip or some other common, x-platform compression with encryption schemes. You then send a plain text file with your CC number as an encrypted, password protected attachment.


Great! I didn't know that. Just tried with Stuffit and it works great. So just out of curiousity, what about just sending (unecrypted) info by email in a password protected Word document? Can the info. still be interecpted and viewed? I've sent confidential client information as a password protected Word attachment by email before thinking it was safe. Is it not?

Thanks again for all your help with this.


----------



## Ariell (Mar 28, 2005)

gordguide said:


> (PGP is a set of security tools for computer users, it's short for Pretty Good Privacy). It works fine, if both parties are willing to play along. So, not necessarily a solution for you, but certainly a viable option.


Yeah, I didn't realize until after I went thru the whole process of setting up a certificate that this would only work if the recipient had done the same. Would have been nice for the site author to have included that information at the beginning of the instructions.  




gordguide said:


> You can also use a compression program that supports encryption or password protection. Stuffit can password protect files, and a free Windows version to un-stuff them is available. There are also other options that use zip or some other common, x-platform compression with encryption schemes. You then send a plain text file with your CC number as an encrypted, password protected attachment.


Great! I didn't know that. Just tried with Stuffit and it works great. So just out of curiousity, what about just sending (unecrypted) info by email in a password protected Word document? Can the info. still be interecpted and viewed? I've sent confidential client information before by email as a password protected Word attachment thinking it was safe. Is it not?

Thanks again for all your help with this.


----------



## krs (Mar 18, 2005)

Ariell said:


> Great! I didn't know that. Just tried with Stuffit and it works great. So just out of curiousity, what about just sending (unecrypted) info by email in a password protected Word document? Can the info. still be interecpted and viewed? I've sent confidential client information before by email as a password protected Word attachment thinking it was safe. Is it not?


I don't know about password protected Word documents, but when we used passwords to access confidential company FTP sites and then couldn't remember them when our software was upgraded and the autofill for the passwords was lost, our IT guy gave us a Windows program that recovered these passwords in a few seconds.
Made me wonder what the point of using a password was in the first place.


----------



## gordguide (Jan 13, 2001)

Many Windows passwords and product keys can be recovered with simple utilities, and experience teaches me to not trust Word for security under any circumstances.

However, if you go that route, compress it anyway. Files have certain "signatures" and it's easy to identify which file is moving along a network, which makes the job of finding stuff to steal simpler. Zip it (or stuffit, or whatever, but zip is common on Windows systems) and it is indistinguishable from any other compressed file, and is unlikely to attract as much attention.

None of these solutions are bullet proof by any means; which is why eMail Certificates and PGP exist in the first place, but you seem to be low on options. The people you're trying to deal with need to jump into the 21st century and make the job of secure data transmission a little easier. It sounds like it's all over their heads.

You might want to contact your CC provider and see if they will offer a temporary number (some do, although it's more common in the US). You "fill" the card with the exact amount you want to transfer, they authorize it, and once paid out, the card is not only empty of funds, but that number is never re-used again; it's essentially a "one-time use credit card". That limits the time window to one your intended recipipient can make, and after that there's no money to scam.

Perhaps give these guys a call; they might know how most people move money to Nepal;

Canadian Cooperation Office
Address: Lazimpat, Nepal 
Postal Address: P.O. Box 4574, Kathmandu, Nepal
Tel.: 977 (1) 4415-193, -389, -391, -861, 4426-885, 4425-669
Fax: 977 (1) 4410-422
E-Mail: [email protected]

The CCO is part of Foreign Affairs Canada: Consular Affairs.


----------



## Ariell (Mar 28, 2005)

gordguide said:


> A side effect of digitally signed eMail (what a certificate does) is MS's handling of certificates in Outlook; instead of doing it the "right way", it displays certificates as an attachment with a strange file name and extension. The average, worried Windows user will usually panic, delete your mail, or otherwise misconstrue what's going on.


Yes, as I discovered today. I sent myself an email from home to work (a PC) and it attached the certificate as a text file. Then the actual attachment that I did want didn't seem to work. I think I'm just going to get rid of the certificate since for my purposes it seems a little pointless and more trouble than it's worth.

I've ended up sending the info. as an encrypted password protected zip file. Also sent a link to thefreesite.com for downloading a free unzipping program in case they don't have one. Hopefully that should be fine. Thanks again for your help.


----------



## gordguide (Jan 13, 2001)

You can choose to include certificates or not, if you're using mail.app and probably most other mail clients.

Generally, I don't send signed mail but once you go through the trouble of getting it issued and enabled the option is there for when you need it; I set up mail.app so the default is no certificate. Works fine all around.

Outlook, despite it's strange handling of the certificate key, still can use it. Just send it with mail you need to be secure, and without for the rest. Outlook users who know what's going on (and recognize the file extension) won't have a problem with it.


----------

