Please don't email your credit card number!
Post categories
This article was originally published as part of the Pobox blog. Pobox was acquired by Fastmail in 2015.
When someone is hatching a secret plan in a movie, you might see them ask, “Is this a secure line???” The average telephone call is transmitted as-is, which means, as it travels through the many lines and machines necessary to tranmit the call around the world or down the street, someone with the right equipment could listen in.
Email works the same way.
You might have the impression, given how fast email works, when you send an email that it just goes from your computer to the recipient’s mailbox. In fact, even simple setups usually pass your email through 4 or more computers.
Email is like a postcard; for the most part, people aren’t interested enough in what you’re saying to bother looking at it. But credit card numbers are an obviously-identifiable string, making them easy to look for in a stream of content going by.
How do you prevent your credit card number from being picked up? Encryption. That’s why you’re never supposed to type in your password or credit card number to a web browser that doesn’t show a secured lock or key. That lock indicates that your data is scrambled while in transmission; the website then has the information necessary to unscramble it on the other end.
Ok, then, why don’t we just encrypt email, too? Well, it’s not that simple. Companies pay a security provider for that encryption service. The security provider generates the information, and verifies that it’s accurate, and provides the key to you that’s necessary to scramble your data. And, over the years, the security provider has made sure that all the web browsers out there work with their service, so you never have to think about it.
For email, you would need a similar scrambling key for everyone who emails you, and you’d need to distribute your key to everyone you email. And you need a secure way to do that. And most people don’t want that way to cost a lot of money. There are ways, and they work, and they’ve been around for a long time. They just aren’t used by most people.
Think of email as a conversation you might have walking down the street. Generally, no one would bother to listen in. But if you started saying your credit card number repeatedly, well… it only takes one nasty person to cause a problem. So, please don’t email your credit card number.