Giving Credit Card Details to Websites or by email, How Safe?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Giving Credit Card Details to Websites or by email, How Safe?

slowcoach

33 posts

Geek

#31387 16-Mar-2009 14:49

Quite often we go on websites (other than trademe) and purchase say hotel accommodation, airline tickets etc, both in NZ and overseas. We understand traffic to and from these sites are encrypted, and generally regarded as safe.

For our coming trip we have recently booked hotels. WE emailed one about their special deal, and we received an email from one of them advising us to give our credit card details. We told them we are not comfortable with this, and they told us to fax the credit card details. We faxed them the number, and gave the expiry date via email. That was all they needed to hold the booking for us (similar to taking an "imprint" of your credit card when you check in). Another hotel we booked via their website, and we gave the credit card details there, and the correct sum was deducted.

Another time we went to book air tickets for local flight in China using a local site, they claim they were having lots of problems with overseas credit cards, and they demand a long list of verifications such as photo copy of front and back of credit cards, and of passport etcs. We promptly switch to another website, and successfully did our booking without all the "authentification" of our cerdit card.

We know of friends and family who refuse to use credit card on the web, or do online banking. We have been doing online banking, and purchases on the web, for quite a while, and, touch wood, have had very little problems. HOWEVER, we do wonder how SAFE is it, to hand over your cerdit card details (number and expiry, and sometimes signature), either by phone, fax, email, filled form etc?

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#201424 16-Mar-2009 15:08

Most credit card issuers nowadays have web fraud insurance because of the amount of online transactions being done daily, and I believe that works quite well.

However, I think sending credit card details by email is probably the biggest threat of all, seeing as emails can be easily sniffed through the net.

I like your approach of faxing the card details partially and then complementing with an email.

When it comes to websites, I think it's fair to say that you should always look for SSL certificates that match, Thawte or VeriSign badges and the likes.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

chiefie

I iz your trusted friend
5877 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#201429 16-Mar-2009 15:20

alternatively, use prepaid credit card to cut down the chances of a fraud. Like Prezzy Card or Loaded (both by NZPost)

Internet is my backyard...

«Geekzone blog: Tech 'n Chips Takeaway» «Personal blog: And then...»

Please read the Geekzone's FUG

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#201477 16-Mar-2009 19:27

magu: When it comes to websites, I think it's fair to say that you should always look for SSL certificates that match, Thawte or VeriSign badges and the likes.

Agreed to a level. I could setup a website with SSL, take your order and credit card details, and then email them to myself for processing. While the first step is encrypted, your cc details would pass unencrypted and be stored encrypted in my inbox.

I think a good rule is stick with well-known, reputable companies and you shouldn't go wrong. I'd also keep an eye on your credit card statements if you aren't feeling too confident.

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#201479 16-Mar-2009 19:38

nate:
magu: When it comes to websites, I think it's fair to say that you should always look for SSL certificates that match, Thawte or VeriSign badges and the likes.

Agreed to a level. I could setup a website with SSL, take your order and credit card details, and then email them to myself for processing. While the first step is encrypted, your cc details would pass unencrypted and be stored encrypted in my inbox.

I think a good rule is stick with well-known, reputable companies and you shouldn't go wrong. I'd also keep an eye on your credit card statements if you aren't feeling too confident.

Yep. While the communications between your browser and their servers is encrypted, what guarantees you have they don't have the data on a database with a blank administrator password? Or that your credit card details is not visibile to everyone in their internal network? Or that their database server is on a separate box from their webserver with proper firewall between then to prevent buffer overflow exploits? Or that their credit card validation system is not manual and people can see and copy your details?

SSL alone doesn't mean anything at the end of the day...

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#201480 16-Mar-2009 19:43

freitasm:
nate:
magu: When it comes to websites, I think it's fair to say that you should always look for SSL certificates that match, Thawte or VeriSign badges and the likes.

Agreed to a level.? I could setup a website with SSL, take your order and credit card details, and then email them to myself for processing.? While the first step is encrypted, your cc details would pass unencrypted and be stored encrypted in my inbox.

I think a good rule is stick with well-known, reputable companies and you shouldn't go wrong.? I'd also keep an eye on your credit card statements if you aren't feeling too confident.

Yep. While the communications between your browser and their servers is encrypted, what guarantees you have they don't have the data on a database with a blank administrator password? Or that your credit card details is not visibile to everyone in their internal network? Or that their database server is on a separate box from their webserver with proper firewall between then to prevent buffer overflow exploits? Or that their credit card validation system is not manual and people can see and copy your details?

SSL alone doesn't mean anything at the end of the day...

Hence why I didn't say 'just use sites that have SSL'. Proper Thawte and VeriSign validation helps a lot, but there's always the 'other side' element. Don't just take my word for it.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

zocster

1983 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#201486 16-Mar-2009 20:39

chiefie: alternatively, use prepaid credit card to cut down the chances of a fraud. Like Prezzy Card or Loaded (both by NZPost)

+1 with loaded, I use this for every online transaction I make. I never keep than what's required on there :)

Andy Ghozali Geekzone Member	E: andy@ghozali.ru M: +64 21 395 458 A: Andy's Business Services, 231 High St, Christchurch 8011, NZ
www.andy.mobi

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#201489 16-Mar-2009 20:42

It would be much better if Visa and Mastercard offered those one-use credit card numbers generated just for your account. I needed to buy a couple of things and could only use an American card number - pinged a friend on MSN, transferred money to his account and he generated two virtual credit card numbers.

These are really safe because have all the original owner's details but can only be used once and online only.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

chiefie

I iz your trusted friend
5877 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#201513 16-Mar-2009 22:12

freitasm:
It would be much better if Visa and Mastercard offered those one-use credit card numbers generated just for your account. I needed to buy a couple of things and could only use an American card number - pinged a friend on MSN, transferred money to his account and he generated two virtual credit card numbers.

These are really safe because have all the original owner's details but can only be used once and online only.

That sound super awesome.. truly if-only!

Internet is my backyard...

«Geekzone blog: Tech 'n Chips Takeaway» «Personal blog: And then...»

Please read the Geekzone's FUG

richms

28191 posts

Uber Geek

Trusted

Lifetime subscriber

#201633 17-Mar-2009 15:14

chiefie: alternatively, use prepaid credit card to cut down the chances of a fraud. Like Prezzy Card or Loaded (both by NZPost)

No way, a bank will not charge you to deal with customer service to start a chargeback, a bank will care because its their money that is at risk since you dont have to pay for charges you didnt authorize and the bank has an interest in keeping you happy as an ongoing customer.

The prepaid card companies couldnt give a toss about you, so make it as hard as possible to even query a charge on the card. They are for no hopers that cant get credit, or have no self control over their spending. Stick with a bank and you are treated like someone with a clue and respect.

Richard rich.ms

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#201637 17-Mar-2009 15:17

richms: Stick with a bank and you are treated like someone with a clue and respect.

Until you need them... "A bank is a place where they lend you an umbrella in fair weather and ask for it back when it begins to rain" (Robert Frost).

Nety

2584 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#201647 17-Mar-2009 15:49

As someone who has been the victim of credit card fraud I can say that at least with ASB they were very onto it. They contacted me to tell me that a transaction had been made that looked suspicious long before it appeared on my credit card account.

What’s more they cancelled my card as soon as I confirmed that I had in fact not brought airline tickets from some airport in the middle east and got a replacement card on the way straight way (arrived a couple of days later). As soon as the charge appeared on my card they sent me the documentation to say it was not mine and it was gone again the next day.

I have also had to get a charge reversed for a company that turned out to be very dodgy (something I did not find until things started looking suspicious). This took a bit longer but still at no point was I out of pocket as such.

I would say that if you are using a online store that you are not sure about do a google for complaints about the store first. If I had done so I would not have purchased of the store that I had to then reverse charges on.

However the case where airline tickets were purchased I believe was from a popular and trusted NZ online shop.

Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64

slowcoach

33 posts

Geek

#201668 17-Mar-2009 16:59

Hi, Thanks everyone for your comments. Agree that Prepaid Cards would not be my choice.

MasterCard does offer a Side Card, which is in addition to your main card, which has a daily limit, say one thousand dollars. This way the fraudster cannot get away with all your credit limit. HOWEVER I have been caught out myself when trying to pay for something online, then exceeded the daily limit, and the transcation was then "denied"!

It is obvious from all the feedback that it is very easy for credit card fraud to be committed, especailly online. The banks seems to be unable or unwilling to be proactive about dealing with these. At least with the major banks they do promise you are not out of pocket if you are found to be the victim, and you are quick to let them know. Interesting about the ASB keeping an eye out on transactions.

Thanks again.

richms

28191 posts

Uber Geek

Trusted

Lifetime subscriber

#201669 17-Mar-2009 17:06

One big gotcha is that if its your only card, they will not give you the CVV before the card arrives, so you are effectivly off the air as far as purchases online till the physical card arrives. For that reason multiple cards is a must. I had to let a friend use my loaded card when his card needed replacement and he was in the UK - and those currency fees on the loaded are outragous..

Richard rich.ms