Email Security

Posted on 1997-06-27
Last Modified: 2013-12-25
I am in the process of setting up online ordering. I have a user submit credit card information for orders over the web through a secure server connection. I have been told that I can then mail it to myself as long as it is not being sent to/through another mail server. Is this accurate, or do I have to go about retrieving the information from the web server another way? If so, how would I do it? Thanks.
Question by:tluxon
1 Comment

Accepted Solution

mkornell earned 50 total points
ID: 1828611
The basic idea is that you don't want to have a credit card number going over any sort of network transmission (including the Internet) w/o being encrypted.

Having the user submit the cc# via a secure connection is fine, as the communication between his browser and the web server is encrypted.

However, if you then go and email a message to yourself containing the cc#, without encryption, what's the point of using a secure web server?  Someone snooping your network packets could pick up that version of the cc# just as easily as snooping on an insecure web transaction.

You could have the web server email a message to an account on the same server, in which case it may not go off that machine.  No network packets to snoop on there, right?  Well... maybe.  Depends on the server's mail setup.  Some sites are set up to have all sent mail go to a central mail server for delivery, even if the destination machine is the same as the originating machine.  Bingo - network transmission of that sacred cc#.

You can encrypt them and email them, no problem, using something like PGP.  (You also could use DES, but that's probably not strong enough anymore.)

You could write the orders to a file on the web server, then go get them every so often.  But how are you going to do that?  FTP the file?  Oops.  You just put plaintext cc#s over the wire. Bummer.

Maybe telnet to the machine, read the file and copy the orders down by hand? Bzzzt. You lose. Telnet's over the network, too.

The basic problem is that if you want to keep those cc#s really secure, you can't ever, _ever_ have that information go from one computer (over a network) to another w/o encrypting the communication.  Somebody could be listening.  It might not be at the point where the user sends his or her #, but somewhere down the processing line, too.

So, how are you going to do it?  That really depends on what you do to process the orders, and how the cc# information must flow.  Encrypted email is not a bad way to move things around; you can also move around encrypted files (say, via FTP) w/o security problems.  (Provided, of course, that: a) the encryption is strong enough. b) you keep your keys in a secure place.)

It is not a bad idea to encrypt the cc#s even when not being transmitted.  Computer systems being as vulnerable as they are, it wouldn't take much for a malevolent hacker to just break into your system and snag a file full of cc#s.  Don't forget to close the back door, too.

Caveat:  I'm no security expert, and I can't give you specific advice on what kind of system you need to install.  If your security needs are complex, please consult with someone who really does know this stuff and can build you a system that is secure.
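Added example, not part of the original thread or anyone's posted code: a pre-send gate for the order mailer the answer describes, which refuses any message body that still carries a plaintext card number (found by shape and Luhn check) and lets a body that has already been PGP-armored through. The two sample order bodies are constructed; the PGP block is a placeholder, not real ciphertext.

```python
import re

# Constructed sample order e-mail bodies: a plaintext one the web server must
# never send over the wire, and a PGP-armored one that is safe to relay.
PLAINTEXT_ORDER = """Order #1042
Name: A. Customer
Card: 4111 1111 1111 1111  Exp: 12/99
Item: 2x widgets
"""
ENCRYPTED_ORDER = """-----BEGIN PGP MESSAGE-----
hQEMA...(ciphertext elided; constructed placeholder, not a real message)...
-----END PGP MESSAGE-----
"""

# 13 to 19 digits, optionally separated by single spaces or dashes: the shape
# of a primary account number (PAN) as a customer would type it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for every real card number, false for most
    phone numbers, order ids and other digit runs of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like plaintext card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def safe_to_send(body: str) -> bool:
    """Gate in front of the mailer: a body may leave this machine only if no
    plaintext PAN is present. An armored PGP body passes by construction."""
    return not find_plaintext_pans(body)


if __name__ == "__main__":
    for label, body in (("plaintext", PLAINTEXT_ORDER), ("pgp", ENCRYPTED_ORDER)):
        verdict = "ok to send" if safe_to_send(body) else "BLOCKED"
        print(f"{label}: {verdict} {find_plaintext_pans(body)}")
```

The same gate fits in front of the file-drop and FTP paths the answer rules out, since the property being enforced is the one it states: no plaintext card number ever leaves the box.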

