I was horrified to receive an email from my ISP asking me to email them my updated credit card details this morning. Now, before you go saying ‘no ISP would do that, it’s obviously a phishing scam, you fool’, it isn’t. I rang them. Since my credit card had expired I gave them my new details first and then complained about the email. The person on the other end of the phone just didn’t see the problem. I proceeded to explain that email is a totally insecure transport medium. She still didn’t see a problem because they were ‘only offering customers an option to email’. DigiWeb are an ISP, people expect ISPs to know how the internet works, and if their ISP says it’s OK to email such things then regular users will probably take them at their word. After all, DigiWeb are the experts, right? When it became clear that I was not being listened to I asked to be transferred to a manager or a supervisor but was told that DigiWeb don’t take complaints over the phone. What? You don’t even care enough to talk to your own customers? Yet another example of the utter uselessness of Irish ISPs! To cut a long story short, I’ve contacted the Data Protection commissioners and am in the process of lodging a complaint.

Below is the email I received:

Dear Customer,

Please note that the credit card we hold on file for your monthly payments is about to expire. Please contact us on 042 9393310 or email [email protected] with your new expiry date.

Kind regards,

Digiweb Accounts

You could argue that they only explicitly asked for the expiry date so at least it wasn’t the whole credit card, but I don’t buy that. People should not be encouraged to send sensitive data over email. It sets up an ethos that email is safe, and in many cases when people’s cards expire they get a whole new card and not just a new expiry date (as was the case with me), and people will take the mail as a request to send the details of that new card via email. There is no warning anywhere in the email not to email sensitive data, just a request for some personal data to be emailed. I don’t think that’s acceptable. Anyhow, as well as contacting the Data Protection Commissioners I also sent DigiWeb a reply by email:

Hi,

I would like to draw your attention to a very serious matter with relation to security. Below is an email I received from you which encourages me to email you my credit card details. Are you aware that credit card fraud is a serious problem? Are you aware that email is a 100% insecure medium? You are asking people to transmit sensitive financial data in a totally insecure way! What you are asking people to do is the equivalent of writing your credit card details on the back of a post-card and sending it without putting it in an envelope! Do you think this is acceptable? I certainly don’t! You are an ISP, you should know better! People with little or no computer savvy expect you to know what is best and will follow your advice.

I pointed this out when I rang to update my details and the person on the phone did not see this as a problem and would not transfer me to a supervisor or a manager. This too is not acceptable. So, since you would not talk to me I felt I had no choice but to contact the Data Protection commissioners to lodge a complaint.

Regards,

Bart Busschots.