
Secure Email - How To?

Status
Not open for further replies.

SSJpn

Technical User
Oct 7, 2002
259
US
I have made a simple form using HTML.

I want to take credit card numbers from my form, but I want it to be safe.

I am not going to use a web server for my .htm form but rather I am just going to email the form as an attachment. Users will then open the form, fill in the fields, hit submit and then I'm guessing their default email will send the information to the mailto address of my choice.

How can I make this safe/secure?

Thanks,

SSJpn
 
Whoa... "I'm guessing their default email will send the information to the mailto address of my choice"

And you want to make this safe and secure? Anything that has the word 'guessing' in it won't get my credit card number.

You can never make the process of exchanging credit card details over the net 'safe' or 'secure', only 'safer' and 'more secure'.

If you don't have the resources to set up a secure site with SSL and the works, why not use someone like PayPal to handle the payment side of things for you?
 
Yeah - email is the easiest to spoof and least secure protocol commonly used right now. I'd steer clear of it for sending CC numbers.

Also, if you create your form (say, as a Word doc) and email it as an attachment - lots of people will not open it due to the chances of unknown attachments containing viruses.

Best bet is to create your form as a web page - if you don't want to or can't make a secure site, DT's suggestion of PayPal seems a good workaround. I'd still have everything except payment in a form on your page though.

Let us know what you decide on.


Posting code? Wrap it with code tags: [code]CodeHere[/code].
 
Hmmm, I see.

It's not like I will be sending this form to random people or potential clients. I know all of these people 'in person.' So I know they would open the attachment.

In the past, I mailed the forms out and had them fill it in (with CC number) and mail it back.

This year I want something faster, and more efficient. So I was thinking of an email form... but I see you can't make it secure enough.

I don't think they use PayPal and I don't want them to have to register. That is just making it more difficult for them when all I want is to make it faster and easier.

Now that you know what I want, what can you guys suggest?

1) I know all the people 'in person' and they would be expecting these forms

2) I want it fast. So online transaction would be nice

3) I want it hassle-free for them.
 
Hi mate,

I don't think you understand how insecure your suggested methods are.

If you accept any sensitive information online, you MUST use SSL; there are no workarounds. Sure, you can use PayPal or another payment gateway, but they must then be using SSL.

If you want it to be speedy and hassle free, use the telephone.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change.
The leader adjusts the sails. - John Maxwell
 
Wullie,

I do know that it is not secure, that is why I submitted this post.

I just want some suggestions on how I could do it. I wasn't sure what there was out there... you know?

So I guess I can use PayPal or telephone...

thanks guys.
 
Hi SSJpn,

You will email them a form? Maybe like an invoice with an invoice number or reference number?

Then why don't you suggest to people they go online to their own bank and do a direct debit to your account (pay anyone) and use the reference number you send them? That way, they can pay by credit card or direct from their bank accounts, it's nice and secure, and it's fast - the money is on its way immediately - although may take 3 days to get cleared depending on the bank.

Then they can send their Word document back confirming their payment if needed.

This is assuming the banks in your part of the world have online banking with pay anyone facility.

My thoughts, anyway.
JillC
 
Actually, on second thoughts - you give them a choice
1 - fax back the form with credit card details
2 - pay by direct debit as in previous post.

JillC
 
How about just some encryption on the credit card number? It's not perfect as someone could crack it but the idea is:

1) User submits their CC number
2) You use your own (or have a look for some known methods) function to encrypt the number
3) Decrypt the encrypted number and you have the CC number

----------------------------------------------------------------------

Need help finding an answer?

Try the search facility or read FAQ222-2244 on how to get better results.
 
Hm, isn't there a server-side incarnation of WinZip that you can password-protect the archive before you send it? If I had to have the server send e-mail, I'd think about doing it that way.

Cheers,


[monkey] Edward [monkey]

"Cut a hole in the door. Hang a flap. Criminy, why didn't I think of this earlier?!" -- inventor of the cat door
 
Just something for you to think about if you are still considering emailing them (because, as you said, they are expecting this form from you).

You send (example):

To: addy1@blabla, addy2@blabla, ...
From: JJimson@blabla
Subject: My fantastic secure form, pay $$ now!
Dear Friends,
Attached is my form - just fill it in and send it back with your credit card details.
Sincerely,
John J Jimson


Unfortunately, "Evil" Clarkin is one of your recipients and he hatches a nasty plan that merely involves spoofing the From: field (you can do this with many used email programs... it's something built into basic email functionality).
So, "Evil" Clarkin sends 2 hrs later...

To: addy1@blabla, addy2@blabla, ...
From: JJimson@blabla
Subject: Addendum with that form!
Dear Friends,
Sorry I forgot to mention that I am running a special half-price deal for the next 50 people to send back that form. Also note that you should send your details to my processing address: evilclarkin@blabla.
Sincerely,
John J Jimson


The moral is, of course, don't send anything like a form with space for credit card details over email :) - direct them to a website instead, even one without SSL. IMO it's less likely for someone to be sniffing packets looking for CC numbers than to spoof a From address :)

Good luck


Posting code? Wrap it with code tags: [code]CodeHere[/code].
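
A recipient-side check for the scenario in the post above, added here as an example and not part of the original thread: it flags a message whose From header claims a known sender while a Reply-To header or the body text steers details to an address that sender has never confirmed. The `KNOWN_SENDERS` table, the `example.test` addresses and both sample messages are constructed for illustration; the check deliberately does not treat the From header as proof of origin.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: addresses each sender confirmed out of band (hypothetical table).
KNOWN_SENDERS = {"jjimson@example.test": {"jjimson@example.test"}}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def redirect_findings(raw):
    """Reasons a message claiming a known sender steers replies elsewhere."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    allowed = KNOWN_SENDERS.get(claimed)
    if allowed is None:
        return []  # From does not claim a sender we track
    findings = []
    # A Reply-To header moves replies away from the claimed sender.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if addr and addr.lower() not in allowed:
            findings.append("Reply-To points to " + addr.lower())
    # The post's example names the new address in the body text instead.
    for addr in sorted({a.lower() for a in ADDR_RE.findall(body_text(msg))}):
        if addr not in allowed:
            findings.append("body directs details to " + addr)
    return findings

# Constructed samples modelled on the two messages in the post.
ORIGINAL = """\
From: JJimson@example.test
To: addy1@example.test, addy2@example.test
Subject: My form

Attached is my form - just fill it in and send it back.
"""
FOLLOWUP = """\
From: JJimson@example.test
To: addy1@example.test, addy2@example.test
Subject: Addendum with that form!

Send your details to my processing address: evilclarkin@example.test.
"""
```

Both samples carry the same From header, so only the redirect in the follow-up distinguishes them.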
 
Bottom line here is:

If you accept payments without using SSL, you are fully accountable for any fraud that occurs using those card details.

You might only be accepting £10 from them, but when someone gets those details, they could run up thousands of pounds worth. And after you have to pay all that money out of your own pocket, you have lost those clients so have no way to make it back.

Hope this helps

Wullie


The pessimist complains about the wind. The optimist expects it to change.
The leader adjusts the sails. - John Maxwell
 
Hmmm,

I won't be using SSL so I will just have to have them call me with their CC number.

Some interesting ideas and pointers from you guys, thanks so much everyone.

SSJpn.
 