I have recently been careless in booking hotel accommodation without checking that the site was secure: it wasn't. My carelessness was compounded because the web host in London emailed my credit card details to the hotel in Spain, which then confirmed the booking by returning the host's original email. I have, of course, cancelled my credit card. The British company tells me: "We have never experienced a problem with this system and have no plans to change it." Am I being unduly cautious, or are they being unduly complacent?
Graham Williams
It's generally safe to use a credit card on a website as long as it uses a secure connection, as indicated by a small image of a lock appearing at the bottom of the browser window. However, the internet's email system is insecure as designed, and sending an email is like sending a postcard: anyone can read it en route. This probably includes your ISP (internet service provider), the owners of servers that store and forward your email, and the IT staff who look after company mail servers. In theory, it also includes anyone who uses a "packet sniffer" -- a type of program that is widely available for free download -- either on a server or to tap into your internet connection. Either way, you should already know that all your email is probably being scanned, possibly by UK government employees at GCHQ in Cheltenham, and almost certainly by services that are attempting to eliminate spam. Scanning for things that look like credit card numbers is trivial.
Under these circumstances, I would not recommend sending credit card details in unencrypted email, and I would avoid dealing with any company that does. They should at least put them in a password-protected attachment created using an "archive" program designed to compress (or zip) files -- though there are often tools designed to crack these passwords. Another simple alternative is Hushmail (www.hushmail.com).
Perhaps we should all have digital signatures and use encryption programs to secure our email. One example is PGP (Pretty Good Privacy), which is available in a free version (http://www.pgpi.org/). Email Encryption for the Lazy (http://www.dtek.chalmers.se/~d97jorn/pgp/) explains how to use it. However, PGP was written by Phil Zimmermann in 1991, and its failure to become ubiquitous suggests either that the real risk of email interception is pretty low or that email security is not important for most people most of the time. When it comes to credit card details, however, it's better to be safe than sorry.