YAPC Pisa

Peter Corlett abuse at cabal.org.uk
Thu Jul 8 13:30:55 BST 2010


On Thu, Jul 08, 2010 at 12:27:42PM +0100, Chris Jack wrote:
[...]
> It's a long time since I sent credit card details by email and whilst I
> think it is obviously a very bad thing...
> If you have to do it, can I suggest you try to avoid putting the whole 16
> digits in "1234 5678 1234 5678" style format as this would be a very easy
> thing to parse for. Rather think up something like:

An unencrypted credit card number sent over the Internet is highly unlikely
to be compromised while in transit. There's just too much other traffic and
it's too much effort while there is lower-hanging fruit.

The real risk here is that the hotel apparently doesn't have a clue about
security of credit card numbers. For example, they may just print out the
email, and then shuffle over to reception to enter the number into their PDQ
machine. The printout quickly gets lost in the pile of other paper clutter
there, for any passing scrote to help themselves to.

Obfuscation won't help you there.


