2

I am buying some products and have mostly communicated with the store via email. I am planning on paying by credit card, but the store doesn't have online billing. Normally, I would just phone the store and provide my credit card info but they are out of country and I can't make calls there. Is it safe to SMS my credit card info?

More generally, is SMS a secure method to send sensitive information?

Similar to "Is it still unsafe to email credit card number nowadays?".

sixtyfootersdude
  • http://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication (the answer is pretty in-depth about GSM encryption) – DotNetRussell May 27 '15 at 17:56
  • There's more to worry about than encryption tho – Neil Smithline May 27 '15 at 18:14
  • I would worry more about the store's owner being malicious than an attacker intercepting an SMS. Nothing guarantees the store's owner won't misuse the card number nor store it in a .txt file on his compromised machine. –  May 27 '15 at 20:58
  • @andre - how is this different than any other store? – sixtyfootersdude May 27 '15 at 21:16
  • @sixtyfootersdude most stores out there (excluding the big players like Amazon, etc.) redirect you to a payment provider (Stripe, PayPal, etc.) and thus never see the card data itself, only a reference that allows them to claim the payment. –  May 27 '15 at 21:30

2 Answers

5

Via virtual phone services like Google Voice, SMS can be delivered to someone's email, so SMS can be no safer than email. There are also many services that clone SMS messages from your phone to your computer or email. So, like the question you referenced, even if the receiver is trustworthy, you're relying on an awful lot of infrastructure staying secure. Sounds pretty risky to me.

Neil Smithline
4

No, it's not secure.

The government and your mobile carrier can easily read it (so forget about sending sensitive information or not-so-legal SMS).

While I find it difficult for an SMS to be intercepted while in transit, remember that both you and the receiver will have this SMS until you delete it, and this introduces some risks, like you having your phone stolen with no password on it, or the receiver handing over his phone to a third person and even forwarding it to more people.

Now that I have answered the SMS part, I must say something about the bigger picture you are not seeing:

How do you know if the owner of the store is really who they say they are? How do you know this store is even real? I find it pretty weird that you are communicating with them via email, and even more weird that they say they don't support credit card payment via some website... even more weird if their sites don't use https:// at all.

Not supporting https:// is a red flag at first sight: a certificate is pretty cheap nowadays, and wanting to accept credit cards without even caring to use TLS shows they lack good security practices...

They could in theory accept credit card payments without using TLS if they don't host the checkout or store credit card details in any way. There are many third-party payment processors like PayPal or Stripe, and most banks provide some ready-to-use solutions for e-commerce, but not using https:// is still a red flag.

This really seems like a scam to me, and you should never, in any way, SMS your credit card info to anyone; no decent and reputable store would ask you to do it.

Freedo
  • Agreed, typically this would raise red flags for me as well. The store in question has a normal online checkout, but for non-USA shipping you have to contact them directly. They ship larger items, so shipping can be tricky. – sixtyfootersdude May 28 '15 at 03:14
  • Are you sure you can't pay them with an international credit card or something like PayPal? I may understand the need to contact them directly for shipping out of USA, but that's not really an excuse to not accept credit card payments; you have many ways to accept international credit cards regardless of where you are shipping – Freedo May 28 '15 at 03:22
  • I am paying with a normal (international?) Visa card. They are processing the card directly, in the same way that a waiter would if he took your card at a restaurant. – sixtyfootersdude May 28 '15 at 19:50