CC Numbers and email


WayneK
11-29-1999, 09:32 AM
How is email intercepted? How do hackers get Credit card Numbers from email between the server and client?

I don't need a how-to, just an explanation so I can better explain to a client that we need to get his host to install pgp, spend the money for the shopping cart or find another host.

TIA

WayneK
11-29-1999, 05:09 PM
Thanks Rich,

That is what I wanted. You explained much better than I did.

Rich
11-30-1999, 01:01 AM
Terra can probably provide a much better technical description of how this is done but I'll point out a couple "high-level" descriptions.

First, it should be noted that most credit card theft is performed by "insiders" that sell the obtained card numbers on the black market. For example, just this past week, an incident at Bloomingdale's in New York made the headlines when an employee was "double scanning" card numbers--once for the purchase and again into her Pilot with attached reader. This is not an isolated case, just one that was worthy enough for the news. This happens every day in restaurants, hotels, retail stores, and yes, on the Internet.

One method to obtain information is to listen to traffic on the network using a network "sniffer". Another, and perhaps easier, way is to just monitor the files that sit on servers as they wait to be processed. Since nearly all messaging between servers, including email, is queued, there are many servers where the email may "sit" during its transmission to its intended recipient.

Finally, there is the PC where the user stores his or her email. If the information is not encrypted, it is accessible by employees who might have access.

For your client and anyone else that has a merchant account:
Although the liability for CONSUMERS regarding credit card fraud is limited to $50, this is NOT the case for merchants. The question you should ask yourself is: if you do not take ALL reasonable and prudent measures to protect the credit card information you receive and it is determined that your "system" was the source of the fraudulent card use, might Visa, MasterCard, etc. try to hold you liable? Could you prove that you were not negligent? I would strongly encourage anyone who is currently using a system or plans to use a system that does not encrypt card numbers, to consult an attorney regarding the liabilities that they might incur. I'm sure the discussion will be very enlightening!

Hope this helps.
Rich




[This message has been edited by Rich (edited 11-29-99)]
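To make the store-and-forward point in the post above concrete, here is an added example (not part of the original thread) that reads a message's `Received` headers and lists every server that queued it, whether that hop was TLS-protected on the wire, and whether the body was readable while it sat in the queue. The sample message, host names and the function names `hops` and `exposure_report` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: hosts, addresses and queue ids are made up.
SAMPLE = """\
Received: from mx.shop-host.example (mx.shop-host.example [192.0.2.10])
\tby mail.merchant-isp.example with ESMTP id CCC333
\tfor <orders@merchant.example>; Mon, 29 Nov 1999 09:31:12 -0500
Received: from relay.shop-host.example (relay.shop-host.example [192.0.2.5])
\tby mx.shop-host.example with ESMTPS id BBB222;
\tMon, 29 Nov 1999 09:31:05 -0500
Received: from www.shop-host.example (localhost [127.0.0.1])
\tby relay.shop-host.example with SMTP id AAA111;
\tMon, 29 Nov 1999 09:31:01 -0500
From: cart@shop-host.example
To: orders@merchant.example
Subject: New order

Order details would be here.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.S | re.I)
# "with" keywords registered by RFC 3848 that indicate a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hops(raw):
    """Return the relay path oldest-first as (sender, receiver, protocol)."""
    path = []
    # Each server prepends its own Received header, so reverse for travel order.
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(header)
        if m:
            path.append((m.group(1), m.group(2), (m.group(3) or "unknown").upper()))
    return path

def exposure_report(raw):
    """One entry per server that stored the message on its way to the recipient."""
    body = message_from_string(raw).get_payload()
    # End-to-end encryption (PGP armor) is the only thing that protects queued copies.
    pgp = isinstance(body, str) and "-----BEGIN PGP MESSAGE-----" in body
    return [
        {"queued_on": receiver,
         "wire": "TLS" if proto in TLS_PROTOCOLS else "cleartext",
         "readable_in_queue": not pgp}
        for _sender, receiver, proto in hops(raw)
    ]
```

Even the one hop that used TLS still leaves a plaintext copy in that server's queue; only the PGP-armored body changes `readable_in_queue`.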