Safe Methods for Transmitting Sensitive Data: Info Security

[ehrenfest]

Which of the following means of communications is it safe to transmit sensitive data such as a credit card number or a social security number through:

1) cell phone
2) landline phone
3) fax
4) snail mail

?
I have been trying to use google to get an answer to this question, but that did not seem to be working. I found a lot of people writing about the http://en.wikipedia.org/wiki/PCI_DSS" , but I couldn't really find any definitive answer to the question I asked above.

 

[Gokul43201]

5) email + PGP

 

[JaredJames]

Which of the following means of communications is it safe to transmit sensitive data such as a credit card number or a social security number through:

1) cell phone
2) landline phone
3) fax
4) snail mail

?
I have been trying to use google to get an answer to this question, but that did not seem to be working. I found a lot of people writing about the http://en.wikipedia.org/wiki/PCI_DSS" , but I couldn't really find any definitive answer to the question I asked above.

Well landlines can be bugged, snail mail can be intercepted. Cell phones and fax, not sure, can they have their messages intercepted?
I suppose with fax, anyone could see it when the details come out the other side. With landline, you have to trust the person you are giving the details to not to write them down for use later. Cell phones in relation to a phone call would be the same but SMS, not sure.

I suppose the key would be in something encrypted via email as pointed out above would be the best.

If you insist on using snail mail or fax, there's always an enigma machine, doubt many people keep decoders for them around. Definitely give you an advantage there.

 

[russ_watters]

Cell phones are the safest. Their signals are encrypted.

 

[junglebeast]

Which of the following means of communications is it safe to transmit sensitive data such as a credit card number or a social security number through:

1) cell phone
2) landline phone
3) fax
4) snail mail

?
I have been trying to use google to get an answer to this question, but that did not seem to be working. I found a lot of people writing about the http://en.wikipedia.org/wiki/PCI_DSS" , but I couldn't really find any definitive answer to the question I asked above.

There's nothing inherently more secure about any of these methods of communication. You can do encryption on any of them if you want...and when you do encryption, that doesn't guarantee security anyway...because there is usually possibility of man in the middle or other exploits.

When you purchase goods from a store, be it in person, online, or on the telephone, they have access to your credit card number and identity and could impersonate you if they wanted to.

 

[Moonbear]

I think people have a false sense of security if they think any method is secure. All of those methods depend on the honesty of the person at the other end receiving the information. It's also not worth being paranoid about. I had a credit card number stolen several years ago, and it wasn't too difficult sorting through the charges and getting them removed. The credit card company flagged it when it appeared I was making charges in two countries at once and locked the account before too much damage was done. That made it easy to file the reports sorting out which were legitimate charges and which were the fraudulent ones.

 

[NeoDevin]

I think people have a false sense of security if they think any method is secure. All of those methods depend on the honesty of the person at the other end receiving the information. It's also not worth being paranoid about. I had a credit card number stolen several years ago, and it wasn't too difficult sorting through the charges and getting them removed. The credit card company flagged it when it appeared I was making charges in two countries at once and locked the account before too much damage was done. That made it easy to file the reports sorting out which were legitimate charges and which were the fraudulent ones.

The bigger problems happen when someone decides to steal your identity. That can take a lot more work to sort out than just someone stealing your number.

 

[chroot]

None of the communications channels you've mentioned are inherently secure, and only one includes any form of intentional security: the cell phone.

Cell phone traffic on modern networks is unbreakable for people who do not have access to expensive cellular phone basestation equipment -- a much larger investment than a common criminal could hope to recoup via fraud. Spread-spectrum frequency hopping, channel coding, and encryption make it a pretty secure system from pretty much everyone except the people who work for the cell phone companies and the government. If your security needs are so great that you need secrecy from the government, though, cell phones will not provide that.

Fax transmissions are no more secure than ordinary land-line phone calls. There is absolutely no security involved in fax transmission, just modulation and demodulation. Anyone who can tap your land-line can snoop on your fax traffic.

The Enigma machine is so simple that any modern PC can break it in a fraction of a second. It was only secure in an era of vastly simpler computational devices.

Gokul's suggestion is probably the best one. PGP provides security that can be strong enough to provide secrecy against the world's largest governments. It produces printable (text) output, which could be read aloud over the phone, sent through snail mail, or even published in the New York Times with absolutely no loss of security.

- Warren

 

[JaredJames]

Just a note, the enigma comment I made wasn't meant as a serious one. It happened to be the only code I could think of when writing the post.

 

[Ouabache]

Gokul's suggestion is probably the best one. PGP provides security that can be strong enough to provide secrecy against the world's largest governments.

It's ironic, the inspiration for naming this software, came from a little town that time forgot and the decades cannot improve. (somewhere in Mist County I believe).

 

[TheStatutoryApe]

As already pointed out your primary worry is concerning the people on the other end. I'm fairly certain that the vast majority of personal information gained and used illegally is appropriated by the persons working for the businesses that are receiving the information. Unless you are a person of note whom others may want to target for information theft the likelihood that someone will go through the trouble of intercepting yours is incredibly slim.
I think really the biggest risk to your information comes from malware that you or the business you are dealing with may have picked up somewhere.

 

[ehrenfest]

Let's say someone gets my credit card number and uses it to make expensive purchases. If I can prove that I did not make these purchases, do I still have to pay the charges? I think I don't, but then does the credit card company have to pay the business at which the purchases where made? If the credit card thieves are caught, then they are the ones that probably have to pay, but if they are not, I am wondering who has to take the loss. Moonbear, can you say in more detail what happened in your case.

 

[JaredJames]

No you wouldn't, I would assume the CC company has insurance for those sorts of things. Makes sense.

I say this because if you book a flight with a Credit Card (not a Debit Card), and the airline goes bust or something awful like that, you can get a refund straight away from your Credit Card company and then they deal with it.

 

[coverme]

Cell phones are the safest. Their signals are encrypted.

Can i ask a question please,nowaays mobile hacking software are also available ,are they are very effective

 

[Blenton]

I wouldn't have thought mobiles were that secure either. How is it not easy to see what encryption the mobile phone actually uses and then decode it. I guess signals from the relay towers would be a different case tho.

 

[mgb_phys]

Can i ask a question please,nowaays mobile hacking software are also available ,are they are very effective

The encryption on a GSM phone can be broken by custom hardware on a PC. But not quite in real time and the phone switches frequencies regularly, the new frequency being encrypted. It is possible to reconstruct a GSM call if you were able to record the traffic for all bands and then later decrypt and stitch together the calls.This has been demonstrated in the lab but I don't know of any reports of doing it in the field.

Another method is to partly jam the base station, the GSM protocol can switch into a low signal unencrypted mode as a last resort.

A bigger risk on a modern phone is that it is really a computer running all sorts of software, viruses that cause the phone to relay all your calls to another number or allow another phone to listen in on all your calls have been demonstrated.

 

[Moonbear]

Let's say someone gets my credit card number and uses it to make expensive purchases. If I can prove that I did not make these purchases, do I still have to pay the charges? I think I don't, but then does the credit card company have to pay the business at which the purchases where made? If the credit card thieves are caught, then they are the ones that probably have to pay, but if they are not, I am wondering who has to take the loss. Moonbear, can you say in more detail what happened in your case.

No, you're not responsible for paying for fraudulent uses of your card. If you know a card is missing and didn't report it (i.e., they physically have your card rather than having counterfeited one using your number), the CC company may specify some amount you would be responsible for paying...check your CC agreement.

I don't know who takes the loss for certain, just that it wasn't me. I think it may be the retailer since the CC company would probably withhold payment from them when they are notified the purchase is fraudulent. It's basically a theft loss from whoever accepted the card number, the same as if someone had shoplifted or paid with a bad check if they use a counterfeit card.

 

[Office_Shredder]

I don't know who takes the loss for certain, just that it wasn't me. I think it may be the retailer since the CC company would probably withhold payment from them when they are notified the purchase is fraudulent. It's basically a theft loss from whoever accepted the card number, the same as if someone had shoplifted or paid with a bad check if they use a counterfeit card.

In the US the credit card company takes the hit. In the UK the retailer takes the hit. I don't know about anywhere else

 

[Hootenanny]

I wouldn't have thought mobiles were that secure either. How is it not easy to see what encryption the mobile phone actually uses and then decode it. I guess signals from the relay towers would be a different case tho.

Just because you know which encryption algorithm is in use, doesn't mean that it is easy to break it. In fact, an encryption algorithm that could be broken simply by knowing how it works wouldn't be a very good algorithm now would it?

 

[mgb_phys]

I wouldn't have thought mobiles were that secure either. How is it not easy to see what encryption the mobile phone actually uses and then decode it.

As Hootenay says the encryption technique is well known (http://en.wikipedia.org/wiki/A5/1) it also quite a weak system, partly because the last 10bits of of the 64bit key are turned off.
Part of the security comes from the way that the call continually hops frequencies, the phone and the base station agree in code which frequency to change to, so you only have a brief window of data to get a key from unless you can record all the bands.

 

[neu]

Send 1/4 of the message via each meduim

 

[Office_Shredder]

Tomorrow night, break into the NY Times printing press. Bring a floppy disk, an 8 1/2 by 11 inch manila envelope, a blue ballpoint pen and a pen that writes with invisible ink. In an envelope I have given the janitor of your workplace to leave in your desk, I've left the cell phone number of a security guard at the building. Call him at 9:12pm. He'll let you into the building. Go to office number 3 on the second floor. There will be a key in the door. Remove this key, and move to office number 12 on the fourth floor. The key will open the door here.

Enter and on the computer screen on the desk in the room will be a block of code and a space for you to type a message. Enter your message then hit re-encrypt. A string of numbers will then pop up. On the inside of the envelope with the invisible ink write down these numbers. Then go to File - Publish. This will create an electronic copy of the paper for the press to print. A USB drive has been inserted in this computer already, and has been acting as both RAM and memory storage for you. Remove the USB drive and turn the computer off. This ensures no trace of your message is left on the computer. Take a piece of official NY Times letterhead and the USB drive down to the basement, and put the USB drive into the master server. You will then be able to change the next day's paper to be sixteen hundred different encoded messages.

On the NY Times letterhead write an innocent sounding message such as 'hope you're having a good time on vacation' or some other nonsense. Address the envelope to PO Box 934, New York New York. Place the envelope in the outgoing mailbox at the NY Times. Dispose of the pen in an evidence removing manner. Nobody will know to intercept this piece of mail, and if they do somehow they will not find the real message on the inside of the envelope. Your counterpart will pick up a copy of the paper, and the mail once it is delivered, and using the key you wrote on the envelope will decrypt your message and know which of the messages in the paper is yours.

This is the most secure method

 

[Moonbear]

I see Office_Shredder is starting the campaign for funniest member early this year. *cues Mission Impossible theme music*