
Ask HN: Is it safe to send credit card details via email (as WireX does)? - FabHK
I recently signed up to WireX, a digital wallet/banking platform, based in London, that offers debit cards (virtual and plastic). They sent me the complete credit card details for my virtual VISA card (name, number, expiry, CCV) via normal unencrypted email (at my domain, not gmail to gmail or so), which I would still think to be somewhat of a no-no.

I understand that password resets often go to your email. But is it really considered best practice (or even just defensible) to send credit card details by email?

Edit to add: Website: https://wirexapp.com
======
conorgil145
An email is like a postcard and every server which traffics it can read the
full contents. The CC details are static and will not change once you receive
them, so it is in effect sending the CC details to all MX servers that traffic
the email and anyone that reads it can use your CC for anything they want. I
would consider it an enormous glaring security issue.

------
mattbgates
If I was personally in charge of the app, I wouldn't deem it safe at all. I
would have written an area to either be copied once, or a password-protected
area, so it can be retrieved via the website. I had a client. I asked her
for her PayPal email address so I could link her website and PayPal together
so she can start making money on her products. She sent me all of her bank
information. I warned her that she should not do that. Should my email or hers
ever be hacked, or if I was someone who happened to be a scammer, she could
have been out her entire savings. I have since deleted the email. There are
just some things you don't do. And the last thing I want is her bank account
information in my email. I've never had issues with my email being hacked, but
I wouldn't want to be responsible IF anything ever did happen.

It reminds me of those websites that send you your password directly without
encryption or anything. I also make it a point to send a user, who forgot
their password, an actual link to reset their password through the website. If
they forgot their old password, they must have not wanted to remember it, and
it is technically not our responsibility to remember their exact password. Of
course, I could probably get the system to send them their unencrypted
password, but I think it is unsafe practice. Instead, I just send a link that
takes them to a page where they can change it completely.

As far as personal information, that stays within my https website, either in
invoices stored on the website or a single printable page that shows the
transaction occurred. A person can easily save it or email it to themselves
[at a later time], but that is an option I provide in which they are
responsible for the information in their email now, because they personally
had to click a button to have it sent there, rather than me automating
important personal information to their email.

My responsibility is to provide the product and make sure it works for my
clients. As far as payments go, I put that on a payment processor and I never
save that information, so in essence, the most information I have is: account
information and the fact that a transaction took place. The best way
to increase your security is by keeping minimal information and simply not
having to be the one fully responsible for it at all.

------
galdosdi
Password resets are not as bad because the reset code is only useful very
briefly, and then becomes useless.

Don't use this startup's products, not now, not ever. They've already revealed
their true colors as obviously not just not caring, but not even really having
the capacity to think about security, which is even worse. And they're a
financial/banking startup! Geez.
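
Added example, not part of any comment in this thread: a sketch of the single-use, short-lived link token that the reset-link and "copied once" comments above describe, so that the email carries only an opaque value that stops working after one use or a short time. The class name, the 15-minute lifetime and the account id are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread only says "very briefly"


class OneTimeLinkStore:
    """Issues single-use, short-lived tokens for a reset or retrieval link."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id):
        # A new request invalidates any earlier outstanding token for the account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != account_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (account_id, expires_at)
        return token  # only this opaque value goes into the emailed link

    def redeem(self, token):
        # pop() consumes the token on first presentation, valid or expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        account_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return account_id


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    store = OneTimeLinkStore(clock=lambda: now[0])
    first_token = store.issue("acct-42")  # constructed account id
    first = store.redeem(first_token)     # accepted once
    replay = store.redeem(first_token)    # same link again: rejected
    second_token = store.issue("acct-42")
    now[0] += TOKEN_TTL_SECONDS + 1
    late = store.redeem(second_token)     # past its lifetime: rejected
    return first, replay, late
```

Anyone who reads the email later, or a server that relayed it, gets a value that has already been consumed or has expired, unlike static card details.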

~~~
catdog
In itself it's probably not that catastrophic because the likelihood of that
mail actually falling in the wrong hands may still be small enough to fit
inside the risk model of credit cards which regularly puts convenience over
security. Though it's easy to do it better without trading much convenience so
I agree this is a sign that they probably don't do much better where it
absolutely matters, stay away.

------
jaclaz
The card is issued by a "licensed electronic money institution" in Gibraltar:

>© 2016 Wirex Limited (CRN 09334596) 25 Old Broad Street, London, EC2N 1HN,
UK.

The card is issued by Wave Crest Holdings Limited, a licensed electronic money
institution by the Financial Services Commission, Gibraltar.

Site:

[http://www.wavecrest.gi/](http://www.wavecrest.gi/)

More info here:

[http://www.wavecrest.gi/about-2/](http://www.wavecrest.gi/about-2/)

[http://www.wavecrest.gi/platform/fraudrisk-management/](http://www.wavecrest.gi/platform/fraudrisk-management/)

Maybe the mail was pass-through?

~~~
donalhunt
[https://help.wirexapp.com/hc/en-us/articles/211943665-Is-Wir...](https://help.wirexapp.com/hc/en-us/articles/211943665-Is-Wirex-card-Visa-or-MasterCard-)

Wirex card is Visa.

Please mind that:

- All cards ordered prior Dec 22, 2015 are Visa (both virtual and plastic).

- All cards ordered in the period from Dec 22, 2015 to Feb 10, 2016 are
MasterCard (both virtual and plastic).

- Cards ordered between Feb 10, 2016 and Apr 15, 2017 are Visa for virtual
and MasterCard for plastic.

- All cards ordered after Apr 15, 2017 are Visa (both virtual and plastic).

------
fgrimes
Same old story. I worked on a project last year for a company with a startup
client that aggregated buying from name-brand retailers for consumers.

The personal shoppers were sending customer purchase data--credit card, name
and address details--through email, and those emails were being stored
(somewhat unconventionally) in a major customer support platform.

------
afarrell
Does this fall afoul of any regulations from the UK's Financial Conduct
Authority? [https://www.fca.org.uk/firms/financial-crime/data-security](https://www.fca.org.uk/firms/financial-crime/data-security)

------
smt88
No.

------
tinus_hn
They are not supposed to even store the ccv and certainly can't send it
anywhere without encryption. Report them to your issuer.

~~~
stephenr
I believe they _are_ the issuer in this situation.

------
partisan
Cancel that card.

------
gtirloni
I think you know the answer :)

