Ask HN: How bad is it to send Tax ID via plain text email?
2 points by chill1 on Dec 20, 2012 | 1 comment
I recently received an email from Braintree Payments to verify my merchant information. They need to get the correct information for tax purposes; I get it.

I was dismayed to see my Tax ID and Legal Name next to each other in a plain text email.

I am a developer, but I do not have a lot of knowledge in the area of computer networking. So I am not 100% sure of the implications of sending sensitive information via plain text email.

How bad is this?

It's bad but not tragic. If your mailserver and theirs are both set up to use TLS connections by default, it's likely that your data was not available in plaintext on a public network. However, the problem with opportunistic encryption is that while most service providers do set up their systems like that, it's not guaranteed.

Still, I'm mildly surprised that Braintree is not following the 'secure administrative login' pattern that most banks use for that type of account management information, since that reduces the risk exposure.

TL;DR: they should make you log in to their HTTPS website.
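
Added example (not part of the original thread or of the reply above): one way to check after the fact which hops of a received message were carried over TLS, by reading its `Received` headers. The sample message, hostnames and ids are constructed, and the TLS markers it looks for are assumptions: the RFC 3848 / RFC 6531 `with` keywords plus the `version=TLS` and `using TLS` comments that some servers write.

```python
import email
import re

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message: hostnames, addresses and ids are made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
 by mailstore.recipient.example with ESMTPS id abc123
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256); Thu, 20 Dec 2012 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTP id def456; Thu, 20 Dec 2012 10:00:02 +0000
Received: from app.sender.example (app.sender.example [10.0.0.5])
 by out.sender.example with ESMTPS id ghi789; Thu, 20 Dec 2012 10:00:01 +0000
From: billing@sender.example
Subject: Verify your merchant information

(body omitted)
"""

def strip_comments(text):
    """Remove parenthesised comments, including nested ones."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", "", text)
    return text

def clause(keyword, text):
    """Return the token after 'from', 'by' or 'with', or '?' if absent."""
    m = re.search(rf"\b{keyword}\s+([^\s;]+)", text, re.I)
    return m.group(1) if m else "?"

def hop_report(raw_message):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    msg = email.message_from_string(raw_message)
    report = []
    # Each server prepends its header, so reverse to follow the delivery path.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())   # unfold continuation lines
        bare = strip_comments(flat)      # comments may contain the word "with"
        proto = clause("with", bare).upper()
        used_tls = proto in TLS_PROTOCOLS or bool(
            re.search(r"version=TLS|using TLS", flat, re.I))
        report.append((clause("from", bare), clause("by", bare), proto, used_tls))
    return report

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Only the `Received` headers added by your own provider's servers can be trusted; earlier ones are written by upstream hosts and may be wrong or forged.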

