Storing Credit Card Information Online or in Password Managers? How to Keep Your Information Safe
Whenever Internet users make purchases online using credit cards, the online shopping sites or payment providers suggest saving the card information.
For the user, it is a convenience feature, as future purchases no longer require typing the full credit card number and other requested data. For sites, it also binds the customer, making them more likely to use the site's services in the future. Information about Internet users is also of importance to many companies.
But the shopping sites and payment providers are not the only ones that may suggest saving the credit card information. The web browser or a password manager may also recommend that. It depends on whether the feature is supported in the browser, and on the password manager's integration and functionality.
At least some Internet users may wonder whether it is a good idea to store credit card information in a password manager, browser or online.
The case for saving credit card information
The main argument for saving credit card numbers and data is convenience. Users do not have to have their credit cards with them to make purchases once the number is saved. While some sites may request the three-digit security code as verification, it is still more convenient than before.
Password managers and browsers encrypt the data and may support additional security features, such as two-factor authentication, to protect the data. These may be preferable to physical use of a credit card in some situations.
The case against saving credit card numbers
One strong argument against saving credit card information online, in browsers or in password managers, is that these add another attack vector. Sites may get hacked, and depending on how the information is saved, it may fall into the hands of malicious actors.
Password managers do not offer 100% security either. Last year's LastPass hack showed that high security sites may get hacked, sometimes using indirect ways, and that important user data may fall into the hands of criminals.
Browsers share the issue with online password managers, especially if they sync data to the cloud. Even local password managers are affected, although they may be less exploitable because the data is not stored online.
Apart from security concerns, there are additional reasons for skipping the "save card online" prompts when they are encountered.
The first is often found when companies offer trials of applications or services. Users who sign up for a free trial may need to provide credit card information before the trial starts. The main issue here is that companies will charge the card automatically if the user does not actively end the trial. Some may like the service, but some may forget about it and subscribe for a month, year or even longer to a service that they do not want to use.
Sometimes, users may pick different payment options to have better control over the processing of payments.
A second reason is that saved payment information paves the way for impulse purchases. A study in the United States from 2019 suggests that 83% of U.S. adults have already made impulse purchases.
Lastly, a case can also be made that someone with access to the computer, smartphone or tablet may make purchases using the stored payment information.
It is recommended to avoid saving payment information only. Even though that makes online purchases a tad less convenient, it improves security and reduces the likelihood of erroneous payments and impulse purchases.
I definitely do not store Credit Card data online nor in a password manager, Bitwarden in my case.
Neither Credit Card data nor what I consider as highly confidential, i.e. online bank credentials.
Data considered as sufficiently confidential to be located anywhere but locally, encrypted, concerns relatively few topics, I have that data in mind and always accessible locally, encrypted (that decryption key itself, sort of ‘local master key’ is in my mind only).
I handle likewise @Tom, never trust the internet with very valuable information!
So true @ard. and as always the ultimate way of dealing with reality is not (or very seldom) in extremes (never/always) but within nuances (sometimes, depends) which moreover obliges to deeper analyze the contexts, the schemes, the situations.
By the way you will certainly have corrected by yourself in my above comment :
“Data considered as sufficiently confidential to be located nowhere but locally,”, “nowhere” and not “anywhere”.
Article makes a VG point. Had a situation with online retailer (LLBean). Had an account with stored CC details. Eventually deleted the card. Months later used the CC at a retail outlet. That buy showed up in the secure online purchases acct. Called, they confirmed the CC was deleted, yet they had the store buy in the online acct. How’s that I asked, their reply… oops! They also had 25 years of email and street addresses. Try getting off their mailing list.
Or try ordering at Amazon w/o a CC attached to an account. Fact, they all want your CC. If they mess up, and they all do, you have to clean it up. And they all fight you all the way. Refunds? That’s a whole other story.
PS. Am a victim of ID theft from the 90’s. Still dealing with it 24 years later.
What about the cookies my bank and paypal want to store on my pc?
Every single time I log onto my online banking site I must complete 2FA by punching in a code texted to me even though 2FA is disabled in my account settings.
You can’t contact them by email, voice only, so I have no proof, but they swear it’s not because I’m not allowing them to leave cookies and cache data behind on my PC. Bullshit!
Paypal: Every single f’ckn time I make a purchase with paypal, I’m automatically set to “Stay logged in on this device”. They email me telling me it was turned on yet again.
To turn it back off I must click a link in an email. I can’t just go to the site on my own and login to my account and do this, I must “click the link in the email” which is on the top of the list of things not to do for security reasons.
Just activate the option to auto delete them, nowadays browsers have that option without installing extension or just use incognito mode.. I think it’s not hard?
After you are done with your session go into your browser and delete those related to your concern.
And clear the ‘cache’.
For just about all browsers I’ve worked with, hold down the Shift and Ctrl keys and tap the Delete key to bring up some sort of a “clear all” dialogue.
In Firefox there are five history and two data items to toggle and five time ranges to select from.
It’s better not to but we all do it. When we sign up for streaming services like Netflix or Amazon. Some won’t even let you delete your card like Amazon does. I only use a Credit Card online to minimize the loss in case theft occurs, never a Debit card.
If someone hacks my account and steals credit card details, the bank covers any losses. I don’t lose the family fortune.
One thing about banks and any other large business is they do not absorb losses. Costs associated with covering people against fraud are passed on to other customers. In other words, everybody except the bank pays.
My bank offers a dynamic check number (CVC, CVV…). You access that via a handy phone app. Your handy phone app requires 4-digit PIN access to save you the inconvenience of memorizing your password that looks like “N%Q&Ft$fXCa&dp3sfZE!Swc6”! We all know PINs are uncrackable.
So, you use your dynamic CVC. It remains valid for 24 hours. The hacker who gains access doesn’t need to use details quickly and always waits for ages?
My bank has 2FA but only for some transactions such as adding a new payee or change your daily withdrawal limit. There is no 2FA available for an online card spend. You do get a notification after the fact. “Look, my money just went.”
Never save any financial account number info anywhere.
Your financial account info is already saved online by the banks themselves. Not much you can do.
It’s an obvious case, typical in this abusive industry, of a tiny convenience benefit coming with large drawbacks.
One of the real motivations is probably even pettier, to make us buy more while on the web, which shouldn’t be the concern of a browser developer, especially the fake ethical ones following Google on that.
As mentioned in the articles this seems like an invitation to have those numbers stolen by malicious web sites or even unintentionally as a result of browser bugs, not to mention local malware.
But there is also the question of who else gets those numbers considering that Chrome users tend to have all their data sent to Google’s servers often without even knowing so, typically through (often unsolicited) profile syncing for instance. And it’s not clear that Google would even end-to-end encrypt them, so they would have a database of those numbers in clear for a large part of the users.
It’s interesting that once again the “Google bad” problem was completely omitted from the article in spite of its obviousness in that field: it looks like they would be well-intentioned but just not very smart about balancing security vs convenience here. No, Google isn’t well-intentioned, and it’s apparently not repeated enough.
What is the issue with saving details in locally stored keepassXC?
Why the fuss? Every CC you hold is currently being stored online by the financial institution that provides your credit card now. Even worse, your Social Security number, bank account, date of birth, are all stored online, right now!
Do we trust their (banking and financial institutions holding our online info), over online Password managers like Bitwarden or 1Password?
How many times do we see T-Mobile hacked, student loan companies hacked, and so on and so forth? Compare that to how many times Bitwarden or 1Password has been hacked.