Thank you for your input. While I do agree that email is inherently not secure, in practice, we have not had a single customer complaining about a stolen code (and we have processed over a thousand deposits at the time of this writing).
If email intercept were a common practice, the interception of an MtGox code would be probably the least of my concerns. What about people resetting your password and gaining access to your MtGox account, bank account, etc. by simply requesting a "reset my password by email". How many entities use a "reset password by email" without additional check and constrains? Wouldn't you agree?
Finally, please note that we DO warn the customer (and have always done so) as seen on this example:
In any case, we have recently implemented a new membership system and will move the retrieval of codes behind a password protected area.
Once you payment is made, AurumXchange will send you the USD MtGox code within seconds.
If I understand the process correctly, that last step in the process concerns me. Mt. Gox codes are redeemable by the bearer. Is AurumXChange seriously sending the Mt. Gox code through e-mail?
E-mail messages are transmitted using the SMTP protocol. SMTP is not a secure method for communicating.
SMTP [RFC-821] servers and clients normally communicate in the clear over the Internet. In many cases, this communication goes through one or more router that is not controlled or trusted by either entity. Such an untrusted router might allow a third party to monitor or alter the communications between the server and client.
At some point, some unscrupulous network engineer or sysadmin at one of those router hops or a compromised system somewhere enroute is going to start filtering and capturing the mtgox codes and then redeem them. The chances of getting caught, if done properly, are likely extremely low -- any hop could have been the one where the sniffing occurred and even then the code, once redeemed, can get converted to bitcoin funds and withdrawn.
Has there ever been an AurumXChange customer that claimed that the code they received showed that it had already been redeemed? If so, it will be difficult for either AurumXChange or Mt. Gox to determine if it was the customer attempting to double spend that code or if it instead was the result of some cyber thief somewhere between AurumXChange and my open wi-fi connection at this coffee shop.
If e-mail will be the method or transferring the code then, at a minimum, the risks should be explained and I as the customer then be given the option for the message to be sent encrypted (using my PGP public key).