Breach Exposes 19,000 Active US, UK Credit Cards
Posted by timothy on Fri Mar 20, 2009 04:12 AM
from the need-two-part-authentication dept.
pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
Cashless Society (Score:5, Interesting)
It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.
I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.
The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.
Re:Cashless Society (Score:5, Insightful)
Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.
People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).
I for one sincerely hope we never have a cashless society.
Re:Cashless Society (Score:4, Insightful)
People will not give up their cash without a fight,
Oh I don't know. I think it's pretty much down to culture that one.
I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.
Japan, on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc., and it turns up at your door, THEN you hand over the cash.
Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.
Re: (Score:3, Interesting)
Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swiped the card through the reader, checked the sums, entered my password and it was done.
Debit cards are much safer -- you'll always need to enter the password to draw money from your account.
Re: (Score:3, Insightful)
Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus wh
Re: (Score:3, Informative)
The loss didn't come from VISA's wallet either, it is the merchant that got stiffed. Credit card companies are completely unaccountable, despite charging through the nose for their services. It's right there in the contract everybody has to sign to deal with them...
Re: (Score:2)
Well, the U.N. and some Russian dude recently called for a global currency, if such a thing were to happen it would likely become cashless. I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.
I remember hearing about a particular African country that had already gone cashless, that tourists basically changed money in for an ATM card at the airport, but couldn't find any references to it, just something about Nigeria moving towards a cashless society: h [africanews.com]
Re: (Score:2, Funny)
I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.
Yeah, it's in the imaginations of people who buy financial instruments like stocks and bonds.
Re: (Score:2)
Sounds like a "gold standard" argument.... The best standard of all is: absolutely anything. You can use gold, lead, or bananas if you want. And people do -- it's called a futures market.
Basing all of your wealth on bananas might sound silly, but there are doubtlessly people who have made millions doing just that. Fruit, gold, and "trust"
Re: (Score:2)
I'm pretty tired, and believe it or not, I misread "cashless" as "cacheless" anyway...
That was a joke! (Score:2)
Seriously though, caches are good. Worrying about credit card numbers being cached is as bad as promoting security through obscurity. We should be moving to a system that doesn't rely on "secret numbers," but instead makes use of multiple factors from the time-tested triumvirate of "something you have," "something you know," and "something you are." Something you know alone just isn't good enough for this day and age.
Google is just doing what Google does.
Re: (Score:2)
That would be nice.
How many times have we read passionate arguments that "nobody should be in prison for non-violent crimes!"
Remember this story the next time you see those stupid posts modded +5 insightful.
Re: (Score:2)
Hey!! I have a great Idea for that secondary verification system!
The credit card companies just need to give the credit card holders little, colourful pieces of paper with currency amounts printed on them. When someone makes a monetary transaction with the credit card, they also have to hand over the right amount of those pieces of paper!
Ehhhhh.... Waitaminute .....
Re: (Score:3, Interesting)
Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statements, etc).
Currently, credit cards are absolutely insecure.
Shoot the messenger! (Score:5, Insightful)
It's not a problem with the idiot sites that let unprotected critical information out on a publicly accessible net and in addition omitted to place a well placed robots.txt, no...
IT'S GOOGLE'S FAULT!!!
Re:Shoot the messenger! (Score:5, Funny)
Google should take SOME blame.
I held a robots.txt poster up at my window and google streetmap still photographed it.
Re: (Score:2)
I don't think that the streetview camera car is actually a robot, so of course that wouldn't work.
er what (Score:5, Insightful)
How is putting all your customers' credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?
Re: (Score:3, Interesting)
For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.
Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every
Whirlpool thread (Score:3, Informative)
This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however:
http://forums.whirlpool.net.au/forum-alert.cfm?a=priv-deleted&t=1165021&v=0 [whirlpool.net.au]
Re:Whirlpool thread (Score:4, Interesting)
Ironically, the Whirlpool page is still available in the google cache [74.125.95.132] of the thread.
What I want to know is why the CVV numbers [nasa.gov] were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS) [visa.com].
Who are the lucky ones? (Score:4, Insightful)
Re: (Score:2)
But google for it WITH quotes, or you get a heart attack when you see the "Results 1 - 10 of about 2,000,000" that gets returned when you Google without quotes.
Re: (Score:3, Funny)
Fool me seven times, shame on you. Fool me eight or more times, shame on me.
I hardly think there's an issue with Google. (Score:5, Insightful)
> The cause appears to be a known issue with the Google search engine
More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.
Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.
Misplacing blame on google (Score:5, Insightful)
From both the article and the summary re:
The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone
This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).
Insisting on search engines removing this information from their indexes and removing it from their caches is just sweeping the problem under the rug: you or I taking a quick peek on the internet to see if our credit-card information has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.
*tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.
Exactly (Score:2)
Internet Finance (Score:4, Interesting)
The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).
Re:Internet Finance (Score:5, Interesting)
Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.
Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...
Re: (Score:2)
See here [bbc.co.uk]
Call centres are manned by people, who can write down anything you say.
Re:Internet Finance (Score:5, Insightful)
But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets laying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.
Also larger retail stores feed your numbers into "complex automated software". Think TJ Maxx, who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.
I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place
Can some American please explain to me... (Score:5, Insightful)
...why anyone would use a payment system, with no safety at all?
What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...
Is that really how it works? Because if yes, then why in the word does anyone even consider using something like that?
I'd rather go back to bartering goods, than something like that.
When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)
Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)
Or is it, because you have not much of a choice?
Please do not see this as a rant (it isn't one), because I really am interested in understanding this.
Re:Can some American please explain to me... (Score:5, Informative)
In the UK at least, your transactions are guaranteed by the credit card company. So it's often actually recommended that you purchase things online with a credit card, because if you get ripped off, the goods are defective, or the merchant goes bankrupt etc, the card company has to refund you. This is enshrined in law under the Consumer Credit Act. On the other hand, if you pay with a debit card or other direct payment, your money is gone.
Re:Can some American please explain to me... (Score:4, Informative)
I'm not American - and I wonder about the OP's premise as I thought most countries had moved (or were moving) to PIN numbers rather than signatures to verify in-store transactions.
Regardless, credit cards are very safe for Europeans because of the extra protection they provide to consumers.
In Ireland as well as the UK - and most other European countries - there is a version of the Consumer Credit Act. It treats all purchases on the card as, unsurprisingly, a type of credit agreement. This is a very powerful and pro-Consumer thing, providing lots of protection for any who cares to look into it, e.g. chargeback.
True, a lot of these 'safeties' were introduced in an attempt to make the cards more secure - don't forget the premise of credit cards has been around for many, many decades and, during that time, the type of fraud perpetrated against credit card users has become more and more complex.
It's also well documented that Germans (culturally/in general) have an aversion to credit cards for a number of reasons; from 'all credit is borrowing - and borrowing is bad' (note the low rate of borrowing in Germany) to a series of pre-existing methods of paying for goods and services easily at a distance (e.g. in Germany, there is the long standing inter-bank transfer system; very cheap and secure to use inside the borders of Germany but, until very recently, was astronomically expensive for anyone in another country to transfer money to).
So why do I use a credit card? A large number of international traders accept credit cards, it doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card. I suspect it's the same for Americans and most people who use credit cards. Having the advantage of being European, I also have a lot of legally enforceable extra protections in the Consumer Credit Act that I'm not sure Americans have.
I also do use bank transfers to pay for stuff. Usually only to Germany because Germany is one country where their banks are pretty secure. And only in recent years - because, thanks to an EU Directive, the astronomical cost of transferring money across borders to another member state of the Eurozone has plummeted (note: UK not member of Eurozone, so a UK consumer could still face high charges).
I also have the protections of the Distance Selling Regulations when buying from Germany, but I would never transfer money via bank account outside of Europe.
As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.
Debit cards don't seem to be standardised internationally - or even across the EU - so are not really viable as a payment method.
Re: (Score:3, Informative)
In America, if your card is used fraudulently you are only liable (by Federal law) for the first $50 and even that is waived by all of the major credit card companies. Debit cards have no such protection enshrined in Federal law. Many banks have started to offer similar protections on their debit cards, but you would be dealing with bank policy as opposed to Federal law.
It's Google's fault (Score:3, Insightful)
And the Watergate was Washington Post's fault!
known issue in Google (Score:3, Insightful)
What the FUCK?
There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?
Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.
whirlpool discussion thread (Score:5, Funny)
ITNews links to a discussion thread at whirlpool.net.au which has been deleted because it is "handled by the authorities".
And again it is a known issue of Google which reveals the deleted thread: http://209.85.229.132/search?q=cache:uf9L_DtjAzYJ:forums.whirlpool.net.au/forum-replies-archive.cfm/1165021.html+http://forums.whirlpool.net.au/forum-replies.cfm%3Ft%3D1165021&cd=1&hl=en&ct=clnk [209.85.229.132]
- Martin ;-)
Google Fault? needs a car analogy (Score:4, Interesting)
$MORON is driving on the highway with 0 driving experience, except that $MORON is good at the video game Need for Speed: High Stakes on the PlayStation.
$MORON suddenly crashes into $OTHER_CAR, who's driving at 65 mph. This is $OTHER_CAR'S FAULT for not knowing that $MORON was completing a RACE, here.
Just like Google is doing what it's designed to do, $OTHER_CAR is doing what it's meant to do.
The only problem is that this moronic IT staff didn't do their job to secure the information, just like $MORON can't drive for shit.
Stop always blaming other people for your incompetence, please. AIG is already overstaffed for that.
Problem with google? (Score:3, Insightful)
Isn't it more a problem with websites that allow a spider to read what should be a secure directory?
CC #'s in Google Search Cache? (Score:3, Insightful)
Just out of curiosity, how was Google's Crawler allowed to FIND the information in the first place to put it in the cache?
You don't suppose that maybe the problem is in the ORIGINAL server allowing too much access, do you?
Google just "remembers" your mistake for a LONG time.
Re:PCI DSS (Score:4, Insightful)
What, now Google is meant not to index pages which have card data on them? How exactly is that even possible?
You can bet your boots that Google Checkout is PCI DSS-compliant.
Re:PCI DSS (Score:4, Insightful)
Oops, you just killed a valid webpage:
http://www.merriampark.com/anatomycc.htm [merriampark.com]
*grumble* trigger-happy regexp jockeys *grumble*
Re: (Score:2, Interesting)
Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.
No: 5434 6625 8876 1272
CVV: 854
Exp 09/12
So how would slashdot know if that post contains valid card info or not?
Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.
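As an added example (not code from the page or any of its posters), here is the defender-side check a site would run over its own web root, /tmp dumps or cached pages to answer the question above, and the PA-DSS point raised in the Whirlpool reply: a bare regex flags every 16-digit order or phone number (the "trigger-happy regexp jockeys" problem), a Luhn check rejects those, and a valid PAN sitting next to a CVV and expiry is what turns a leak into stored sensitive authentication data. The sample page and phone number are constructed; the 4111... PAN is the widely published Visa test number.

```python
"""Scan text (a cached page, a /tmp dump, a forum post) for card data that
a merchant should never be storing.  Candidate 13-19 digit runs are checked
with the Luhn checksum so order numbers and phone numbers are not flagged,
and the report masks the PAN (first 6 + last 4) so the finding itself does
not become another copy of the card number."""
import re

# Digit run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
_PAN_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# Sensitive authentication data: CVV/CVC and expiry next to the PAN.
_CVV_RE = re.compile(r"\bCV[VC]2?\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)
_EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (luhn_valid_pans, number_of_rejected_candidates)."""
    valid, rejected = [], 0
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            valid.append(digits)
        else:
            rejected += 1
    return valid, rejected


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four, the form PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> dict:
    pans, rejected = find_pans(text)
    cvv = bool(_CVV_RE.search(text))
    if pans and cvv:
        severity = "sensitive authentication data stored"
    elif pans:
        severity = "cardholder data stored"
    else:
        severity = "clean"
    return {
        "pans": [mask_pan(p) for p in pans],
        "rejected_candidates": rejected,
        "cvv_present": cvv,
        "expiry_present": bool(_EXPIRY_RE.search(text)),
        "severity": severity,
    }


# Constructed sample of a cached order-confirmation page.
SAMPLE_PAGE = """Order #1234 5678 9012 3456 confirmed. Thanks for shopping!
Card: 4111 1111 1111 1111  Exp: 09/12  CVV: 123
Call us on 0044 20 7946 0958 with any questions."""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```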
Re: (Score:2)
Cheers for the Phenom 2 :)
Re: (Score:2)
Damn you, sir! You win this round...