Security Privacy The Almighty Buck

Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
This discussion has been archived. No new comments can be posted.

  • by phayes ( 202222 ) on Friday March 20, 2009 @05:18AM (#27265987) Homepage

    It's not a problem with the idiot sites that let unprotected critical information out on a publicly accessible net and in addition omitted to place a well placed robots.txt, no...

    IT'S GOOGLE'S FAULT!!!

  • er what (Score:5, Insightful)

    by Idimmu Xul ( 204345 ) on Friday March 20, 2009 @05:20AM (#27265993) Homepage Journal

    How is putting all your customers' credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

  • by MikeOtl67of ( 1503531 ) on Friday March 20, 2009 @05:22AM (#27266011) Homepage
    How can you know that your card was not among those?
  • by zoney_ie ( 740061 ) on Friday March 20, 2009 @05:22AM (#27266013)

    Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

    People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

    I for one sincerely hope we never have a cashless society.

  • by TractorBarry ( 788340 ) on Friday March 20, 2009 @05:24AM (#27266029) Homepage

    > The cause appears to be a known issue with the Google search engine

    More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.

    Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.

  • Re:PCI DSS (Score:4, Insightful)

    by MadMidnightBomber ( 894759 ) on Friday March 20, 2009 @05:30AM (#27266047)

    What, now Google is meant not to index pages which have card data on them? How exactly is that even possible?

    You can bet your boots that Google Checkout is PCI DSS-compliant.

  • by sakdoctor ( 1087155 ) on Friday March 20, 2009 @05:30AM (#27266049) Homepage

    > People will not give up their cash without a fight,

    Oh I don't know. I think it's pretty much down to culture that one.
    I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.

    Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

    Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.

  • by Confuse Ed ( 59383 ) <edmund&greenius,ltd,uk> on Friday March 20, 2009 @05:34AM (#27266065) Homepage

    From both the article and the summary re:

    > The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

    This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

    Insisting on search engines removing this information from their indexes and removing it from their caches is just sweeping the problem under the rug: you or I taking a quick peek on the internet to see if our credit-card information has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

    *tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

  • by Hurricane78 ( 562437 ) <deleted @ s l a s h dot.org> on Friday March 20, 2009 @06:03AM (#27266165)

    ...why anyone would use a payment system, with no safety at all?

    What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

    Is that really how it works? Because if yes, then why in the world does anyone even consider using something like that?
    I'd rather go back to bartering goods, than something like that.

    When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

    Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

    Or is it, because you have not much of a choice?

    Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

  • by Anonymous Coward on Friday March 20, 2009 @06:12AM (#27266199)

    And the Watergate was Washington Post's fault!

  • by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Friday March 20, 2009 @06:53AM (#27266347) Homepage

    What the FUCK?

    There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?

    Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.

  • by gmack ( 197796 ) <gmack@@@innerfire...net> on Friday March 20, 2009 @07:45AM (#27266545) Homepage Journal

    But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets lying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.

    Also larger retail stores feed your numbers into "complex automated software". Think TJ Maxx who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.

    I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place.

  • Re:PCI DSS (Score:4, Insightful)

    by MadMidnightBomber ( 894759 ) on Friday March 20, 2009 @07:52AM (#27266585)

    Oops, you just killed a valid webpage:
    http://www.merriampark.com/anatomycc.htm [merriampark.com]

    *grumble* trigger-happy regexp jockeys *grumble*

  • by Jane_Dozey ( 759010 ) on Friday March 20, 2009 @08:07AM (#27266667)

    Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus whatever was left over from the previous month (if the amount starts building up I just move it to savings).

    It works quite well since I know I'm not spending money that I don't have or is meant for something else and I don't have to worry about someone nicking everything I have.

    To me, walking around with a debit card with access to all of your money is like walking around with your life savings in your wallet: stupid.

    I also have a credit card on my spending account but that's just so I can boost my credit rating. That and buying things like plane tickets or any service that is at risk of not materialising is protected. In that case credit cards are indeed better.

  • by Hecatonchires ( 231908 ) on Friday March 20, 2009 @08:59AM (#27267029) Homepage

    Isn't it more a problem with websites that allow a spider to read what should be a secure directory?

  • by iceT ( 68610 ) on Friday March 20, 2009 @11:06AM (#27268571)

    Just out of curiosity, how was Google's Crawler allowed to FIND the information in the first place to put it in the cache?

    You don't suppose that maybe the problem is in the ORIGINAL server allowing too much access, do you?

    Google just "remembers" your mistake for a LONG time.
