
Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
  • Cashless Society (Score:5, Interesting)

    by Anenome ( 1250374 ) on Friday March 20, 2009 @05:17AM (#27265981)

    It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

    I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

    The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

  • Re:Cashless Society (Score:1, Interesting)

    by Anonymous Coward on Friday March 20, 2009 @05:23AM (#27266017)

    All credit card security is bullshit.
    The credit card system is built wrong from the ground up, and we'll be applying patches for ever.

    What is good for people is e-cash grounded in sound cryptographic principles. This isn't good for governments though, so it will never ever happen.

  • by Sockatume ( 732728 ) on Friday March 20, 2009 @05:32AM (#27266059)
    From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's a staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.
  • Internet Finance (Score:4, Interesting)

    by unlametheweak ( 1102159 ) on Friday March 20, 2009 @05:41AM (#27266099)

    The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

  • Re:PCI DSS (Score:2, Interesting)

    by lurcher ( 88082 ) on Friday March 20, 2009 @05:48AM (#27266117) Homepage

    Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.

    No: 5434 6625 8876 1272
    CVV: 854
    Exp 09/12

    So how would slashdot know if that post contains valid card info or not?

    Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.

  • Re:Internet Finance (Score:5, Interesting)

    by Anonymous Coward on Friday March 20, 2009 @06:04AM (#27266171)

    Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

    Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

  • by Anonymous Coward on Friday March 20, 2009 @06:25AM (#27266245)
    I can't speak for any other countries, but I can tell you why that's not done in America. Two reasons: One, it would cost the banks money to implement such a system. That goes against their core ideals of charging us as much as possible at all times (some banks charge extra for depositing coins now). Two, Americans wouldn't stand for such "complexity". Too many of them would feel that a system like you described is incomprehensible, and they'd rather take their risks with ID theft. Sad but true.
  • Re:Cashless Society (Score:3, Interesting)

    by Cyberax ( 705495 ) on Friday March 20, 2009 @06:27AM (#27266253)

    Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

    Currently, credit cards are absolutely insecure.

  • Re:Whirlpool thread (Score:4, Interesting)

    by pallmall1 ( 882819 ) on Friday March 20, 2009 @08:43AM (#27266889)

    This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however

    Ironically, the Whirlpool page is still available in the google cache [74.125.95.132] of the thread.

    What I want to know is why the CVV numbers [nasa.gov] were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS) [visa.com].

  • Re:er what (Score:3, Interesting)

    by skeeto ( 1138903 ) on Friday March 20, 2009 @12:40PM (#27269897)

    For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.

    Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every month.
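
Added example, not part of skeeto's comment or the original thread: a Python audit for the failure described above, walking a directory for world-readable files that contain Luhn-valid card numbers and reporting them masked. The function names, the sample receipt and the test number 4111 1111 1111 1111 are constructed for illustration; `tempfile.mkstemp` is shown as the owner-only (0600) alternative on POSIX.

```python
import os
import re
import stat
import tempfile

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_exposed_pans(root: str):
    """Return [(path, masked_pan)] for world-readable files holding a Luhn-valid number."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue                 # only regular files readable by "other"
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(1_000_000)
            except OSError:
                continue
            for m in PAN_RE.finditer(text):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):          # report masked: first 6 and last 4 only
                    hits.append((path, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits

def demo():
    # Constructed sample data: a receipt written the leaky way (mode 0644) ...
    with tempfile.TemporaryDirectory() as d:
        leaky = os.path.join(d, "receipt_1.html")
        with open(leaky, "w") as fh:
            fh.write("<td>Card: 4111 1111 1111 1111</td>")
        os.chmod(leaky, 0o644)
        # ... and the same receipt via mkstemp, which creates the file as 0600
        fd, _safe = tempfile.mkstemp(suffix=".html", dir=d)
        with os.fdopen(fd, "w") as fh:
            fh.write("<td>Card: 4111 1111 1111 1111</td>")
        return [(os.path.basename(p), pan) for p, pan in find_exposed_pans(d)]
```

Only the 0644 file is reported; the `mkstemp` copy holds the same data but is skipped because other users cannot read it.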

  • Re:Cashless Society (Score:3, Interesting)

    by gzipped_tar ( 1151931 ) on Friday March 20, 2009 @12:54PM (#27270109) Journal

    Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.

    Debit cards are much safer -- you'll always need to enter the password to draw money from your account.
