Breach Exposes 19,000 Active US, UK Credit Cards
pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
Cashless Society (Score:5, Interesting)
It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.
I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.
The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.
Re:Cashless Society (Score:1, Interesting)
All credit card security is bullshit.
The credit card system is built wrong from the ground up, and we'll be applying patches for ever.
What is good for people is e-cash grounded in sound cryptographic principles. This isn't good for governments though, so it will never ever happen.
Re:I hardly think there's an issue with Google. (Score:5, Interesting)
Internet Finance (Score:4, Interesting)
The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).
Re:PCI DSS (Score:2, Interesting)
Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.
No: 5434 6625 8876 1272
CVV: 854
Exp 09/12
So how would slashdot know if that post contains valid card info or not?
Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.
Re:Internet Finance (Score:5, Interesting)
Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.
Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...
Re:Can some American please explain to me... (Score:1, Interesting)
Re:Cashless Society (Score:3, Interesting)
Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statements, etc.).
Currently, credit cards are absolutely insecure.
Comment removed (Score:4, Interesting)
Re:Whirlpool thread (Score:4, Interesting)
Ironically, the Whirlpool page is still available in the Google cache [74.125.95.132] of the thread.
What I want to know is why the CVV numbers [nasa.gov] were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS) [visa.com].
Re:er what (Score:3, Interesting)
For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.
Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every month.
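The shared-/tmp exposure described in the comment above, as an added example that is not part of the original thread: it writes a receipt the way the comment describes (predictable name, world-readable), writes the same receipt with `tempfile.mkstemp` (random name, mode 0600), and audits the directory for files any local account can read. The function names, the file naming scheme and the sample receipt are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_receipt_insecure(directory, order_id, html):
    """Pattern from the comment: predictable name, readable by every account."""
    path = os.path.join(directory, f"receipt_{order_id}.html")
    with open(path, "w") as fh:
        fh.write(html)
    os.chmod(path, 0o644)  # what a typical 022 umask leaves behind
    return path


def write_receipt_private(directory, html):
    """mkstemp opens with O_EXCL, a random name and mode 0600 (owner only)."""
    fd, path = tempfile.mkstemp(prefix="receipt_", suffix=".html", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(html)
    return path


def world_readable_files(directory):
    """Audit: regular files in `directory` that carry the other-read bit."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            found.append(entry.path)
    return sorted(found)


def demo():
    # Constructed sample data; the temporary directory stands in for a shared /tmp.
    sample = "<p>Order paid with card ending 0000</p>"
    with tempfile.TemporaryDirectory() as shared:
        bad = write_receipt_insecure(shared, 1001, sample)
        good = write_receipt_private(shared, sample)
        good_mode = stat.S_IMODE(os.stat(good).st_mode)
        exposed = [os.path.basename(p) for p in world_readable_files(shared)]
        return os.path.basename(bad), good_mode, exposed


if __name__ == "__main__":
    print(demo())
```

Restrictive permissions only limit who on the shared host can read the file; they do not make it acceptable to write card data to disk in the first place.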
Re:Cashless Society (Score:3, Interesting)
Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.
Debit cards are much safer -- you'll always need to enter the password to draw money from your account.