
Breach Exposes 19,000 Active US, UK Credit Cards

Posted by timothy
from the need-two-part-authentication dept.
pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
  • Cashless Society (Score:5, Interesting)

    by Anenome (1250374) on Friday March 20, 2009 @05:17AM (#27265981)

    It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

    I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

    The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

    • by zoney_ie (740061) on Friday March 20, 2009 @05:22AM (#27266013)

      Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

      People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

      I for one sincerely hope we never have a cashless society.

      • by sakdoctor (1087155) on Friday March 20, 2009 @05:30AM (#27266049) Homepage

        People will not give up their cash without a fight,

        Oh I don't know. I think it's pretty much down to culture that one.
        I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.

        Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

        Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.

        • >>>Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.
          >>>

          It sounds like Japan is the place for me. I don't trust banks or stores enough to get a debit card, since I feel it's just like cash but more vulnerable. With a debit card a person simply needs to steal the number and empty-out your savings. I already had that happen once where a person on th

          • Re: (Score:3, Insightful)

            by Jane_Dozey (759010)

            Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus wh

            • >>>The only debit card I use is for my spending account,

              Why would I choose the more-complicated solution of managing 3 different accounts when I can choose the simple solution of not getting a debit card? Your solution makes no sense. Like driving from Philadelphia to Pittsburgh by taking a detour to Miami.

              I'd rather just stay with credit cards, that way when someone steals, they don't steal from my account - they steal from VISA's account.

              • Er...it's not a solution to the debit card problem, it's a solution to organising my money in a way that I never have to worry about spending what I don't have and gives me peace of mind. The side effect is that I can use a debit card and also not worry about being robbed blind.

                The reason for using debit over credit is that you don't put your credit at risk. Forgetting a credit card bill can damage your credit rating, even if it's just with your bank. For many people (and not just plain old irresponsible on

          • Re: (Score:3, Informative)

            by billcopc (196330)

            The loss didn't come from VISA's wallet either, it is the merchant that got stiffed. Credit card companies are completely unaccountable, despite charging through the nose for their services. It's right there in the contract everybody has to sign to deal with them...

        • by AmiMoJo (196126)

          Japan is moving towards cashless pretty fast these days.

          Aside from credit cards now being widely accepted (with no surcharges like there often used to be), there are various touchless payment systems in use (and they are mostly compatible).

          For example, I have a Suica card which I can load up with money. I can then pay for train, subway, bus and some taxi rides with it, and many convenience stores now accept it too. Around train stations, even some larger shops and restaurants accept it now. You don't even n

        • Re: (Score:3, Interesting)

          by gzipped_tar (1151931)

          Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.

          Debit cards are much safer -- you'll always need to enter the password to draw money from your account.

      • by Anenome (1250374)

        Well, the U.N. and some Russian dude recently called for a global currency, if such a thing were to happen it would likely become cashless. I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

        I remember hearing about a particular African country that had already gone cashless, that tourists basically changed money in for an ATM card at the airport, but couldn't find any references to it, just something about Nigeria moving towards a cashless society: h [africanews.com]

        • Re: (Score:2, Funny)

          I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

          Yeah, it's in the imaginations of people who buy financial instruments like stocks and bonds.

          • Stocks and bonds have value. Each piece is a portion of the value of a company, or government. Other forms of wealth include:

            - your land
            - your house, your car, your furniture, your electronics and other toys (depreciating with age)
            - oil, corn, wheat, soybeans, cattle, et cetera
            - gold, silver, and other metals

      • by Hao Wu (652581)

        People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

        Sounds like a "gold standard" argument.... The best standard of all is: absolutely anything. You can use gold, lead, or bananas if you want. And people do -- it's called a futures market.

        Basing all of your wealth on bananas might sound silly, but there are doubtlessly people who have made millions doing just that. Fruit, gold, and "trust"

      • by krou (1027572)

        People will not give up their cash without a fight? Just like people won't give up their rights without a fight, hey?

        We've already taken a giant leap towards a cashless society, with two inventions that we all love: the internet, and mobile phones.

        When I sit down and actually look at the majority of my transactions, they're already occurring electronically, via the internet. Amazon, eBay, electronic banking, booking airline tickets, booking concert tickets, supermarket shopping. That's all cashless. I would

        • Free speech, fair trial, freedom of assembly are fairly nebulous rights mainly exercised by a few radical wingnuts in the view of the "plain people", however the right to sell goods and services "off books" is something the "plain people" cherish and hold dear.

          Not to mention Drugs hookers and blackjack (or whatever that damn meme is :)

          • The last two are nebulous, but the first is obvious. *You own your body.* Anyone with an IQ of 90 or higher can understand that argument, and if you own your body you also own the things it can do, like use your brain to form an opinion. Or open your mouth and express that opinion (the right to speak).

            Oh....and don't give me the argument that speech is limited. If you're on somebody else's property, and you start shouting, they can certainly force you to leave, but they can't stop you from speaking. Yo

            • by Fred_A (10934)

              The last two are nebulous, but the first is obvious. *You own your body.*

              Living people's genes can and have been patented, so that's not as obvious as it seems.

      • by CRCulver (715279)

        People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

        It's already happened here in Finland. Almost all my purchases and bill payment is done via bank transfer or Visa Electron card. When I get cash from someone, it actually feels like a burden because there are so few bank branches where I can deposit it (many branches only do advisory things now, not teller services), and the queues there are alw

        • by xaxa (988988)

          What about small transactions? Do you pay for a loaf of bread with cash? What about two drinks in a bar? A cheap train ticket? A taxi? Entry fee for a nightclub?

          Those are the only things I use cash for (in the UK).

      • > People will not give up their cash without a fight

        We gave up our gold and silver for paper.

        "...But after all, it is the leaders of a country who determine the policy, and it's always a simple matter to drag people along whether it is a democracy or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. This is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for l

    • by gravos (912628) on Friday March 20, 2009 @05:24AM (#27266027) Homepage
      Cashless is old hat. What we really need is a cacheless society.
      • I'm pretty tired, and believe it or not, I misread "cashless" as "cacheless" anyway...

      • That was a joke! A play on words!

        Seriously though, caches are good. Worrying about credit card numbers being cached is as bad as promoting security through obscurity. We should be moving to a system that doesn't rely on "secret numbers," but instead makes use of multiple factors from the time-tested triumvirate of "something you have," "something you know," and "something you are." Something you know alone just isn't good enough for this day and age.

        Google is just doing what Google does.
      • by Samah (729132)
        Except in Australia we pronounce it "kaysh". ;)
    • by Hao Wu (652581)

      It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society.

      That would be nice.

      How many times have we read passionate arguments that "nobody should be in prison for non-violent crimes!"

      Remember this story the next time you see those stupid posts modded +5 insightful.

      • >>>"nobody should be in prison for non-violent crimes!"

        That should be - Nobody should be in prison for victimless crimes. Like smoking marijuana, or driving too fast. But someone who engages in non-violent crimes like theft, should definitely be held accountable, since they have victimized someone & infringed upon another's rights (right of property).

    • by aix tom (902140)

      Hey!! I have a great Idea for that secondary verification system!

      The credit card companies just need to give the credit card holders little, colourful, pieces of paper with currency amounts printed on them. When someone makes a monetary transaction with the credit card, they also have to hand over the right amount of those pieces of paper!

      Ehhhhh.... Waitaminute .....

    • Re: (Score:3, Interesting)

      by Cyberax (705495)

      Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

      Currently, credit cards are absolutely insecure.

      • by xaxa (988988)

        Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

        Currently, credit cards are absolutely insecure.

        Something like EMV [wikipedia.org] brings a lot of benefits. See Chip+Pin [wikipedia.org] for the UK implementation.
        When paying by card in the UK (and a lot of other countries), you must provide a PIN number. A thief can't use a stolen card in a shop or an ATM (they don't know the PIN). They might be able to use it on the internet, but when paying online my bank has a system that redirects me to the bank's site, authenticates me, then confirms the transaction to the retailer.

        Thieves can (and do) copy the card number and produce fake cards

        • One thing that concerns me about chip and pin is if a criminal does manage to get your pin (e.g. through a hidden camera or just plain old shoulder surfing) then his authentications are indistinguishable from yours.

          So if the bank were to accuse you of lying when you reported such a fraudulent transaction would have no evidence otherwise.

          • sorry that last sentence should have been

            So if the bank were to accuse you of lying when you reported such a fraudulent transaction there would be no evidence to show otherwise.

    • I am cashless already, you insensitive clod!

    • by master_p (608214)

      They will propose the chip as the solution.

    • It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

      Perhaps the solution will be similar to that in the (underrated) world of Max Headroom, where credit fraud is punishable by televised public execution. And if you like American Idle (sic.), you're going to love "You, the Jury."

  • by phayes (202222) on Friday March 20, 2009 @05:18AM (#27265987) Homepage

    It's not a problem with the idiot sites that let unprotected critical information out on a publicly accessible net and in addition omitted to place a well placed robots.txt, no...

    IT'S GOOGLE'S FAULT!!!

  • er what (Score:5, Insightful)

    by Idimmu Xul (204345) on Friday March 20, 2009 @05:20AM (#27265993) Homepage Journal

    How is putting all your customer's credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

    • by houghi (78078)

      What is the known issue? People are stupid?

      That is unfortunately not something you can change, so you should look at what you CAN change. One thing could be to first make it a law that you MUST inform people, next the company at fault should pay for all the damages themselves.
      People are not only stupid, they are greedy as well and once they see that it is bad business to do stupid things, a lot of it will solve itself.

      Will it still happen? Yes. Most likely in a very much smaller scale.

    • Re: (Score:3, Interesting)

      by skeeto (1138903)

      For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.

      Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every
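
Added example, not part of the comment above or of any site it mentions: the failure skeeto describes (a script writing post-transaction HTML into a shared, world-readable /tmp) next to a private temp-file version, plus a small audit that flags world-readable files containing Luhn-valid card numbers. The function names, the file name and the test card number are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def write_receipt_insecure(directory, name, html):
    """The pattern from the comment: predictable name, readable by every user."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(html)
    os.chmod(path, 0o644)  # explicit, so the demo does not depend on the umask
    return path


def write_receipt_private(directory, html):
    """mkstemp creates the file with O_EXCL and mode 0600: owner-only, random name."""
    fd, path = tempfile.mkstemp(prefix="receipt-", suffix=".html", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(html)
    return path


def audit_world_readable(directory, max_bytes=1 << 20):
    """Return (path, masked_number) for world-readable regular files holding a PAN."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks planted in /tmp
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # file vanished or is unreadable to the auditor
            for match in PAN_RE.finditer(data):
                digits = re.sub(rb"\D", b"", match.group()).decode()
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    # Report only the last four digits, never the full number.
                    findings.append((path, "*" * (len(digits) - 4) + digits[-4:]))
                    break
    return findings


def demo():
    # Constructed sample page; 4111 1111 1111 1111 is a well-known test number.
    html = "<html><body>Card: 4111 1111 1111 1111 CVV: 000</body></html>"
    with tempfile.TemporaryDirectory() as shared:
        bad = write_receipt_insecure(shared, "receipt-1001.html", html)
        good = write_receipt_private(shared, html)
        good_mode = stat.S_IMODE(os.stat(good).st_mode)
        found = [(os.path.basename(p), m) for p, m in audit_world_readable(shared)]
        return os.path.basename(bad), good_mode, found


if __name__ == "__main__":
    print(demo())
```
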

  • Whirlpool thread (Score:3, Informative)

    by shird (566377) on Friday March 20, 2009 @05:21AM (#27265995) Homepage Journal

    This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however:

    http://forums.whirlpool.net.au/forum-alert.cfm?a=priv-deleted&t=1165021&v=0 [whirlpool.net.au]

  • by MikeOtl67of (1503531) on Friday March 20, 2009 @05:22AM (#27266011) Homepage
    How can you know that your card was not among those?
    • Re: (Score:3, Funny)

      by Anonymous Coward
      google your credit card and CVV here, and post a link to the results here. It's the best way you can be sure your card is compromised.
      • by aix tom (902140)

        But google for it WITH quotes, or you get a heart attack when you see the "Results 1 - 10 of about 2,000,000" that gets returned when you Google without quotes.

  • by TractorBarry (788340) on Friday March 20, 2009 @05:24AM (#27266029) Homepage

    > The cause appears to be a known issue with the Google search engine

    More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.

    Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.

    • by Sockatume (732728) on Friday March 20, 2009 @05:32AM (#27266059)
      From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's a staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.
      • by stray (73778)

        From what I can see the unprotected directory is a *deliberate* setup by perpetrators who compromised a number of merchant sites.

        The compromised servers send the CC transaction details to the unprotected site (now suspended by the registrar) for easy retrieval by the perps.

        The security breach obviously happened on the individual merchant sites, the leaking unprotected directories on the hackers' drop box is just a symptom.

        Somebody check if all merchant sites use a common web shop application?

  • by Confuse Ed (59383) <edmund@greeniuPO ... uk minus painter> on Friday March 20, 2009 @05:34AM (#27266065) Homepage

    From both the article and the summary re:

    The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

    This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

    Insisting on search engines removing this information from their indexes and remove it from their caches is just sweeping the problem under the rug : you or I taking a quick peek on the internet to see if our credit-card information has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

    *tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

    • It's like if you make a credit card payment and someone videos you then a "known issue with the video camera" will allow people to see the data you entered.
  • Internet Finance (Score:4, Interesting)

    by unlametheweak (1102159) on Friday March 20, 2009 @05:41AM (#27266099)

    The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

    • Re:Internet Finance (Score:5, Interesting)

      by Anonymous Coward on Friday March 20, 2009 @06:04AM (#27266171)

      Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

      Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

    • Sorry but that particular tin foil hat is actually a sieve

      See here [bbc.co.uk]

      Call centres are manned by people, who can write down anything you say.
    • by houghi (78078)

      I am less paranoid and use the "Internet Credit Card Number" provided by my bank. That creates a Credit Card Number that will be valid for 2 months with the amount I decide to put on it. So if I buy some service for 10EUR, I put 10EUR on that card. When then somebody else steals that number, it will be useless as the 10EUR is already used.

      For my credit card company it is then pretty easy to find out where I used that number and then know who caused the leak and punish them if they so wish. To me this is an

    • Yes, because buying things over the phone or in store [computerworld.com] will never [thebostonchannel.com] result in a breach [istockanalyst.com].

      Oh, wait...

      Those three stood out in my mind since we were affected by all of them. There are others, I'm sure. In the first two cases, our credit card information was compromised despite the fact that we shopped in-store and not online. In the third case, our information was compromised at the processor level, so it really didn't matter where we shopped. Face it, no matter where you shop, your information is in the hands

  • by Hurricane78 (562437) <deleted AT slashdot DOT org> on Friday March 20, 2009 @06:03AM (#27266165)

    ...why anyone would use a payment system, with no safety at all?

    What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

    Is that really how it works? Because if yes, then why in the world does anyone even consider using something like that?
    I'd rather go back to bartering goods, than something like that.

    When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

    Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

    Or is it, because you have not much of a choice?

    Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

    • by Ihlosi (895663)

      What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card.

      No - in order to actually get paid, the merchant must also wait a few weeks in case the customer disputes the charge (and issues a chargeback).

      Hence, the person using the credit card doesn't bear much risk, but the merchant that accepts them does (if he delivers goods and services, gets "paid" by credit card, and the charge gets disputed, he's out the money and the goods and possibly ge

    • by Tx (96709) on Friday March 20, 2009 @06:30AM (#27266269) Journal

      In the UK at least, your transactions are guaranteed by the credit card company. So it's often actually recommended that you purchase things online with a credit card, because if you get ripped off, the goods are defective, or the merchant goes bankrupt etc, the card company has to refund you. This is enshrined in law under the Consumer Credit Act. On the other hand, if you pay with a debit card or other direct payment, your money is gone.

      • by psicic (171000) on Friday March 20, 2009 @07:32AM (#27266495) Homepage Journal

        I'm not American - and I wonder about the op's premise as I thought most countries had moved (or were moving) to PIN-numbers rather than signatures to verify in-store transactions.

        Regardless, credit cards are very safe for Europeans because of the extra protection they provide to consumers.

        In Ireland as well as the UK - and most other European countries - there is a version of the Consumer Credit Act. It treats all purchases on the card as, unsurprisingly, a type of credit agreement. This is a very powerful and pro-Consumer thing, providing lots of protection for any who cares to look into it, e.g. chargeback.

        True, a lot of these 'safeties' were introduced in an attempt to make the cards more secure - don't forget the premise of credit cards has been around for many, many decades and, during that time, the type of fraud perpetrated against credit card users has become more and more complex.

        It's also well documented that Germans (culturally/in general) have an aversion to credit cards for a number of reasons; from 'all credit is borrowing - and borrowing is bad' (note the low rate of borrowing in Germany) to a series of pre-existing methods of paying for goods and services easily at a distance (e.g. in Germany, there is the long standing inter-bank transfer system; very cheap and secure to use inside the borders of Germany but, until very recently, was astronomically expensive for anyone in another country to transfer money to).

        So why do I use a credit card? A large number of international traders accept credit cards, doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card. I suspect it's the same for Americans and most people who use credit card. Having the advantage of being European, I also have a lot of legally enforceable extra protections that I'm not sure Americans have in the Consumer Credit Act.

        I also do use bank transfers to pay for stuff. Usually only to Germany because Germany is one country where their banks are pretty secure. And only in recent years - because, thanks to an EU Directive, the astronomical cost of transferring money across borders to another member state of the Eurozone has plummeted (note: UK not member of Eurozone, so a UK consumer could still face high charges).

        I also have the protections of the Distance Selling Regulations when buying from Germany, but I would never transfer money via bank account outside of Europe.

        As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.

        Debit cards don't seem to be standardised internationally - or even across the EU - so are not really viable as a payment method.

      • by smoker2 (750216)
        Debit cards are protected too. I've had my card details stolen and used, and I got my money back. I've had bad (non-existent) service from a few companies, and the bank has given me my money back. In no case has my money just been "gone". I don't have a credit card at all, and I've never lost money from an online transaction. Less FUD please.
        • by Tony Hoyle (11698) *

          Not by law.. a debit card has no more protection than a cheque.

          The bank *may* choose to reimburse you for such thing, but you're far safer using a credit card.

          • by Xest (935314)

            "Not by law.. a debit card has no more protection than a cheque."

            Which is probably more than you think. For one, a bank can't just hand your money away to someone for a fraudulent debit card transaction or a faked cheque. If you wish to argue that you didn't authorise a transaction then they have to be able to prove otherwise if they want to avoid giving you your money back.

            You can't fiddle the system because say your card was used without your permission to buy a flatscreen TV online, the bank could contac

        • Debit cards are protected too. I've had my card details stolen and used, and I got my money back. I've had bad (non-existent) service from a few companies, and the bank has given me my money back. In no case has my money just been "gone". I don't have a credit card at all, and I've never lost money from an online transaction. Less FUD please.

          It's not FUD.

          Under the consumer credit act, when credit is extended for a purchase by a consumer, (for at least 100GBP) the credit company becomes jointly and severally

        • by rfunches (800928)

          Your money is gone until you call the bank and they replace the funds pending an investigation. If you have $1000 in a checking account and someone fraudulently charges $1000 to that account's debit card, of course you can dispute the charge and likely get your money back. Your balance, however, is $0 *until* the bank replaces the money. E.g. if you had auto bill-pay run the same day for $200 and didn't see the $1000 fraudulent charge until the next day or received an overdraft notice, you'd overdraft by $2

      • Only if the amount is over 100GBP but no more than 30,000GBP, or you use a VISA debit card as there is a voluntary scheme for them and I have used it successfully to claim back 75GBP for mis-sold items (so, actually, a VISA debit card is better for low value transactions!) There's also an issue with purchases for multiple items - they all have to be worth > 100GBP so, for example, if you buy two budget airline tickets for 99GBP outbound and 99GBP return, they're not covered! Here you go: http://www.news [newsoftheworld.co.uk]
      • Re: (Score:3, Informative)

        by Jason Levine (196982)

        In America, if your card is used fraudulently you are only liable (by Federal law) for the first $50 and even that is waived by all of the major credit card companies. Debit cards have no such protection enshrined in Federal law. Many banks have started to offer similar protections on their debit cards, but you would be dealing with bank policy as opposed to Federal law.

    • by jimicus (737525)

      I'm not American, but I can explain the idea to you.

      Every decision that introduces a system or process of some sort (doesn't have to be a computerised one, just a system or process) inevitably means that you make a compromise between risk and benefit.

      If nobody ever exchanged goods, the risk of losing goods in dishonest transactions or from being mugged would be much lower. However, we'd all be living in caves gathering berries and hunting animals.

      Along comes bartering and suddenly those who have an unusual

    • by toQDuj (806112)

      For about a year now, I have signed (where requested) the credit card transactions with fake signatures (something that looks like a sig, but isn't mine). No-one cares enough, as I haven't been caught at it even once.

      Money still gets withdrawn from my account, though.

      • by toQDuj (806112)

        p.s. That's in Denmark.

      • I am pretty sure that your signature is an after-the-fact paper trail. Meaning that if you complained you didn't purchase something then they have your signature to analyze. I always find it funny watching old people sign those electronic signature pads. They do it so carefully, thinking that if they don't, the transaction won't complete.
      • by Tony Hoyle (11698) *

        Nobody checks signatures.. that's why many countries went to pin entry.

        Of course pins are just as bad..

        1. If someone gets your pin they can reproduce it 100% accurately every time, unlike a signature. Since a pin is only 4 characters it's trivial to remember.
        2. Many transactions don't use the pin - the local supermarket auto checkout doesn't require a pin, only the card. Also all the cities car parks are the same.
        3. When you're paying for something how do you know they aren't skimming the card (90% of sho

    • by Corbets (169101)

      We're liable - by federal law - for a maximum of $50 if our cards get misused. So it's not a terribly big deal in that sense.

      More troubling are the difficulties you have to go through to undo identity theft, but that has little to do with the credit card payment system you're referring to.

    • the cost of setting up a new system is higher than the cost of paying for all of exploits

      for the companies that is. for the individuals, your credit is destroyed, you have to spend hours cleaning up the mess, etc.

      unfortunately, not enough have been victimized to make much of a ruckus. nor have the exploits been of the scale (yet) that really cost the providers dearly

      but that day will come. then we will get a more secure payment system

      the consumer is ignorant. the providers are content. and the tsunami is ov

    • by hab136 (30884)

      What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...
      Is that really how it works? Because if yes, then why in the world does anyone even consider using something like that?

      That's really how it works.

      From the consumer perspective:
      If my card is stolen, my maximum liability is $50 or less. It's usually $0. It's annoying to have your card stolen and put a stop on everything, but it's a

  • by Anonymous Coward on Friday March 20, 2009 @06:12AM (#27266199)

    And the Watergate was Washington Post's fault!

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Friday March 20, 2009 @06:53AM (#27266347) Homepage

    What the FUCK?

    There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?

    Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.

    • by Aladrin (926209)

      Not only that, but for Google to index it, Google had to know it was there! That means that either someone manually added that URL to Google, or it was linked from somewhere at some point.

      Google isn't magic, and it isn't the source of the problem.

  • by fluch (126140) on Friday March 20, 2009 @07:19AM (#27266441)

    ITNews links to a discussion thread at whirlpool.net.au which has been deleted because it is "handled by the authorities".

    And again it is a known issue of Google which reveals the deleted thread: http://209.85.229.132/search?q=cache:uf9L_DtjAzYJ:forums.whirlpool.net.au/forum-replies-archive.cfm/1165021.html+http://forums.whirlpool.net.au/forum-replies.cfm%3Ft%3D1165021&cd=1&hl=en&ct=clnk [209.85.229.132]

    - Martin ;-)

  • by gapagos (1264716) on Friday March 20, 2009 @07:34AM (#27266511)

    $MORON is driving on the highway with 0 driving experience, except that $MORON is good at the videogame Need for Speed: High Skates on the playstation.
    $MORON suddenly crashes on $OTHER_CAR who's driving at 65 mph. This is $OTHER_CAR'S FAULT for not knowing that $MORON was completing a RACE, here.

    Just like Google is doing what it's designed to do, $OTHER_CAR is doing what it's meant to do.
    The only problem is that this moronic IT staff didn't do their job to secure the information, just like $MORON can't drive for shit.

    Stop always blaming other people for your incompetence, please. AIG is already overstaffed for that.

  • by Hecatonchires (231908) on Friday March 20, 2009 @08:59AM (#27267029) Homepage

    Isn't it more a problem with websites that allow a spider to read what should be a secure directory?

  • Credit card security is for paying equals, the people you cannot afford to upset.
    Other banks or the people data mining you.
    Paying a credit card consumer breach 'fine' every so often is still cheaper than the real expense of ongoing consumer security.
    If congress looks, any credit card company can swear they have the best security in place..
    A line of top university security experts and other independent experts would tell of how the company to company transactions are secure..
    Just not for you as a c
  • by iceT (68610) on Friday March 20, 2009 @11:06AM (#27268571)

    Just out of curiosity, how was Google's Crawler allowed to FIND the information in the first place to put it in the cache?

    You don't suppose that maybe the problem is in the ORIGINAL server allowing too much access, do you?

    Google just "remembers" your mistake for a LONG time.
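Several comments above make the same point: a crawler can only cache what the origin server hands out without authentication. The following is an added example, not part of the thread or of any site named in it, showing how a site owner could audit an access log for that condition. The log lines are constructed, and the crawler markers and sensitive path prefixes are assumptions to adapt.

```python
import re

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Assumed values: user-agent substrings of search crawlers, and path
# prefixes that should never be served without authentication.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")
SENSITIVE_PREFIXES = ("/admin/", "/orders/", "/backup/")


def crawler_exposures(lines):
    """Return (path, agent) for each crawler request that got a 2xx on a
    sensitive path with no authenticated user, i.e. content that can end
    up in a search engine's cache."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        is_crawler = any(k in m["agent"].lower() for k in CRAWLER_MARKERS)
        is_sensitive = m["path"].lower().startswith(SENSITIVE_PREFIXES)
        served = m["status"].startswith("2")   # 401/403/404 are not exposures
        anonymous = m["user"] == "-"           # no HTTP auth user was logged
        if is_crawler and is_sensitive and served and anonymous:
            hits.append((m["path"], m["agent"]))
    return hits


GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BBOT = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
# Constructed sample log (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    f'192.0.2.10 - - [20/Mar/2009:05:01:12 +0000] "GET /orders/export.csv HTTP/1.1" 200 48211 "-" "{GBOT}"',
    f'192.0.2.10 - - [20/Mar/2009:05:01:13 +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "{GBOT}"',
    '198.51.100.7 - alice [20/Mar/2009:05:02:40 +0000] "GET /orders/export.csv HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'192.0.2.10 - - [20/Mar/2009:05:03:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{GBOT}"',
    f'203.0.113.5 - - [20/Mar/2009:05:04:55 +0000] "GET /backup/db.sql HTTP/1.1" 200 900000 "-" "{BBOT}"',
]

if __name__ == "__main__":
    for path, agent in crawler_exposures(SAMPLE_LOG):
        print(f"exposed to crawler: {path}  ({agent})")
```

The user-agent header is self-reported, so the crawler filter only narrows the report; any anonymous 2xx response on those paths means the directory is public, and the fix is access control on the server rather than a robots.txt entry.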
