Breach Exposes 19,000 Active US, UK Credit Cards

timothy posted more than 5 years ago | from the need-two-part-authentication dept.

Security 232

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

232 comments

Cashless Society (5, Interesting)

Anenome (1250374) | more than 5 years ago | (#27265981)

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

Re:Cashless Society (5, Insightful)

zoney_ie (740061) | more than 5 years ago | (#27266013)

Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

I for one sincerely hope we never have a cashless society.

Re:Cashless Society (3, Insightful)

sakdoctor (1087155) | more than 5 years ago | (#27266049)

People will not give up their cash without a fight,

Oh I don't know. I think it's pretty much down to culture that one.
I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.

Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.

Re:Cashless Society (0, Offtopic)

grahamm (8844) | more than 5 years ago | (#27266137)

I can remember when cash on delivery was common in the UK. Now you cannot even pay the postman if the sender has underpaid the postage or there are customs charges to pay - the postman just leaves a card and you have to go to the delivery office, pay and collect.

COD (0, Offtopic)

TheLink (130905) | more than 5 years ago | (#27266239)

Regarding COD nowadays. I doubt most honest and sane people would like to be the postman carrying the $$$$.

Crooks already rob pizza delivery workers.

Re:COD (1)

partenon (749418) | more than 5 years ago | (#27266335)

*That* is the main problem: trust and security, which turns out to be *respect* (a strong word for Japanese and other Asiatic cultures, and a weak word for "western"). Here in "western", we think in respect as up to the "is it legal?" level, while more advanced societies go beyond that level.

Re:COD (1)

commodore64_love (1445365) | more than 5 years ago | (#27266609)

Perhaps we should revive the word "honor". At one time damaging an American's honor meant opening yourself to being murdered by duel. If you impugn my reputation or honor, your life may be forfeit. I nominate AIG executives for that. AIG versus the People in single-shot combat.

Re:COD (1)

partenon (749418) | more than 5 years ago | (#27266675)

Not sure I missed some sarcasm, but I think there is a truth in your comment :-) If someone lacks respect to others, they should be accountable for that. I mean, it should suffer severe consequences instead of getting huge bonuses ;-)

Re:Cashless Society (1)

commodore64_love (1445365) | more than 5 years ago | (#27266575)

>>>Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

It sounds like Japan is the place for me. I don't trust banks or stores enough to get a debit card, since I feel it's just like cash but more vulnerable. With a debit card a person simply needs to steal the number and empty-out your savings. I already had that happen once where a person on the opposite side of the continent stole my number and rapidly spent $3500 at Walmart using a fake card.

Fortunately for me I had a *credit* card, not a debit card, so the loss did not come from my wallet. It came from VISA's wallet. Credit cards are better because you simply refuse to pay charges incurred by thieves.

Re:Cashless Society (2, Insightful)

Jane_Dozey (759010) | more than 5 years ago | (#27266667)

Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus whatever was left over from the previous month (if the amount starts building up I just move it to savings).

It works quite well since I know I'm not spending money that I don't have or is meant for something else and I don't have to worry about someone nicking everything I have.

To me, walking around with a debit card with access to all of your money is like walking around with your life savings in your wallet: stupid.

I also have a credit card on my spending account but that's just so I can boost my credit rating. That and buying things like plane tickets or any service that is at risk of not materialising is protected. In that case credit cards are indeed better.

Re:Cashless Society (1)

Anenome (1250374) | more than 5 years ago | (#27266053)

Well, the U.N. and some Russian dude recently called for a global currency, if such a thing were to happen it would likely become cashless. I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

I remember hearing about a particular African country that had already gone cashless, that tourists basically changed money in for an ATM card at the airport, but couldn't find any references to it, just something about Nigeria moving towards a cashless society: http://www.africanews.com/site/Nigeria_moves_towards_a_cashless_society/list_messages/23145 [africanews.com]

Made me wonder what the Nigerian 419 scam would become in the future when they can't claim their uncle, the former finance minister, has a hundred million dollars hidden under his mattress and needs you to help launder it for him.

Re:Cashless Society (2, Funny)

unlametheweak (1102159) | more than 5 years ago | (#27266107)

I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

Yeah, it's in the imaginations of people who buy financial instruments like stocks and bonds.

Re:Cashless Society (1)

commodore64_love (1445365) | more than 5 years ago | (#27266641)

Stocks and bonds have value. Each piece is a portion of the value of a company, or government. Other forms of wealth include:

- your land
- your house, your car, your furniture, your electronics and other toys (depreciating with age)
- oil, corn, wheat, soybeans, cattle, et cetera
- gold, silver, and other metals

Re:Cashless Society (1)

Hao Wu (652581) | more than 5 years ago | (#27266111)

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

Sounds like a "gold standard" argument.... The best standard of all is: absolutely anything. You can use gold, lead, or bananas if you want. And people do -- it's called a futures market.

Basing all of your wealth on bananas might sound silly, but there are doubtlessly people who have made millions doing just that. Fruit, gold, and "trust" - they are all exactly the same in economic terms.

Wealth is between you, and whatever the next person is willing to trade.... before you inevitably break even and die taking NONE of it with you.

Re:Cashless Society (1)

krou (1027572) | more than 5 years ago | (#27266305)

People will not give up their cash without a fight? Just like people won't give up their rights without a fight, hey?

We've already taken a giant leap towards a cashless society, with two inventions that we all love: the internet, and mobile phones.

When I sit down and actually look at the majority of my transactions, they're already occurring electronically, via the internet. Amazon, eBay, electronic banking, booking airline tickets, booking concert tickets, supermarket shopping. That's all cashless. I would wager that, in my personal life, at least 70% of my cash transactions occur electronically. I'd be surprised to find geeks that don't have a majority of their transactions occurring without cash.

Also, I don't think you give enough credit (excuse the pun) to people for being as lazy as they can be. If a chip is put in someone's mobile phone (a device most people in the developed world have) to let them pay for things quickly and easily, do you think they won't use it? There are 360 and 380 billion mobile phones in the world to date (approximately) - the groundwork is set. Currently [bbc.co.uk], only 10% of these phones have the necessary hardware, but that will change rapidly. A cashless society will be sold on the basis of convenience first, security second, and I suspect that, while it may take a long time for cash to disappear (if ever), cash will eventually be seen as something used by the poor and society's outcasts i.e. cashless technologies and cash will become emblematic of society's economic and social divisions.

Furthermore, look at someone like Wal-Mart, and their technology-adoption strategy. Look at how they pushed RFID. That sort of power is going to be crucial in bringing about a cashless society because they may make the decision to halve their workforce and install self-service, cashless machines at the checkout, or trolley/basket-based systems. The cashless society will likely materialise because of such strategies: the removal of choice.

And even if we have "cash" in the future, it will be embedded with RFID, anyway, so not much freedom there, either.

Re:Cashless Society (1)

Skrynesaver (994435) | more than 5 years ago | (#27266359)

Free speech, fair trial, freedom of assembly are fairly nebulous rights mainly exercised by a few radical wingnuts in the view of the "plain people", however the right to sell goods and services "off books" is something the "plain people" cherish and hold dear.

Not to mention Drugs hookers and blackjack (or whatever that damn meme is :)

Re:Cashless Society (1)

commodore64_love (1445365) | more than 5 years ago | (#27266701)

The last two are nebulous, but the first is obvious. *You own your body.* Anyone with an IQ of 90 or higher can understand that argument, and if you own your body you also own the things it can do, like use your brain to form an opinion. Or open your mouth and express that opinion (the right to speak).

Oh....and don't give me the argument that speech is limited. If you're on somebody else's property, and you start shouting, they can certainly force you to leave, but they can't stop you from speaking. You can say whatever you want from the front yard of your home. You can even issue death threats without restraint (as supported by numerous SCOTUS cases).

Re:Cashless Society (0)

Anonymous Coward | more than 5 years ago | (#27266379)

There will be other forms of unofficial cash, much like cigarettes in prisons. Anything that is limited in supply and convenient to transport can be used.

Re:Cashless Society (1)

CRCulver (715279) | more than 5 years ago | (#27266375)

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

It's already happened here in Finland. Almost all my purchases and bill payment are done via bank transfer or Visa Electron card. When I get cash from someone, it actually feels like a burden because there are so few bank branches where I can deposit it (many branches only do advisory things now, not teller services), and the queues there are always long. There are instances where it's actually more expensive to pay with cash than with card.

Re:Cashless Society (1)

marcello_dl (667940) | more than 5 years ago | (#27266541)

> People will not give up their cash without a fight

We gave up our gold and silver for paper.

"...But after all, it is the leaders of a country who determine the policy, and it's always a simple matter to drag people along whether it is a democracy or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. This is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism and for exposing the country to danger. It works the same in every country." -- Goering

Re:Cashless Society (1)

kiwi_jackal (1228098) | more than 5 years ago | (#27266687)

I think you're right in that some people will not give up their cash without a fight, but it's certainly not true in the vast majority of cases. Here in New Zealand, we've had EFTPOS for many years now, to the point where I don't remember a time when it wasn't around (born in '83). It is so prevalent that I'm shocked at the very rare occasion where it's not available.

I barely use cash myself, and mostly see it as an inconvenience. I know for a fact that I'm not the only one who thinks so, and I believe that the majority of my countrymen agree with me. Why on earth would you want to carry round bits of metal or plastic that you never seem to be able to get rid of entirely, when one or two cards will provide you with the same benefits with greater convenience and security? If I lose my EFTPOS card, I call the bank, cancel it, and arrange a replacement. If I lose cash, that's it - it's gone.

Although there is always the risk of fraudulent activity of my cards (much, much higher on my credit card than my EFTPOS card), every bank in this country, and I would expect in the world, has an agreement with their customers that if the customer does not contribute directly to the fraud, they are not liable for any stolen funds. Again, if someone steals my card, I'm inconvenienced for a couple of days, but if someone steals cash it's gone forever. I know which I prefer.

Re:Cashless Society (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27266017)

All credit card security is bullshit.
The credit card system is built wrong from the ground up, and we'll be applying patches for ever.

What is good for people is e-cash grounded in sound cryptographic principles. This isn't good for governments though, so it will never ever happen.

Re:Cashless Society (5, Funny)

gravos (912628) | more than 5 years ago | (#27266027)

Cashless is old hat. What we really need is a cacheless society.

That was a joke! (1)

gravos (912628) | more than 5 years ago | (#27266143)

That was a joke! A play on words!

Seriously though, caches are good. Worrying about credit card numbers being cached is as bad as promoting security through obscurity. We should be moving to a system that doesn't rely on "secret numbers," but instead makes use of multiple factors from the time-tested triumvirate of "something you have," "something you know," and "something you are." Something you know alone just isn't good enough for this day and age.

Google is just doing what Google does.

Re:Cashless Society (1)

Hao Wu (652581) | more than 5 years ago | (#27266045)

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society.

That would be nice.

How many times have we read passionate arguments that "nobody should be in prison for non-violent crimes!"

Remember this story the next time you see those stupid posts modded +5 insightful.

Re:Cashless Society (1)

TheLink (130905) | more than 5 years ago | (#27266227)

Yeah, people like Madoff should most certainly go to jail for a long time.

If we are just going to fine and confiscate money from people who do nonviolent financial crimes, it does not discourage them much, there are so many ways of siphoning the money off and hiding it.

Prison works. Even if you are a billionaire, 10 years in prison is 10 years out of your life, 10 years of opportunity cost. You might be able to afford some lifespan extension treatments, but I doubt you're even going to extend it to 150 years with existing tech.

Re:Cashless Society (1)

aix tom (902140) | more than 5 years ago | (#27266121)

Hey!! I have a great Idea for that secondary verification system!

The credit card companies just need to give the credit card holders little, colourful, pieces of paper with currency amounts printed on them. When someone makes a monetary transaction with the credit card, they also have to hand over the right amount of those pieces of paper!

Ehhhhh.... Waitaminute .....

Re:Cashless Society (2, Interesting)

Cyberax (705495) | more than 5 years ago | (#27266253)

Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

Currently, credit cards are absolutely insecure.

Re:Cashless Society (1)

SIR_Taco (467460) | more than 5 years ago | (#27266695)

It's gonna be interesting when we finally move to a cashless society.

Perhaps we could just move to a cache-less society

Re:Cashless Society (1)

kiwi_jackal (1228098) | more than 5 years ago | (#27266709)

I work for a bank, and we have a fraud detection system which relies on contacting the customer if a suspicious transaction occurs on their credit card. Essentially, if a transaction breaks particular rules (multiple transactions at petrol stations in quick succession, say, or use of card in multiple countries in unlikely timeframes) we contact the customer. If we cannot do so, a temporary block is placed on the card until we can verify the transaction is legitimate.

I know this isn't very widespread yet - of the five main banks in New Zealand, I know that three use it. I imagine, however, that it won't be long until this is standard practice in the banking industry.
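The rule-based flow described in the comment above, sketched as an added example; it is not part of the comment and not any bank's actual system. The thresholds, field names, card tokens and outcome labels are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds: the comment names the rule types but gives no numbers.
FUEL_MAX = 3                            # fuel purchases tolerated per window
FUEL_WINDOW = timedelta(minutes=30)
MIN_COUNTRY_GAP = timedelta(hours=2)    # shortest plausible gap between countries


@dataclass(frozen=True)
class Txn:
    card: str           # opaque token, never the real card number
    when: datetime
    country: str        # merchant country code
    category: str       # merchant category, e.g. "fuel"
    card_present: bool  # False for online / phone orders


class FraudMonitor:
    """Evaluates transactions in arrival (time) order."""

    def __init__(self, contact_customer):
        # contact_customer(card) -> True if the customer was reached.
        self.contact_customer = contact_customer
        self.fuel_times = defaultdict(deque)   # card -> recent fuel timestamps
        self.last_present = {}                 # card -> last card-present Txn
        self.blocked = set()

    def broken_rules(self, txn):
        hits = []
        if txn.category == "fuel":
            times = self.fuel_times[txn.card]
            times.append(txn.when)
            while txn.when - times[0] > FUEL_WINDOW:
                times.popleft()                # drop purchases outside the window
            if len(times) > FUEL_MAX:
                hits.append("fuel_velocity")
        # Only card-present use says where the card physically is; an online
        # order from a foreign merchant is not evidence of travel.
        if txn.card_present:
            prev = self.last_present.get(txn.card)
            if (prev and prev.country != txn.country
                    and txn.when - prev.when < MIN_COUNTRY_GAP):
                hits.append("country_change")
            self.last_present[txn.card] = txn
        return hits

    def process(self, txn):
        if txn.card in self.blocked:
            return "declined"
        if not self.broken_rules(txn):
            return "approved"
        if self.contact_customer(txn.card):
            return "referred"        # customer reached; staff confirm with them
        self.blocked.add(txn.card)   # temporary block until verified
        return "blocked"

    def verify(self, card):
        """Lift the temporary block once the transaction is confirmed."""
        self.blocked.discard(card)


def run_sample():
    """Constructed transactions for three hypothetical card tokens."""
    def t(hhmm):
        return datetime.strptime("2009-03-20 " + hhmm, "%Y-%m-%d %H:%M")

    reachable = {"tok_A": False, "tok_B": True, "tok_C": True}
    monitor = FraudMonitor(lambda card: reachable[card])
    txns = [
        Txn("tok_A", t("10:00"), "NZ", "fuel", True),
        Txn("tok_A", t("10:05"), "NZ", "fuel", True),
        Txn("tok_A", t("10:10"), "NZ", "fuel", True),
        Txn("tok_A", t("10:15"), "NZ", "fuel", True),     # 4th fuel stop in 30 min
        Txn("tok_A", t("10:20"), "NZ", "grocery", True),  # arrives while blocked
        Txn("tok_B", t("09:00"), "NZ", "grocery", True),
        Txn("tok_B", t("09:40"), "GB", "grocery", True),  # other country, 40 min on
        Txn("tok_C", t("09:00"), "NZ", "grocery", True),
        Txn("tok_C", t("09:10"), "US", "books", False),   # online, not travel
    ]
    results = [(x.card, monitor.process(x)) for x in txns]
    monitor.verify("tok_A")
    later = Txn("tok_A", t("11:00"), "NZ", "grocery", True)
    results.append((later.card, monitor.process(later)))
    return results


if __name__ == "__main__":
    for card, decision in run_sample():
        print(card, decision)
```

Limiting the country rule to card-present transactions keeps ordinary online purchases from foreign merchants from triggering a block.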

Shoot the messenger! (5, Insightful)

phayes (202222) | more than 5 years ago | (#27265987)

It's not a problem with the idiot sites that let unprotected critical information out on a publicly accessible net and in addition omitted to place a well placed robots.txt, no...

IT'S GOOGLE'S FAULT!!!

Re:Shoot the messenger! (5, Funny)

sakdoctor (1087155) | more than 5 years ago | (#27266057)

Google should take SOME blame.

I held a robots.txt poster up at my window and google streetmap still photographed it.

Re:Shoot the messenger! (0)

Anonymous Coward | more than 5 years ago | (#27266559)

Why should google take blame, it's not like google made an agreement with the people in question to conceal their data, the responsibility lies with whichever sites were stupid enough to have unencrypted data lying around the place.

Re:Shoot the messenger! (0)

Anonymous Coward | more than 5 years ago | (#27266725)

Link or it didn't happen

Re:Shoot the messenger! (1)

trold (242154) | more than 5 years ago | (#27266303)

robots.txt is not for security. Using it as such is the same as protecting your sensitive data by writing "DONT READ" in the top. Even worse, if you do rely on it, you provide a public list of what might be interesting on your site.

er what (5, Insightful)

Idimmu Xul (204345) | more than 5 years ago | (#27265993)

How is putting all your customers' credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

Re:er what (0)

Anonymous Coward | more than 5 years ago | (#27266221)

perhaps google was not only the only place that copied it and reposted it, in violation of copyright, but also the only place that downloaded it.

Why are they given a free ride? If I mirror CNN, I get in trouble, but if google do it it's a public good?

What if I had mirrored the CC list? would I be in trouble for that??

PCI DSS (0)

yttrstein (891553) | more than 5 years ago | (#27265999)

You'd think that Google would have been one of the very first ones that the CC companies demanded PCI DSS compliancy from. And if they had, you'd think that Google didn't just fill out the form and *promise* (they swear) that everything is compliant, cross their hearts and hope to die, just like all the tiny companies that can't afford PCI DSS consulting do.

Hmmm. Good lord.

Re:PCI DSS (3, Insightful)

MadMidnightBomber (894759) | more than 5 years ago | (#27266047)

What, now Google is meant not to index pages which have card data on them? How exactly is that even possible?

You can bet your boots that Google Checkout is PCI DSS-compliant.

Re:PCI DSS (2, Interesting)

lurcher (88082) | more than 5 years ago | (#27266117)

Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.

No: 5434 6625 8876 1272
CVV: 854
Exp 09/12

So how would slashdot know if that post contains valid card info or not?

Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.

Re:PCI DSS (1)

yttrstein (891553) | more than 5 years ago | (#27266399)

1. Yeah, that actually doesn't technically break any level of PCI DSS. You're missing at least one of two bits of information.

2. I'm sorry you missed the subtle reference to the inevitable litigation surrounding issues like this.

Re:PCI DSS (1)

lurcher (88082) | more than 5 years ago | (#27266451)

Well, YMMV, but from what I can read, it breaks validation types 1 to 4 at least on the no CHD storage requirement. And the information I supplied is enough to auth a CHNP transaction.

But I think you get my point.

It seems to me that PCI DSS is this generation's version of BS5750, just another excuse to create a market for overpaid consultants who claim to understand the requirements.

You are quite confused about the scope of PCI/DSS (0)

Anonymous Coward | more than 5 years ago | (#27266471)

The only part of Google that needs to comply is Google CheckOut. Nothing else.

Re:PCI DSS (0)

Anonymous Coward | more than 5 years ago | (#27266715)

You seem to be under the impression that PCI actually makes things more secure. My employer is in a never-ending race for PCI compliance, which mainly seems to involve lots of trivial rules that make it nearly impossible to do our jobs.

Who are the lucky ones? (4, Insightful)

MikeOtl67of (1503531) | more than 5 years ago | (#27266011)

How can you know that your card was not among those?

Re:Who are the lucky ones? (3, Funny)

Anonymous Coward | more than 5 years ago | (#27266093)

google your credit card and CVV here, and post a link to the results here. It's the best way you can be sure your card is compromised.

Re:Who are the lucky ones? (1)

aix tom (902140) | more than 5 years ago | (#27266161)

But google for it WITH quotes, or you get a heart attack when you see the "Results 1 - 10 of about 2,000,000" that gets returned when you Google without quotes.

Re:Who are the lucky ones? (0)

Anonymous Coward | more than 5 years ago | (#27266623)

Actually, I received yesterday a letter informing me that my credit card information - through no negligence of the card provider - has been compromised, and that I can expect to receive a new card, with new cc# and ccv in the mail.

I hardly think there's an issue with Google. (4, Insightful)

TractorBarry (788340) | more than 5 years ago | (#27266029)

> The cause appears to be a known issue with the Google search engine

More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.

Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.

Re:I hardly think there's an issue with Google. (5, Interesting)

Sockatume (732728) | more than 5 years ago | (#27266059)

From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's a staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.

Re:I hardly think there's an issue with Google. (1)

stray (73778) | more than 5 years ago | (#27266369)

From what I can see the unprotected directory is a *deliberate* setup by perpetrators who compromised a number of merchant sites.

The compromised servers send the CC transaction details to the unprotected site (now suspended by the registrar) for easy retrieval by the perps.

The security breach obviously happened on the individual merchant sites, the leaking unprotected directories on the hackers' drop box is just a symptom.

Somebody check if all merchant sites use a common web shop application?

Misplacing blame on google (5, Insightful)

Confuse Ed (59383) | more than 5 years ago | (#27266065)

From both the article and the summary re:

The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

Insisting on search engines removing this information from their indexes and remove it from their caches is just sweeping the problem under the rug: you or I taking a quick peek on the internet to see if our credit-card information has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

*tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

Exactly (1)

Chrisq (894406) | more than 5 years ago | (#27266141)

It's like if you make a credit card payment and someone videos you then a "known issue with the video camera" will allow people to see the data you entered.

Re:Exactly (1)

ilo.v (1445373) | more than 5 years ago | (#27266275)

It's like if you make a credit card payment and someone videos you then a "known issue with the video camera" will allow people to see the data you entered.

No. It's as if you are sleeping with your best friend's wife and someone videos you then a "known issue with the video camera" will allow people to see the "data" you entered.

Internet Finance (4, Interesting)

unlametheweak (1102159) | more than 5 years ago | (#27266099)

The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

Re:Internet Finance (5, Interesting)

Anonymous Coward | more than 5 years ago | (#27266171)

Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

Re:Internet Finance (1)

Fallus Shempus (793462) | more than 5 years ago | (#27266185)

Sorry but that particular tin foil hat is actually a sieve

See here [bbc.co.uk]

Call centres are manned by people, who can write down anything you say.

Re:Internet Finance (1)

unlametheweak (1102159) | more than 5 years ago | (#27266251)

Of course, the same with any place that you have to give your credit card to (like restaurants). The point is that these transactions are more transparent than dealing only with complex automated software systems that can easily store, copy, and manipulate data. It is harder for example, to have a cross-site scripting attack with a (non-M$ Windows, programmable, Internet) telephone.

Re:Internet Finance (5, Insightful)

gmack (197796) | more than 5 years ago | (#27266545)

But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets laying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.

Also larger retail stores feed your numbers into "complex automated software". Think TG max who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.

I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place.

Re:Internet Finance (0)

Anonymous Coward | more than 5 years ago | (#27266381)

Do you realize that those people who answer the phone call may just be (and in fact, most times they are) using just a web browser and the same web page you would use to place your order?

Re:Internet Finance (1)

awyeah (70462) | more than 5 years ago | (#27266389)

When you call an 800 number to place an order or walk into a store, unless you hear a modem dial out, your account information is *probably* being sent over the public internet.

That doesn't mean it's necessarily insecure (the industry has serious standards they have to follow - see PCI-DSS), but it's likely that your details are going over an encrypted connection to a processor.

Many web sites use the exact same protocols to talk to the payment processors as brick and mortar stores do.

Re:Internet Finance (0)

Anonymous Coward | more than 5 years ago | (#27266509)

Amazon's stock must go up every time one of these stories is posted.

Sure, anyone can do eCommerce by putting up a website. Except for a very few, though, these are going to be run by businesspeople for whom security for their customers is somewhere on Page 3 of a To-Do list that is two pages long.

Can some American please explain to me... (4, Insightful)

Hurricane78 (562437) | more than 5 years ago | (#27266165)

...why anyone would use a payment system, with no safety at all?

What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

Is that really how it works? Because if yes, then why in the world does anyone even consider using something like that?
I'd rather go back to bartering goods, than something like that.

When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

Or is it, because you have not much of a choice?

Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

Re:Can some American please explain to me... (1)

Ihlosi (895663) | more than 5 years ago | (#27266229)

> What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card.

No - in order to actually get paid, the merchant must also wait a few weeks in case the customer disputes the charge (and issues a chargeback).

Hence, the person using the credit card doesn't bear much risk, but the merchant that accepts them does (if he delivers goods and services, gets "paid" by credit card, and the charge gets disputed, he's out the money and the goods and possibly gets slapped with extra fees from the credit card company). Of course, this risk needs to go into the merchant's price calculation. :P

> Additionally both are detached from the bank account. Unlike a credit card.)

A credit card is not attached to a bank account (at least not in the US). A debit card is.

Re:Can some American please explain to me... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27266245)

I can't speak for any other countries, but I can tell you why that's not done in America. Two reasons: One, it would cost the banks money to implement such a system. That goes against their core ideals of charging us as much as possible at all times (some banks charge extra for depositing coins now). Two, Americans wouldn't stand for such "complexity". Too many of them would feel that a system like you described is incomprehensible, and they'd rather take their risks with ID theft. Sad but true.

Re:Can some American please explain to me... (4, Informative)

Tx (96709) | more than 5 years ago | (#27266269)

In the UK at least, your transactions are guaranteed by the credit card company. So it's often actually recommended that you purchase things online with a credit card, because if you get ripped off, the goods are defective, or the merchant goes bankrupt etc, the card company has to refund you. This is enshrined in law under the Consumer Credit Act. On the other hand, if you pay with a debit card or other direct payment, your money is gone.

Re:Can some American please explain to me... (0)

Anonymous Coward | more than 5 years ago | (#27266373)

> On the other hand, if you pay with a debit card or other direct payment, your money is gone.

However, some debit cards (e.g. my Lloyds TSB Visa debit card) count as credit cards for the purposes of the consumer credit laws, and *are* covered (I know because I read and signed some document to this effect).

Re:Can some American please explain to me... (3, Informative)

psicic (171000) | more than 5 years ago | (#27266495)

I'm not American - and I wonder about the op's premise as I thought most countries had moved (or were moving) to PIN-numbers rather than signatures to verify in-store transactions.

Regardless, credit cards are very safe for Europeans because of the extra protection they provide to consumers.

In Ireland as well as the UK - and most other European countries - there is a version of the Consumer Credit Act. It treats all purchases on the card as, unsurprisingly, a type of credit agreement. This is a very powerful and pro-Consumer thing, providing lots of protection for anyone who cares to look into it, e.g. chargeback.

True, a lot of these 'safeties' were introduced in an attempt to make the cards more secure - don't forget the premise of credit cards has been around for many, many decades and, during that time, the type of fraud perpetrated against credit card users has become more and more complex.

It's also well documented that Germans (culturally/in general) have an aversion to credit cards for a number of reasons; from 'all credit is borrowing - and borrowing is bad' (note the low rate of borrowing in Germany) to a series of pre-existing methods of paying for goods and services easily at a distance (e.g. in Germany, there is the long standing inter-bank transfer system; very cheap and secure to use inside the borders of Germany but, until very recently, was astronomically expensive for anyone in another country to transfer money to).

So why do I use a credit card? A large number of international traders accept credit cards, doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card. I suspect it's the same for Americans and most people who use credit cards. Having the advantage of being European, I also have a lot of legally enforceable extra protections that I'm not sure Americans have in the Consumer Credit Act.

I also do use bank transfers to pay for stuff. Usually only to Germany because Germany is one country where their banks are pretty secure. And only in recent years - because, thanks to an EU Directive, the astronomical cost of transferring money across borders to another member state of the Eurozone has plummeted (note: UK not member of Eurozone, so a UK consumer could still face high charges).

I also have the protections of the Distance Selling Regulations when buying from Germany, but I would never transfer money via bank account outside of Europe.

As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.

Debit cards don't seem to be standardised internationally - or even across the EU - so are not really viable as a payment method.

Re:Can some American please explain to me... (1)

smoker2 (750216) | more than 5 years ago | (#27266503)

Debit cards are protected too. I've had my card details stolen and used, and I got my money back. I've had bad (non-existent) service from a few companies, and the bank has given me my money back. In no case has my money just been "gone". I don't have a credit card at all, and I've never lost money from an online transaction. Less FUD please.

Re:Can some American please explain to me... (1)

Tony Hoyle (11698) | more than 5 years ago | (#27266603)

Not by law.. a debit card has no more protection than a cheque.

The bank *may* choose to reimburse you for such thing, but you're far safer using a credit card.

Re:Can some American please explain to me... (1)

jimicus (737525) | more than 5 years ago | (#27266287)

I'm not American, but I can explain the idea to you.

Every decision that introduces a system or process of some sort (doesn't have to be a computerised one, just a system or process) inevitably means that you make a compromise between risk and benefit.

If nobody ever exchanged goods, the risk of losing goods in dishonest transactions or from being mugged would be much lower. However, we'd all be living in caves gathering berries and hunting animals.

Along comes bartering and suddenly those who have an unusual talent for making weapons but are lousy at doing the actual hunting can exchange food for weapons with someone who's a great hunter but a lousy weapon maker. Of course, the hunter could just take the weapon and kill the man who made it (so the risk is slightly higher) but what would he do when the when the weapon eventually wears out?

Fast forward to today and while we're no longer talking about spears and woolly mammoth, the same basic concepts apply.

Not everyone wants to carry lots of cash - mainly because if it gets stolen you're stuck. By making it easier for people to do this (using credit/debit cards), society can move faster because money is spent faster. Banks make money on per-transaction charges so they want to encourage as many as possible; companies make a sale where otherwise they may not have.

The risk is obvious - if card details are stolen, they can be abused. But the risk is reduced with things like online approval for purchases - which ensures that stolen cards aren't useful for very long.

The banks and merchants make money on the difference between (number of transactions) and (number of dishonest transactions). Provided the first is substantially higher than the second and the net figure is greater than what you'd get by just accepting cash, you're doing better.

You'll never invent a system which is 100% risk free, all you can do is reduce the risk. Everyone wants to reduce the risk, but making changes to reduce the risk requires man-hours and equipment, both of which cost money. If you can effectively eliminate US$100,000 of fraudulent charges per year with a change that will cost US$10,000,000, then that change is not going to happen.

If the numbers are the other way around, however, you should patent them and speak to your bank.

Re:Can some American please explain to me... (0)

Anonymous Coward | more than 5 years ago | (#27266297)

>Because if yes, then why in the word does anyone even consider using something like that?

Because it's convenient, and they don't take the hit if something goes wrong. If your credit card details get stolen by some third party because a merchant processed them insecurely, you're not liable for any activity on the card.

Even many debit cards carry the same protection against fraud - if someone uses it who's not you, you get your money back.

Re:Can some American please explain to me... (1)

toQDuj (806112) | more than 5 years ago | (#27266397)

For about a year now, I have signed (where requested) the credit card transactions with fake signatures (something that looks like a sig, but isn't mine). No-one cares enough, as I haven't been caught at it even once.

Money still gets withdrawn from my account, though.

Re:Can some American please explain to me... (1)

INeededALogin (771371) | more than 5 years ago | (#27266607)

I am pretty sure that your signature is an after-the-fact paper trail. Meaning that if you complained you didn't purchase something then they have your signature to analyze. I always find it funny watching old people sign those electronic signature pads. They do it so carefully, thinking that if they don't, the transaction won't complete.

Re:Can some American please explain to me... (1)

Tony Hoyle (11698) | more than 5 years ago | (#27266649)

Nobody checks signatures.. that's why many countries went to pin entry.

Of course pins are just as bad..

1. If someone gets your pin they can reproduce it 100% accurately every time, unlike a signature. Since a pin is only 4 characters it's trivial to remember.
2. Many transactions don't use the pin - the local supermarket auto checkout doesn't require a pin, only the card. Also all the city's car parks are the same.
3. When you're paying for something how do you know they aren't skimming the card (90% of shops still take the card off you and scan it through the till, even though apparently they're not supposed to any more) and storing the pin in a computer under the till?

IMO the pin should be a string of between 10 and 20 digits. Much harder for someone to shoulder surf. All transactions should require the pin, otherwise the transaction isn't valid.

Re:Can some American please explain to me... (1)

Corbets (169101) | more than 5 years ago | (#27266645)

We're liable - by federal law - for a maximum of $50 if our cards get misused. So it's not a terribly big deal in that sense.

More troubling are the difficulties you have to go through to undo identity theft, but that has little to do with the credit card payment system you're referring to.

It's Google's fault (3, Insightful)

Anonymous Coward | more than 5 years ago | (#27266199)

And the Watergate was Washington Post's fault!

Re:It's Google's fault (0)

Anonymous Coward | more than 5 years ago | (#27266599)

No, The Roman Catholic Church as they were the owners of the building!

Re: (1)

clint999 (1277046) | more than 5 years ago | (#27266263)

Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.

No: 5434 6625 8876 1272
CVV: 854
Exp 09/12

So how would slashdot know if that post contains valid card info or not?

Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.

teachers expose 2.* billion lost souls (0)

Anonymous Coward | more than 5 years ago | (#27266327)

mostly due to misinformation/hypenosys. some (un)knowingly give up their spirit, to experience the excesses/illusionary trappings of man'kind', without remorse over the less 'fortunate'.

our only purpose here is to take care of each other. failing that (& who hasn't?), we're simply passing through.

there's no need to confuse/compare 'religion', with being a spiritual being. the lights are coming up all over now.

known issue in Google (2, Insightful)

Arancaytar (966377) | more than 5 years ago | (#27266347)

What the FUCK?

There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?

Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.

Re:known issue in Google (1)

Aladrin (926209) | more than 5 years ago | (#27266527)

Not only that, but for Google to index it, Google had to know it was there! That means that either someone manually added that URL to Google, or it was linked from somewhere at some point.

Google isn't magic, and it isn't the source of the problem.

Are you affected (1)

jlebrech (810586) | more than 5 years ago | (#27266417)

in order to check if you are affected or not, please reply with your card number and security code on the back of your card. [/joke]

whirlpool discussion threat (4, Funny)

fluch (126140) | more than 5 years ago | (#27266441)

ITNews links to a discussion thread at whirlpool.net.au which has been deleted because it is "handled by the authorities".

And again it is a known issue of Google which reveals the deleted thread: http://209.85.229.132/search?q=cache:uf9L_DtjAzYJ:forums.whirlpool.net.au/forum-replies-archive.cfm/1165021.html+http://forums.whirlpool.net.au/forum-replies.cfm%3Ft%3D1165021&cd=1&hl=en&ct=clnk [209.85.229.132]

- Martin ;-)

Google Fault? needs a car analogy (3, Interesting)

gapagos (1264716) | more than 5 years ago | (#27266511)

$MORON is driving on the highway with 0 driving experience, except that $MORON is good at the videogame Need for Speed: High Skates on the playstation.
$MORON suddenly crashes on $OTHER_CAR who's driving at 65 mph. This is $OTHER_CAR'S FAULT for not knowing that $MORON was completing a RACE, here.

Just like Google is doing what it's designed to do, $OTHER_CAR is doing what it's meant to do.
The only problem is that this moronic IT staff didn't do their job to secure the information, just like $MORON can't drive for shit.

Stop always blaming other people for your incompetence, please. AIG is already overstaffed for that.

Re:Google Fault? needs a car analogy (1)

viperblades (576174) | more than 5 years ago | (#27266731)

remember kids now that google isn't popular its their fault if you put sensitive customer data OPENLY ON YOUR SITE.

by the same logic thumb drive makers are to blame for data loss via thumb drives.
