×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Credit Card Numbers Still Google-able

Soulskill posted about 6 months ago | from the information-is-not-good-at-judging-when-it-should-want-to-be-free dept.

Privacy 157

Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

157 comments

Thanks USPTO (5, Funny)

rodrigoandrade (713371) | about 6 months ago | (#45369225)

Thankfully, the first few digits of my credit card are the same as a rather important USPTO patent #, so all Google results link to that.

Re:Thanks USPTO (5, Funny)

Qzukk (229616) | about 6 months ago | (#45369273)

Which patent number would that be? (Just out of curiosity of what you consider important patent numbers, of course :)

Re:Thanks USPTO (1)

Mitchell314 (1576581) | about 6 months ago | (#45369649)

It's the same as my social security number.

Re:Thanks USPTO (0)

Anonymous Coward | about 6 months ago | (#45369771)

What a coincidence! my birthday in millis!

Re:Thanks USPTO (4, Funny)

nxcho (754392) | about 6 months ago | (#45369795)

That's amazing. I've got the same combination on my luggage.

Re:Thanks USPTO (1)

imatter (2749965) | about 6 months ago | (#45369869)

Dark Helmet: So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!

Re:Thanks USPTO (0)

Anonymous Coward | about 6 months ago | (#45369937)

The other dude that Dark Helmet reports to is the one that said the line GP quoted. The guy that was backwards after being teleported.

Many are Fake (5, Interesting)

Anonymous Coward | about 6 months ago | (#45369231)

There are thousands of pages of fake credit card numbers, SSNs, etc. This is done intentionally to dilute the value, and some are probably honeypots. The numbers are bogus, expired, etc. that pass the checksum.

Re:Many are Fake (4, Insightful)

game kid (805301) | about 6 months ago | (#45369341)

Any prospective user of them should assume the Slashdot poll disclaimer: "If you're using these numbers to do anything important, you're insane."

So what (5, Insightful)

hannson (1369413) | about 6 months ago | (#45369239)

Google is not responsible for your CC info. Find the merchants and tell on them.

Re:So what (1)

mythosaz (572040) | about 6 months ago | (#45369397)

They're not responsible for plenty of other (generally) good things they do either.

Automating a service that warns about leaked data could be another of them...

Re:So what (2)

Joining Yet Again (2992179) | about 6 months ago | (#45369409)

So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?

Hmm, if only there were a way of compartmentalising my activities... some sort of limited.. liability.. thing... I could make a mint out of this!

Re:So what (1)

Anonymous Coward | about 6 months ago | (#45369935)

Well in your situation, B is Google. They did not ask A's explicit permission, and aren't knowingly passing you this information. A said it has searchable data, C said they wanted to look for data matching certain criteria, which just happens to have been provided by A. the fact that B has absolutely no real knowledge of the contents insulates them from liability to a very large degree.

Re:So what (1)

viperidaenz (2515578) | about 6 months ago | (#45370351)

No, B is who ever made it publicly available to be found by Google.
A is the customer, B is the merchant, C is the thief who "stole" the credit card number that B promised both A and violated the contract they have with their payment provider to not let anyone else get the number.

Re:So what (1)

harvestsun (2948641) | about 6 months ago | (#45369543)

Did you read the article AT ALL? He's not saying "it's Google's fault", he's saying "Google could handle this problem pretty efficiently, gaining some goodwill in the process."

Re:So what (5, Interesting)

amicusNYCL (1538833) | about 6 months ago | (#45369569)

What merchants? Searching for the first 8 digits of a Wells Fargo Mastercard brings up an Excel file with several worksheets in it, including one that lists a bunch of websites and login information (including bank websites). It's on a user's FTP share at their job. So someone decided to put their important file there and they have no clue it's publicly available.

Re:So what (1)

Anonymous Coward | about 6 months ago | (#45369853)

They are not responsible for malware infected websites either but they still blacklist them...

Comment Subject: (1)

Anonymous Coward | about 6 months ago | (#45369249)

I don't see why this is Google's problem; if users' credit card numbers are visible to robot crawlers, then they are not being handled correctly by web sites to begin with.

Re:Comment Subject: (4, Interesting)

pspahn (1175617) | about 6 months ago | (#45370207)

A bit of anecdote from a client's site I used to work on...

Client was complaining of some random issue and I went to take a look. Right away I was prevented from doing so because he changed his FTP/SSH permissions and I wasn't able to access the files.

I decided to poke around the front-end to try and find clues while I waited for him to respond with a fresh set of credentials. Eventually, I came across a server log that was mistakenly made available to the public at large (though you would have to know the URL to find it). Inside the log file were hundreds... probably thousands of records of customer information, including last four digits of their CC used for payment (if they had one).

I immediately got back to him about to tell him this information was available on his site to anyone and said that I could fix the permissions once he allowed me access. Unfortunately, he never did get back to me and it was a short time afterward that I was fired from that job (thank god).

I didn't develop his site, but I do know the person who did, and he happens to be a director at the company. Out of curiosity, I just checked, and the information is still openly available on his site, and it's been like 8 months. Now, though, there seem to be some additional logs of juicyness. 'authorize_net.log', 'google_checkout.log'....

To top all this off, he used to (not sure if he's come around by now by I doubt it) store customer's CC info in the store database. Before he started using this, I warned him that it was not a good idea, but he said it was the best way. There can be no way his site is PCI complaint, so in all likelihood an audit would completely put him out of business.

Nothing for me... (4, Interesting)

yakatz (1176317) | about 6 months ago | (#45369305)

I tried with the first 8 digits of 6 different cards and founds nothing but Australian phone numbers.

Re:Nothing for me... (1)

willthiswork89 (2885827) | about 6 months ago | (#45369363)

accidentily modded parent flamebait... not on purpose! stupid touch screen

Re:Nothing for me... (1)

yakatz (1176317) | about 6 months ago | (#45369577)

Off-topic, but I have done the same thing. Once upon a time, you had to click submit to moderate, it did not use this "fancy" javascript. I can't find any option to go back to that.

Re:Nothing for me... (0)

Anonymous Coward | about 6 months ago | (#45369535)

same, i found mostly phone numbers, but i did find one credit card number in a google groups chat, along with the expiration date and verification code from the back of the card..

Re:Nothing for me... (1)

krotkruton (967718) | about 6 months ago | (#45370121)

didn't find any excel sheets, but found two pdfs with full bank statements including CC# and sample checks with bank and routing numbers.

Re:Nothing for me... (5, Interesting)

Anonymous Coward | about 6 months ago | (#45369683)

I tried this with the first eight digits that I got out of a credit card generator (I'm not going to type in my own). The second result as a Word document that contained a full credit card number, expiration date, security code, and name. The .doc was hosted on a website (csonet.org) that claims to be part of the United Nations. So, I did the usual whois lookup and it started looking fishy, like a honeypot: registered to a company that sounded like a front company ("anywhere design" and "computeragent.net"), and really, why would someone post on the web a Word document with exactly the information you need to make a fraudulent transaction? And isn't the UN a bit more competent?

Then I visited the UN's web page and, son of a bitch, csonet.org is plastered everywhere on the actual UN site: it' s apparently how you apply to get money out of the UN. See http://www.un.org/womenwatch/daw/csw/NGO.html for an example. Holy fucking diplomatards, BanKiman! If they're posting credit card info with full validation information online there, what's the rest of their security awareness like? No fucking wonder the UN is a playground for the NSA, CIA, KGB, GCHQ, and everyone with unjustifiable budgets that match only their unjustifiable egos.

I'd love to give it a try (1)

eggsurplus (631231) | about 6 months ago | (#45369347)

"using the simple trick of Googling the first 8 digits of your credit card number" What are the first 8 digits of your credit cart number?

Re:I'd love to give it a try (0)

Anonymous Coward | about 6 months ago | (#45369465)

Mine used to be 4640 1880

There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.

I started using that after the third time my card was compromised last year. I could never figure out which merchant was leaking my number, but the perpetrator's MO was always the same: a small purchase at a small store on the east coast to see if the number was working, then try to buy airline tickets.

Re:I'd love to give it a try (1)

Joining Yet Again (2992179) | about 6 months ago | (#45369501)

I started using that after the third time my card was compromised last year.

I have had the same Amex, Visa and MC credit card numbers since around 1999. I have not once received a fraudulent charge. Where am I going right?

Re:I'd love to give it a try (2)

paiute (550198) | about 6 months ago | (#45369659)

I have had the same Amex, Visa and MC credit card numbers since around 1999. I have not once received a fraudulent charge. Where am I going right?

Herd immunity.

The more Google censors (1)

fustakrakich (1673220) | about 6 months ago | (#45369369)

The more incentive there is to build an alternative. I say, keep up the good work. Maybe I'll make my raspberry into a web crawler, since it's always running anyway.

I tried this and found an interesting page (4, Interesting)

bigHairyDog (686475) | about 6 months ago | (#45369415)

It seems that people are deliberately creating millions of fake identities and putting them online just to screw with the bulk data collectors.

Read the explanation on this page: http://xdduk.org/nino/BT889440D [xdduk.org]

Re:I tried this and found an interesting page (1)

SuricouRaven (1897204) | about 6 months ago | (#45369471)

Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

Re:I tried this and found an interesting page (1)

Em Adespoton (792954) | about 6 months ago | (#45370143)

Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

No need to do that... spammers already do it to waste time and resources of anti-spam groups.

Re:I tried this and found an interesting page (1)

Maow (620678) | about 6 months ago | (#45370157)

Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

It'd take some time to create the pages of addresses, even if automated, and the incidental cost to spammers of an extra million invalid email addresses would be negligible.

Basically, good guys spend time to create these, bad guys don't notice much difference. I wish it were so easy, "sigh".

The real question is, "why do people buy from spammers?" Or, "why does comment spam increase page rank scores?"

Now, where's that "your idea won't work because..." form? That thing is hilarious.

Re:I tried this and found an interesting page (1)

pspahn (1175617) | about 6 months ago | (#45370363)

...cause spammers to waste time and resources?

Don't they already waste enough of our time and resources? Whose side are you on?

Re:I tried this and found an interesting page (4, Funny)

Joining Yet Again (2992179) | about 6 months ago | (#45369531)

Anyway, if there's one thing I've learnt from giving my name as Sir Handjob Sausage-thief, it's that nothing seems to check your name. Gives the postman a laugh, too.

Whats the point (0)

Anonymous Coward | about 6 months ago | (#45369433)

What use is a CC # without an expiration date or security code?

Re:Whats the point (1)

edibobb (113989) | about 6 months ago | (#45369653)

You don't have to have the security code to charge a credit card. It's an option merchants can use to reduce fraud. It's easy to try all the reasonable expiration dates. Once you have it, go shopping online. Or sell the card info to the Russians.

Re:Whats the point (1)

globalist (1332141) | about 6 months ago | (#45369831)

Are you saying there are merchants who do not require you to type in the sercurity code? Can you give an example of such merchants?

Re:Whats the point (4, Informative)

lgw (121541) | about 6 months ago | (#45369895)

Trying all the reasonable expiration dates will quickly get a card locked down for fraud. It's reliable DOS attack.

Didn't work for me. (1)

edibobb (113989) | about 6 months ago | (#45369435)

All my credit cards apparently have a unique 8-digit beginning.

Re:Didn't work for me. (3, Informative)

tlhIngan (30335) | about 6 months ago | (#45369997)

All my credit cards apparently have a unique 8-digit beginning.

The first six digits of a card number identify the type of card and the issuing financial institution. The next 9 are the actual number and the last is a check digit via Luhn's method.

There are 100 different numbers once you identified the first 6 (Wikipedia has a nice list). That will get you the first 8 digits quite easily.

And yes, it seems to be a standard format, like Visa begins with 4, MC with 5, and Amex with 6, then the next 5 digits uniquely identify a financial institution that issued that card.

If it's don't work. Try this (5, Funny)

indybob (2731135) | about 6 months ago | (#45369447)

If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)

Re:If it's don't work. Try this (2)

NotSanguine (1917456) | about 6 months ago | (#45370217)

If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)

Public service at its best! Thank you for supporting our civil society, Bob!

another solution (3, Insightful)

a2wflc (705508) | about 6 months ago | (#45369449)

Credit card companies could google all of the numbers for cards they have issued and take care of it themselves. Why would this be google's responsibility?

Re:another solution (1)

MobyDisk (75490) | about 6 months ago | (#45370125)

Credit card companies could google all of the numbers for cards they have issued and take care of it themselves

That was his first suggestion.

Why would this be google's responsibility?

As he said in his write-up, it isn't Google's responsibility.

Don't drill down through the CC number lists! (2, Informative)

Anonymous Coward | about 6 months ago | (#45369451)

If you google around for the first 8 digits of your credit card number, you will undoubtedly come across this link:

In this link is a generated list of all possible combinations of Visa, MasterCard, American Express, etc... credit card numbers and PINs. Each group of card numbers is shown in a range... for instance 1234 4600 through 1234 4699....

If you click through the ranges until you find your card number, and PIN, and it will be in there, you will have given the website owner your credit card number and PIN!

Re:Don't drill down through the CC number lists! (0)

Anonymous Coward | about 6 months ago | (#45369517)

I'm not sure how to display a link in slashdot, but I'll try again:

http://all-the-numbers.com/credit-cards.html

After the mandatory 9 minute delay...

It Used to Be Even Easier (4, Interesting)

Anonymous Coward | about 6 months ago | (#45369479)

Google has a little-known search operator for finding numbers within a range. To find all numbers between two numbers, you Google the two numbers separated by two dots. For example, to find all numbers between 87600 and 89061, you'd Google "87600..89061" as shown below.

https://www.google.com/search?q=87600..89061

It used to be that you could simply Google a large range of possible credit card numbers using this operator and find tons of numbers. However, a few years ago, Google put a stop to this by forbidding number range searches involving large numbers.

For example: https://www.google.com/search?q=8760000000000..89061000000000

It's unfortunate and disappointing that Google crippled its search engine to solve the problem, as there are lots of legitimate reasons for searching number ranges involving large numbers.

reserved for the media industry (3, Insightful)

Revek (133289) | about 6 months ago | (#45369481)

One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results.

That right is reserved for mpaa to censor my subtitles to my video files and other important stuff like that.

Useful To Law Enforcement, Perhaps? (1)

NotSanguine (1917456) | about 6 months ago | (#45370399)

If the po-po could take five minutes and stop spying on *everyone* they could use google searches to identify such breaches. They could contact the website owners about the CC leaks, which would actually be a public service. They could also partner with the CC companies to see if any of these cards were used in fraud. Any large scale use of exposed CC numbers could then be investigated with the support of the website owners and CC companies, potentially resulting in the apprehension of fraudsters.

Unfortunately, law enforcement is too busy spying on those who speak out against the status quo to do anything so breathtakingly rational. Sigh.

hi (-1)

Anonymous Coward | about 6 months ago | (#45369487)

daily scam reviews

dailyscamreviews.blogspot.com is a blog that help and provide customer to get the best digital product with real and free user reviews without scam indication on it.

Summay of the summary (4, Insightful)

Obfuscant (592200) | about 6 months ago | (#45369529)

Eleven words: "People put shit on the web. Google lets you find it."

The suggestion that Google should pounce upon any 16 digit numbers it finds that meet the single-digit checksum test is just ridiculous. Oh, and start with "all known 8 digit prefixes". Now, the first four identify the card type, so there's a natural limit there. But the next four are 10,000 possibilities.

We'd complain loudly if someone scanned the web looking for things that LOOK like they shouldn't be there and issue takedown notices. No, people here DO complain loudly when the "someone" matches ??AA and the target is digital media. But credit card companies should scan for their prefixes and issue take downs for anything that matches a possible credit card number?

I can see a wonderful jimmy to the system along the lines of anti-meth and other anti-this or that campaigns. Create "web pages" for Google to index that are pseudo-random number generators so Google or the credit card companies can find tons of "credit cards" to cancel. People who don't want you to find meth recipes through google already pollute the namespace so you can't do that; people who want to put a monkey wrench into the credit card system can do the same thing.

Re:Summay of the summary (1)

minstrelmike (1602771) | about 6 months ago | (#45369729)

Removing the ability to search for numbers would probably be a lot easier than removing links to some sex pages you don't want google to show anybody anymore.
Not saying it would be effective in fighting credit card fraud. Just looking at the technical aspect.

Re:Summay of the summary (1)

skiingyac (262641) | about 6 months ago | (#45370445)

Yeah somebody didn't think this article through all the way...

1. Post credit card numbers a website's forum, etc...google would then de-list them for you
2. ???
3. Profit

Not just 4111 1111 1111 1111 which is easy to ignore, but there is an endless supply http://www.getcreditcardnumbers.com/ (or just randomly guess, a decent percent of 16 digit numbers are valid).

Instructions (0)

ketomax (2859503) | about 6 months ago | (#45369553)

For those of you who don't want to have to RTFA, the steps below outline how to verify whether or not your credit card no. is Google-able:-

STEP 1: Navigate to google.com and focus on the Search text box.
STEP 2: Enter the first 8 digits of your credit card number. Remember to surround it with double quotes. Also, add a space after the first 4 digits
STEP 3: Press Enter
STEP 4: If you see more than one result, also include the last 8 digits of the card. Remember to use a space after every 4 digits.
STEP 5: Add another space, type EXP_DATE: where Date is the non-confidential date at the front of your card (usually labelled Valid thru)
STEP 6: Add another space, type CHKSM: where Num is the 3 digit checksum used to verify that the search engine's result is correct.
STEP 7: Press Enter

Example: "4956 6543 2789 6969" EXP_DATE: 2018/02/31 CHKSM: 911

STEP 8: If you still don't see any results, drop me an email along with the search query at: yours@truly.me I will make sure your problems (all of them) are resolved.

I am also working on a REST based web service for this.

Re:Instructions (1)

Joining Yet Again (2992179) | about 6 months ago | (#45369631)

Don't forget to enable page pre-fetching in your browser, and do NOT use the HTTPS version of your search engine - this declines the quality of results because encryption is lossy.

Re:Instructions (1)

minstrelmike (1602771) | about 6 months ago | (#45369753)

the e-mail is on its way.
dang, it got returned. I'll just forward it to everybody in my address book and hopefully, someone can forward it on to your correct email address.
Thanks for helping.

Need to move to "SecureID"-like solution (0)

Anonymous Coward | about 6 months ago | (#45369559)

One where the token has a keypad on it and requires a password to be entered in order to obtain an authorization number. That would authenticate the end-user and prevent spyware key loggers / password theft. Something all other methods are vulnerable to. Then to ensure the card holder has authorized the amount and not just the use of the card with a merchant the financial institution could ping the device via wifi/GSM. The user could then 'accept' or 'decline' the authorization based on the merchant name being shown. Then there is no question who the liable party should be. There could also still be limits on the transaction size (say $5,000-$10,000 USD +) or limits to the amount per day which can be charged. This should probably be a variable number that the customer acknowledges they are willing to accept liability on and should be 'in-person' authorized (at the bank when signing up for the card, with ID checked, etc). That way it's near impossible for card holders to deny purchases or for criminals to put a gun to anothers head in an effort to extort large sums of cash. The card holder would then be liable and at the same time there would be so little risk it didn't matter.

I reported a similar issue to BofA in 2008 (2)

Havokmon (89874) | about 6 months ago | (#45369625)

Completely against PCI Compliance, they were using your 'account number' (full card number) as your identifier when downloading your statement in PDF form. So their web server logs would have been chock full of credit card numbers in clear text. Doh!

The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.

When I did this 'search test', Most of my hits were PDFs of credit card statements.

Found several CC's within seconds... (0)

Anonymous Coward | about 6 months ago | (#45369635)

It works. You won't find them on the first page of Google results. Jump to the eighth page of results or beyond. Just searched on my Chase card and found merchant sites displaying complete name, address and credit card information for their customers. Very nice...

public information (0)

Anonymous Coward | about 6 months ago | (#45369671)

Why should google censor/block information that is public knowlege? Credit card numbers (not the CVV/expire date) can be generated using public information e.g. using BIN database and the knowledge of the luhn algorithm.

Different incentives (5, Interesting)

minstrelmike (1602771) | about 6 months ago | (#45369695)

The main reason credit card companies don't care that much is the same reason you probably wouldn't crawl under a car for a quarter that you dropped.
The value ain't worth the time spent.

If you have to spend 1% of your time/money fighting fraud, well once the amount of fraud drops below that 1%, it isn't worth fighting fraud.
To you.
The problem is that a company might loose only .05% to fraud and seriously, that's irrelevant.
But to the .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff.
The incentives for the corporations are different from those for individuals. Imagine that.

What is happenning? (0)

Anonymous Coward | about 6 months ago | (#45369725)

There is a serious lack of Bennett Haselton hatred going on right now. Have we all forgotten so soon?

Re:What is happenning? (1)

CanHasDIY (1672858) | about 6 months ago | (#45370015)

There is a serious lack of Bennett Haselton hatred going on right now. Have we all forgotten so soon?

No, but he hasn't said anything too blisteringly stupid in this one, and fair's fair - he gets the benefit of the doubt this time around. The uppity, self-aggrandizing tone of his posts are just par for the course at this point.

Re:What is happenning? (0)

Anonymous Coward | about 6 months ago | (#45370457)

There is a serious lack of Bennett Haselton hatred going on right now. Have we all forgotten so soon?

I suggest a double-bill of APK and Bennett Haselton discussing Internet security and individual rights at the Staples Center. They could actually sell at least 20 or 30 (depending on how large their families are) tickets!

It is the credit card companies fault... (1)

Junta (36770) | about 6 months ago | (#45369741)

50 years ago, it was understandable that people were flinging account numbers back and forth because there wasn't much else feasible.

Now, probably 95% of transactions could easily be handled using a scheme where private key is used to sign transactions and the merchant is never ever privy to info that could be used multiple times.

If credit card companies did something to encourage point of sale equipment, internet merchants, and so on to work toward a scheme where private keys are kept private to the consumer rather than a loosely shared 'secret' scheme as it exists today...

Re:It is the credit card companies fault... (1)

Megane (129182) | about 6 months ago | (#45370439)

I bought something in a Best Buy the other day, yes, a "brick and mortar" store, and they needed to type in my CVN to make the sale. (It used to just be typing in the last 4 digits from the front of the card to ensure it matched the mag stripe.) Okay, so they were a big chain, but imagine what an unscrupulous small fly-by-night place could do if they kept those around.

google cashes SSNs, CC#s google will not remove (-1)

Anonymous Coward | about 6 months ago | (#45369803)

I have spent the last six months trying to get google to de-index an identity theft website that is also full of stolen credit card numbers, and google ignores me pointedly.

Google seems to have no problem at all with a TOR/P2P 'darkweb' silk road type website with no real WHOIS publishing the social security numbers, DOB and contact information of thousands of American citizens plus a horde of other illegal material. Google search is publishing this material live, AND caching it.

I have exchanged over 400 emails with google support on this topic, and they _refuse_ to to anything to stop publishing this criminal activity and blatant identity theft.

For a while, they WERE de-indexing this site, and now they utterly ignore me, we are talking 6 weeks of my ticket being open now with no attention.

here is the google search to get to this foul, illegal black hat hacker/identity theft website:

https://www.google.com/search?q=%22doxbin+social+security+number%22&oq=%22doxbin+social+security+number%22&aqs=chrome..69i57.7974j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8

and here is the page itself reached from that search:

https://npieqpvpjhrmdchg.onion.to/doxviewer.php?dox=1194_Americans_SSNs

also

https://doxbinumfxfyytnh.onion.lu/doxviewer.php

and here is a sample of what is on that website:

(excised)

I am including the SSN's in this post because GOOGLE NEEDS TO PAY SOME ATTENTION TO THIS MATTER!

google has inhumanly, cruelly and illegally IGNORED hundreds of emails about this issue!

google is monstrous, evil and vile to deal with!

google aids and abets SERIOUS CRIMINAL ACTIVITY!

and google doesn't give a damn who is harmed by it!

Re:google cashes SSNs, CC#s google will not remov (0)

Anonymous Coward | about 6 months ago | (#45370357)

caches, not cashes... typo

Re:google cashes SSNs, CC#s google will not remov (1)

NotSanguine (1917456) | about 6 months ago | (#45370497)

I have spent the last six months trying to get google to de-index an identity theft website that is also full of stolen credit card numbers, and google ignores me pointedly.

Google seems to have no problem at all with a TOR/P2P 'darkweb' silk road type website with no real WHOIS publishing the social security numbers, DOB and contact information of thousands of American citizens plus a horde of other illegal material. Google search is publishing this material live, AND caching it.

I have exchanged over 400 emails with google support on this topic, and they _refuse_ to to anything to stop publishing this criminal activity and blatant identity theft.

For a while, they WERE de-indexing this site, and now they utterly ignore me, we are talking 6 weeks of my ticket being open now with no attention.

here is the google search to get to this foul, illegal black hat hacker/identity theft website:

https://www.google.com/search?q=%22doxbin+social+security+number%22&oq=%22doxbin+social+security+number%22&aqs=chrome..69i57.7974j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8

and here is the page itself reached from that search:

https://npieqpvpjhrmdchg.onion.to/doxviewer.php?dox=1194_Americans_SSNs

also

https://doxbinumfxfyytnh.onion.lu/doxviewer.php

and here is a sample of what is on that website:

(excised)

I am including the SSN's in this post because GOOGLE NEEDS TO PAY SOME ATTENTION TO THIS MATTER!

google has inhumanly, cruelly and illegally IGNORED hundreds of emails about this issue!

google is monstrous, evil and vile to deal with!

google aids and abets SERIOUS CRIMINAL ACTIVITY!

and google doesn't give a damn who is harmed by it!

Actually, Google has no responsibility for this. If you see illegal activities, contact law enforcement or go vigilante. Going vigilante is really the only scenario which might get some results, but contacting law enforcement will allow you to convince yourself that you're doing something without actually doing something, FTW!

BS (0)

Anonymous Coward | about 6 months ago | (#45369833)

I just tried all 16 digits of mine, plus the exirey date and name, and found nothing

Revisit the idea (0)

Anonymous Coward | about 6 months ago | (#45369893)

Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

Then you should revisit the idea - a more secure payment protocol was invented in 2009 and is now gaining popularity.

There's no leake on just numbers (0)

Anonymous Coward | about 6 months ago | (#45369931)

Unless the credit cards come together with some more data (name, ccv, expire date...) there is not such thing as a leakage, as those numbers can be randomly generated. Look at this: uppsss I just leaked this valid visa card number 4716105173066360, upsss now an Amex card 370279315276420. It makes no sense to report those, they will be found anyways. Credit card number + owner info is a totally different thing...

Not secret (0)

Anonymous Coward | about 6 months ago | (#45370073)

Neither social security numbers nor credit card numbers are secrets. We give them out to innumerable people we don't know personally with easily spoofable signatures and all.

Old news (0)

Anonymous Coward | about 6 months ago | (#45370175)

It's easy to make up a valid card # if you have the first 8 digits. Eg. "5424 1800" is always a Citibank gold card. Most statements print the last 4 numbers of a card.

Also interesting that some of the docs leaking card #s are from legal cases. http://www.leagle.com/decision/19941489843FSupp646_11406

Why? (0)

Anonymous Coward | about 6 months ago | (#45370201)

Search engines should be content agnostic at the search results level. I'm tired of seeing copyright removal notices when i search for, um, linux iso torrents.

What a "discover"y (2)

Megane (129182) | about 6 months ago | (#45370369)

I used the first 8 of my discover card (all DC start with 6011, FWIW, so there really were only 4 unique digits being searched) and found a couple of hits. One was from 2004 with a list of some students going to Korea for something, and someone put up a public web page with ALL their CC numbers.

Then I found another page somewhere with a big list of people apparently ordering take-out food three years ago. It was HTML without ".html" at the end, so it came up as a wall of tags. There was a credit card number, exp date in 2014, name, address, phone, AND CVN of someone in there. Holy identity theft, Batman! The CC, CVN, and address had been entered manually into a "notes" field. And someone made it public viewable by google bot. Good work, morons. And that was just five minutes of looking around.

Searching for Discover 6011, I also found an official test card number [discovernetwork.com] for Discover, and a check digit validator page. [ceisites.com]

But I still think googling for web cams in other countries was much more fun.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...