Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999' and other 'risky data' from careless users, such as QUICKEN files etc."
This was on bugtraq a week or two ago:
Check it out and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here.
Apparently this was even a DEFCON speech subject.
This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them, using a browser with the Google toolbar installed, the Googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.
-- Sorry, I can't think of anything funny to say here.
I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.
This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.
I have discovered a truly remarkable sig which this margin is too small to contain.
Just tried google for a SSN search as well. Same thing, you get a list of results within that social security number range, along with names, and addresses.
I just can't figure out why people would fall victim to identity theft.
They are not publishing anything. It was already published. Google just found it. Google should have NO liability whatsoever.
This does make it easier for me to search for MY credit card. I would never put my own in the search engine bar as the search would be cached in someone's computer. Now, I just put the range in to see if I am on some Russian mafia's list...
That feature has been here for some time. If you want a list of all such obscure features of Google, check this.
fifteen jugglers, five believers
None of the links found are from people who purposely put it online themselves; all you find are IRC logs/hacker boards where people exchange stolen card numbers.
convert 29 fahrenheit to celsius
or
pi=
or
define: hubris
google's got neat tricks
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Guess what - someone who isn't a /. reader is:
Probably the ones most vulnerable to Google mining (for lack of a better term)
The ones least likely to know what a robots.txt is, what it does, and how to utilize it to prevent stuff like this.
You better watch out, there may be dogs about . .
This could be good in finding websites that illegally publish this content.
With this search in google:
Mastercard 5000000000000000..5999999999999999
I found this russian site that published American credit card information with expiration dates, names and addresses:
http://kupi-cc.0golf.com/halyva.htm
Scary stuff. I would prefer google to find this information so that I can type in a simple query and see where my information is being wrongly published then not knowing at all.
I'm surprised at how easily you guys assume other net users are simply so dumb. Let's be a bit more humble and take any news/comment with a grain of salt. If you try the search suggested, you'll see some sites were Russian forums exchanging credit card numbers they illegally obtained.
Besides, who would ever take the time to post one's own credit card numbers on the net? It's dumb to assume someone did that by themselves, frankly. I can only imagine someone might have got their card lost and the number got into those illegal forums, or someone put the number in an email to a CS representative and the email got put into an FAQ, or scenarios like that.
This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."
Unless this person can cite a real case, then all he did was show us test files (as he claims he has seen).
I mod down so you can mod up. You're welcome.
NOT WORK SAFE!
Gah! And here I thought I wouldn't be so stupid as to not realize what kind of link that would be.
(pounds head on desk repeatedly)
(no one notices since it's part of my job requirement)
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
They already did. http://www.omaha.bbb.org/news_phonyorders.html
All straight things must come to a bend
Any website that accepts credit card payments worth using will require an AVS number and address.
As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.
With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
----
Actually, I didn't input the entire number; I omitted the last four.
In that case you won't find it even if it was there. Google uses exact matches, so 1234 won't match 123456789.
Beware: In C++, your friends can see your privates!
Most terminals that are sold to merchants that have PIN pads encrypt the pin on the pad, then send it to the bank for authorization, or depending on your card, compare it to the hash written on the mag stripe. The merchant never knows your PIN, unless the clerk has a photographic memory and observes you entering it. Even then, it doesn't do them any good without your card.
It won't cost you anything (or $50) if someone steals your CC and uses it to buy shit. Your best protection is to keep up to date on your bank's site with what you have and haven't bought, and investigate and report anything you didn't do immediately. You won't be liable.
replacing it with NEW Folger's Crystals! (lets see if they notice the difference)
Isn't this what's happening in the UK now?
No, what is happening in the UK today is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.
Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.
It does not address "cardholder not present" fraud.
So you can use it like a credit card, rather than a debit card, at places that don't take debit. (such as most online purchases)
You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.
Visa and MasterCard use different prefixes though... so you have to change the number range to 5000000000000000..5699999999999999.
"index of mp3 parent directory" may be a bit more accurate, as the phrase "parent directory" appears on FTP sites being rendered as HTML. Of course, the same applies to ROMs and pr0n0r as well :)
There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Ah, perfected :)
"index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml
It works quite well :)
We have this in a few UK banks, certainly the one I use called Cahoot Webcard, which is an online tool: you log in to your online banking account and request a card valid for 1 month with the amount you specify. I've never had a problem with this and it's perfect for online sales and even telephone credit card orders, as they can't screw your account over and over for more money.
"than I'd give out to anyone who's not an authorised government official"
A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity despite being asked for on some forms.
"information is now potentially in the hands of someone unscrupulous."
More unscrupulous than the Home Office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date; specifically, it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be red-flagged if there are tax inputs using it.
"If anything untoward were to happen, I have virtually no recourse"
See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.
"it's impossible to get a new NI number:"
It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.
Oddly Draconis
Too cynical to live, too stubborn to die.
It's some sort of extra protection measure that isn't encoded in the magnetic strip and therefore needs to be entered manually...not used all of the time but when it is used it prevents someone from using a magnetic cardswipe to steal your number...the credit card company knows that number and sometimes requires it for authorization
Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.
Amex has a Card Identification (CID) which is a four digit number that appears on the front of the card.
It annoys me when I see online forms providing options of Visa, Mastercard, and Amex, and then ask exclusively for the CVV2. Almost as much as the sites that insist I tell them what city I live in, ignoring the 50 odd percent of people who don't live in one.
The term Card Security Code (CSC) is used as a catch-all label, and it's what I use when building shop sites.
"A goldfish was his muse, eternally amused"
Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments, and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.
I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere. Now that Private Payments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.
But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.
The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.
And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.
There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).
How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.
Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
--- A man with a briefcase can steal more money than any man with a gun. [Don Henley]
MBNA has ShopSafe
Citibank has Virtual Account Numbers
Discover has Discover Deskshop
even American Express...
This is *nothing* new
I don't see the number range listed on that page. Am I missing something?
http://help.yahoo.com/help/us/ysearch/tips/tips-01.html
* Airport Information
* Airline Registration Information
* Area Codes
* Calculator
* Dictionary Definitions
* Encyclopedia Lookup
* Exchange Rates
* Flight Tracker
* Gas Prices
* Hotel Finder
* ISBN Numbers
* Local Search[new]
* Maps
* Movie Showtimes
* News
* Packages
* Patents
* Sports Scores
* Stock Quotes
* Synonym Finder
* Time Zones
* Traffic
* UPC Codes
* VIN Number
* Weights, Measures and Temperatures
* Weather
* Zip Codes
SIGUSR1
If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.
Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.
However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
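The site owner's side of this, as an added example that is not from the thread: before a crawler finds a stray file, walk the web root and flag anything that looks like a card number. It uses the Luhn checksum plus the standard Visa/MasterCard/Amex issuer prefixes and lengths; the file names and contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample pages (not from the thread); only orders.html leaks a real-looking number.
SAMPLE_PAGES = {
    "orders.html": "Order 1182 paid with card 4111 1111 1111 1111, exp 04/06",
    "faq.html": "Call 555-0100 or mail support@example.invalid for help",
    "log.txt": "session id 4111111111111112 (fails the checksum, so not a card)",
}

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Map a digit string to an issuer by prefix and length, or None."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"} and len(digits) == 16:
        return "MasterCard"
    if digits[:2] in {"34", "37"} and len(digits) == 15:
        return "Amex"
    return None


def find_card_numbers(text: str):
    """Return (issuer, masked number) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = issuer(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root):
    """Scan every file under root; return {relative path: hits} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = find_card_numbers(path.read_text(errors="ignore"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings


def demo():
    """Write the constructed pages to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PAGES.items():
            Path(tmp, name).write_text(body)
        return scan_tree(tmp)
```

Run `demo()` to see only orders.html reported, with the number masked so the report itself does not become another leak.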
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.