Slashdot Mirror


Searching For Trouble With Google

achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."

24 of 506 comments

  1. this was on cryptome by jabella · · Score: 5, Informative

    This was on bugtraq a week or two ago:

    Check it out and there was a discussion of it a few days later.

    Someone actually has a whole forum dedicated to finding things you can do with google here.

    Apparently this was even a DEFCON speech subject.

    1. Re:this was on cryptome by Anonymous Coward · · Score: 3, Informative
      Someone actually has a whole forum dedicated to finding things you can do with google here.

      Another good site is searchlores.org

      It doesn't limit itself only to Google.

  2. I blame the Google Toolbar for a lot of this by twoshortplanks · · Score: 5, Informative
    It used to be the case that if you put something temporarily in a directory on your webserver (that didn't have indexes turned on) you could simply give the URL of the file to a couple of people to have a quick look at and not have to worry about putting a password on the file. Because it wasn't linked from anywhere, unless someone could guess the URL no-one else would be able to find it.

    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

    --
    -- Sorry, I can't think of anything funny to say here.
    1. Re:I blame the Google Toolbar for a lot of this by Max+Romantschuk · · Score: 5, Informative

      The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

      Nasty? Yes.

      But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.

      And it's not that hard (on Apache servers) to make an appropriate .htaccess file either.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    2. Re:I blame the Google Toolbar for a lot of this by jsebrech · · Score: 4, Informative

      This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

      If you want to share something without google indexing it, there are many strategies you can use, all outlined on google.com itself.

      Google does not index anything you have not allowed it to.

      The problem is people putting private information in a public forum, not someone indexing that private information.

    3. Re:I blame the Google Toolbar for a lot of this by xQx · · Score: 5, Informative

      The only problem with that is that hackers have a tendency not to respect robots.txt... in fact, it's a great index of stuff to have a look at on public websites.
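    Taking the two replies above together (robots.txt keeps polite crawlers such as googlebot away, but it is a public file that names the very directory you wanted hidden, while an .htaccess file stops the server from handing the file to anyone at all), here is what that looks like in practice. This is an added illustration, not something posted in the thread or taken from any site it links to; the directory name /tmp-share/, the password-file path and the Apache 2.x directive names are assumptions.

```apache
# robots.txt at the site root (weak on its own). Googlebot and other polite
# crawlers will skip /tmp-share/, but the file is still served to anyone who
# requests it, and this public file now advertises the directory you wanted
# kept quiet.
#
#   User-agent: *
#   Disallow: /tmp-share/
#
# .htaccess inside /tmp-share/ (assumed directory name). The main server
# config must allow "AllowOverride AuthConfig Options" for this directory.
# Nothing below is served without a valid login, crawler or not, and the
# directory cannot be listed even if indexes are enabled elsewhere.
Options -Indexes

AuthType Basic
AuthName "Temporary share"
# Assumed path; create the file with: htpasswd -c /etc/apache2/tmp-share.htpasswd alice
AuthUserFile /etc/apache2/tmp-share.htpasswd
Require valid-user

# Belt and braces for anything that does get served to an authenticated
# visitor: ask search engines not to index or cache it (needs mod_headers).
<IfModule mod_headers.c>
    Header set X-Robots-Tag "noindex, noarchive"
</IfModule>
```

Two notes on the design: Apache rejects comments on the same line as a directive, so every `#` line stands alone; and Basic auth only base64-encodes the credentials, so the share should be reachable over HTTPS only, otherwise the password is as exposed as the file was.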

  3. Googledorks by tb()ne · · Score: 5, Informative

    I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.

  4. Re:Nothing wrong with this... by stromthurman · · Score: 5, Informative

    This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.

    --
    I have discovered a truly remarkable sig which this margin is too small to contain.
  5. Same for SSNs by bcarl314 · · Score: 4, Informative

    Just tried google for an SSN search as well. Same thing, you get a list of results within that social security number range, along with names, and addresses.

    I just can't figure out why people would be victim to identity theft.

  6. Re:What I'm more surprised by by phreakv6 · · Score: 5, Informative

    That feature has been here for some time. If you want a list of all such obscure features of google, check this

    --
    fifteen jugglers, five believers
  7. try this by circletimessquare · · Score: 4, Informative

    convert 29 fahrenheit to celsius

    or

    pi=

    or

    define: hubris

    google's got neat tricks

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  8. Suppositions by AviLazar · · Score: 3, Informative

    This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."

    Unless this person can cite a real case, then all he did was show us test files (as he claims he has seen).

    --
    I mod down so you can mod up. You're welcome.
  9. Re:Nothing wrong with this... by the+unbeliever · · Score: 4, Informative

    Most terminals that are sold to merchants that have PIN pads encrypt the pin on the pad, then send it to the bank for authorization, or depending on your card, compare it to the hash written on the mag stripe. The merchant never knows your PIN, unless the clerk has a photographic memory and observes you entering it. Even then, it doesn't do them any good without your card.

  10. Re:Nothing wrong with this... by Shimbo · · Score: 4, Informative

    Isn't this what's happening in the UK now?

    No, what is happening in the UK today is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.

    Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.

    It does not address "cardholder not present" fraud.

  11. Re:Nothing wrong with this... by the+unbeliever · · Score: 4, Informative

    So you can use it like a credit card, rather than a debit card, at places that don't take debit. (such as most online purchases)

    You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.

  12. Re:Priceless by interiot · · Score: 3, Informative

    Visa and MasterCard use different prefixes though... so you have to change the number range to 5000000000000000..5699999999999999.

  13. So what if there are card numbers on the web... by mrjb · · Score: 4, Informative

    There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  14. Re:A couple more fun examples: by zoeblade · · Score: 3, Informative

    Ah, perfected :)

    "index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml

    It works quite well :)

  15. Re:Nothing wrong with this... by Oddly_Drac · · Score: 3, Informative

    "than I'd give out to anyone who's not an authorised government official"

    A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity despite being asked for on some forms.

    "information is now potentially in the hands of someone unscrupulous."

    More unscrupulous than the home office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date; specifically it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be red-flagged if there are tax inputs using it.

    "If anything untoward were to happen, I have virtually no recourse"

    See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.

    "it's impossible to get a new NI number:"

    It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.

    --
    Oddly Draconis
    Too cynical to live, too stubborn to die.
  16. Re:Nothing wrong with this... by feargal · · Score: 3, Informative

    "what are they called, CCV2 or something"

    For the record, I looked this up when doing a shopping system once.

    Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.

    Amex has a Card Identification (CID) which is a four digit number that appears on the front of the card.

    It annoys me when I see online forms providing options of Visa, Mastercard, and Amex, and then ask exclusively for the CVV2. Almost as much as the sites that insist I tell them what city I live in, ignoring the 50-odd percent of people who don't live in one.

    The term Card Security Code (CSC) is used as a catch-all label, and it's what I use when building shop sites.

    --
    "A goldfish was his muse, eternally amused"
  17. Re:One-time numbers are key by EtherMonkey · · Score: 5, Informative

    Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments, and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.

    I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere.

    Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.

    But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.

    The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.

    And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.

    There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).

    How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.

    Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.

    --
    --- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
  18. Re:What I'm more surprised by by cymen · · Score: 3, Informative

    I don't see the number range listed on that page. Am I missing something?

  19. Yahoo! has even more neat tricks... by edsarkiss · · Score: 3, Informative

    http://help.yahoo.com/help/us/ysearch/tips/tips-01.html

    * Airport Information
    * Airline Registration Information
    * Area Codes
    * Calculator
    * Dictionary Definitions
    * Encyclopedia Lookup
    * Exchange Rates
    * Flight Tracker
    * Gas Prices
    * Hotel Finder
    * ISBN Numbers
    * Local Search[new]
    * Maps
    * Movie Showtimes
    * News
    * Packages
    * Patents
    * Sports Scores
    * Stock Quotes
    * Synonym Finder
    * Time Zones
    * Traffic
    * UPC Codes
    * VIN Number
    * Weights, Measures and Temperatures
    * Weather
    * Zip Codes

    --
    SIGUSR1
  20. how to remove things from google's cache by sootman · · Score: 4, Informative

    If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.

    Contacting google to remove their 'hit' on it could take a while, and remember: there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.

    However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.