Slashdot Mirror
Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999' and other 'risky data' from careless users, such as QUICKEN files etc."
I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...
Simon
Physicists get Hadrons!
Looks more like Google found forums where people were swapping credit card numbers.
Which in the long run is a good thing, because people will then use real security, and if it is not easy enough to set up, some solutions will emerge.
In the long run, thus, we'll have real security and ease of use.
It often has very little to do with *you*.
It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.
It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't
Obfusacation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by it's users. The responsibility for protecting data lies squarely with the users at the edges.
Comment removed based on user account deletion
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.
Ask your bank for a second Credit Card with a few hundred dollar limit. Use that to buy stuff online, and if someone steals it, it won't cost you that much.
Looks can be deceiving. Or CAN they?
At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...
...in bed
And then you give the PIN to the business to complete the transaction and now they have that. Exactly how does this improve security when you transact business with a company? It might improve security if someone were to steal your wallet, but without some complicated and difficult to verify one time hash scheme. Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up their site.
You are in a maze of twisted little posts, all alike.
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
You do realize that to do business on line, you would still have to give them your pin, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
Is there anything we can advise these people to do to minimize the damage at this point?
That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.
Yes and they also mentioned that this wasn't as big a deal as people think.
For one the the valid credit cards numbers will be rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
The majority of the credit card numbers are on semi underground script kiddy sites. Where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card number generator.
Lastly this article implies (and a number of posters here) that the credit card numbersfound are the result of carelessness by credit card holders on the web and therfor it is their own fault. This is not the case. Google did not expose any mass stupidity by internet users, it simply exposed some of the sites that havest credit card numbers.
Evolution is about being *good enough*, not the best.
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
Unfortunately, this doesn't usually have a lot to do with intelligence.
You know, I really wish the paranoia about using credit cards on the internet will go away.
Think about this as somebody with some technical background. What is more secure?
1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
2. Providing your credit card number to Amazon.
So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.
I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.
People couldn't type. We realized: Death would eventually take care of this.
People still 'hide' house keys under their doormat. Try explaining to them why they shouldn't do it on the Internet.
UNIX/Linux Consulting
I don't even think it needs to be that high tech. How about this:
You bank sends you in the SNAIL MAIL a sheet monthly of longish letters/numbers that represent an authorization to spend money. In fact, each one could be rated for a certain amount of money, say, up to $100 or $250, or something like that. That, in combination with a number on the back of your card (what are they called, CCV2 or something), forms a use-once key for an online purchase. That way you have to have the card present, plus your statement of authorization codes, to purchase goods online. The e-tailer never needs to know your card number, and the codes are only good for a single use. Even if a cracker got a hold of the site database, the CCV2 code would not be usuable for anything unless the cracker also got a hold of your randomly generated, time-sensitive, preset codes.
Something like this would cost practically nothing to implement, be very easy to maintain (you gotta send bank statements monthly anyways), easy to regulate - for example, pass a regulation saying that these can only be sent through the USPS or private carrier, never electronically or ever given out over the phone), and greatly improve security.
On top of that, it'd be great for people without regular banks or bank accounts. An intrepid consumer could easily sell pre-paid authorisation numbers on little scratch-loto style tickets.
On the processing side all we would need is a strong central party (or number of them), like Visa, Mastercard, or AmEx to recieve valid authorisation numbers from banks and hitch that into the POS and online processing systems.
In fact, even a strong libertarian, it makes me cringe to think how much trust and financial power we place into the hands of Visa, Mastercard, and their ilk. It might make sense at some point to expand the mission of the Federal Reserve or the Treasury to handle the verification and routing of authorisation numbers like I've described.
However, "Even then, it doesn't do them any good without your card" is flat wrong, cards can be forged, magnetic stripes rewritten (Ever see a cashier verify the numbers that got approved are the numbers on the card? They rarely confirm the signature, and I've even used other peoples Photo Visa's).
Also, video cameras can record pin numbers, electronic eavesdropping tricks could "hear" the PIN number, etc. Heck, what guarantee do you have walking into any store that the CC terminal is legitimate, and not a fake designed to capture your CC number and PIN before passing it on to a legitimate machine in the back? Dig around for ATM fraud to see what is actively going on.
You are in a maze of twisted little posts, all alike.
I can't tell if you're being ironic or just stupid.
You're suggesting that you "secure" you sensitive information by listing where it is in robots.txt? I think I want to have a look in your robots.txt, now.
The purpose of robots.txt is not to secure your information, it is to avoid getting eaten alive by bandwidth-hogging search spiders, and to prevent spiders from indexing irrelevant or out of date information.
If you want your information to be secure, here's a hint: don't put it on a fricking web server.