Slashdot Mirror


Searching For Trouble With Google

achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."

132 of 506 comments

  1. Nothing wrong with this... by Cytlid · · Score: 2, Funny

    ...it's called natural selection. Survival of the fittest... if people are that dumb to put stuff on the internet, so be it.

    --
    FLR
    1. Re:Nothing wrong with this... by stromthurman · · Score: 5, Informative

      This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.

      --
      I have discovered a truly remarkable sig which this margin is too small to contain.
    2. Re:Nothing wrong with this... by psyklopz · · Score: 5, Insightful

      It often has very little to do with *you*.

      It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.

      It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't

    3. Re:Nothing wrong with this... by Scoria · · Score: 2, Insightful

      I realize that this was intended to be a joke; however, it is likely that many of these credit card numbers were derived from a malicious application. Although one might argue that anybody inexperienced enough to execute a malicious application is also "deserving," I have often observed that those individuals are -- perhaps ironically -- averse to conducting electronic transactions.

      --
      Do you like German cars?
    4. Re:Nothing wrong with this... by nial-in-a-box · · Score: 4, Interesting

      Yea except these are the idiots that will also sue Google and try to take them down because of their own mistakes. If you're in some sort of struggle with an idiot, you'll be ok, but may God help you if that idiot has a halfway decent lawyer.

      --
      I am feeling fat and sassy
    5. Re:Nothing wrong with this... by HeghmoH · · Score: 5, Insightful

      It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    6. Re:Nothing wrong with this... by itsme · · Score: 2, Informative

      None of the links found are from people who purposely put it online themselves, all you find are irclogs/hacker boards, where people exchange stolen card numbers.

    7. Re:Nothing wrong with this... by WIAKywbfatw · · Score: 4, Interesting

      I'll second that. A little over a month ago, a letter was sent to me but went missing in the post. That letter contained my full name, address and National Insurance number (similar to a US Social Security number).

      That lost letter contains more information than I'd give out to anyone who's not an authorised government official (policeman, doctor, etc). Through no fault of my own, and despite my vigilance (I shred and burn every bit of correspondence that has my name and address on it, let alone financial or other personal details) that information is now potentially in the hands of someone unscrupulous.

      If anything untoward were to happen, I have virtually no recourse, as it would be nigh on impossible to actually prove where my details were obtained and (as far as I know) it's impossible to get a new NI number: I'm stuck with the one that's issued to me at 16 until the day I die.

      --

      "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    8. Re:Nothing wrong with this... by chrish · · Score: 5, Funny

      c.f. Microsoft's success in computer software.

      --
      - chrish
    9. Re:Nothing wrong with this... by lachlan76 · · Score: 2, Insightful

      I've accidentally put my IM logs on the internet. Sometimes it can be easy enough to make a mistake (i.e. deny,allow rather than allow,deny). A shitload of private stuff got out to everyone I know (I'm 14, so I have to be with these people a lot of the time), and now I use GnuPG with a 4096-bit key, and digest authentication.

      You don't have to be dumb to make mistakes like this, a single typo can do it. Being dumb just helps.

    10. Re:Nothing wrong with this... by Yorrike · · Score: 4, Insightful

      Ask your bank for a second Credit Card with a few hundred dollar limit. Use that to buy stuff online, and if someone steals it, it won't cost you that much.

      --

      Looks can be deceiving. Or CAN they?

    11. Re:Nothing wrong with this... by $raim_n_reezn! · · Score: 2, Informative

      They already did. http://www.omaha.bbb.org/news_phonyorders.html

      --
      All straight things must come to a bend
    12. Re:Nothing wrong with this... by ePhil_One · · Score: 3, Insightful
      It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.

      And then you give the PIN to the business to complete the transaction and now they have that. Exactly how does this improve security when you transact business with a company? It might improve security if someone were to steal your wallet, but without some complicated and difficult to verify one time hash scheme. Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up their site).

      --
      You are in a maze of twisted little posts, all alike.
    13. Re:Nothing wrong with this... by the+unbeliever · · Score: 4, Informative

      Most terminals that are sold to merchants that have PIN pads encrypt the pin on the pad, then send it to the bank for authorization, or depending on your card, compare it to the hash written on the mag stripe. The merchant never knows your PIN, unless the clerk has a photographic memory and observes you entering it. Even then, it doesn't do them any good without your card.

    14. Re:Nothing wrong with this... by AnwerB · · Score: 5, Insightful

      It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.

      You do realize that to do business on line, you would still have to give them your pin, right?

      It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.

    15. Re:Nothing wrong with this... by extra+the+woos · · Score: 2, Informative

      It won't cost you anything (or $50) if someone steals your cc and uses it to buy shit.. your best protection is to keep up to date on your bank's site with what you have and haven't boughten, and investigate and report anything you didn't do immediately.. you won't be liable.

      --
      replacing it with NEW Folger's Crystals! (lets see if they notice the difference)
    16. Re:Nothing wrong with this... by BorgDrone · · Score: 4, Insightful

      Evolution is about being *good enough*, not the best.
      Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.

      Unfortunately, this doesn't usually have a lot to do with intelligence.

    17. Re:Nothing wrong with this... by the+unbeliever · · Score: 2, Interesting

      It's also not stored. :P

    18. Re:Nothing wrong with this... by skaffen42 · · Score: 5, Insightful

      You know, I really wish the paranoia about using credit cards on the internet will go away.

      Think about this as somebody with some technical background. What is more secure?
      1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
      2. Providing your credit card number to Amazon.

      So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.

      I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.

      --
      People couldn't type. We realized: Death would eventually take care of this.
    19. Re:Nothing wrong with this... by Shimbo · · Score: 4, Informative

      Isn't this what's happening in the UK now?

      No, what is happening in the UK today is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.

      Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.

      It does not address "cardholder not present" fraud.

    20. Re:Nothing wrong with this... by the+unbeliever · · Score: 4, Informative

      So you can use it like a credit card, rather than a debit card, at places that don't take debit. (such as most online purchases)

      You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.

    21. Re:Nothing wrong with this... by hendridm · · Score: 2, Interesting
      It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN.

      Perhaps this is an area where the likes of third-party merchant services such as 2checkout.com, Paysystems, and iBill can really shine. Ignoring the problems these specific merchant services have had, the model of passing the user to a secure page provided by a "trusted" company to enter credit card details could be a good marketing gimmick.

      Let's say you're shopping at <insert your favorite pricewatch merchant here>. You're tempted to make a purchase because their price is so much lower than your usual merchant of choice. Would you prefer to enter transaction details directly on their web site and trust them to store your information in a secure way, or would you prefer a system where you are passed to visa.com or citibank.com to enter the transaction details, which are never given to the merchant, just a check in the mail every 2-4 weeks?

      Just like how web sites plug their SSL cert seals with a verification image and link ("Secured with Thawte 128-bit encrypted - click here to verify"), perhaps the site could advertise something like, "For your protection, we do not store your credit card information anywhere on our servers. You will be passed to a secure page at Citibank.com and your transaction details will not be viewable by anyone but you. Click here to verify our partnership with Citibank.com". Okay, that sounds lame, but you get the idea. To me, it's reassuring that my transaction is being handled by a company whose best interest is in avoiding fraud versus passing them to a1discount-computer-parts.biz or whatever to store them as cleartext in their MySQL database...

    22. Re:Nothing wrong with this... by troc · · Score: 3, Funny

      That's rather unfair, Mr. Mbuthu, who is a GOD-FEARING person, has asked me to look after $25,000,000 which his poor lamented grandfather's adopted goat left in an account when they were brutally slain in a TERRIBLE UPRISING. The poor guy has been through hell, apparently they won't even let him leave the country - I have wired him some cash but it was not enough for all teh bribes and things, not to mention the administration. He is sending a TRUSTED FRIEND to meet me tomorrow where I will give him my bank details.

      Poor guy, life must be terrible in the Nigerian banking industry.

      Troc.

      --
      Troc's dubious podcast and blog: http://www.trocnet.net
    23. Re:Nothing wrong with this... by HeghmoH · · Score: 2, Insightful

      You do realize that to do business on line, you would still have to give them your pin, right?

      It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.


      No, I do not realize this. You are not using your imagination.

      During the checkout phase, you get a code. You log on to your bank/credit card/whatever account, paste that code into a field to authorize the funds, and get an order confirmation from the place where you bought your stuff.

      There are probably a ton of other ways to make this work, too. It is not a requirement that you feed an online business enough information to make purchases using your credit card, that's just how it happens to be set up now.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    24. Re:Nothing wrong with this... by stephanruby · · Score: 2, Interesting
      In France, I've seen a system that protects consumers from giving out their real credit/debit card numbers to online merchants. Instead, the consumer would first have to go to his own bank's web site, he would have to enter the amount (or the range of the amount) he was about to charge, and then the bank would generate a unique one-time only credit card number. It was pretty nifty -- the online merchant would have no idea that you were giving him a one-time only credit card number.

      One drawback was that this additional service came at an extra service charge of a few dollars per month (can't remember the exact amount). If anyone hears of an American bank doing this, either online or in California, please let me know. I've heard of American banks having a similar service for preauthorizing checks (via fax), but what I saw in France is taking it quite a step further.

    25. Re:Nothing wrong with this... by MikeDX · · Score: 2, Informative

      We have this in a few UK banks, certainly the one I use called Cahoot webcard which is an online tool, you log in to your online banking account, and request a card valid for 1 month with the amount you specify. I've never had a problem with this and it's perfect for online sales and even telephone credit card orders as they can't screw your account over and over for more money.

    26. Re:Nothing wrong with this... by danheskett · · Score: 4, Insightful

      I don't even think it needs to be that high tech. How about this:

      Your bank sends you in the SNAIL MAIL a sheet monthly of longish letters/numbers that represent an authorization to spend money. In fact, each one could be rated for a certain amount of money, say, up to $100 or $250, or something like that. That, in combination with a number on the back of your card (what are they called, CCV2 or something), forms a use-once key for an online purchase. That way you have to have the card present, plus your statement of authorization codes, to purchase goods online. The e-tailer never needs to know your card number, and the codes are only good for a single use. Even if a cracker got a hold of the site database, the CCV2 code would not be usable for anything unless the cracker also got a hold of your randomly generated, time-sensitive, preset codes.

      Something like this would cost practically nothing to implement, be very easy to maintain (you gotta send bank statements monthly anyways), easy to regulate - for example, pass a regulation saying that these can only be sent through the USPS or private carrier, never electronically or ever given out over the phone), and greatly improve security.

      On top of that, it'd be great for people without regular banks or bank accounts. An intrepid consumer could easily sell pre-paid authorisation numbers on little scratch-loto style tickets.

      On the processing side all we would need is a strong central party (or number of them), like Visa, Mastercard, or AmEx to receive valid authorisation numbers from banks and hitch that into the POS and online processing systems.

      In fact, even as a strong libertarian, it makes me cringe to think how much trust and financial power we place into the hands of Visa, Mastercard, and their ilk. It might make sense at some point to expand the mission of the Federal Reserve or the Treasury to handle the verification and routing of authorisation numbers like I've described.

    27. Re:Nothing wrong with this... by Oddly_Drac · · Score: 3, Informative

      "than I'd give out to anyone who's not an authorised government official"

      A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity despite being asked for on some forms.

      "information is now potentially in the hands of someone unscrupulous."

      More unscrupulous than the home office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date, specifically it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be redflagged if there are tax inputs using it.

      "If anything untoward were to happen, I have virtually no recourse"

      See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.

      "it's impossible to get a new NI number:"

      It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.

      --
      Oddly Draconis
      Too cynical to live, too stubborn to die.
    28. Re:Nothing wrong with this... by ePhil_One · · Score: 3, Insightful
      Ok, since the article context was Credit Cards on the web, I was replying in the context of web merchants, who I expect are grabbing all the data via web-forms for processing, since embedding forms from another web site should set off all sorts of security alarms.

      However, "Even then, it doesn't do them any good without your card" is flat wrong, cards can be forged, magnetic stripes rewritten (Ever see a cashier verify the numbers that got approved are the numbers on the card? They rarely confirm the signature, and I've even used other people's Photo Visas).

      Also, video cameras can record pin numbers, electronic eavesdropping tricks could "hear" the PIN number, etc. Heck, what guarantee do you have walking into any store that the CC terminal is legitimate, and not a fake designed to capture your CC number and PIN before passing it on to a legitimate machine in the back? Dig around for ATM fraud to see what is actively going on.

      --
      You are in a maze of twisted little posts, all alike.
    29. Re:Nothing wrong with this... by feargal · · Score: 3, Informative
      "what are they called, CCV2 or something"
      For the record, I looked this up when doing a shopping system once.

      Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.

      Amex has a Card Identification (CID) which is a four digit number that appears on the front of the card.

      It annoys me when I see online forms providing options of Visa, Mastercard, and Amex, and then ask exclusively for the CVV2. Almost as much as the sites that insist I tell them what city I live in, ignoring the 50 odd percent of people who don't live in one.

      The term Card Security Code (CSC) is used as a catch-all label, and it's what I use when building shop sites.
      --
      "A goldfish was his muse, eternally amused"
    30. Re:Nothing wrong with this... by jrexilius · · Score: 2, Insightful

      You are correct from a consumer's point of view only in the context of the transaction.

      The cost, however, is passed onto the consumer as the merchants have to charge premiums for fraud in an insecure system, as do the banks, and everyone else along the chain that has to support fraudulent transactions.

      This is no small thing, the very large bank I worked at had to spend a great deal of money around this and online-billpay activity.

      The credit card is an unfortunate half-breed trying to be somewhere between cash and a check. Historical reasons and trying to gain usage and market acceptance have pushed it into this role perhaps, but where it's at now is broken.

    31. Re:Nothing wrong with this... by pfleming · · Score: 2, Insightful

      Actually it's more like survival of the most adaptable. Anything that can't or won't change dies. That which does adapt to the "new" conditions will survive and live on.

    32. Re:Nothing wrong with this... by peatbakke · · Score: 2, Interesting

      In the United States, a lot of credit card companies are issuing single purchase numbers. I think a few of them allow you to set the amount available, then use the generated number to make the purchase. I think it's an excellent solution to online CC transactions, that doesn't require overhauling the whole transaction system.

      I'm in Germany at the moment, and we have a pretty good system for transactions that don't involve cash currency. Most people here don't use credit cards or cheques; they use bank issued debit cards, and bank transfers.

      The debit card can only be used in person. You have to supply the card ... there's no cheating by just providing the number or anything like that. Can't really use it for online transactions, but it's not meant for that. Cashiers are usually pretty meticulous about checking your signature, so you have relatively good physical security.

      There's a surprising number of bank transfers ... you use it for almost everything: rent, utilities, regular bills, paying your friends back, paying for things online, and just about anything except for general shopping.

      For every bank transfer you make, you have to supply a transaction authorization number (TAN). When you open an account, you're given a sheet with a couple hundred of these numbers, and you have to use them in sequence. When you want more, you go to the bank, present a valid ID of some sort, and get another sheet.

      It's a pretty good system, very convenient, but would require quite a bit of infrastructure changes in the US ...
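
The TAN sheet described in the comment above (codes used once, in sequence) sketched from the bank's side, as an added example that is not part of the thread or any bank's real code. Storing only a keyed MAC of each code, and locking the sheet after three wrong entries, are assumptions of this sketch; `issue_sheet` and `TanSheet` are hypothetical names.

```python
import hashlib
import hmac
import secrets


class TanSheet:
    """Server-side record of one printed sheet; plaintext codes are not kept."""

    def __init__(self, key, macs, max_failures=3):
        self._key = key
        self._macs = macs              # one MAC per code, in sheet order
        self._next = 0                 # index of the only code accepted next
        self._failures = 0
        self._max_failures = max_failures

    @staticmethod
    def _mac(key, index, code):
        # Bind the code to its position so a code cannot be used out of order.
        msg = f"{index}:{code}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    @property
    def locked(self):
        return self._failures >= self._max_failures

    @property
    def remaining(self):
        return len(self._macs) - self._next

    def authorize(self, code):
        """Accept only the next unused code; consume it on success."""
        if self.locked or self.remaining == 0:
            return False               # customer needs a new sheet
        expected = self._macs[self._next]
        supplied = self._mac(self._key, self._next, code)
        if hmac.compare_digest(expected, supplied):   # constant-time compare
            self._next += 1
            self._failures = 0
            return True
        self._failures += 1            # replayed, skipped or guessed code
        return False


def issue_sheet(count=10, digits=8, max_failures=3):
    """Return (codes to print for the customer, server-side TanSheet)."""
    key = secrets.token_bytes(32)
    codes = []
    while len(codes) < count:
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        if code not in codes:          # no duplicates within one sheet
            codes.append(code)
    macs = [TanSheet._mac(key, i, c) for i, c in enumerate(codes)]
    return codes, TanSheet(key, macs, max_failures)


if __name__ == "__main__":
    codes, sheet = issue_sheet(count=3)
    print("skip ahead :", sheet.authorize(codes[1]))   # rejected
    print("in sequence:", sheet.authorize(codes[0]))   # accepted
    print("replay     :", sheet.authorize(codes[0]))   # rejected
```

A merchant database that captured a used code holds nothing it can spend, because the server has already moved past that position on the sheet.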

    33. Re:Nothing wrong with this... by Thuktun · · Score: 2, Insightful

      Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.

      I disagree. It also includes avoiding being killed before reproducing.

      Unfortunately, this doesn't usually have a lot to do with intelligence.

      Avoiding predators and other dangers may not require intelligence, but it requires instincts. Being conspicuously careless--to bring this somewhat back on-topic--is not usually a good survival trait.

    34. Re:Nothing wrong with this... by superman53142 · · Score: 2, Funny

      Agreed, and to further narrow it down, [Evolution] is about being *good enough* at only 1 thing: reproduction.

      It's pretty good at email, too.

    35. Re:Nothing wrong with this... by Frizzle+Fry · · Score: 2, Insightful

      Yes, but the point is that intelligence can be very helpful towards the goal of staying alive. And since, as you say, staying alive is part of being successful at reproduction, this means that being smart does help your evolutionary chances (although of course other things can help too, and sometimes enough to offset lack of intelligence). The fact that humans evolved from fairly unintelligent life (at least if you go far enough back) is pretty good evidence of this.

      --
      I'd rather be lucky than good.
    36. Re:Nothing wrong with this... by EvilSporkMan · · Score: 2, Insightful

      s/rabbits/bacteria/;

      --
      -insert a witty something-
  2. this was on cryptome by jabella · · Score: 5, Informative

    This was on bugtraq a week or two ago:

    Check it out and there was a discussion of it a few days later.

    Someone actually has a whole forum dedicated to finding things you can do with google here.

    Apparently this was even a DEFCON speech subject.

    1. Re:this was on cryptome by Anonymous Coward · · Score: 3, Informative
      Someone actually has a whole forum dedicated to finding things you can do with google here.

      Another good site is searchlores.org

      It doesn't limit itself only to Google.

  3. I blame the Google Toolbar for a lot of this by twoshortplanks · · Score: 5, Informative
    It used to be the case that if you put something temporarily in a directory on your webserver (that didn't have indexes turned on) you could simply give the URL of the file to a couple of people to have a quick look at and not have to worry about putting a password on the file. Because it wasn't linked from anywhere, unless someone could guess the URL then no-one else would be able to find it.

    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

    --
    -- Sorry, I can't think of anything funny to say here.
    1. Re:I blame the Google Toolbar for a lot of this by makapuf · · Score: 4, Insightful

      Which in the long run is a good thing, because people will then use real security, and if it is not easy enough to set up, some solutions will emerge.

      In the long run, thus, we'll have real security and ease of use.

    2. Re:I blame the Google Toolbar for a lot of this by Max+Romantschuk · · Score: 5, Informative

      The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

      Nasty? Yes.

      But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.

      And it's not that hard (on Apache servers) to make an appropriate .htaccess file either.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    3. Re:I blame the Google Toolbar for a lot of this by jsebrech · · Score: 4, Informative

      This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

      If you want to share something without google indexing it, there are many strategies you can use, all outlined on google.com itself.

      Google does not index anything you have not allowed it to.

      The problem is people putting private information in a public forum, not someone indexing that private information.

    4. Re:I blame the Google Toolbar for a lot of this by RsG · · Score: 5, Interesting

      Not to troll, but "real security and ease of use"? That's a contradiction in terms. Any system that's easy to use is almost certainly easy to crack (hint, the crackers have as easy a time as the user). Any secure system usually requires long passwords, encryption keys or something equally challenging. If your users keep their passwords the same for all systems, or have accessible copies to remind them, then the system isn't secure (remember last week when Gabe Newell's forum accounts got hacked because he used the same friggin password and it was easy to guess?)
      If you mean security through obscurity then you're describing the current situation on the net, but the article states that Google is removing the obscurity aspect by making the entire net accessible. We no longer have any kind of assurance that a given nook or cranny is too obscure to bother with.
      I agree that people shouldn't leave their personal data lying around, but to simply assume that the general public can adopt security measures that we, the /. crowd, consider adequate and easy to use is silly. What we need is internet education (the do's and do not's for the clueless).

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    5. Re:I blame the Google Toolbar for a lot of this by xQx · · Score: 5, Informative

      The only problem with that is that hackers have a tendency not to respect robots.txt .. in fact, it's a great index of stuff to have a look at on public websites.

    6. Re:I blame the Google Toolbar for a lot of this by TheViciousOverWind · · Score: 2, Interesting
      The same problem actually exists with lots and lots of files...

      Try out these searches on Google: Lots and lots of people are reckless with their data.
      --
      My <1000 UID is with a hot chick
    7. Re:I blame the Google Toolbar for a lot of this by Ancil · · Score: 3, Funny

      srv1(~)% cat /var/www/html/robots.txt
      User-agent: *
      Disallow: /
      srv1(~)#
    8. Re:I blame the Google Toolbar for a lot of this by WoofLu · · Score: 5, Funny

      whoa, your `cat` utility seems to get you to a root shell ^^

      maybe it's a new security hole? q:

    9. Re:I blame the Google Toolbar for a lot of this by 5E-0W2 · · Score: 3, Funny

      The rest of your security is still pretty bad though. By the looks of your prompt you just got a root shell by catting your robots.txt.

    10. Re:I blame the Google Toolbar for a lot of this by Lev13than · · Score: 2, Interesting

      The same problem actually exists with lots and lots of files...

      Nice links. In the same vein, try variations of this:

      "company confidential" filetype:ppt

      --
      When you have nothing left to burn you must set yourself on fire
    11. Re:I blame the Google Toolbar for a lot of this by Neil+Watson · · Score: 4, Insightful
      The problem is people putting private information in a public forum, not someone indexing that private information.

      People still 'hide' house keys under their doormat. Try explaining to them why they shouldn't do it on the Internet.

    12. Re:I blame the Google Toolbar for a lot of this by Blakey+Rat · · Score: 2, Informative

      What's the problem here? If you don't want it indexed, say so in a robots.txt file... Google respects those if they're present.
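
The robots.txt comments in this sub-thread make two points: crawlers that honour the file stay out, and the file itself publishes the paths it names. The following check for your own site is an added example, not part of any comment above: it lists each `Disallow` path and reports whether the server also refuses it. The sample file, the status table and the function names are constructed for illustration; in real use `status_of` would be a function that requests the path from your own server without credentials.

```python
def disallowed_paths(robots_txt):
    """Return the distinct non-empty Disallow values, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow":
            value = value.strip()
            if value and value not in paths:         # empty Disallow allows all
                paths.append(value)
    return paths


def classify(status):
    """Map an unauthenticated HTTP status to a verdict."""
    if status in (401, 403):
        return "protected"     # access control backs up the robots.txt entry
    if status in (404, 410):
        return "absent"        # stale entry, still advertises the name
    if status == 200:
        return "exposed"       # only crawler politeness keeps this private
    return "review"            # redirects, errors, unknown


def audit(robots_txt, status_of):
    """Return [(path, verdict)] for every specific path robots.txt names."""
    findings = []
    for path in disallowed_paths(robots_txt):
        if path == "/":
            continue           # whole-site exclusion names nothing specific
        if "*" in path or "$" in path:
            findings.append((path, "review"))        # pattern, check by hand
            continue
        findings.append((path, classify(status_of(path))))
    return findings


# Constructed sample input.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /tmp-share/   # files meant for a couple of people
Disallow: /admin/
Disallow: /old-site/
Disallow: /*.bak$
Disallow:
"""
SAMPLE_STATUS = {"/tmp-share/": 200, "/admin/": 401, "/old-site/": 404}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_ROBOTS, SAMPLE_STATUS.get):
        print(f"{verdict:10} {path}")
```

Any path reported as `exposed` needs server-side access control such as the .htaccess rule mentioned above; the robots.txt entry alone does not restrict it.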

  4. Quicken files by Space+cowboy · · Score: 4, Insightful

    I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...

    Simon

    --
    Physicists get Hadrons!
    1. Re:Quicken files by ImaLamer · · Score: 2, Funny

      What I'm wondering is....

      Can I mirror these files on my web site?

      I've downloaded a few but don't plan on doing anything dirty. Maybe I'll send out a few letters telling people that they should watch what they post on-line

      I can see the response:

      "Honey, do you know anyone named 'ImaLamer'?"

      "No dear"

      "Well, he or she claims that your bank information is online"

      "Must be some sort of scam sweetie, toss it"

  5. FBI use? by SynKKnyS · · Score: 4, Insightful

    Looks more like Google found forums where people were swapping credit card numbers.

  6. Priceless by Killjoy_NL · · Score: 4, Funny

    Good thing I've got a Mastercard then :)

    --
    This is the sig that says NI (again)
    1. Re:Priceless by interiot · · Score: 3, Informative

      Visa and MasterCard use different prefixes though... so you have to change the number range to 5000000000000000..5699999999999999.

  7. What I'm more surprised by by suso · · Score: 4, Interesting

    is that you can search for ranges of numbers like that in google. That's pretty neat.

    1. Re:What I'm more surprised by by phreakv6 · · Score: 5, Informative

      That feature has been here for some time. If you want a list of all such obscure features of google check this

      --
      fifteen jugglers, five believers
    2. Re:What I'm more surprised by by cymen · · Score: 3, Informative

      I don't see the number range listed on that page. Am I missing something?

  8. Googledorks by tb()ne · · Score: 5, Informative

    I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.

  9. Liability by usefool · · Score: 5, Interesting

    Is Google liable for harvesting and publishing sensitive information? If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

    Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.

    --
    Uselessful technology (Air-Charged
    1. Re:Liability by tb()ne · · Score: 2, Insightful

      Is Google liable for harvesting and publishing sensitive information? If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

      If a google search finds it then google is not publishing it; rather, google is simply providing a link to something that is already published. IANAL but, caching aside, all they are doing is providing a link to something that is already publicly accessible, so I don't see how they could be liable. The situation may be more complicated if the data were illegally published, later pulled from the web site, but remain in google's cache.
    2. Re:Liability by swillden · · Score: 2, Insightful

      If neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?

      Bad analogy. A better one: If the neighbor posts his naked photo on a public bulletin board, does that mean you can show other people where it is?

      Stuff that's on the web is there because someone put it there, i.e. they published it. The fact that they may not have *meant* to publish it doesn't change the fact that they did. If you place an ad in the newspaper, but screw up and give the paper a steamy letter to your secret gay lover instead of the blurb about the 1998 Camaro you want to sell, are they liable for the damage done to your reputation when they publish it? (Assuming, of course, that you consider it more damaging to be 'outed' as a closet homosexual than as a Camaro owner).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  10. Try phpMyAdmin by Anonymous Coward · · Score: 5, Interesting

    Very popular is the search for "Welcome to phpMyAdmin".

    This will give you some nice databases to browse through.

  11. How many of you... by curne · · Score: 5, Funny

    How many people dug out their own visa cards and googled for the number? :-) I managed to stop myself.

    --
    All interpreted languages are abstractions over Lisp
    1. Re:How many of you... by Dr.+Hok · · Score: 5, Funny

      If you are worried about privacy, give me your visa number and I google for you. This will hide the connection between your name and the number.

      --
      Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
    2. Re:How many of you... by noselasd · · Score: 2, Interesting

      I did that some weeks ago. Now, what would be the harm of that,
      given one erases the browser history rather quick ?
      Google stores all searches somewhere ?

    3. Re:How many of you... by julesh · · Score: 2, Interesting

      for instance any page that does turn up (if any) will get the card number in the HTTP_REFERER URL.

      But, given that they must already have your card number in order to turn up on the list, this isn't actually a problem.

  12. This is supposed to be wrong? by Epistax · · Score: 2, Insightful

    Having google blocked (presumably from google's end) from this is just security through obscurity. Well it's not even that really, it means there is (1) stuff available in plain text which is a part of a website's (2) public access AND (3) for one reason or another has searching enabled. The problem is part 1 and/or 2, the symptom is 3. Cure the problem, not the symptom.

  13. N.O. has a nice article on google searches also. by generalbeard · · Score: 2, Interesting

    Not getting just credit cards, but other nice little things.. New Order

  14. Same for SSNs by bcarl314 · · Score: 4, Informative

    Just tried google for a SSN search as well. Same thing, you get a list of results within that social security number range, along with names, and addresses.

    I just can't figure out why people would be victim to identity theft.

    1. Re:Same for SSNs by JavaPriest · · Score: 2, Funny

      You mean you found a nuclear submarine ?

  15. Time to join the 21st Century by WallaceSz · · Score: 5, Insightful
    Information on the internet is publicly available. Google simply makes it easier for people to find publicly available material. Same for third party apps like Google Alert that allow you to search on a regular basis for certain terms.

    Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.

    The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.

  16. W00t! by tgd · · Score: 5, Funny

    Just ordered a computer that can actually play Doom 3!

    Thanks Slashdot!

    1. Re:W00t! by anticypher · · Score: 2, Funny

      You mean you found a screen where the brightness control goes up to 11?

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  17. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  18. on the google link in this article... by generalbeard · · Score: 2, Interesting

    Check out the cached version of the third link and look in the text box. Hopefully it's not any of you... google link

  19. Terrifying by corby · · Score: 5, Interesting

    I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.

    It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.

    Is there anything we can advise these people to do to minimize the damage at this point?

    1. Re:Terrifying by zoeblade · · Score: 3, Insightful

      Is there anything we can advise these people to do to minimize the damage at this point?

      That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.

    2. Re:Terrifying by hugesmile · · Score: 2, Interesting
      Here's an idea:

      Notify them via a phone call, using the Relay phone system for the deaf.

      Not exactly a good use of the service that we all pay for, but it's fairly anonymous, and you can be non-threatening.

  20. A couple more fun examples: by Anonymous Coward · · Score: 5, Funny
    1. Re:A couple more fun examples: by zoeblade · · Score: 2, Informative

      "index of mp3 parent directory" may be a bit more accurate, as the phrase "parent directory" appears on FTP sites being rendered as HTML. Of course, the same applies to ROMs and pr0n0r as well :)

    2. Re:A couple more fun examples: by zoeblade · · Score: 3, Informative

      Ah, perfected :)

      "index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml

      It works quite well :)

  21. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  22. The funniest part... by Fortress · · Score: 4, Funny

    of the VISA/Google search is that VISA is a sponsored link. Kind of like Microsoft advertising on a website that bashes it for its security holes...wait a minute...

  23. Re:only few matches by sigaar · · Score: 3, Interesting

    Only some of us are fortunate enough to learn from other people's mistakes. The rest of us has to be the other people....

    --
    sigaar
  24. try this by circletimessquare · · Score: 4, Informative

    convert 29 fahrenheit to celsius

    or

    pi=

    or

    define: hubris

    google's got neat tricks

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:try this by adavidw · · Score: 2, Interesting

      Don't forget "answer to life the universe and everything"

      Try it!

      -Aaron

    2. Re:try this by maxwell+demon · · Score: 4, Funny

      But I didn't find documentation of this at google.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  25. The sad thing... by Sinistar2k · · Score: 4, Insightful

    The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.

    1. Re:The sad thing... by TheLink · · Score: 2, Insightful

      The other sad thing is people actually think it's such a big risk to cardholders.

      Without the signature a cardholder can repudiate the transaction. So if you didn't buy the stuff, just tell the Issuing Bank that you didn't and just don't pay for that transaction.

      Then either the Merchant loses or the Bank loses. You, the cardholder don't unless you use a crappy card company that charges you to reissue a new card. Of course there's the inconvenience of being short of one usable credit card. But it's not as big a disaster to cardholders as some people make it.

      In short with credit cards, if anything happens it's mainly SOMEONE ELSE's money involved NOT yours. Whereas cash, debit cards, cheques are riskier. Coz if anything happens - it's YOUR money.

      So many people are ignorant of this and say stuff like "Buying stuff online with your credit card? Is that safe?".

      It's selling stuff online that's risky. You ship goods, cardholder says "nope not me", and EVEN if cardholder screws up and forgot, you LOSE.

      --
    2. Re:The sad thing... by Eccentrica+Galumbits · · Score: 3, Funny

      no probs, I just googled for 5454178568431210..5454178568431212. Anyway, this thing expires the end of next month. Anyone know what that 481 on the signature strip is for?

      --
      A N Other.

    3. Re:The sad thing... by ibennetch · · Score: 2, Informative

      It's some sort of extra protection measure that isn't encoded in the magnetic strip and therefore needs to be entered manually...not used all of the time but when it is used it prevents someone from using a magnetic cardswipe to steal your number...the credit card company knows that number and sometimes requires it for authorization

    4. Re:The sad thing... by Electrum · · Score: 2, Insightful

      Then either the Merchant loses or the Bank loses.

      No, the merchant loses. The bank never loses.

  26. eBooks by upside · · Score: 2, Interesting

    Another good one is searching for copyright phrases found on front pages of eBooks such as O'Reilly CD Bookshelves. People seem to put up their eBooks for their own convenience. OTOH publishers seem to be doing a bit of Googling of their own, as they tend to be taken down pretty soon. Nothing that a quick WGET won't handle...

    --
    I'm sorry if I haven't offended anyone
  27. Re: additionally by BitterAndDrunk · · Score: 2, Informative
    A post like the grandparent highlights the gap between tech savvy and those who aren't.

    Guess what - someone who isn't a /. reader is:

    • Probably the ones most vulnerable to Google mining (for lack of a better term)
    • The ones least likely to know what a robots.txt is, what it does, and how to utilize it to prevent stuff like this.

    /. readers for the most part are paranoid and cautious enough to minimize their risk of exposure on the net (even without robots.txt) - it is the group of users (increasing every day mind you) who are semi-literate and don't have the time or inclination to become well versed in security on the net. And really, who can blame them? Most of them don't embrace computers the way many here do and view them as a necessary evil that can occasionally help them find pornography.

    --
    You better watch out, there may be dogs about . . .
  28. Introducing... by Gleng · · Score: 4, Funny

    Norton DumbWall 2004

    Featuring:

    • VisaBlock: Keep your credit card information off of the Internet
    • NoShare: Safeguard your banking details and MP3s from prying eyes
    • PackAway: If you're deemed to be too stupid to own a computer, Norton DumbWall 2004 will format your hard drive and arrange for one of our qualified technicians to come over to your house and take your computer away. It's for your own good.

    Order now and get a free drool-bib.

    --
    "Proudly Posting Without Reading The Article"
  29. Dammit! by beaverbrother · · Score: 5, Funny

    That's my credit card number!

    1. Re:Dammit! by Anml4ixoye · · Score: 5, Funny
      That's my credit card number!
      -------

      Get a free ipod! [freeipods.com]

      Thanks! Just did!

  30. My favourite.. by Haydn+Fenton · · Score: 4, Funny

    "index of /admin" site:.gov

    Pwned!

    1. Re:My favourite.. by Placido · · Score: 3, Funny

      You should have put a link to the results up. All you do is put that search into the google search box, hit enter and copy the url from the.... hold on there's FBI cars outside and someone's knocking on my door. I think my neighbour is getting busted. brb.

      --

      Pinky: "What are we going to do tomorrow night Brain?"
      Brain: "I would tell you Pinky but this 120 char limi
  31. Re:on the right track, except for... by RsG · · Score: 2, Insightful

    Well that gets us back to the free market correcting itself. I would ask you though if that's necessarily a good thing.

    Remember Microsoft? Corporate giant, kinda unethical? Their products are notoriously unsecure, and yet people still use Windows/IE/Outlook. Why? Because free market economics don't work in a corporate dominated environment. We don't have free market capitalism, we have corporate monoculture, and it's notoriously unreliable for producing good, solid, honest products. Instead we get salesweasels shovel^H^H^H^H selling products that don't work as advertised. Better alternatives are quashed, or relegated to the open source community (which is good, but lacks an R&D budget). I think you're being overly optimistic.

    --
    Erotic is when you use a feather. Exotic is when you use the whole chicken.
  32. This could be good by phoey · · Score: 2, Informative

    This could be good in finding websites that illegally publish this content.

    With this search in google:
    Mastercard 5000000000000000..5999999999999999

    I found this Russian site that published American credit card information with expiration dates, names and addresses:

    http://kupi-cc.0golf.com/halyva.htm

    Scary stuff. I would prefer google to find this information so that I can type in a simple query and see where my information is being wrongly published than not knowing at all.

  33. what an attitude by Anonymous Coward · · Score: 2, Informative

    I'm surprised at how easily you guys assume other net users are simply so dumb? Let's be a bit more humble and take any news/comment with a grain of salt. If you try the search suggested, you'll see some sites were Russian forums exchanging credit card numbers they illegally obtained.

    Besides, who would ever take the time to post one's own credit card numbers on the net? It's dumb to assume someone did that by themselves, frankly. I can only imagine someone might have lost their card and the number got into those illegal forums, or someone put the number in an email to a CS representative and the email got put into a FAQ, or scenarios like that.

  34. P2P is Worse by deebaine · · Score: 5, Interesting

    On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.

    I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.

    -db

    1. Re:P2P is Worse by Slayer · · Score: 2, Interesting

      First: If you steal a car which has the key left in it and which is running, it's still punishable by the law.

      Second (just a detail): If I had P2P running on my home PC, I'd post my doctoral thesis. It is published anyway (just check out your favourite universities' library), I don't earn money from selling it (in fact, you can find it online), so why not use P2P to distribute it. Hey, that's supposedly the official justification for P2P, not illegal MP3s!

  35. Suppositions by AviLazar · · Score: 3, Informative

    This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."

    Unless this person can cite a real case then all he did was show us test files (as he claims he has seen).

    --

    I mod down so you can mod up. Your welcome.
  36. Some of them plants? by tekiegreg · · Score: 5, Insightful

    At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...

    --
    ...in bed
  37. AVS by barcodez · · Score: 2, Informative

    Any website that accepts credit card payments worth using will require an AVS number and address.

    As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.

    With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.

    --

    ----
  38. Re:DoH! by Jugalator · · Score: 2, Informative

    actually, I didn't input the entire number, I omitted the last four.

    In that case you won't find it even if it was there. Google uses exact matches, so 1234 won't match 123456789.

    --
    Beware: In C++, your friends can see your privates!
  39. And why it isn't a big deal.. by random_culchie · · Score: 3, Insightful

    Yes and they also mentioned that this wasn't as big a deal as people think.
    For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
    The majority of the credit card numbers are on semi underground script kiddy sites. Where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card number generator.
    Lastly this article implies (and a number of posters here) that the credit card numbers found are the result of carelessness by credit card holders on the web and therefore it is their own fault. This is not the case. Google did not expose any mass stupidity by internet users, it simply exposed some of the sites that harvest credit card numbers.

  40. Gmail by sudotcsh · · Score: 2, Funny

    Unfortunately there isn't a good way to search for URL strings like this:

    http://gmail.google.com/gmail/a-e00073f786-289e26b40f-c8a84ba388

    But once someone figures out a way ... EVERYONE will have Gmail!

    --

    Until then, five of you can hit me up at kevinomara at gmail.

  41. Summary by hamlet2600 · · Score: 2, Interesting

    Seems that everything, except the personal information posted by a third party, can be summed up by a simple common acronym: RTFM. Ignorance of the law isn't a defense -- neither should be not reading the manual.

    --
    Sometimes I wish computers were less friendly.
  42. TWO WORDS!!!!!! by spidergoat2 · · Score: 4, Interesting

    "Parent directory". That Google search is the most fun you can have with your clothes on.

  43. So what if there are card numbers on the web... by mrjb · · Score: 4, Informative

    There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  44. Re:Keys in the ignition by jm2morri · · Score: 2, Interesting

    Actually, at least here in Canada, the insurance companies have to cover you even if the keys are in the ignition--theft is theft. I know this because my father just went through getting his truck stolen after leaving the keys in the ignition.

    The insurance companies will try to bully you into thinking that they don't have to cover you, but they do. However if they can convince you that they don't have to and you just go away then they don't have to pay you. This is the usual course of action.

    Luckily my father has a good insurance broker who knows the law and wouldn't let his client be bullied. It's astounding what insurance companies can get away with.

    This of course after them pleading poor to the Canadian government only to report record profits a couple of months later. What's $2.6Billion among friends? Now that is in Canadian funds but it still works out to about $100US or so :)

  45. One-time numbers are key by swb · · Score: 2, Interesting
    Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up from their site).

    I'd like to see more of that kind of thing, preferably all of the following as options:
    • One-time credit card numbers
    • One-time PIN numbers
    • Region lock in and lock out, with 'region' being defined as geographically tight as possible and discontiguous region mapping allowed (eg, MN yes, Africa No, with "undefined=no" being the default). And yes, I know this would be tough to guarantee.
    • Merchant/bank lock-in and lock-out -- either limit to specific merchants or ban specific merchants or banks. My grocery store OK, PayPal not OK

    "Good everywhere all the time, with no control at all" just seems like a bad idea. But since banks either shit on the consumer or the merchant when it comes to fraud, they have little incentive to secure the system. When they pass the new bankruptcy bill in Congress, even shoddy lending practices will be given a pass as well.
    1. Re:One-time numbers are key by EtherMonkey · · Score: 5, Informative

      Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments, and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.

      I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere.

      Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.

      But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.

      The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.

      And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.

      There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).

      How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.

      Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
      --
      --- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
  46. Hardware vendor accounts (Cisco, Enterasys) by telemonster · · Score: 2, Funny

    A while ago SOME GUY ON IRC's personal Cabletron switch puked out, so SOME GUY ON IRC needed a new firmware image. Lo and behold, SOME GUY found an account via google. Some school posted theirs online. (Cabletron makes overpriced gear sold to gov't mainly, you can generally get enterprise level huge switches on ebay for $5, since it doesn't carry the Cisco name.). Oh that was a lucky find, since hardly anyone uses Cabletron (now Enterasys) equipment, it is hard to find unlike Cisco CCO accounts.

    Google rocks! Don't forget to google for your FLEXLM license files for your Solaris and similar systems, or your crusty Digital licenses for VMS, OSF/1, etc.

    --
    Southeastern Virginia REPRESENT!
  47. Will Visa numbers get slashdotted? by atomic-penguin · · Score: 5, Funny

    Soon enough all valid Visa numbers will be slashdotted by orders at ThinkGeek.

    --
    /^([Ss]ame [Bb]at (time, |channel.)){2}$/
  48. Unless your PIN... by caveat · · Score: 4, Funny

    ...is the price of a cheese pizza and a large soda at Pinnuci's!

    --

    Facts do not cease to exist because they are ignored. - Aldous Huxley
  49. Just Call Them and help them out. by freality · · Score: 5, Interesting

    I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.

  50. That depends... by LordPixie · · Score: 4, Funny

    Anyone know what that 481 on the signature strip is for?

    It actually depends on what the name is on the front of the card. It has different meanings for different names.

    Yours would be.... ?


    --LordPixie

  51. Also try searching for outlook databases by fluor2 · · Score: 2, Insightful

    "outlook.pst" filetype:pst

  52. Unique/one-time use credit card numbers by dstutz · · Score: 2, Informative

    MBNA has ShopSafe
    Citibank has Virtual Account Numbers
    Discover has Discover Deskshop
    even American Express...

    This is *nothing* new

  53. I got over 10,000 pages of credit card listings! by rfc1394 · · Score: 4, Interesting
    His example only selects cards belonging to one issuer (because the first 4 digits are the same), and only got 8 hits. Let's not be pikers and do the whole range of Visa Cards; the number 4 followed by 15 digits. And let's do Mastercard (50-53 followed by 14 digits) while we're at it, let's not discriminate!

    For Visa, I did this one and got 2450 pages of listings of credit card numbers. Doing the same for Master Card returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express, where we can find a whopping 7,780 pages of listings!

    I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?

    My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.

    Oh, I forgot to troll for Social Security Numbers. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers, and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!

    Paul Robinson

    --
    The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
  54. Yahoo! has even more neat tricks... by edsarkiss · · Score: 3, Informative

    http://help.yahoo.com/help/us/ysearch/tips/tips-01.html

    * Airport Information
    * Airline Registration Information
    * Area Codes
    * Calculator
    * Dictionary Definitions
    * Encyclopedia Lookup
    * Exchange Rates
    * Flight Tracker
    * Gas Prices
    * Hotel Finder
    * ISBN Numbers
    * Local Search[new]
    * Maps
    * Movie Showtimes
    * News
    * Packages
    * Patents
    * Sports Scores
    * Stock Quotes
    * Synonym Finder
    * Time Zones
    * Traffic
    * UPC Codes
    * VIN Number
    * Weights, Measures and Temperatures
    * Weather
    * Zip Codes

    --

    SIGUSR1
  55. how to remove things from Google's cache by sootman · · Score: 4, Informative

    If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.

    Contacting Google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.

    However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  56. Re:robots.txt by pclminion · · Score: 3, Insightful
    Hasn't anyone heard of using a robots.txt to block web spiders? If people are stupid enough not to, then their hidden data is just asking to be found by anyone.

    I can't tell if you're being ironic or just stupid.

    You're suggesting that you "secure" your sensitive information by listing where it is in robots.txt? I think I want to have a look in your robots.txt, now.

    The purpose of robots.txt is not to secure your information, it is to avoid getting eaten alive by bandwidth-hogging search spiders, and to prevent spiders from indexing irrelevant or out of date information.

    If you want your information to be secure, here's a hint: don't put it on a fricking web server.
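    The point that robots.txt publishes paths rather than protecting them can be checked against your own file. The sketch below is an added example, not part of the original comment: it lists every path a robots.txt discloses and flags the ones whose names suggest sensitive content, so each can be moved behind real access control or off the server. The keyword list, function names and sample file are assumptions made for illustration.

```python
import re

# Name fragments and file types that suggest sensitive content (assumed list;
# .pst and .qdf are Outlook and Quicken data files, both mentioned on this page).
HINTS = re.compile(
    r"admin|backup|private|secret|order|customer|\.(?:pst|qdf|mdb|sql|bak|xls)\b",
    re.I,
)

def disclosed_paths(robots_txt: str):
    """Return (line number, path) for every Disallow entry except a bare '/'."""
    paths = []
    for lineno, raw in enumerate(robots_txt.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value != "/":
            paths.append((lineno, value))
    return paths

def audit_robots(robots_txt: str):
    """Return (line number, path, matched hint) for entries that look sensitive."""
    findings = []
    for lineno, path in disclosed_paths(robots_txt):
        m = HINTS.search(path)
        if m:
            findings.append((lineno, path, m.group(0).lower()))
    return findings

# Constructed sample robots.txt.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /orders/2004/export.xls   # keep out of search
Disallow: /backup/
Disallow: /mail/outlook.pst
"""

if __name__ == "__main__":
    for lineno, path, hint in audit_robots(SAMPLE_ROBOTS):
        print(f"robots.txt line {lineno}: {path} is publicly listed (matched '{hint}')")
```

    Anything this flags is readable by whoever fetches /robots.txt, so the fix is authentication or removal, not a better Disallow line.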

  57. Re: additionally by multimed · · Score: 2, Insightful
    All the stuff about most people not knowing about robots.txt and all that is true. It would be crazy to expect all internet users to understand all of the ins and outs of security. BUT anyone who chooses to publish to the web, at the very least, needs to understand that rule number one is "publishing on the world wide web means by default the world can see it." If they don't want the world to see it, they can choose to either not post it or learn about security.

    One thing I don't think I've seen mentioned yet, though, is that everyone is assuming that people choose to post the data in question. While this is probably true to a large part, it is by no means always the case. Some of the data may have been stolen, due in no part to the victims (hacked website, disgruntled employee at a bank, etc.), and was then posted.

    --
    Vote Quimby.
  58. Asking for Trouble! Zeitgeist by Steve+Cowan · · Score: 2, Interesting

    I worry, now that it's on Slashdot, a certain Visa search will end up on Zeitgeist for sure!