Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999' and other 'risky data' from careless users, such as QUICKEN files etc."
This was on bugtraq a week or two ago:
Check it out and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here.
Apparently this was even a DEFCON speech subject.
This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.
-- Sorry, I can't think of anything funny to say here.
I feel sorry for 'Haley' and others with their Quicken files being shown to all of /. and presumably friends etc. I wonder what the 'reach' of the slashdot crowd is when it's a "You're not going to believe this!" story...
Simon
Physicists get Hadrons!
Looks more like Google found forums where people were swapping credit card numbers.
Good thing I've got a Mastercard then :)
This is the sig that says NI (again)
is that you can search for ranges of numbers like that in google. That's pretty neat.
I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.
This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.
I have discovered a truly remarkable sig which this margin is too small to contain.
Is Google liable for harvesting and publishing sensitive information? If a neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.
Uselessful technology (Air-Charged
It often has very little to do with *you*.
It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.
It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't.
Very popular is the search for "Welcome to phpMyAdmin".
This will give you some nice databases to browse through.
How many people dug out their own Visa cards and googled for the number? :-) I managed to stop myself.
All interpreted languages are abstractions over Lisp
Just tried google for a SSN search as well. Same thing, you get a list of results within that social security number range, along with names, and addresses.
I just can't figure out why people would be victim to identity theft.
Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.
Just ordered a computer that can actually play Doom 3!
Thanks Slashdot!
I had trouble believing this, so I downloaded one of the .QDF files from the referenced link. I am feeling completely sick. This guy's checking account number, credit card number, and meticulously-maintained transaction history are sitting on my computer.
It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.
Is there anything we can advise these people to do to minimize the damage at this point?
Don't publish this on ... hey!
Who needs P2P?
of the VISA/Google search is that VISA is a sponsored link. Kind of like Microsoft advertising on a website that bashes it for its security holes...wait a minute...
Yeah, except these are the idiots that will also sue Google and try to take them down because of their own mistakes. If you're in some sort of struggle with an idiot, you'll be OK, but may God help you if that idiot has a halfway decent lawyer.
I am feeling fat and sassy
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I'll second that. A little over a month ago, a letter was sent to me but went missing in the post. That letter contained my full name, address and National Insurance number (similar to a US Social Security number).
That lost letter contains more information than I'd give out to anyone who's not an authorised government official (policeman, doctor, etc). Through no fault of my own, and despite my vigilance (I shred and burn every bit of correspondence that has my name and address on it, let alone financial or other personal details) that information is now potentially in the hands of someone unscrupulous.
If anything untoward were to happen, I have virtually no recourse, as it would be nigh on impossible to actually prove where my details were obtained and (as far as I know) it's impossible to get a new NI number: I'm stuck with the one that's issued to me at 16 until the day I die.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
convert 29 fahrenheit to celsius
or
pi=
or
define: hubris
google's got neat tricks
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
c.f. Microsoft's success in computer software.
- chrish
The sad thing is that now people will be Googling for their credit card numbers to be sure they're 'safe', but doing so means their credit card number will show up in the list of things people are Googling.
Norton DumbWall 2004
Featuring:
Order now and get a free drool-bib.
"Proudly Posting Without Reading The Article"
Ask your bank for a second Credit Card with a few hundred dollar limit. Use that to buy stuff online, and if someone steals it, it won't cost you that much.
Looks can be deceiving. Or CAN they?
That's my credit card number!
"index of /admin" site:.gov
Pwned!
On a lark, I've tried searching P2P (in this case, Kazaa), for things that people have inadvertently made available. The things I found were jaw-dropping. Beyond the expected credit card and finance information, I found patent applications, doctoral dissertations, corporate documents, etc.
I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.
-db
At this point if I were someone looking for a free credit card, I'd probably go at least a few down in the results, I'd like to think that the top 20 or so are plants by law enforcement by now...at least I'd hope...
...in bed
Most terminals that are sold to merchants that have PIN pads encrypt the pin on the pad, then send it to the bank for authorization, or depending on your card, compare it to the hash written on the mag stripe. The merchant never knows your PIN, unless the clerk has a photographic memory and observes you entering it. Even then, it doesn't do them any good without your card.
It would be nice if we could switch away from totally unverified financial transactions like the current credit card systems, and start using something that at least requires a PIN. That way, instead of having to trust every single company with which I do business, I only have to trust my bank.
You do realize that to do business online, you would still have to give them your PIN, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your PIN into a web page.
Evolution is about being *good enough*, not the best.
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
Unfortunately, this doesn't usually have a lot to do with intelligence.
You know, I really wish the paranoia about using credit cards on the internet will go away.
Think about this as somebody with some technical background. What is more secure?
1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
2. Providing your credit card number to Amazon.
So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.
I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.
People couldn't type. We realized: Death would eventually take care of this.
Isn't this what's happening in the UK now?
No, what is happening in the UK today is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.
Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.
It does not address "cardholder not present" fraud.
So you can use it like a credit card, rather than a debit card, at places that don't take debit. (such as most online purchases)
You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.
"Parent directory". That Google search is the most fun you can have with your clothes on.
There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
I don't even think it needs to be that high tech. How about this:
Your bank sends you in the SNAIL MAIL a sheet monthly of longish letters/numbers that represent an authorization to spend money. In fact, each one could be rated for a certain amount of money, say, up to $100 or $250, or something like that. That, in combination with a number on the back of your card (what are they called, CCV2 or something), forms a use-once key for an online purchase. That way you have to have the card present, plus your statement of authorization codes, to purchase goods online. The e-tailer never needs to know your card number, and the codes are only good for a single use. Even if a cracker got a hold of the site database, the CCV2 code would not be usable for anything unless the cracker also got a hold of your randomly generated, time-sensitive, preset codes.
Something like this would cost practically nothing to implement, be very easy to maintain (you gotta send bank statements monthly anyways), easy to regulate (for example, pass a regulation saying that these can only be sent through the USPS or private carrier, never electronically or ever given out over the phone), and greatly improve security.
On top of that, it'd be great for people without regular banks or bank accounts. An intrepid consumer could easily sell pre-paid authorisation numbers on little scratch-loto style tickets.
On the processing side all we would need is a strong central party (or number of them), like Visa, Mastercard, or AmEx to receive valid authorisation numbers from banks and hitch that into the POS and online processing systems.
In fact, even as a strong libertarian, it makes me cringe to think how much trust and financial power we place into the hands of Visa, Mastercard, and their ilk. It might make sense at some point to expand the mission of the Federal Reserve or the Treasury to handle the verification and routing of authorisation numbers like I've described.
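The single-use card numbers mentioned a few comments up and the mailed sheet of one-time authorization codes proposed here are the same idea from the issuer's side: a code that the merchant only relays, that is bound to one account and one spending limit, and that dies after one use. The toy issuer below is an added example, not code from the thread or from any real bank; account ids, the 64-bit hex code format and the HMAC-with-pepper storage are assumptions chosen for the illustration.

```python
"""Toy issuer for single-use online authorization codes (constructed example).

The bank hands the cardholder a batch of random codes, each rated for a
spending limit. A merchant forwards only the code and the amount; the issuer
looks it up, enforces the limit, marks it consumed, and refuses any replay.
Nothing here describes a real payment network; it is an illustration only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class CodeRecord:
    limit_cents: int
    consumed: bool = False


class Issuer:
    def __init__(self):
        # Server-side secret ("pepper") so a leaked code table cannot be
        # brute-forced offline; generated once per issuer instance.
        self._pepper = secrets.token_bytes(32)
        self._codes = {}  # HMAC(account_id:code) -> CodeRecord

    def _digest(self, account_id, code):
        # Bind the code to the account: a code copied from one cardholder's
        # statement cannot be spent against a different account.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue_sheet(self, account_id, count, limit_cents):
        """Mint `count` codes for one account; the list is what gets mailed."""
        sheet = []
        for _ in range(count):
            code = secrets.token_hex(8)  # 16 hex chars, 64 bits of entropy
            self._codes[self._digest(account_id, code)] = CodeRecord(limit_cents)
            sheet.append(code)
        return sheet

    def authorize(self, account_id, code, amount_cents):
        """Return (approved, reason). A code is consumed only when approved."""
        rec = self._codes.get(self._digest(account_id, code))
        if rec is None:
            return False, "unknown code"
        if rec.consumed:
            return False, "code already used"
        if amount_cents > rec.limit_cents:
            return False, "amount exceeds code limit"
        rec.consumed = True
        return True, "approved"


def demo():
    """Walk through the cases the thread cares about; returns approval flags."""
    issuer = Issuer()
    sheet = issuer.issue_sheet("acct-1234", 3, 10_000)  # three $100 codes
    results = [
        issuer.authorize("acct-1234", sheet[0], 4_999),   # first use: approved
        issuer.authorize("acct-1234", sheet[0], 4_999),   # replay: refused
        issuer.authorize("acct-1234", sheet[1], 25_000),  # over limit: refused
        issuer.authorize("acct-9999", sheet[2], 100),     # wrong account: refused
        issuer.authorize("acct-1234", sheet[2], 100),     # right account: approved
    ]
    return [ok for ok, _ in results]


if __name__ == "__main__":
    print(demo())  # [True, False, False, False, True]
```

The merchant database in this model holds nothing worth stealing: it never sees the card number, and every code it logged is either already consumed or refused on replay. A refused over-limit attempt deliberately leaves the code unused, so a typo in the amount does not burn one of the cardholder's codes.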
Soon enough all valid Visa numbers will be slashdotted by orders at ThinkGeek.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
...is the price of a cheese pizza and a large soda at Pinnuci's!
Facts do not cease to exist because they are ignored. - Aldous Huxley
I just called all the people on one of the lists linked here and either left a msg or explained the situation. Took about 30 minutes. The clearest way I found of convincing them was to tell them how to do the Google search themselves. For most of them, their name in quotes and the word "MasterCard" or whatever brought up 1 page, the page with their info on it. I got many answering machines and disconnected numbers, but a few thanks as well.
Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments, and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.
I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere. Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.
But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.
The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.
And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.
There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).
How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.
Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
--- A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
Anyone know what that 481 on the signature strip is for?
It actually depends on what the name is on the front of the card. It has different meanings for different names.
Yours would be.... ?
--LordPixie
For Visa, I did this one and got 2450 pages of listings of credit card numbers. Doing the same for Master Card returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express, where we can find a whopping 7,780 pages of listings!
I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?
My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.
Oh, I forgot to troll for Social Security Numbers. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers, and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!
Paul Robinson
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
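The comment above notes that some hits are only Luhn demonstration pages, and the thread as a whole is about files that were never meant to be public. The defender's version of that search is to run the same Luhn test over your own web root before a crawler does. The scanner below is an added example, not code from the thread: it builds a constructed mini web root in a temp directory (file names and contents are made up, and 4111111111111111 is the widely published Visa test number), flags only digit runs that pass Luhn, and reports them masked.

```python
"""Luhn check plus a pre-publication scan of a web root for exposed card
numbers (constructed example, not code from the thread).

Card-number candidates are 13-19 digit runs, optionally separated by spaces
or dashes. The Luhn mod-10 checksum weeds out order numbers and the like;
surviving hits are reported with only the first six and last four digits.
"""
import os
import re
import tempfile

# 13-19 digits, single spaces or dashes allowed between digits.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(number):
    """True if the digit string passes the Luhn mod-10 checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first 6 and last 4 digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return masked, Luhn-valid card-number candidates found in `text`."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan_tree(root):
    """Map relative file path -> masked hits, for files that contain any."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = find_pans(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_sample_root():
    """Create a constructed mini web root with one leaky export file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "orders"))
    samples = {
        "index.html": "<p>Order #1234567890123456 shipped</p>",  # fails Luhn
        "orders/export.csv": "Haley,4111 1111 1111 1111,12/27\n"   # passes
                             "Test,4111111111111112,01/26\n",      # fails Luhn
        "faq.txt": "Call 555-0100 for help",                       # too short
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_root()).items():
        print(f"{path}: {', '.join(hits)}")   # orders/export.csv: 411111******1111
```

Pointing `scan_tree` at a real document root is the whole use: anything it reports should be pulled before the next crawl, and `find_pans` can equally be dropped into an upload handler to refuse files like the Quicken exports this thread is about.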
If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.
Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.
However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.