Massive Porn Buyer Info Leak
Anonymous Guy wrote to mention a Wired article that covers the release of information for millions of customers onto the Internet. From the article: "The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites."
It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.
But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.
People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.
Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.
Funny sigs make your Karma go down.
If you care to read more about iBill, you can check out their blog on G Spot. I didn't link the blog because it's not about the company; it's about trading buyers across all of its customer sites.
I wonder if this is a case of the company selling anything they could to escape dire financial straits or if it is the case of a disgruntled underpaid employee indulging.
Am I surprised such a shady company had its users' credit card info traded on the black market? Gosh, not really.
My work here is dung.
After all, free, as in beer, porn, means never have to worry having identity stolen or saying sorry to wife.
Plus, given the bottoming out production costs, we can easily produce porn of the same quality as closed source porn.
"Massive Porn Buyer Info Leak?" What the hell does that even mean? Hats off to Zonk for managing to use "porn", "leak", and "massive" all in the same headline and posting it to one of the most widely read sites on the net. That sound you hear is thousands of RSS feed subscribers all scratching their heads.
Entrepreneur : (noun), French for "unemployed"
A sudden surge in the filing of divorces is plaguing thousands of local communities...
If brevity is the soul of wit, then how does one explain Twitter?
They didn't do credit card processing for midget-granny-and-horse-porn.com did they?
I mean, not that it would matter to me if they did...I'm just curious.
It was the other Chester J. Winthrop-Montague III!
Now if they leak the hardon pill database I'm screwed...
Man, you really need that seminar!
Internet IP addresses?
Well, as long as they didn't get their PIN numbers.
You can BUY porn? News to me.
CUSTOMER
--------
Bill O'Reilly
bill@billoreilly.com
WEBSITES
--------
falafelpron.com
hotfalafels.com
teenfalafel.com
Wait...did I just type that out loud?
"As God is my witness, I thought turkeys could fly." A. Carlson
I never use my real name. William R. Pearce Chicago, Il
If we used a decentralized, anonymous digital cash system, these kinds of problems would be much less common. Furthermore, the responsibility would lie in your own hands rather than in the hands of thousands of unidentifiable people at some corporation.
I suppose it's wishful thinking, though, because everybody wants to be the central financial gateway (Visa, Mastercard, Paypal, etc.) and governments prefer being able to track all transactions (toll booth transponders, bankers reporting all transactions over $10,000, etc.).
In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBD's stock closed at 8 cents a share in over-the-counter trading.
8 cents a share? Nowhere to go but up! Time to call my broker*.
At the very least, their certificate will look good on the wall, next to the one from Enron. Maybe really good -- or really bad -- depending on which of their subsidiaries did the artwork. According to the Yahoo Finance link, "IBD also owns a library of original cartoon cel art (including He-Man, She-Ra, and Flash Gordon) [and] a 35% stake in Penthouse publisher Penthouse Media Group."
*Disclaimer: I don't have a broker.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Woohoo! Free porn for everyone!
Hah, that's quite funny. I wonder how many Viagra ads and hack attempts they are going to have now?
I think it's kind of funny. My wife isn't really in on my porn habits but she isn't stupid and knows that sometimes her hubby isn't just "defragging the hard drive" in the basement.
The funny part is when we get to see the "questionable" surfing habits of some famous self-righteous fundy preachers. I love it.
Of course, it wouldn't be so funny if the entire credit card info got released...
I suggest that the open-porn should be stored on "Freshmeat".
Saturday is April 1. Slashdot will be shut down. Sorry for the inconvenience.
I guess it's a good thing that sex-starved geeks don't look at porn, huh?
// file: mice.h
#include "frickin_lasers.h"
A local guy, who I knew, got nailed when the cops busted a kiddie porn site. That led the cops to his credit card number and then to him. The judge threw the book at him and lamented the fact that he couldn't give him a longer sentence.
I'm conflicted about this: He was a nice guy and a good buddy. He never gave any hint that he was any kind of pervert. On the other hand, he wanted to be a youth worker.
As for myself, I behave as though anyone can see everything I do on the net. I am astounded that people are willing to give up personal information when they're doing something illegal. Yes I know that adult porn isn't illegal, it's just that if the woman is under 18 then it's child pornography. Call me paranoid but I'm not one of those who should be very worried today.
About the only thing one can do with this information is crank calls and spam.
Big deal.
I'm not a Troll, it's reverse psychology.
Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list appeared to date from 2003.
Hmm.
http://www.google.com/search?q=Ibill_1m.txt Thaaaat doesn't look good.
What kind of moron buys porn? Hello? IT'S FREE ON TEH INTARWEBS, and especially on Usenet. There are people who literally get off on making and distributing porn of all varieties at no cost. They want you to watch.
Unless your idea of hotness is overproduced Playboy-style photography with a combination of four different skin textures, three different lighting rigs, and sixteen different gauze filters, you can get what you want on Usenet without risking your credit history.
.....as if millions of computer geeks had cried out, and then became silent.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
grep -i 'senator' iBill.dat; grep -i 'representative' iBill.dat ; grep -i 'congress' iBill.dat
--
make install -not war
After all, the article said that no pieces of information were stolen that required them (by law) to inform their customers. Pretty convenient, eh?
I also noticed that they're from Deerfield Beach, Florida. Now, something odd about Deerfield Beach is its location. It's on the coast of Florida there. That unmarked island on the east side of the map? That would be Grand Bahama. Care to take a guess at what country it lies in?
So my guess is that the company did this legally and by choice. They probably found some bum on the street who didn't ask questions and would like to receive a paycheck. He's probably also the president of the company with very limited responsibilities and capabilities. They're also probably prepared to give him a briefcase full of $100,000 and a boat to take to Freeport. And also some cute documents for him to sign that might as well say that he shot JFK.
Meanwhile, all the workers and people profiting off the deal claim they had no knowledge.
My work here is dung.
Or, would anyone want to go through that kind of lawsuit?
He who knows best knows how little he knows. - Thomas Jefferson
A year after the FBI first learned of the larger leak, they have also failed to issue any public warnings.
Yeah, because it's porn related. You can bet if this happened to Disney online there'd be maximum publicity.
I could swear that's the name of some Thai porn star.
... what moron pays for porn? :-)
${YEAR+1} is going to be the year of Linux on the desktop!
Anyone know if this guy is a known spammer? He's now upgraded to trafficking in stolen property.
http://www.whois.net/whois.cgi2?d=5sec.us
(sorry, lameness filter is being lame, here's just the basics badly formatted)
Registrant Name Sean Rogers
Registrant Organization Sean Rogers
Registrant Address1 1275 Falkland Rd
Registrant City Jacksonville
Registrant State/Province FL
Registrant Postal Code 32221
Registrant Country United States
Registrant Country Code US
Registrant Phone Number +95.486824101
Registrant Email gsmmax@mail.ru
grep -i "senator\|representative\|congress\|whitehouse" iBill.dat. There are sure to be plenty there.
I prefer the "u" in honour as it seems to be missing these days.
Anyone have a .torrent file?
What we need is for the name of some elected official(s) to be found in the data.
Then we'll see swift lawmaking action to clamp down on leaks of personal information by merchants and money-handlers.
So even those who give a f*ck, who bend over backwards for their customers, who do all that is humanly possible, don't get security right. ;-)
They can lick my balls for all I care.
They might take you upon that offer for their new Computer Geeks Gone Wild series.
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
From TFA:
The 41-year-old San Diego man says he allowed a "business partner" to use his credit card on an adult website dedicated to finding resources in Tijuana's red light district, with discussion groups and locations of prostitutes.
Right... a business partner...
No sig
I can see my inbox being flooded with subjects like
Porn customers EXP0S3D!!!
-FL
If ever a story qualified as, "News for Nerds. Stuff that Matters." -- this is it.
Pete Townshend has apologized in advance for anything he may have been caught for ....
"We shall party like the Greeks of old! You know the ones I mean." - HedonismBot
As long as they don't reveal my (rather embarrassing) taste in porn.
If we used a decentralized, anonymous digital cash system, these kinds of problems would be much less common ... I suppose it's wishful thinking ... governments prefer being able to track all transactions.
Exactly. You are more likely to see secure computers and honest people than anonymous digital transactions. Governments won't allow it. And no you do not have a US Constitutional right, quite the contrary, the US government has the Constitutional power to create currency, collect taxes, define felonies (say money laundering) and pass enacting legislation, etc.
I know, I had a little scuffle with them last week because I couldn't change my CC# on my Washington Post Online subscription. So not all the names are pr0n buyers.
How about information of people whose credit card number was fetched from insecure software, like Microsoft IIS? Somehow I doubt that iBill would have removed those people from their database.
You can actually download this 214mb list of information here:
http://5sec.us/Ibill_1m.txt
I don't know why you'd want it, maybe you can use the passwords or something. But there it is anyway.
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
Livejournal, for example, was offering payment through iBill during the time covered by the leak (run that link through Archive.org if you care to verify, /. filters the part following the asterisk).
my guess is we're looking at probably 80+ percent of them will be in the pr0n buyer category and now the media will release their data.
Good thing I have a girlfriend.
-- Tigger warning: This post may contain tiggers! --
They didn't do credit card processing for midget-granny-and-horse-porn.com did they?
I mean, not that it would matter to me if they did...I'm just curious.
You know, that's illegal in the state of Washington now.
Seriously, the Governor just signed a bill.
-- Tigger warning: This post may contain tiggers! --
but other than that I'm as confused as you are.
Deleted
While I agree with you, keep in mind that every credit card bill that arrives at my home has the credit card number on it. I shred these, but many people simply throw them out.
Also, my point about the bar- there was no way, at the bar I worked at, and every bar I have ever worked in, for the customer to watch the bartender swipe the card. Also, not to be an ass, but who is going to follow a waiter, waitress to the bussing station to watch them handle the card?
And All I Ask is a Tall Ship And a Star to Steer Her By
Chip & Pin - recently implemented in the UK and in use in mainland Europe for some time - is a great way to avoid this. If you don't want to, you never even have to let go of the card. Basically you put your card into a reader, punch in your PIN, and take the card out again.
How many people can read hex if only you and dead people can read hex?
So what I want to know is... how many Sunday Sermon TV jockeys are on the list? Now _there's_ one for Conan O'Brien.
What, are you referring to the large number of priests and televangelists that were found to be on the list?
Horns are really just a broken halo.
For a long time, I've been thinking that a centralized IP database would be extremely useful. You know the big retailers and sites like Google cherish this info. This list could be very helpful towards those ends. A name and address cross-referenced with an IP address? That's hot in the data mining business.
I sure hope someone posts the list. They should put up a site where you can type in an IP and get a name and address. VERY, VERY useful in cases where you're getting spam from zombied PCs or someone's harassing you behind an IP and the ISP won't do anything about it.
Another thing: some companies will allow you the option of no longer receiving paper statements, and just doing everything online. This is great for me, because I never look at the paper statements anyways. They're out of date by the time they get to me.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
You know, that's illegal in the state of Washington now.
Seriously, the Governor just signed a bill.
Not that I'm curious, but your governor made curiosity illegal?
.. paranoid crackpot leftover from the days of Amiga.
Not that I'm curious, but your governor made curiosity illegal?
Why yes, but by asking that question, you've now entered double secret probation and must now stay more than 1000 feet away from all horses or equine species.
-- Tigger warning: This post may contain tiggers! --
Or is this just a list of suckers who paid for porn?
:)
Whaa? You have to pay for it?
Seven puppies were harmed during the making of this post.
As long as you trust the reading device. It could still display a different amount to the one that it charges you for; or copy your card details from the magstripe that is still on the back.
I was a subscriber to the MMORPG Horizons, which used to use iBill as their payment processor (they use iPay now; not much of a difference, really). I used new mail accounts I set up specifically for the game, and all of a sudden, about a month ago, I started getting tons of spam on them.
I figured my email addresses had been sold by one of those sleazebag payment processors. Turns out they aren't evil, they're just STUPID.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
Yeah, some very cursory research reveals 5sec.us is a host domain for all sorts of spam and trojan badness.
Years ago, I heard about a bar-related scam. It worked this way:
1) You have a bar tab. They ask to hold your credit card while you
and your friends get your fill of cocktails.
This was (and maybe still is) normal practice.
2) When it is time to pay, instead of getting your card back,
they give you another card. You go home drunk and sleep it off.
3) Meanwhile, they give your card to their criminal friends who
go out and spend, spend, spend.
4) After the normal time it takes to detect the lost card, they
re-cycle your card and give it to the next party animal
after they pay for their bar tab.
This was back in the 1980's.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Turn away from? Dude, I spent a lot of time watching Tracy Lords.
Oh - wait, you said Lord, singular. Sorry, my bad.
Hell, it's fairly easy to add a second stripe scanner into the box and people would never even notice unless they really looked between the cracks to see two metal humps (swipe versions).
Oh, or more obviously it could capture your PIN and store it along with the card details. Can't believe I forgot that one!
As an admin at my previous job, I often searched SF.net and freshmeat for open-source/free solutions. At one point, our ISP's caching filter decided to regularly boink the freshmeat site, which resulted in the site autobanning one of the upstream routers.
It was a really fun thing trying to explain to the ISP person why they should put in a caching exemption for a site called "freshmeat", and what the actual content of said site was.
I'm astonished that porn is such a lucrative business. Everything, and I mean EVERY THING that I've looked for is there, free.
My poor Mule has to carry porn 24 hours a day up the pipe. I've got these nice open softwares and cc musics that get 1 or 2 downloads a month. But porn? tens of thousands.
Who the hell is buying porn and why the hell are they buying it?
I'm gonna guess idiots that install malware and buy herbal viagra from spam.
Man, you really need that seminar!
We need some of the anti-pr0n crusading wingnuts in congress to be caught with their own pr0nsite subscriptions...
The first thing they'd probably do is hunt down the info-leaking merchants with a vengeance.... but it would also be nice to see how such things fit with their anti-pr0n crusading.
"The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses."
So it included the internet internet protocol addresses? I keep my internet IP address next to my PIN number at the ATM machine.
Nah, no mag stripe. It's a smart-chip with quite a complex auth mechanism. I'm not party to the actual details (Anyone who works with it want to respond?) but from what I can tell it's a session-based encrypted system. At no point are your card details ever actually seen by the reader, only the end result of sending a key to the card. See http://www.chipandpin.co.uk/ for details.
How many people can read hex if only you and dead people can read hex?
That comment isn't so funny when you think about it.
Prisons provide cheap work programs to businesses so that they can keep the prisoners busy. Some of these programs involve things like processing credit card orders and doing data entry.
This particular link is from 1991, but it was one of the first that popped up in Google. AFAIK, it still goes on in various prisons.
[Fuck Beta]
o0t!
I don't believe this, and I won't be satisfied until I carefully examine the list of logins and passwords to the alleged pr0n sites.
It's not offtopic, dumbass. It's orthogonal.
This is true, but you forget that the cards still have an additional magnetic stripe on the bottom, for compatibility with legacy systems.
Not bad as far as efficiency, but the centrality of the scam (and the fact that you can't really pack up a bar and skip town) would make it easier to find and shut down, I would think. It seems like someone would see the big obvious pattern of bar-tabs followed by rack-up charges.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
I just did a search of my old, old emails, and it looks like usenet-access.com used iBill as well (back in the day, I downloaded DreamCast backups).
In my case, every piece of information in the database entry is wrong (according to the email I found from the original purchase), since I've moved four times since I bought the account.
Hmmph. I'm in the same boat as you. This sucks.
Michael C. Hollinger
Anybody dumb enough to pay for porn on the internet deserves to have their name and addy plastered everywhere.
One site for you dumbasses: www.persiankitty.com
If that's not enough, just get some p2p software and have at it. I've never seen a DMCA cease and desist order for downloading porn...
I hear and I forget. I see and I remember. I do and I understand. -Confucius
that there's no such thing as anonymity on the internet.
and
In the article it talked about webmasters having to wait months to get paid.
Not true, they still owe me over $30k and I think 18 million total is still owed to webmasters
> Good thing I have a girlfriend.
ALARM!! Intruder at Slashdot!!!
I travel sporadically.
And back in Aug 05 I had my CC declined because I had gotten a trailer ($800) and was moving some stuff a few states away plus buying meals, gas etc.
I didn't know why it was declined so I called up my CC co and asked what was up and they said "well we saw some unusual activity and decided to put your account on hold until we heard from you"
I was PISSED! I told them to never decline my card again to help "prevent fraud" but if they thought there was a problem they should contact me directly and get ahold of me before assuming that an extra $3k of charges within a week was fraudulent.
When one is on the road for a bit and living off of their CC to make all of their essential purchases, and then that gets axed, it tends to really be detrimental to one's short term operations. I made sure they know that if it happens again I will be dropping their card within 24 hours.
Libertas in infinitum
"Governments won't allow it."
It's sad that humanity is still at this point. We are ruled not by ourselves, not by self-enacted systems of individual responsibility and sovereignty, but by ephemeral "governments" (obviously made up of individuals, wielding their power over everyone else from behind the one-way mirror).
Now I have some libertarian tendencies, but what a load of crap you are serving up. Government in the US is completely under control of the voter. The simple truth is that all the crap politicians get away with is what we allow them. We are indifferent. When they cross "the line" and piss us off they get their butts thrown out on election day. Don't confuse your individual inability to enact change with the voters' ability to enact change. There are thieves and liars in DC because voters knowingly send thieves and liars there.
I seem to recall the same story, maybe they were the first to get caught? Most bartenders who want to boost their paypack simply give drunks the wrong change.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
True that the cards have a mag stripe, but when you (the cardholder) put your card into the reader (as opposed to handing it to the shop assistant) then there is no way for the mag stripe to be read.
Unless the reader has a magstripe reader. ;p
Can't a human sort out the card number from the extra data? Do you have any further information about this?
Perhaps you're right. I heard this story a long time ago.
The disadvantage of that scheme is they know where to find the
bartender.
I did a google search and the closest thing I found to this was a
guy who was accidentally given the wrong card back.
He went on to knowingly rack up charges on it. When they figured
it out, he had already fled and has an outstanding warrant.
So maybe it is an urban legend. The other kinds of bar tab frauds
I found were all targeted at foreign travellers. Look up
"friendly greek bar scam."
Oh well, I don't spend as much time drinking as I did when I was 22.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
iBill handles non-porn billing too; does anyone know if those customers were in the breach? For example, I formerly subscribed to the Washington Post's electronic edition, which relied on iBill. Telling of iBill's character, after I cancelled my subscription, they began marketing adult material to me through a newsletter called "G Spot News." Slightly different coverage than the Post.
The latest reports are saying that the leaked data did not come from iBill.
"So maybe it is an urban legend." - Probably, could have been FUD started by the card companies to deter scammers.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Yes, this is what I thought. The attack I was talking about would involve a Chip & PIN reader that is modified in two ways. First, a magstripe reader is added, to capture the card number. Second, additional circuitry is added to the keypad so that the PIN is recorded. Now the evil shopkeeper has both your card number and PIN. :(
*nerd sees article* "Noooooooooooo!"
"When the atomic bomb goes off there's devastation...but when the atomic bong goes off there's celebraaaaation!"