Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

Cashless Society

[Anenome]

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

Re:Cashless Society

[zoney_ie]

Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

I for one sincerely hope we never have a cashless society.

Re:Cashless Society

All credit card security is bullshit.
The credit card system is built wrong from the ground up, and we'll be applying patches for ever.

What is good for people is e-cash grounded in sound cryptographic principles. This isn't good for governments though, so it will never ever happen.

Re:Cashless Society

[gravos]

Cashless is old hat. What we really need is a cacheless society.

Re:Cashless Society

[Hao+Wu]

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society.

That would be nice.

How many times have we read passionate arguments that "nobody should be in prison for non-violent crimes!"

Remember this story the next time you see those stupid posts modded +5 insightful.

Re:Cashless Society

[sakdoctor]

People will not give up their cash without a fight,

Oh I don't know. I think it's pretty much down to culture that one.
I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.

Japan on the other hand, is all cash only. And else where in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.

Re:Cashless Society

[Anenome]

Well, the U.N. and some Russian dude recently called for a global currency, if such a thing were to happen it would likely become cashless. I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

I remember hearing about a particular African country that had already gone cashless, that tourists basically changed money in for an ATM card at the airport, but couldn't find any references to it, just something about Nigeria moving towards a cashless society: http://www.africanews.com/site/Nigeria_moves_towards_a_cashless_society/list_messages/23145

Made me wonder what the Nigerian 419 scam would become in the future when they can't claim their uncle, the former finance minister, has a hundred million dollars hidden under his mattress and needs you to help launder it for him.

Re:Cashless Society

[unlametheweak]

I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

Yeah, it's in the imaginations of people who buy financial instruments like stocks and bonds.

Re:Cashless Society

[Hao+Wu]

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

Sounds like a "gold standard" argument.... The best standard of all is: absolutely anything. You can use gold, lead, or bananas if you want. And people do -- it's called a futures market.

Basing all of your wealth on bananas might sound silly, but there are doubtlessly people who have made millions doing just that. Fruit, gold, and "trust" - they are all exactly the same in economic terms.

Wealth is between you, and whatever the next person is willing to trade.... before you inevitably break even and die taking NONE of it with you.

Re:Cashless Society

[NoobixCube]

I'm pretty tired, and believe it or not, I misread "cashless" as "cacheless" anyway...

Re:Cashless Society

[aix+tom]

Hey!! I have a great Idea for that secondary verification system!

The credit card companies just need to give the credit card holders little, colourful, pieces of paper with currency amounts printed on them. When someone makes a monetary transaction with the credit card, they also have to hand over the right amount of those pieces of paper!

Ehhhhh.... Waitaminute .....

Re:Cashless Society

[grahamm]

I can remember when cash on delivery was common in the UK. Now you cannot even pay the postman if the sender has underpayed the postage or there are customs charges to pay - the postman just leaves a card and you have to go to the delivery office, pay and collect.

Re:Cashless Society

[TheLink]

Yeah, people like Maddof should most certainly go to jail for a long time.

If we are just going to fine and confiscate money from people who do nonviolent financial crimes, it does not discourage them much, there are so many ways of siphoning the money off and hiding it.

Prison works. Even if you are a billionaire, 10 years in prison is 10 years out of your life, 10 years of opportunity cost. You might be able to afford some lifespan extension treatments, but I doubt you're even going extend it to 150 years with existing tech.

Re:Cashless Society

[Cyberax]

Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

Currently, credit cards are absolutely insecure.

Re:Cashless Society

[krou]

People will not give up their cash without a fight? Just like people won't give up their rights without a fight, hey?

We've already taken a giant leap towards a cashless society, with two inventions that we all love: the internet, and mobile phones.

When I sit down and actually look at the majority of my transactions, they're already occurring electronically, via the internet. Amazon, eBay, electronic banking, booking airline tickets, booking concert tickets, supermarket shopping. That's all cashless. I would wager that, in my personal life, at least 70% of my cash transactions occur electronically. I'd be surprised to find geeks that don't have a majority of their transactions occurring without cash.

Also, I don't think you give enough credit (excuse the pun) to people for being as lazy as they can be. If a chip is put in someone's mobile phone (a device most people in the developed world have) to let them pay for things quickly and easily, do you think they won't use it? There are 360 and 380 billion mobile phones in the world to date (approximately) - the groundwork is set. Currently, only 10% of these phones have the necessary hardware, but that will change rapidly. A cashless society will be sold on the basis of convenience first, security second, and I suspect that, while it may take a long time for cash to disappear (if ever), cash will eventually be seen as something used by the poor and society's outcasts i.e. cashless technologies and cash will become emblematic of society's economic and social divisions.

Furthermore, look at someone like Wal-Mart, and their technology-adoption strategy. Look at how they pushed RFID. That sort of power is going to be crucial in bringing about a cashless society because they may make the decision to halve their workforce and install self-service, cashless machines at the checkout, or trolley/basket-based systems. The cashless society will likely materialise because of such strategies: the removal of choice.

And even if we have "cash" in the future, it will be embedded with RFID, anyway, so not much freedom there, either.

Re:Cashless Society

[erikina]

Me too, surprisingly.

Re:Cashless Society

[Skrynesaver]

Free speech, fair trial, freedom of assembly are fairly nebulous rights mainly exercised by a few radical wingnuts in the view of the "plain people", however the right to sell goods and services "off books" is something the the "plain people" cherish and hold dear.

Not to mention Drugs hookers and blackjack (or whatever that damn meme is :)

Re:Cashless Society

[CRCulver]

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

It's already happened here in Finland. Almost all my purchases and bill payment is done via bank transfer or Visa Electron card. When I get cash from someone, it actually feels like a burden because there are so few bank branches where I can deposit it (many branches only do advisory things now, not teller services), and the queues there are always long. There are instances where it's actually more expensive to pay with cash than with card.

Re:Cashless Society

There will be other forms of inofficial cash, much like cigarettes in prisons. Anything that is limited in supply and convenient to transport can be used.

Re:Cashless Society

[Samah]

Except in Australia we pronounce it "kaysh". ;)

Re:Cashless Society

[marcello_dl]

> People will not give up their cash without a fight

We gave up our gold and silver for paper.

"...But after all, it is the leaders of a country who determine the policy, and it's always a simple matter to drag people along whether it is a democracy or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. This is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism and for exposing the country to danger. It works the same in every country." -- Goering

Re:Cashless Society

[marcello_dl]

I am cashless already, you insensitive clod!

Re:Cashless Society

[commodore64_love]

>>>Japan on the other hand, is all cash only. And else where in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.
>>>

It sounds like Japan is the place for me. I don't trust banks or stores enough to get a debit card, since I feel it's just like cash but more vulnerable. With a debit card a person simply needs to steal the number and empty-out your savings. I already had that happen once where a person on the opposite side of the continent stole my number and rapidly spent $3500 at Walmart using a fake card.

Fortunately for me I had a *credit* card, not a debit card, so the loss did not come from my wallet. It came from VISA's wallet. Credit cards are better because you simply refuse to pay charges incurred by thieves.

Re:Cashless Society

[commodore64_love]

Stocks and bonds have value. Each piece is a portion of the value of a company, or government. Other forms of wealth include:

- your land
- your house, your car, your furniture, your electronics and other toys (depreciating with age)
- oil, corn, wheat, soybeans, cattle, et cetera
- gold, silver, and other metals

Re:Cashless Society

[Jane_Dozey]

Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus whatever was left over from the previous month (if the amount starts building up I just move it to savings).

It works quite well since I know I'm not spending money that I don't have or is meant for something else and I don't have to worry about someone nicking everything I have.

To me, walking around with a debit card with access to all of your money is like walking around with your life savings in your wallet: stupid.

I also have a credit card on my spending account but that's just so I can boost my credit rating. That and buying things like plane tickets or any service that is at risk of not materialising is protected. In that case credit cards are indeed better.

Re:Cashless Society

[kiwi_jackal]

I think you're right in that some people will not give up their cash without a fight, but it's certainly not true in the vast majority of cases. Here in New Zealand, we've had EFTPOS for many years now, to the point where I don't remember a time when it wasn't around (born in '83). It is so prevalent that I'm shocked at the very rare occasion where it's not available.

I barely use cash myself, and mostly see it as an inconvenience. I know for a fact that I'm not the only one who thinks so, and I believe that the majority of my countrymen agree with me. Why on earth would you want to carry round bits of metal or plastic that you never seem to be able to get rid of entirely, when one or two cards will provide you with the same benefits with greater convenience and security? If I lose my EFTPOS card, I call the bank, cancel it, and arrange a replacement. If I lose cash, that's it - it's gone.

Although there is always the risk of fraudulent activity of my cards (much, much higher on my credit card than my EFTPOS card), every bank in this country, and I would expect in the world, has an agreement with their customers that if the customer does not contribute directly to the fraud, they are not liable for any stolen funds. Again, if someone steals my card, I'm inconvenienced for a couple of days, but if someone steals cash it's gone forever. I know which I prefer.

Re:Cashless Society

[SIR_Taco]

It's gonna be interesting when we finally move to a cashless society.

Perhaps we could just move to a cache-less society

Re:Cashless Society

[commodore64_love]

The last two are nebulous, but the first is obvious. *You own your body.* Anyone with an IQ of 90 or higher can understand that argument, and if you own your body you also own the things it can do, like use your brain to form an opinion. Or open your mouth and express that opinion (the right to speak).

Oh....and don't give me the argument that speech is limited. If you're on somebody else's property, and you start shouting, they can certainly force you to leave, but they can't stop you from speaking. You can say whatever you want from the front yeard of your home. You can even issue death threats without restraint (as supported by numerous SCOTUS cases).

Re:Cashless Society

[kiwi_jackal]

I work for a bank, and we have a fraud detection system which relies on contacting the customer if a suspicious transaction occurs on their credit card. Essentially, if a transaction breaks particular rules (multiple transactions at petrol stations in quick succession, say, or use of card in multiple countries in unlikely timeframes) we contact the customer. If we cannot do so, a temporary block is placed on the card until we can verify the transaction is legitimate.

I know this isn't very widespread yet - of the five main banks in New Zealand, I know that three use it. I imagine, however, that it won't be long until this is standard practice in the banking industry.

Re:Cashless Society

Pfft.

I've been cashless for a couple of years now!

Re:Cashless Society

[commodore64_love]

>>>The only debit card I use is for my spending account,

Why would I choose the more-complicated solution of managing 3 different accounts when I can choose the simple solution of not getting a debit card? Your solution makes no sense. Like driving from Philadelphia to Pittsburgh by taking a detour to Miami.

I'd rather just stay with credit cards, that way when someone steals, they don't steal from my account - they steal from VISA's account.

Re:Cashless Society

[daveytay]

+1ParentUp

Re:Cashless Society

[unlametheweak]

Wikipedia somes it up:

The concept of wealth is of great importance in economics, especially development economics, yet the definition of wealth is not straightforward and there is no universally agreed-upon definition. Different definitions and concepts of wealth have been put forth by different authors and in different contexts. The choice of a definition of wealth can be normative and have ethical implications, since wealth maximization is often seen as a goal or put forth as a normative principle of its own.

And then there's fiat currency. And intangibles of company profit margins that only forensic accountants with PhDs can grasp (think Enron). Much of wealth only exists in theory (like what a bank loans out; "The practice of fractional reserve banking expands the money supply (cash + demand deposits) of a country beyond what it would otherwise be.", Ref. Wikipedia). It's a mind game in many ways, but it drives the economy. People will work like slaves if they think they're actually working for something tangible. In the end they may just end up with a bank account and some stock certificates that are worthless accept as collectors items.

In my original post I was going to make a reference to the story about the king with no clothes, but was too lazy to try and fit it in with a moral of our modern fractional reserve banking system. And so I left the reader with what I thought was a terse, but somewhat witty remark.

Re:Cashless Society

[master_p]

They will propose the chip as the solution.

Re:Cashless Society

[Jane_Dozey]

Er...it's not a solution to the debit card problem, it's a solution to organising my money in a way that I never have to worry about spending what I don't have and gives me peace of mind. The side effect is that I can use a debit card and also not worry about being robbed blind.

The reason for using debit over credit is that you don't put your credit at risk. Forgetting a credit card bill can damage your credit rating, even if it's just with your bank. For many people (and not just plain old irresponsible ones) credit cards are dangerous.

Using a debit card and separated accounts is like driving from A to B via C because the direct road from A to B is known to be dangerous.

Re:Cashless Society

[Jedi+Alec]

The last two are nebulous, but the first is obvious. *You own your body.* Anyone with an IQ of 90 or higher can understand that argument, and if you own your body you also own the things it can do, like use your brain to form an opinion. Or open your mouth and express that opinion (the right to speak).

Right up to the point where there is another body inside yours, where the debate flares up again...in some countries anyway.

Re:Cashless Society

[Dog-Cow]

He should certainly not go to jail. That is simply not justice at all. He is directly responsible for several deaths. He contributes nothing, while at the same time ruining people's lives, not to mention ending them. He should be tortured to death. Over a period of about 10 years.

Re:Cashless Society

[commodore64_love]

>>>"nobody should be in prison for non-violent crimes!"

That should be - Nobody should be in prison for victimless crimes. Like smoking marijuana, or driving too fast. But someone who engages in non-violent crimes like theft, should definitely be held accountable, since they have victimized someone & infringed upon another's rights (right of property).

Re:Cashless Society

[Fred_A]

The last two are nebulous, but the first is obvious. *You own your body.*

Living people's genes can and have been patented, so that's not as obvious as it seems.

Re:Cashless Society

[Cathbard]

Cashless society??

"Won't somebody PLEASE think of the drug dealers!!!!"

Re:Cashless Society

[xaxa]

What about small transactions? Do you pay for a loaf of bread with cash? What about two drinks in a bar? A cheap train ticket? A taxi? Entry fee for a nightclub?

Those are the only things I use cash for (in the UK).

Re:Cashless Society

[xaxa]

Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

Currently, credit cards are absolutely insecure.

Something like EMV brings a lot of benefits. See Chip+Pin for the UK implementation.
When paying by card in the UK (and a lot of other countries), you must provide a PIN number. A thief can't use a stolen card in a shop or an ATM (they don't know the PIN). They might be able to use it on the internet, but when paying online my bank has a system that redirects me to the bank's site, authenticates me, then confirms the transaction to the retailer.

Thieves can (and do) copy the card number and produce fake cards in insecure countries (e.g. Nigeria, USA). A friend had a phone call from the bank "are you in New York, trying to use an ATM?" "No." "Then we are cancelling your card, someone is trying to use it in New York".

Re:Cashless Society

[AmiMoJo]

Japan is moving towards cashless pretty fast these days.

Aside from credit cards now being widely accepted (with no surcharges like there often used to be), there are various touchless payment systems in use (and they are mostly compatible).

For example, I have a Suica card which I can load up with money. I can then pay for train, subway, bus and some taxi rides with it, and many convenience stores now accept it too. Around train stations, even some larger shops and restaurants accept it now. You don't even need a card - some phones have it built in and it just appears on your monthly bill.

The key difference between these stored value cards and credit cards is that you can only spend money that is on the card, you don't borrow money at all. Plus, you can only pay by physically touching the card to a payment machine so to abuse it someone would have to either physically take the card from you.

Well, actually, these cards use RFID, so I have wondered if someone with a big enough antenna could just charge people as they walked past... Presumably there is some kind of system to prevent that.

Re:Cashless Society

[hobbit]

How about just inventing a system where we hand over one-time tokens to the value of the goods we want to purchase, rather than, every time we use our credit card, giving some random stranger enough information to make independent purchases of their own?

I mean, duh! It would turn headlines like these into "Breach exposes 19,000 spent tokens", which is to say, not headlines at all.

Also, how is this a "known problem" with Google? The fact that Google caches and indexes public information is a feature, not a bug. The problem lies with whoever took private information and made it public.

Re:Cashless Society

[petermgreen]

One thing that concerns me about chip and pin is if a criminal does manage to get your pin (e.g. through a hidden camera or just plain old shoulder surfing) then his authentications are indistiguishable from yours.

So if the bank were to accuse you of lying when you reported such a fradulant transaction would have no evidence otherwise.

Re:Cashless Society

[petermgreen]

sorry that last sentance should have been

So if the bank were to accuse you of lying when you reported such a fradulant transaction there would be no evidence to show otherwise.

Re:Cashless Society

[imahawki]

There's a company called Mobiclear working on exactly that, but they're so small (and poorly managed) right now that they'll probably go bankrupt.

Re:Cashless Society

[InsertCleverUsername]

It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

Perhaps the solution will be similar to that in the (underrated) world of Max Headroom, where credit fraud is punishable by televised public execution. And if you like American Idle (sic.), you're going to love "You, the Jury."

Re:Cashless Society

[Jurily]

It's gonna be interesting when we finally move to a cashless society.

Now why would we even want to start considering that?

One, a security breach in a bank does not have a direct effect on the paper in your hand. Two, I don't want anyone to have a complete record of every fucking purchase I ever made. Three, I pay enough interest on my money via inflation. No need to add more.

Four, you might want to have a beer sometime in the future without your wife knowing it.

Re:Cashless Society

People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

Uh, the value of cash itself is subject to those same terms. Cash has no intrinsic value, its value is arbitrarily set just like like anything else. In essence cash is exactly the same thing as "cashless" value like credit or electronic bits stored at a bank.

Re:Cashless Society

[moxley]

I agree.

People don't realize everything that is inherent in a "cashless society." It's bee the wet dream of scum like David Rockefeller and all of the types who have their yearly meeting at Bohemian Grove because it gives any entity (basically the state and corporate power, which will have pretty much have completed their merger once banking is nationalized) the ability to completely control you.

With it will come biometrics - your biometrics (whether it's an iris scan or vein scan or whatever the current state of the art is when we get there in a few years) will be like your credit card. You can be stripped of all ability to do anything with just an entry in some databases.

For any benefit anyone thinks this may provide, the downsides are orders of magnitude worse, and the upside?

People may think that fraud will be a thing of the past - but it won't, fraud will always exist - as long as any person has access to any machine there will be fraud and mistakes; only this will be way worse because you won't have cash to hold you over while your investigate it - and likely if your money or access has been taken or wiped out it likely will not be as easy to get that fixed - depending on who fucked you and why.

So I agree with you, I hope we never have a cashless society, and it's one of the issues (like complete filtering/censorship of the internet, banning of the right to own firearms, and the undermining of the constitution) that I believe is worth fighting against, whatever it takes - because these are the only things standing between the people and complete slavery - and if we lose these things completely in the US, then America no longer truly exists.

Re:Cashless Society

fuck me.. working on it ? They've had the text immediately system in South Korea for aeons now.

Re:Cashless Society

[Thaelon]

This will never happen.

How can you tip a stripper in a cashless society?

Please, think of the children (and their single mothers).

RE: Cashless Society

We pretty much already live in a cashless society.

US Population: 300,000,000
UK Population: 60,000,000

19,000 out of 360,000,000 doesn't seem so bad to me.
I wish it were 0 and we need to find ways to avoid this sort of thing, but nothing to get angered over. If you do get angry, direct it at Google. That's where the solution will have to come from.

Re:Cashless Society

[Hes+Nikke]

I'm sorry, you lost that fight 75 years ago when the US gov took away your gold away and gave you worthless paper that they had already been printing for 20 years. $1 today has the same value as $0.03 in 1913.

Re:Cashless Society

[billcopc]

The loss didn't come from VISA's wallet either, it is the merchant that got stiffed. Credit card companies are completely unaccountable, despite charging through the nose for their services. It's right there in the contract everybody has to sign to deal with them...

Re:Cashless Society

[CRCulver]

I don't know about entry fees to clubs, but all the other things are paid for with cash. Even if I buy a 60 cent package of ramen, it's paid for with card.

Re:Cashless Society

[Stanislav_J]

...while it may take a long time for cash to disappear (if ever), cash will eventually be seen as something used by the poor and society's outcasts...

Even the poor are going cashless. In many areas, welfare, unemployment, food stamps, etc. are paid with stored value debit cards, not checks or cash. The lower economic population is also four-walled with ads for the Green Dot Card, Wal-Mart's new debit card, and other debit instruments designed to appeal to regular joes. They hype the "security" angle, plus subliminally convey the using of a Visa or MC branded card as an element of status.

As for "outcasts," that's not quite the right word...maybe "troublemakers?" "Nonconformists?" Anyway, already those who pay for costlier items with cash come under heightened scrutiny in some cases. Hell, you can't even purchase a postal money order above a certain amount anymore without being forced to supply additional "none of their damn business" information (who the money is going to, what it's for, let's get your d/l number on file here, etc.). Even if cash continues to be a viable, permitted mode of exchange, increasingly those who insist on cash will be subject to rasied "what do you have to hide and why will you not allow your benevolent overlords to record and track every dime of your financial affairs" eyebrows.

Re:Cashless Society

[bishiraver]

In order for a cashless society to exist, we need to change the model for how credit cards work.

Currently: we give our number, merchant bills the card.

Future: We get the merchant's number (via, say, a photo of the merchant's barcode on a cellphone) and explicitly /send/ them the money. Over a heavily encrypted wireless signal, routed through our banking institution.

Re:Cashless Society

[gzipped_tar]

Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.

Debit cards are much safer -- you'll always need to enter the password to draw money from your account.

Re:Cashless Society

[mattwarden]

Uhhh, what? We already have a cashless society in any meaningful way you can put it. We exchange paper, and a large amount of money exists as numbers in bank account databases and does not even have a paper dollar representation.

What possible value are you attributing to paper money that can be printed at will by a delegated agency of the government?

We have already lost the meaningful battle, which was when we moved off commodity-based money and the government declared that all debts are payable by this paper. Commodity-based money cannot be created by any government agency, without finding more of the commodity (which anyone could do). If the government declares that all debts are payable by plastic, what in god's name is the difference???

Re:Cashless Society

[TheRaven64]

This is great in theory, except that it most often flags up when you are making transactions in a foreign country. It then calls you at your home address, and when you don't respond (because you are in a foreign country) disables your card.

Re:Cashless Society

[JasterBobaMereel]

No it's simple you have a wallet card .... fill it up with "cash" at a bank or hole in the wall machine ... pay anonymously anywhere like cash ....

Works exactly like cash ... but it's lighter and easier

If it gets stolen, it's exactly like having the cash stolen out of your wallet... no link to you, and you only lose as much as you were carrying

Credit cards should only be used for higher price items ...i.e. that you need credit on, and need the payment guaranteed....

Re:Cashless Society

[zoney_ie]

I'm in Ireland. Last time I heard about it in the news (possibly Euro changeover time), we used the most actual cash per head of population in the EU.

Probably explains why ATMs here in Ireland just dispense large value notes where possible - most European countries I've visited, the ATMs give you change - e.g. 10, 20, 20, 50 for 100 euro/pounds. Here in Ireland, you invariably get two 50s (I often try to "force" the ATMs to give change by asking for 80 or 130). Of course this is also possibly just the Irish banks being lazy cheapskates - maybe the cash-in-transit robberies wouldn't be so common if ATMs were restocked more frequently with lower denomination notes (many ATMs run out of cash by the end of the weekend - and a sports event can ensure people are pretty stuck very quickly!)

I'd be pretty ticked off in Finland about the 5c minimum price fractions. It's simply an incentive to currency devaluation - a very good thing much of the rest of the Eurozone isn't following suit. Can people really not cope with having loose change in their pocket and making up the price of things on the fly when they have change to spend? If nothing else it might help people with their addition/subtraction skills.

It's not like the US where you jump from 1c to 5c (resulting in lots of pennies in change). Having 2c coins means you mostly don't end up with too much complication adding up change and can avoid a surplus of coppers.

Re:Cashless Society

[techess]

Bank of America and Citibank have this cool thing called Virtual Numbers (other cc companies may have them but these are the ones I know about). Anytime you buy online you can create a "fake" number that is good for one use and a certain $$ amount. Once it is used the number is recycled and can never be used again.

I can even generate the number on a web capable cell and use it in person. Though I've had stores refuse to take it. It would be an awesome addition if you could also limit who could use it, but like you say that will probably be the future.

Re:Cashless Society

[Cyberax]

...then it's just easier to use physical cash.

Re:Cashless Society

[profplump]

Cashless society doesn't have to give control to anyone -- you don't have to link the card back to an account or have any central repository. Putting value into the card, rather than into a DB, exposes the system to possible counterfeiting, but it's not any different than the same risks today, and you get the benefits of electronic data transfers. You only carry only one bit of "cash", you can transfer funds to or from it via anything with an appropriate port (i.e. your cell phone), you could have it store a record of your transactions, always having exact change -- all sorts of things that are convenient, with no requirement for central reporting.

Re:Cashless Society

Heh, zero wealth is in paper form. (ok, paper itself is wealth in paper form, but I know that's not what you mean)

Only things and time are wealth. Money is just a convenient lubricant to facilitate the exchange thereof. It has value only because organizations large enough to establish it have declared it has value.

Re:Cashless Society

[lgw]

Or you could, you know, spend within your limits and pay your bills on time. Some people can still manage that these days (though you'd never know it by looking at American banks).

Re:Cashless Society

[Pervaricator+General]

Federal Reserve Conspiracy Theorists = Gold-Foil Hats

Re:Cashless Society

[Pervaricator+General]

Mandated cameras on all places that accept...crap

Re:Cashless Society

[Pervaricator+General]

It is not their fault you forgot to notify them of something so outside the realm of possibility as to be laughable. I mean, really! WHO goes to GERMANY on PURPOSE?!

Re:Cashless Society

[kiwi_jackal]

that's why we have staff involved in the process, to remove that mechanical error issue. There's a whole bunch of ways we work around that issue - if the cardholder has told us they'll be in that country, the card's not stopped; if we can contact them on their mobile, the card's not stopped; if someone at home tells us they're overseas, the card's not stopped; if we can tell from their spending on other cards they're overseas, the card's not stopped. The system's not perfect, but we very rarely block a card unneccessarily.

Re:Cashless Society

[CodeBuster]

Presumably there is some kind of system to prevent that.

One would hope, but as these data breaches demonstrate, we have been bitten and disappointed before.

Re:Cashless Society

[Hes+Nikke]

nah, silver is my foil of choice. :P

Re:Cashless Society

[Darkk]

My bank already requires a second authorization password before Newegg will process my order. I know it might be a hassle for some but I feel better knowing my bank supports this.

Re:Cashless Society

[Vyse+of+Arcadia]

I dunno about that whole "when" thing. I don't just don't see it happening. There will always be some use for cash, if only just to fall back on. Even 4e Shadowrun has certified credsticks.

Re:Cashless Society

[Jane_Dozey]

I spend well within my limits, to the point of being able to save a good chunk of my pay every month. I also pay all of my bills on time, or if possible ahead of time (e.g. one month ahead on rent). The problem I have is that I get uncomfortable spending money if I'm not 100% sure I don't need it for something else. Hence the spending account, I know that whatever is in there is fair game.

Re:Cashless Society

[JasterBobaMereel]

Physical cash weighs more ... the people you are buying from have to have change ....

Shoot the messenger!

[phayes]

It's not a problem with the idiot sites that let unprotected critical information out on a public accessible net and in addition omitted to place a well placed robots.txt, no...

IT'S GOOGLE'S FAULT!!!

Re:Shoot the messenger!

[sakdoctor]

Google should take SOME blame.

I held a robots.txt poster up at my window and google streetmap still photographed it.

Re:Shoot the messenger!

[DikSeaCup]

Coordinates? ;)

Re:Shoot the messenger!

[Hieronymus+Howard]

I don't think that the streetview camera car is actually a robot, so of course that wouldn't work.

Re:Shoot the messenger!

[trold]

robots.txt is not for security. Using it as such is the same as protecting your sensitive data by writing "DONT READ" in the top. Even worse, if you do rely on it, you provide a public list of what might be interesting on your site.

Re:Shoot the messenger!

Why should google take blame, its not like google made an agreement with the people in question to conceal their data, the responsiblity lies with which ever sites were stupid enough to have unencrypted data lying around the place

Re:Shoot the messenger!

Link or it didn't happen

Re:Shoot the messenger!

[machine321]

They should make the camera car look like a spider.

Re:Shoot the messenger!

[phayes]

Which part of

It's not a problem with the idiot sites that let unprotected critical information out on a public accessible net

didn't you understand?

The robots.txt is not designed for security, but it will stop google from placing content into it's cache where clueless admins are unable to purge it themselves after they finally discover have been hacked.

Re:Shoot the messenger!

Maybe one of these.

Re:Shoot the messenger!

http://boingboing.net/images/googlevan.jpg

Re:Shoot the messenger!

[Fbelch]

Google listened to your robots.txt.

They stayed out of the directory.

They didn't come into your house and photograph the contents.

The robots.txt kept them out of that 'directory'.

Re:Shoot the messenger!

[JerRocks]

Your forgot to add content to you robots.txt file, er, poster. This may help: User-agent: * Disallow: /

Re:Shoot the messenger!

[OneMadMuppet]

omitted to place a well placed robots.txt

Really, if you're relying on a robot file to keep your customers data safe, you deserve to be beaten and have your geek card revoked.

Re:Shoot the messenger!

You forgot your sarcasm tag. Read literally, you just said it isn't the site's fault.

Re:Shoot the messenger!

[phayes]

Who said anything about relying only upon a robots.txt file for all "security"? GPP referred to "idiot sites that let unprotected critical information out on a public accessible net": Do you think I was referring to sprinkling pixie dust? In addition to appropriate security access measures, if you're not placing robots.txt files at the root of all pages having to do with payment, you're making a stupid mistake. There is no valid reason to not tell indexers to leave those parts of a web server alone.

Re:Shoot the messenger!

if you're not placing robots.txt files at the root of all pages having to do with payment, you're making a stupid mistake.

You're kidding, right? That's not how you use robots.txt files at all. http://www.robotstxt.org/robotstxt.html

Re:Shoot the messenger!

[phayes]

Hey AC, http://www.worldwidewords.org/qa/qa-tea1.htm

er what

[Idimmu+Xul]

How is putting all your customer's credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

Re:er what

perhaps google was not only the only place that copied it and reposted it, in voilation of copyright, but also the only place that downloaded it.

Why are they given a free ride? If I mirror CNN, I get in trouble, but if google do it it's a public good?

What if I had mirrored the CC list? would I be in trouble for that??

Re:er what

[houghi]

What is the known issue? People are stupid?

That is unfortunately not something you can change, so you should look at what you CAN change. One thing could be to first make it a law that you MUST inform people, next the company at fault should pay for all the damages themselves.
People ar not only stupid, they are greedy as well and once they see that it is bad business to do stupid things, a lot of it will solve itself.

Will it still happen? Yes. Most likely in a very much smaller scale.

Re:er what

[skeeto]

For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.

Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every month.

Whirlpool thread

[shird]

This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however:

http://forums.whirlpool.net.au/forum-alert.cfm?a=priv-deleted&t=1165021&v=0

Re:Whirlpool thread

[pallmall1]

This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however

Ironically, the Whirlpool page is still available in the google cache of the thread.

What I want to know is why the CVV numbers were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS).

PCI DSS

[yttrstein]

You'd think that Google would have been one of the very first ones that the CC companies demanded PCI DSS compliancy from. And if they had, you'd think that Google didn't just fill out the form and *promise* (they swear) that everything is compliant, cross their hearts and hope to die, just like all the tiny companies that can't afford PCI DSS consulting do.

Hmmm. Good lord.

Re:PCI DSS

[MadMidnightBomber]

What, now Google is meant not to index pages which have card data on them? How exactly is that even possible?

You can bet your boots that Google Checkout is PCI DSS-compliant.

Re:PCI DSS

[lurcher]

Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.

No: 5434 6625 8876 1272
CVV: 854
Exp 09/12

So how would slashdot know if that post contains valid card info or not?

Or even better, I could email this information to my competetor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.

Re:PCI DSS

[Macthorpe]

Cheers for the Phenom 2 :)

Re:PCI DSS

[lurcher]

Cheers for the Phenom 2 :)

Happy to help, if I every find who the card belons to I will say thanks from you.

Re:PCI DSS

[Macthorpe]

Damn you, sir! You win this round...

Re:PCI DSS

[yttrstein]

1. Yeah, that actually doesn't technically break any level of PCI DSS. You're missing at least one of two bits of information.

2. I'm sorry you missed the subtle reference to the inevitable litigation surrounding issues like this.

Re:PCI DSS

[lurcher]

Well, YMMV, but from what I can read, it breaks validation types 1 to 4 at least on the no CHD storage rquirement. And the information I supplied is enough to auth a CHNP transaction.

But I think you get my point.

It seems to me that PCI DSS is this generations version of BS5750, just another excuse to create a market for over paid consultants who claim to understand the requirements.

Re:PCI DSS

[Inda]

I don't know if that was a serious question but I'm going to answer it anyway. Using regex for card numbers is childs play. Baby-play for the likes of Google.

Re:PCI DSS

[MadMidnightBomber]

Oops, you just killed a valid webpage:
http://www.merriampark.com/anatomycc.htm

*grumble* trigger-happy regexp jockeys *grumble*

Re:PCI DSS

You seem to be under the impression that PCI actually makes things more secure. My employer is in a never-ending race for PCI compliance, which mainly seems to involve lots of trivial rules that make it nearly impossible to do our jobs.

Re:PCI DSS

If you do, let me know. There is currently no issuing bank that would give that number.

Re:PCI DSS

[pbhj]

The industry could of course have a valid example CC number like using example.com as a placeholder domain.

Or just ignore the fact and rely on links to that page being in the index. One could reissue the page with all CC numbers excised (or with the first 4 numbers replaced with AAAA or whatever) and a link at the top to a page with the CC numbers still in. It wouldn't really hurt any genuine use of CC numbers it would just require a little alteration if you wanted the precise page with the CC numbners to be indexed by Google.

Re:PCI DSS

Well, it passed the Luhn check, so there's a big chance at least the number is valid

Who are the lucky ones?

[MikeOtl67of]

How can you know that your card was not among those?

Re:Who are the lucky ones?

google you credit card and CVV here, and post a link to the results here. It's the best way you can be sure you card is compromised.

Re:Who are the lucky ones?

[aix+tom]

But google for it WITH quotes, or you get an heart attack when you see the "Results 1 - 10 of about 2,000,000" that get's returned when you Google without quotes.

Re:Who are the lucky ones?

Actually, I received yesterday a letter informing me that my credit card information - through no negligence of the card provider - has been compromised, and that I can expect to receive a new card, with new cc# and ccv in the mail.

Re:Who are the lucky ones?

Send me your credit card number and I'll tell you if you were on the list.

Re:Who are the lucky ones?

No results found for "4552 6178 4154 6932".
Phew.

captcha: cleared.

Re:Who are the lucky ones?

Information about that number (Full number not validated):
A card with that number would be a Visa issued by Caja de Ahorro Provincial de Guadalajara in Guadalajara, Spain.

It could possibly be a merchant account, though (through the same bank).

Re:Who are the lucky ones?

Haha yes, for the love of God, you should immediately send your full credit card number in plaintext in a Google search. Only THEN can you be absolutely certain that it's secure.

Re:Who are the lucky ones?

[atraintocry]

Fool me seven times, shame on you. Fool me eight or more times, shame on me.

I hardly think there's an issue with Google.

[TractorBarry]

> The cause appears to be a known issue with the Google search engine

More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.

Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.

Re:I hardly think there's an issue with Google.

[Sockatume]

From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.

Re:I hardly think there's an issue with Google.

[stray]

From what I can see the unprotected directory is a *deliberate* setup by perpetrators who compromised a number of merchant sites.

The compromised servers send the CC transaction details to the unprotected site (now suspended by the registrar) for easy retrieval by the perps.

The security breach obviously happened on the individual merchant sites, the leaking unprotected directories on the hackers' drop box is just a symptom.

Somebody check if all merchant sites use a common web shop application?

Re:I hardly think there's an issue with Google.

I, for one, blame Al Gore. As we all know, he invented the Internet and is thus responsible.

Misplacing blame on google

[Confuse+Ed]

From both the article and the summary re:

The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

Insisting on search engines removing removing this information from their indexes and remove it from their caches is just sweeping the problem under the rug : you or I taking a quick peek on the internet to see if our credit-card infomation has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

*tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

Re:Misplacing blame on google

[atraintocry]

Seriously. If you don't want it online, or you're not allowed to put it online: don't put it online.

Us techs increasingly sound like grizzled frontiersmen by saying this. But it's just how the internet works. Do I care that after '95 a bunch of guys with MBAs showed up and thought you could slap a Terms of Use on something and change the laws of physics?

Material on a server should be expected to be served, hypertext should be expected to be hyperlinked to.

Internet Finance

[unlametheweak]

The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

Re:Internet Finance

Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

Re:Internet Finance

[Fallus+Shempus]

Sorry but that particular tin foil hat is actually a sieve

See here

Call centres are manned by people, who can write down anything you say.

Re:Internet Finance

[unlametheweak]

Of course, the same with any place that you have to give your credit card too (like restaurants). The point is that these transactions are more transparent than dealing only with complex automated software systems that can easily store, copy, and manipulate data. It is harder for example, to have a cross-site scripting attack with a (non-M$ Windows, programmable, Internet) telephone.

Re:Internet Finance

Do you realize that those people who answer the phone call may just be (and in fact, most times they are) using just a web browser and the same web page you would use to place your order?

Re:Internet Finance

[awyeah]

When you call an 800 number to place an order or walk into a store, unless you hear a modem dial out, your account information is *probably* being sent over the public internet.

That doesn't mean it's necessarily insecure (the industry has serious standards they have to follow - see PCI-DSS), but it's likely that your details are going over an encrypted connection to a processor.

Many web sites use the exact same protocols to talk to the payment processors as brick and mortar stores do.

Re:Internet Finance

Amazon's stock must go up every time one of these stories is posted.

Sure, anyone can do eCommerce by putting up a website. Except for a very few, though, these are going to be run by businesspeople for whom security for their customers is somewhere on Page 3 of a To-Do list that is two pages long.

Re:Internet Finance

[gmack]

But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets laying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.

Also larger retail stores feed your numbers into "complex automated software". Think TG max who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.

I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place

Re:Internet Finance

[houghi]

I am less paranoid and use the "Internet Credit Card Number" provided by my bank. That creates a Credit Card Number that will be valid for 2 months with the amount I decide to put on it. So if I buy some service for 10EUR, I put 10EUR on that card. When then somebody else steals that number, it will be useless as the 10EUR is already used.

For my credit card company it is then pretty easy to find out where I used that number and then know who caused the leak and punish them if they so wish. To me this is an extra step and it gives me as much security as I need for now.

Also you are aware that ATM machines are not foolproof and there are even other ways of getting your credit card number.

Re:Internet Finance

[Jason+Levine]

Yes, because buying things over the phone or in store will never result in a breach.

Oh, wait...

Those three stood out in my mind since we were affected by all of them. There are others, I'm sure. In the first two cases, our credit card information was compromised despite the fact that we shopped in-store and not online. In the third case, our information was compromised at the processor level, so it really didn't matter where we shopped. Face it, no matter where you shop, your information is in the hands of other companies and can/will get compromised. The only way to prevent this is to only shop using cash. (Something that is becoming an impossibility more and more.)

Re:Internet Finance

if you live in the USA, your credit card number should not be on the receipt. That is not legal.

http://www.privacyrights.org/fs/fs6a-facta.htm

Re:Internet Finance

[Uzuri]

... which results in the person on the other end of the phone tapping your credit card number into the company's website, probably while using IE.

I used to do that, too, until I realized that it was all going to the same spot anyway, and at least I could have some idea of the security of my own box.

Exactly

[Chrisq]

Its like if you make a credit card payment and someone videos you then a "known issue with the video camera" will allow people to see the data you entered.

Re:Exactly

[ilo.v]

Its like if you make a credit card payment and someone videos you then a "known issue with the video camera" will allow people to see the data you entered.

No. It's as if you are sleeping with your best friend's wife and someone videos you then a "known issue with the video camera" will allow people to see the "data" you entered.

That was a joke!

[gravos]

That was a joke! A play on words!

Seriously though, caches are good. Worrying about credit card numbers being cached is as bad as promoting security through obscurity. We should be moving to a system that doesn't rely on "secret numbers," but instead makes use of multiple factors from the time-tested triumvirate of "something you have," "something you know," and "something you are." Something you know alone just isn't good enough for this day and age.

Google is just doing what Google does.

Can some American please explain to me...

[Hurricane78]

...why anyone would use a payment system, with no safety at all?

What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

Is that really how it works? Because if yes, then why in the word does anyone even consider using something like that?
I'd rather go back to bartering goods, than something like that.

When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

Or is it, because you have not much of a choice?

Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

Re:Can some American please explain to me...

[Ihlosi]

What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card.

No - in order to actually get paid, the merchant must also wait a few weeks in case the customer disputes the charge (and issues a chargeback).

Hence, the person using the credit card doesn't bear much risk, but the merchant that accepts them does (if he delivers goods and services, gets "paid" by credit card, and the charge gets disputed, he's out the money and the goods and possibly gets slapped with extra fees from the credit card company). Of course, this risk needs to go into the merchants price calculation. :P

Additionally both are detached from the bank account. Unlike a credit card.)

A credit card is not attached to bank account (at least not in the US). A debit card is.

Re:Can some American please explain to me...

I can't speak for any other countries, but I can tell you why that's not done in America. Two reasons: One, it would cost the banks money to implement such a system. That goes against their core ideals of charging us as much as possible at all times (some banks charge extra for depositing coins now). Two, Americans wouldn't stand for such "complexity". Too many of them would feel that a system like you described is incomprehensible, an they'd rather take their risks with ID theft. Sad but true.

Re:Can some American please explain to me...

[Tx]

In the UK at least, your transactions are guaranteed by the credit card company. So it's often actually recommended that you purchase things online with a credit card, because if you get ripped off, the goods are defective, or the merchant goes bankrupt etc, the card company has to refund you. This is enshrined in law under the Consumer Credit Act. On the other hand, if you pay with a debit card or other direct payment, your money is gone.

Re:Can some American please explain to me...

[jimicus]

I'm not American, but I can explain the idea to you.

Every decision that introduces a system or process of some sort (doesn't have to be a computerised one, just a system or process) inevitably means that you make a compromise between risk and benefit.

If nobody ever exchanged goods, the risk of losing goods in dishonest transactions or from being mugged would be much lower. However, we'd all be living in caves gathering berries and hunting animals.

Along comes bartering and suddenly those who have an unusual talent for making weapons but are lousy at doing the actual hunting can exchange food for weapons with someone who's a great hunter but a lousy weapon maker. Of course, the hunter could just take the weapon and kill the man who made it (so the risk is slightly higher) but what would he do when the when the weapon eventually wears out?

Fast forward to today and while we're no longer talking about spears and woolly mammoth, the same basic concepts apply.

Not everyone wants to carry lots of cash - mainly because if it gets stolen you're stuck. By making it easier for people to do this (using credit/debit cards), society can move faster because money is spent faster. Banks make money on per-transaction charges so they want to encourage as many as possible; companies make a sale where otherwise they may not have.

The risk is obvious - if card details are stolen, they can be abused. But the risk is reduced with things like online approval for purchases - which ensures that stolen cards aren't useful for very long.

The banks and merchants make money on the difference between (number of transactions) and (number of dishonest transactions). Provided the first is substantially higher than the second and the net figure is greater than what you'd get by just accepting cash, you're doing better.

You'll never invent a system which is 100% risk free, all you can do is reduce the risk. Everyone wants to reduce the risk, but making changes to reduce the risk requires man-hours and equipment, both of which cost money. If you can effectively eliminate US$100,000 of fraudulent charges per year with a change that will cost US$10,000,000, then that change is not going to happen.

If the numbers are the other way around, however, you should patent them and speak to your bank.

Re:Can some American please explain to me...

>Because if yes, then why in the word does anyone even consider using something like that?

Because it's convenient, and they don't take the hit if something goes wrong. If your credit card details get stolen by some third party because a merchant processed them insecurely, you're not liable for any activity on the card.

Even many debit cards carry the same protection against fraud - if someone uses it who's not you, you get your more back.

Re:Can some American please explain to me...

On the other hand, if you pay with a debit card or other direct payment, your money is gone.

However, some debit cards (e.g. my Lloyds TSB Visa debit card) count as credit cards for the purposes of the consumer credit laws, and *are* covered (I know because I read and signed some document to this effect).

Re:Can some American please explain to me...

[toQDuj]

For about a year now, I have signed (where requested) the credit card transactions with fake signatures (something that looks like a sig, but isn't mine). No-one cares enough, as I haven't been caught at it even once.

Money still gets withdrawn from my account, though.

Re:Can some American please explain to me...

[toQDuj]

p.s. That's in Denmark.

Re:Can some American please explain to me...

[psicic]

I'm not American - and I wonder about the op's premise as I thought most countries had moved (or were moving) to PIN-numbers rather than signatures to verify in-store transactions.

Regardless, credit cards are very safe for Europeans because of the extra protection they provide to consumers.

In Ireland as well as the UK - and most other European countries - there is a version of the Consumer Credit Act. It treats all purchases on the card as, unsurprisingly, a type of credit agreement. This is a very powerful and pro-Consumer thing, providing lots of protection for any who cares to look into it, e.g. chargeback.

True, a lot of these 'safeties' was introduced in an attempt to make the cards more secure - don't forget the premise of credit cards has been around for many, many decades and, during that time, the type of fraud perpetrated against credit card users has become more and more complex.

It's also well documented that Germans (culturally/in general) have an aversion to credit cards for a number of reasons; from 'all credit is borrowing - and borrowing is bad' (note the low rate of borrowing in Germany) to a series of pre-existing methods of paying for goods and services easily at a distance (e.g. in Germany, there is the long standing inter-bank transfer system; very cheap and secure to use inside the borders of Germany but, until very recently, was astronomically expensive for anyone in another country to transfer money to).

So why do I use a credit card? A large number of international traders accept credit cards, doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card. I suspect it's the same for Americans and most people who use credit card. Having the advantage of being European, I also have a lot of legally enforceable extra protections that I'm not sure Americans have in the Consumer Credit Act.

I also do use bank transfers to pay for stuff. Usually only to Germany because Germany is one country where their banks are pretty secure. And only in recent years - because, thanks to an EU Directive, the astronomical cost of transferring money across borders to another member state of the Eurozone has plummeted (note: UK not member of Eurozone, so a UK consumer could still face high charges).

I also have the protections of the Distance Selling Regulations when buying from Germany, but I would never transfer money via bank account outside of Europe.

As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.

Debit cards don't seem to be standarised internationally - or even across the EU - so are not really viable as a payment method.

Re:Can some American please explain to me...

[smoker2]

Debit cards are protected too. I've had my card details stolen and used, and I got my money back. I've had bad (non-existent) service from a few companies, and the bank has given me my money back. In no case has my money just been "gone". I don't have a credit card at all, and I've never lost money from an online transaction. Less FUD please.

Re:Can some American please explain to me...

[Tony+Hoyle]

Not by law.. a debit card has no more protection than a cheque.

The bank *may* choose to reimburse you for such thing, but you're far safer using a credit card.

Re:Can some American please explain to me...

[INeededALogin]

I am pretty sure that your signature is an after-the-fact paper trail. Meaning that if you complained you didn't purchase something then they have your signature to analyze. I always find it funny watching old people sign those electronic signature pads. They do it so careful thinking that if they don't, the transaction won't complete.

Re:Can some American please explain to me...

[Corbets]

We're liable - by federal law - for a maximum of $50 if our cards get misused. So it's not a terribly big deal in that sense.

More troubling are the difficulties you have to go through to undo identity theft, but that has little to do with the credit card payment system you're referring to.

Re:Can some American please explain to me...

[Tony+Hoyle]

Nobody checks signatures.. that's why many countries went to pin entry.

Of course pins are just as bad..

1. If someone gets your pin they can reproduce it 100% accurately every time, unlike a signature. Since a pin is only 4 characters it's trivial to remember.
2. Many transactions don't use the pin - the local supermarket auto checkout doesn't require a pin, only the card. Also all the cities car parks are the same.
3. When you're paying for something how do you know they aren't skimming the card (90% of shops still take the card off you an scan it through the till, even though apparently they're not supposed to any more) and storing the pin in a computer under the till?

IMO the pin should be a string of beetween 10 and 20 digits. Much harder to for someone to shoulder surf. All transactions should require the pin, otherwise the transaction isn't valid.

Re:Can some American please explain to me...

[locofungus]

Debit cards are protected too. I've had my card details stolen and used, and I got my money back. I've had bad (non-existent) service from a few companies, and the bank has given me my money back. In no case has my money just been "gone". I don't have a credit card at all, and I've never lost money from an online transaction. Less FUD please.

It's not FUD.

Under the consumer credit act, when credit is extended for a purchase by a consumer, (for at least 100GBP) the credit company becomes jointly and severally liable for the completion of the contract.

That means that if the supplier goes bankrupt you can still get your money back from the credit company. Even if the supplier doesn't go bankrupt but just doesn't supply the goods you can still sue the credit company for your loss and then leave it up to them to get the money back from the supplier.

This automatically applies to all credit cards. It also applies to debit cards if you extend an overdraft in order to do the purchase. (It is the use of credit that is important)

Some visa debit cards also provide the same protection when not using an overdraft. This is a courtesy from the bank and is not required by law. (AIUI Visa is moving to requiring anyone supplying a visa debit card to offer this protection. I do not know if that has completed yet.)

This is independent of any redress you might have if your card is stolen and/or used fradulently. In that case the card supplier has a duty of care to you (e.g. verify signatures etc) and so you have a potential claim against the card supplier independent of the consumer credit act.

Tim.

Re:Can some American please explain to me...

[master811]

In the UK at least debit cards DON'T have the same protection as using credit cards, so it's not FUD at all.

Your bank MAY reimburse you, but they don't have to. However when you use a credit card, the company in effect owes the bank rather than you as it has been bought on 'credit' (from the bank). So it's generally guaranteed to get any money back as long as the value is above £50.

For the same reason you actually have more protection if your debit card goes into your overdraft resulting in a negative balance (as it's 'credit' from the bank), rather than if you had a positive balance and you didn't owe the bank anything.

Re:Can some American please explain to me...

[Xest]

"Not by law.. a debit card has no more protection than a cheque."

Which is probably more than you think. For one, a bank can't just hand your money away to someone for a fraudulent debit card transaction or a faked cheque. If you wish to argue that you didn't authorise a transaction then they have to be able to prove otherwise if they want to avoid giving you your money back.

You can't fiddle the system because say your card was used without your permission to buy a flatscreen TV online, the bank could contact the company the purchase was made from and ask if they can prove it was delivered to you for example. If the company couldn't prove it went to your address and that you signed for it then the bank couldn't prove you made the transaction and so you'd be legally entitled to have your money returned. If people tried getting things sent to other addresses and have other people sign for it for them then claim they never got it that'd work, but the bank would also be able to call the police on your for a fraud investigation if they suspected that this was the case. If you got caught, it would also be fraud.

Regarding charge backs it depends on the card issuer but Visa have the Visa Debit Chargeback scheme which all Visa debit cards are covered by. Whilst charge back isn't something that's forced by law on companies it is something that's forced as part of Visa and part of your terms and conditions of having a visa debit card, so even if your bank, say, Barclays, refused to do a charge back for you you could still take them to court for breaking terms and conditions and get the money back anyway. You could also issue a complaint to Visa to try and push action there too. Other payment schemes like Maestro don't offer the same protection however but they do have similar offerings but perhaps not quite as well enforced.

Realistically then, credit, or debit card, you're pretty well protected. The only difference is with debit card the onus is on you a bit more if they're difficult in that you'd have to initiate a court case as a last resort if they were being stuborn, but this is I understand a very rare occurance because when it hits court, the banks could lose more money having to pay court fees etc. too. Credit cards have protection that's written in to law by the government, whereas debit cards have protection that's written into law by the government for fraudulent use, or made legally binding through the contract as part of receiving a Visa debit card for charge backs. Charge backs are valid under Visa debit cards upto 120 days after the transaction and for damaged or undelivered goods.

The real reason we're told not to use debit cards in the UK is because banks can make less off of them as there's always the hope they'll get people to spend beyond their means and then try and rack in the interest. It's certainly not for consumer protection.

Re:Can some American please explain to me...

[Linker3000]

Only if the amount is over 100GBP but no more than 30,000GBP, or you use a VISA debit card as there is a voluntary scheme for them and I have used it sucessfully to claim back 75GBP for mis-sold items (so, actually, a VISA debit card is better for low value transactions!) There's also an issue with purchases for multiple items - they all have to be worth > 100GBP so, for example, if you buy two budget airline tickets for 99GBP outbound and 99GBP return, they're not covered! Here you go: http://www.newsoftheworld.co.uk/lifestyle/money/52717/Its-plastic-fantastic.html

Re:Can some American please explain to me...

[Jason+Levine]

In America, if your card is used fraudulently you are only liable (by Federal law) for the first $50 and even that is waived by all of the major credit card companies. Debit cards have no such protection enshrined in Federal law. Many banks have started to offer similar protections on their debit cards, but you would be dealing with bank policy as opposed to Federal law.

Re:Can some American please explain to me...

[maxume]

The card agreement provides safety for purchasers by limiting their exposure to $50 (and most of the companies wave that...). The card companies then use the huge numbers of people who use credit cards to, let's say, 'encourage' merchants to write down the costs of fraudulent transactions.

So people use it because it is convenient and not really all that risky, and merchants use it because (for most of them) not accepting credit cards would cost them far more than fraudulent transactions cost.

Re:Can some American please explain to me...

[maxume]

The first step is to call it what it is -- undo "banks casually opening credit accounts based on fraudulent information".

Keeping magic secret numbers as private as possible helps, but there really isn't an individual can do to prevent it, so describing the individual as the victim is nonsense.

Re:Can some American please explain to me...

[NeoSkandranon]

I would love to move to a fob system, but unfortunately (as another poster mentioned) that's just too damn complicated for many of my countrymen.

Re:Can some American please explain to me...

[rfunches]

Your money is gone until you call the bank and they replace the funds pending an investigation. If you have $1000 in a checking account and someone fraudulently charges $1000 to that account's debit card, of course you can dispute the charge and likely get your money back. Your balance, however, is $0 *until* the bank replaces the money. E.g. if you had auto bill-pay run the same day for $200 and didn't see the $1000 fraudulent charge until the next day or received an overdraft notice, you'd overdraft by $200.

I would never use a debit card on my primary checking account for that very reason. At least if I need to dispute a fraudulent charge on my credit card, I don't have to worry about being temporarily out of $1000 and waiting a day or two for the bank to replace my money.

Re:Can some American please explain to me...

[hab136]

What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...
Is that really how it works? Because if yes, then why in the word does anyone even consider using something like that?

That's really how it works.

From the consumer perspective:
If my card is stolen, my maximum liability is $50 or less. It's usually $0. It's annoying to have your card stolen and put a stop on everything, but it's also very rare.
It's very, very convenient to pay by credit card.

From the bank perspective:
Paying out the fraud is cheaper than paying for anti-fraud infrastructure (chip and PIN for example).

Re:Can some American please explain to me...

[Blakey+Rat]

What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

Are you talking about online only? Typically, that's correct. Some sites also require that your ship-to address be in your credit card company's database before they'll let the transaction go through.

Is that really how it works? Because if yes, then why in the word does anyone even consider using something like that?
I'd rather go back to bartering goods, than something like that.

You don't *have* to use that, if you don't want to. You can get pre-paid credit cards for use on online purchases, which have all the advantages you mention. In addition most, if not all, credit card companies have additional security levels available that you can sign up for if you like. And if that's not enough for you, you can always just choose not to buy things online.

When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

So... a pre-paid credit card, like one available in the US?

Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

Like the higher security systems you can get from pretty much any US credit card issuer?

Also, are you saying it's *impossible* in Germany to make an online purchase with a plain-old "type-in-the-numbers" credit card? Because it really sounds like you're complaining about absolutely nothing here.

Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

There's a strong undercurrent of "God Americans suck", whether or not you intended it. Of course, it doesn't help that Slashdot gets so many "God Americans suck" posts that it's kind of hard to tell the difference anyway.

Re:Can some American please explain to me...

[edp]

"What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card."

No, there are other safeguards. For one thing, you need to know some address information associated with the card, such as house number and postal code. If the product is not being shipped to an address the credit card issuer knows is associated with the card, then there may be additional checks. There is a three-digit verification code that the purchaser may be asked to supply. This code is not printed in raised lettering, so it is not recorded on old-style physical imprints of the card, and merchants are not supposed to keep a record of it once the transaction has been approved. (They have the credit card number and an approval number unique to the transaction.)

As another respondent mentions, the credit card holder is responsible for reviewing their statements and notifying the credit card issuer of fraudulent transactions. Then the issuer can withhold the money from the merchant or otherwise get it back.

In Germany, you can send money to people by writing some information about your account and about the payee and their account on a bank form and depositing it into a box at your bank. What prevents that from being used fraudulently? I wondered about that when I lived there. I suppose the fact that the money goes to account provides some safety, as the destination back should have some knowledge of their customer.

Re:Can some American please explain to me...

[skeeto]

...why anyone would use a payment system, with no safety at all?

In terms of getting ripped off online, credit cards are probably the safest thing. In the US, the law says that you are not responsible for any charges you didn't make as long as you still have the physical card in your possession. And then there are protections on top of that for defective products and stuff. From what I have read, and in my experience and my friend's experiences, credit card companies honor this without giving you any trouble.

As long as you keep an eye on your charges, you are very safe. Because the credit card companies carry the responsibility, it is in their interest to have good security on credit card information.

Re:Can some American please explain to me...

[skeeto]

We're liable - by federal law - for a maximum of $50 if our cards get misused.

That's only if the physical card is stolen. If the just the number is being used fraudulently, you are responsible for $0, which is what is happening here. See Credit, ATM and Debit Cards: What to do if They're Lost or Stolen.

Re:Can some American please explain to me...

[skeeto]

The card agreement provides safety for purchasers by limiting their exposure to $50

That's only if the physical card is stolen. If the just the number is being used fraudulently, you are responsible for $0. See Credit, ATM and Debit Cards: What to do if They're Lost or Stolen.

Re:Can some American please explain to me...

[Hurricane78]

But in reality, if your goods never got sent to you, or are defective... Don't they just simply say that you got them but hide them, and that you destroyed them and now want new ones, and therefore, you will get nothing?

Because from what I know, Credit Card companies want to screw you, wherever they can. I can't imagine that this would be an exception.

So how is it ensured, that you actually get a refund? Even if it is a brand-new Lamborghini (random ultra-expensiv good X) that either never gets delivered, or looses its motor trough the back, on the first drive.

Re:Can some American please explain to me...

[Hurricane78]

A large number of international traders accept credit cards, doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card.

So the reason is to ignore huge safety issues (which are patched and patched and patched, instead of doing it right from the beginning, because of the greed of bangs), for comfort?

Hmm... Not my thing. There are places, where comfort is just mis-placed.

And "point systems" is another thing, that I never "got". To me is it like being frauded (is that a word?), because when you calculate it, always costs more in investment, than it saves you in money. Or in other words: It is there, to animate you, to buy more, so you can "save" money. Yeah. Right. How stupid do they think I am??

As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.

Yeah. In Germany, the whole system of the Geldkarte, was an "epic fail", because it could never grow is the places where it would be perfect. Like kiosks, small shops, pharmacies, fast-food restaurants, snack bars, clubs, and similar small payment places. The reason was the expensive device, and no real point in changing to it. There was no reason for a company to invest in the device. Which resulted in no reason for customers to get a card.
Of course, in theory, it is nice, to not have to have any paper money and coins anymore. But in reality, it simply does not add that much.

Additionally, you can't transfer money from one card to another just like you could give a friend a bank note. I heard that devices for this existed. But I never saw one in reality, or where you could buy one. And I even searched for them.

It would have to provide all the features of paper money and coins, and a big thing more, to be successful. And I don't see this happening... ever... Sadly. :(

Re:Can some American please explain to me...

[Hurricane78]

Wait. A debit card is useless without the PIN code, isn't it? Sure, you sometimes can calculate the code. But normally...?
Of course, if you let them get your PIN, that was your failure. In that case, I would not give you a cent, if I were a bank.

As such a bank, I would only pay, if I had not fulfilled the contract, by using bad security systems, or not fixing security holes.

Re:Can some American please explain to me...

[Hurricane78]

The real reason we're told not to use debit cards in the UK is because banks can make less off of them as there's always the hope they'll get people to spend beyond their means and then try and rack in the interest. It's certainly not for consumer protection.

Yeah. That's the main reason, why I will never ever in my life touch any credit card, or bank account with credit, ever again.
Also I do not put my money in saving accounts or something similar. Because they only give that money to some fund manager. But they take most of the money first. I think I can do that without giving them most of the money for doing nothing. ^^

Re:Can some American please explain to me...

[Hurricane78]

Please explain -- which was my first point -- how anyone can use a debit card without also having my PIN (or signature and appearance)?

At least is Germany, this is impossible. You have to tell someone your PIN and get your card stolen, and not instantly call the card locking phone number [that is printed on every ATM here], for this to happen. Which is so stupid, that you -- in my eyes -- would deserve to lose a ton of money. ^^

Re:Can some American please explain to me...

[Hurricane78]

Since a pin is only 4 characters it's trivial to remember.

That's the problem. 4 NUMBERS. Come on. That is i total failure in today's society.

2. Many transactions don't use the pin - the local supermarket auto checkout doesn't require a pin, only the card. Also all the cities car parks are the same.

Try that in Germany. They will laugh at you. And maybe call the cops.
Nearly every business has PIN-input terminals. And those who don't, require the usual signature. Which you can later appeal against. They than have to show you the receipt with the same signature as on your debit card or id card.

3. When you're paying for something how do you know they aren't skimming the card (90% of shops still take the card off you an scan it through the till, even though apparently they're not supposed to any more) and storing the pin in a computer under the till

Good point. But by law, they are required, to use class 3 pin entry devices. Those devices use a secure, highly encrypted, connection (eg via modem), right to the bank. Because of this, they have their own display, to show the amount you are about to pay, and their own keys to input the PIN and payment OK.
Of course, it would be your job, to check, if that device actually is a class 3 one. (Usually, you can't simply modify them. They are built in a way, that this is (in theory) impossible.)

I guess this is where the last problem still lies. And where in reality, there was not a single case that I ever heard of, of someone using a fake reader.

IMO the pin should be a string of beetween 10 and 20 digits. Much harder to for someone to shoulder surf. All transactions should require the pin, otherwise the transaction isn't valid.

I don't think digits alone are enough. Something more complex is needed. But something that nobody can take from you (like someone would take a fingerprint or eye). So a code in some more efficient form than entering 10 special characters into a full-sized keyboard, at the checkout. ;)

Re:Can some American please explain to me...

[techess]

It is useless as a debit card, but it can still be used as a credit card that automagically withdraws the money from your account (think instant electronic check). If you dispute the claim you will get your money back, but like several other posters mentioned if you have any automatic withdrawals or outstanding checks they can bounce/overdraft until the bank refunds your money. You'll probably be stuck paying any fees/penalties with the bank or vendor.

With a true credit card you aren't out any cash if you dispute a claim unless you actually made the purchase.

Re:Can some American please explain to me...

[psicic]

So the reason is to ignore huge safety issues (which are patched and patched and patched, instead of doing it right from the beginning, because of the greed of bangs), for comfort?

Hmm... Not my thing. There are places, where comfort is just mis-placed.

Nice interpretation, but that's not quite what I meant. It is not comfort, it is active protection.

If you follow this argument: have you ever bought anything online? If you bought it from inside the EU you have a lot of protection under the Distance Selling Regulations. This covers all sorts of things, like if your product is faulty, not as described and so on. The EU is brilliant for Consumer Protection.

However, if you intend to buy from outside the EU, the Distance Selling Regs do not apply. You have to resort to local law. No offence to non-EU citizens, but consumer protection is pretty lack-luster in most other jurisdictions, and sometimes overly complex. However, using a credit card, if something is wrong with an item or service, if it turns out that what you signed up to is a scam, if goods never arrive etc... the credit card company is obliged to help out/refund the cash.

This is a protection that doesn't exist if I use bank transfer or debit card without escrow.

And "point systems" is another thing, that I never "got". To me is it like being frauded (is that a word?), because when you calculate it, always costs more in investment, than it saves you in money. Or in other words: It is there, to animate you, to buy more, so you can "save" money. Yeah. Right. How stupid do they think I am??

I understand where you are coming from. Points systems are a red herring if you think they are there for the benefit of the consumer.

As already established, because of the protections afforded to me under the Sale of Goods Act by using a credit card (it counts as a proof of purchase for warranty purposes), I tend to buy all my goods bought in local physical shops on my credit card. Is that hifi I bought broken after 3 years? No problem, credit card records are proof of purchase to retailer, they have to repair item. Is that milk I bought today sour, but I didn't get a till receipt? No problem - back to the supermarket with my credit card and ask for refund.

For years I had a credit card without a points system, using it for most things for my own protection. Then I realised my card issuer gave points on certain cards. The main drawback is if you overspent or couldn't pay your bill you were charged a higher rate of interest. As I pay off on time each month, this was not an issue. I got the card but didn't change my spending habits. After three years I finally have enough points to get something I want from their catalogue. Something I would not have purchased if I had to pay. It's a nice gimmick. It's an incentive to have this card over an ordinary card.

The perfect payments system does not exist. There are a lot of reasons consumers may choose to pay via credit card - being theoretically perfect or technologically impressive may not be as important as practical protection.

It's Google's fault

And the Watergate was Washington Post's fault!

Re:It's Google's fault

No, The Roman Catholic Church as they were the owners of the building!

COD

[TheLink]

Regarding COD nowadays. I doubt most honest and sane people would like to be the postman carrying the $$$$.

Crooks already rob pizza delivery workers.

Re:COD

[partenon]

*That* is the main problem: trust and security, which turns out to be *respect* (a strong word for Japanese and other Asiatic cultures, and a weak word for "western"). Here in "western", we think in respect as up to the "is it legal?" level, while more advanced societies goes beyond that level.

Re:COD

[commodore64_love]

Perhaps we should revive the word "honor". At one time damaging an American's honor meant opening yourself to being murdered by duel. If you impugn my reputation or honor, your life may be forfeit. I nominate AIG executives for that. AIG versus the People in single-shot combat.

Re:COD

[partenon]

Not sure I missed some sarcasm, but I think there is a truth in your comment :-) If someone lacks respect to others, they should be accountable for that. I mean, it should suffer severe consequences instead of getting huge bonuses ;-)

Re:COD

[Xabraxas]

Here in "western", we think in respect as up to the "is it legal?" level, while more advanced societies goes beyond that level.

That's a little oversimplified don't you think? The basis for Western society is the rule of law. While it does have some downsides it has a lot of upsides too. I wouldn't call Western society "less advanced". It's just different.

Re:COD

[Ihmhi]

I sure as hell wouldn't want to try to mug a postman.

First, I've seen some of the crazy bastards outside in Winter in shorts. So they're tough as nails right there. Moreover, you could just be the unfortunate one to mug the postman that was gonna flip out at work with an uzi just as soon as he finished his shift.

teachers expose 2.* billion lost souls

mostly due to misinformation/hypenosys. some (un)knowingly give up their spirit, to experience the excesses/illusionary trappings of man'kind', without remorse over the less 'fortunate'.

our only purpose here is to take care of each other. failing that (& who hasn't?), we're simply passing through.

there's no need to confuse/compare 'religion', with being a spiritual being. the lights are coming up all over now.

known issue in Google

[Arancaytar]

What the FUCK?

There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?

Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.

Re:known issue in Google

[Aladrin]

Not only that, but for Google to index it, Google had to know it was there! That means that either someone manually added that URL to Google, or it was linked from somewhere at some point.

Google isn't magic, and it isn't the source of the problem.

Re:known issue in Google

check dictionary for 'defunct'. consider this:

Company A hires company B to do web site. A week later, someone at Company A notices bad security of web site. Company A immediately takes down web site and get Company C to come in and do it right. The old, unsecure web site is deleted.

But Google still has it cached. Is there a good interface through which people can tell Google to clear the cache of their domain? Is there a good interface through which people can tell Google not to ever cache their domain?

Are you affected

[jlebrech]

in order to check if you are affected or not, please reply with your card number and security code on the back of your card. [/joke]

whirlpool discussion threat

[fluch]

ITNews links to a discussion threat at whirlpool.net.au which has been deleted because it is "handeled by the authorities".

And again it is a known issue of Google which reveals the deleted thread: http://209.85.229.132/search?q=cache:uf9L_DtjAzYJ:forums.whirlpool.net.au/forum-replies-archive.cfm/1165021.html+http://forums.whirlpool.net.au/forum-replies.cfm%3Ft%3D1165021&cd=1&hl=en&ct=clnk

- Martin ;-)

You are quite confused about the scope of PCI/DSS

The only part of Google that needs to comply is Google CheckOut. Nothing else.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Google Fault? needs a car analogy

[viperblades]

remember kids now that google isnt popular its their fault if you put sensitive customer data OPENLY ON YOUR SITE.

by the same logic thumb drive makers are the blame for data loss via thumb drives.

Now I know what happened...

[DiverDean]

Thank you google for giving out my CC number, luckily, I caught it fast enough...now I at least know what happened...

Problem with google?

[Hecatonchires]

Isn't it more a problem with websites that allow a spider to read what should be a secure directory?

19,000 Active US, UK Credit Card Consumers

[AHuxley]

Credit card security is for paying equals, the people you cannot not afford to upset.
Other banks or the people data mining you.
Paying a credit card consumer breach 'fine' every so often is still cheaper than the real expense of on going consumer security.
If congress looks, any credit card company can swear they have the best security in place..
A line of top university security experts and other independent experts would tell of how the company to company transactions are secure..
Just not for you as a consumer.

But Google does no Evil

[endeavour31]

Proof positive that Nobody is exempt from fucking up. I guess Google programmers no longer walk on water.

the answer is simple

[circletimessquare]

the cost of setting up a new system is higher than the cost of paying for all of exploits

for the companies that is. for the individuals, your credit is destroyed, you have to spend hours cleaning up the mess, etc.

unfortunately, not enough have been victimized to make much of a ruckus. nor have the exploits been of the scale (yet) that really cost the providers dearly

but that day will come. then we will get a more secure payment system

the consumer is ignorant. the providers are content. and the tsunami is over the horizon

some huge exploit will happen in the future. and only then things will change. classic human nature: put off and ignore the inevitable because you don't want to deal with it until it is too late

If it aint Dutch...

it aint much.

The problem, actually, is with credit cards and their safety protocol.
In the Netherlands, most people use debit cards. To pay online, we use iDeal. The system takes you to the secure internet banking environment of the bank - backed by confirmation SMS / hardware devices generating a hash for each transaction dependent on PIN-code, account number and a seed from the online environment, and user/password combination. I think this is much safer and i don't even know why anyone would ever want to use a credit card instead of a debet card; spending money you don't have is stupid anyway...

CC #'s in Google Search Cache?

[iceT]

Just out of curiosity, how was Google's Crawler allowed to FIND the information in the first place to put it in the cache?

You don't suppose that maybe the problem is in the ORIGINAL server allowing too much access, do you?

Google just "remembers" your mistake for a LONG time.

Re:CC #'s in Google Search Cache?

Google just "remembers" your mistake for a LONG time.

And that is not nice. In some cases, you might even say it is evil.

Single Use Number

[Andy_w715]

I always use single use card numbers, or generated numbers for different vendors. Although one problem I can think of is returns, I don't know how those are treated.

Re: instant phone verification

[macraig]

OpenID has instant telephone verification even for simple site logins NOW, and it works. I just enabled it the other day and tested it.

Note the "CVV Numbers part"

[BrianRoach]

CVV numbers. Which VISA/MC tell you as a merchant you are never ever to store (it's only supposed to be sent to the payment/verification gateway in real time with the transaction).

The merchants involved should have their agreements revoked.

- Roach

Re:Note the "CVV Numbers part"

[Pervaricator+General]

Violation of CISP is a BIG deal. No one needs this information unless they are running your card. It has no other use than verification (kind of how a drivers license should only be produced for ID purposes)

Blaming Google?

[Demonantis]

I have not read the article, but it sounds like the author of this post is suggesting that google is to blame for data leaks. I think google is an effective tool for indicating data leaks. What stops someone from accessing the data if a web crawler can. I mean the crawl does not have credentials for accessing the data. That means evil people without credentials can access the data. Google just happens to cache it for latter access by evil people.

Re:Blaming Google?

[cyber-dragon.net]

I whole heartedly agree. As much as Google is the scapegoat of the year, and even I have my own axe to grind with them, this is clearly not their fault.

If the data was never publicly available, Google cannot cache it. Whoever set up the sites security is at fault for making it possible to reveal this information.

pnorth, how much you get from Microsoft for spinning this?

Re:Blaming Google?

[Pervaricator+General]

How much does Peter North usually get for his services to the Ladies?

To find out if YOUR credit card was yoinked, ...

... just visit this fancy bank-like website and enter the appropriate information: http://online-servicing.branch1.area42.bankofamericas.com

Thank you, and enjoy your evidence of debt.

Bank of America Online Servicing Division

google could fix it (if they wanted to)

Remember that "miserable failure" google-bomb on the whitehouse when Bush was in office. Google claimed that it couldn't do anything about it and it was impossible to fix. However, the bomb richochet'ed when Obama took over, but somehow since Obama has an "in" with the googleplex, so in moments somehow an "impossible" fix was created...

Google plays favorites, and unfortuantly for these credit card holders fixing this just isn't high on their priority list, they'd rather be jetting around in their private Nasa Jets and knocking elbows with the Obamas...

Re:google could fix it (if they wanted to)

Couldn't possibly be a Google bombing to give it favourable rating, cause not, there's only zillions of people who seem to love him on the internet.

So what?

[cdrguru]

So some credit card numbers were stolen. So what? Nobody, except the merchants accepting them, lose anything from this. Certainly not the card holders. It is a minor hassle to get the cards reissued - and maybe the credit card company can actually take some action and do this in advance.

Is this "identity theft"? No. It certainly isn't IDENTITY THEFT!!! It is credit card fraud and it happens every day. I regularly get fraudulent charges on credit cards - using the card creates this risk. There are lots and lots of merchants out there both online and brick-and-mortar that think nothing of selling credit card numbers to thieves. It is obvious, because "stolen" credit card numbers are so incredibly common.

Quit floggin google

[mrmojo42666]

I am so sick of folks blaming Google Its not a FLAW in Google its a flaw in who ever left their e-buggery site insecure Google behaved as designed,It Cached and searched and archived a web page.

not exactly

[slew]

A possible analogy is like you make a credit card payment with a gas station and the gas station video security system records you typing in your PIN-code and doesn't handle the recording securely. Is that a known issue with the video camera (an inanimate object), or a known issue with the person that put up the security system who is too lazy to secure potentially harmful recordings?

Perhaps we can put this into a bigger question: is there a safe harbor for google to archive things accidentally put on the web forever, or are they required to do something when someone points this out something bad that their creation has done?

As a silly example, is that imagine there was a coal-burning plant built that provided electricity. Some time later it is discovered that mercury was being billowed in the air. Does the plant have the safe harbor that all it was doing was burning coal and providing electricity, both perfectly legal and standard activities and can continue to do this forever? I think not, new information about devastating side effects of their operation have been revealed. They have a duty to change their operations even though it may not have been forseen. If they do not change their operations, they can be held liable... IANAL, but this seems reasonable to me...

All I got were porn sites

I tried it just now with a friend's credit card, but all I got were porn sites.

It'll take a little more than that

[hackiavelli]

You'll also need an htaccess file. Otherwise you're telling any spiders who don't obey robots.txt and malicious users exactly where to go (though you shouldn't be storing credit card numbers on a web server anyway).

Re:It'll take a little more than that

[phayes]

Really? All that is needed is a well placed .htaccess file to secure an IIS server?

Or, could it be that you completely missed the point of "idiot sites that let unprotected critical information out on a public accessible net". Could it possibly mean that implementing appropriate access restrictions for both the website & the server implementation are good things to do, in particular for ecommerce sites?

Does the expression "go teach your grandmother to suck an egg" have any meaning for you?

Re:It'll take a little more than that

[hackiavelli]

Really? All that is needed is a well placed .htaccess file to secure an IIS server?

No. Why would you jump to that conclusion?

Re:It'll take a little more than that

[phayes]

My initial post mocked idiot webadmins who neither implement access restrictions nor setup robot.txt files. The web server used by the entity that exposed the data to the web is unknown so I was deliberately abstract and did not mention .htaccess files which are specific to the apache family of web servers.

You, using your masterful powers of reading comprehension reply to my post saying "yeah, but you need a .htaccess file too".

I reply asking you if you if a .htaccess file will secure an IIS server (hoping that this would push you into wondering whether the web server had been identified) & clearly stating that you missed the point of half my initial post.

Your reply once again misses the point. You cannot assume that using .htaccess files would have prevented the data breach because the web server used is unknown.

How big a clue stick do I have to whack you over the head with to get it through your skull that you attempt to correct people who visibly know more than you do at the peril of being judged an idiot? We're beyond baseball bat size at this point...

What would you do?

Say (hypothetically) you had found the site and wanted to warn the people whose details had been listed. How would you do it: would you go to the issuer, the compromised site, or just phone/email the people in question?

Actually, yes, Google is at fault.

First, I should say- in my opinion, what is commonly called identity theft is really just theft made easy by failure to identify. So, the credit industry's poor procedures are the real problem.

But- Google, if it is to be a responsible corporate citizen, must have quick, easy and effective procedures for purging sensitive data from the cache. Arguably, they should do this without being asked in some cases (like this one).

I stand by my post

[hackiavelli]

I won't make any apologies for a two sentence post on Slashdot not being a comprehensive guide to website security. It was a simple, common example. You presented robots.txt as some kind of solution to what happened when it not only *isn't*, it could have easily made the situation much worse by pointing a big, blinking arrow to where the sensitive information is. I'm not the only person who interpreted it that way and your overreaction to it suggests you aren't as confident in your knowledge as you pretend to be.