Breach Exposes 19,000 Active US, UK Credit Cards
pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."
It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.
I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.
The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.
"I Don't Have Enough Faith to be an Atheist"
From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quickly enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's a staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.
No kidding!!! What do you say at this point?
The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).
Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.
No: 5434 6625 8876 1272
CVV: 854
Exp 09/12
So how would slashdot know if that post contains valid card info or not?
Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.
I can't speak for any other countries, but I can tell you why that's not done in America. Two reasons: One, it would cost the banks money to implement such a system. That goes against their core ideals of charging us as much as possible at all times (some banks charge extra for depositing coins now). Two, Americans wouldn't stand for such "complexity". Too many of them would feel that a system like you described is incomprehensible, and they'd rather take their risks with ID theft. Sad but true.
Ironically, the Whirlpool page is still available in the Google cache of the thread.
What I want to know is why the CVV numbers were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS).
3 things about computers: they're alive, they're self-aware, and they hate your guts.
For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.
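A defensive check for the situation in the comment above, world-readable files in a shared directory that hold card numbers. This is an added example, not code from the thread; the function names, sample file names and the test card number are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_exposed_pans(root, max_bytes=1_000_000):
    """Return [(path, masked_pan)] for world-readable regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Skip non-regular files and files "other" cannot read.
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue
            for m in PAN_RE.finditer(text):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    # Report masked (first 6, last 4) so the scan output is not a new leak.
                    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                    findings.append((path, masked))
    return findings

def demo():
    """Constructed sample files; 4111 1111 1111 1111 is a well-known test number."""
    samples = {"receipt.html": (0o644, "<td>4111 1111 1111 1111</td>"),
               "private.html": (0o600, "<td>4111 1111 1111 1111</td>"),
               "order-id.html": (0o644, "<td>4111 1111 1111 1112</td>")}
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, body) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), m) for p, m in find_exposed_pans(root)]
```

Only `receipt.html` is reported: `private.html` is not readable by other users, and the number in `order-id.html` fails the Luhn check.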
Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every month.