Slashdot Mirror


Breach Exposes 19,000 Active US, UK Credit Cards

pnorth writes "A defunct payment gateway has exposed as many as 19,000 credit card numbers of US and UK consumers in a major worldwide breach. The data, held in Google cache, includes credit card numbers, CVVs, expiry dates, names and addresses. The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus. Within the address bars of the cached pages are URLs of e-commerce sites that have become victims of the breach. They include clothing, science, health, sports and photo imaging stores. The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

37 of 232 comments

  1. Cashless Society by Anenome · · Score: 5, Interesting

    It's gonna be interesting when we finally move to a cashless society. Things like this will be unforgivable in such a society. That is, we will have to have solved this problem, by and large, of card theft and purchase fraud.

    I know that the card companies have been working on a method of reducing fraud by doing something like linking your card to your phone and texting you for verification when they detect suspicious activity. Or perhaps requiring you to send your picture back to them or something as a verification.

    The person who can create a secondary verification system like that will make a lot of money by solving the great problem that is card-fraud.

    --
    "I Don't Have Enough Faith to be an Atheist"
    1. Re:Cashless Society by zoney_ie · · Score: 5, Insightful

      Cashless society gives control to others. OK cash is under the control of others, but not so much or in the same way.

      People will not give up their cash without a fight, particularly in the current circumstances (not that anyone ever trusted banks, private companies or government).

      I for one sincerely hope we never have a cashless society.

      --
      -- *~()____) This message will self-destruct in 5 seconds...
    2. Re:Cashless Society by gravos · · Score: 5, Funny

      Cashless is old hat. What we really need is a cacheless society.

    3. Re:Cashless Society by sakdoctor · · Score: 3, Insightful

      People will not give up their cash without a fight,

      Oh I don't know. I think it's pretty much down to culture that one.
      I see people putting their credit cards behind the bar and drinking to the limit. Seems especially common for young professional women.

      Japan on the other hand, is all cash only. And elsewhere in Asia, it's cool that you can order computer hardware, plane tickets etc, and it turns up at your door, THEN you hand over the cash.

      Cash on delivery seems quite alien to me now, having grown up in the UK with credit cards for everything. Yet what can be a more secure way of paying online, than not paying online at all.

    4. Re:Cashless Society by unlametheweak · · Score: 2, Funny

      I'm not sure how many people realize that the vast majority of wealth is not in paper form, nor could it be.

      Yeah, it's in the imaginations of people who buy financial instruments like stocks and bonds.

    5. Re:Cashless Society by Cyberax · · Score: 2, Interesting

      Nope. A real cashless society is going to require stronger means of authentication for financial transactions (like public-key cryptography to sign billing statement, etc).

      Currently, credit cards are absolutely insecure.

    6. Re:Cashless Society by Jane_Dozey · · Score: 2, Insightful

      Perhaps you should think about organising your money a little differently. I have 3 accounts: Savings, Dumping account (where my pay cheque gets "dumped" into) and my spending account. I pay rent and bills from my dumping account when I get paid. I then put some into my savings account and then pay myself what I need for the month into my spending account. The only debit card I use is for my spending account, ensuring that if anyone manages to commit fraud on that card, the maximum I lose is 1 month plus whatever was left over from the previous month (if the amount starts building up I just move it to savings).

      It works quite well since I know I'm not spending money that I don't have or is meant for something else and I don't have to worry about someone nicking everything I have.

      To me, walking around with a debit card with access to all of your money is like walking around with your life savings in your wallet: stupid.

      I also have a credit card on my spending account but that's just so I can boost my credit rating. That and buying things like plane tickets or any service that is at risk of not materialising is protected. In that case credit cards are indeed better.

      --
      Silly rabbit
    7. Re:Cashless Society by billcopc · · Score: 2, Informative

      The loss didn't come from VISA's wallet either, it is the merchant that got stiffed. Credit card companies are completely unaccountable, despite charging through the nose for their services. It's right there in the contract everybody has to sign to deal with them...

      --
      -Billco, Fnarg.com
    8. Re:Cashless Society by gzipped_tar · · Score: 3, Interesting

      Here in China, not only is cash on delivery very common, but also the option of debit card on delivery. Last time I ordered a wireless NIC, it was carried to my door by a postman with a frickin' mobile debit card reader. I swept the card through the reader, checked the sums, entered my password and it was done.

      Debit cards are much safer -- you'll always need to enter the password to draw money from your account.

      --
      Colorless green Cthulhu waits dreaming furiously.
  2. Shoot the messenger! by phayes · · Score: 5, Insightful

    It's not a problem with the idiot sites that let unprotected critical information out on a public accessible net and in addition omitted to place a well placed robots.txt, no...

    IT'S GOOGLE'S FAULT!!!

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re:Shoot the messenger! by sakdoctor · · Score: 5, Funny

      Google should take SOME blame.

      I held a robots.txt poster up at my window and google streetmap still photographed it.

  3. er what by Idimmu+Xul · · Score: 5, Insightful

    How is putting all your customer's credit card information online so it is publicly available, and crawlable, Google's fault? What is the known issue? People are stupid?

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    1. Re:er what by skeeto · · Score: 2, Interesting

      For my website, I share a server with a bunch of other sites. I was poking around /tmp one day and came across dumps of credit card information. I forget the website, but apparently they thought /tmp, with global read permissions, was a safe place to generate HTML after a transaction. I reported it to the hosting service and the offending website fixed their scripts.

      Luckily, credit cards have strong protections, so you aren't responsible for any fraud charges due to these leaks. Just check the charges every month.
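
The pattern described in that comment (a per-transaction receipt rendered into a world-readable shared directory) beside a hardened version, as an added example that is not code from the original thread or from any real gateway. The transaction record, directory layout and function names are assumptions for illustration; the PAN used is the well-known Visa test number, not a real card.

```python
import os
import re
import stat
import tempfile

# Constructed sample transaction (hypothetical); the PAN is the published
# Visa test number, not real card data.
SAMPLE_TXN = {
    "name": "A. Customer",
    "pan": "4111 1111 1111 1111",
    "expiry": "09/12",
    "cvv": "123",
    "amount": "42.00",
}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt needs."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_insecure(txn: dict, directory: str) -> str:
    """The pattern the comment describes: the full card record rendered into
    an HTML file in a shared directory, created with whatever mode the
    process umask happens to give (typically world-readable)."""
    last4 = re.sub(r"\D", "", txn["pan"])[-4:]
    path = os.path.join(directory, "receipt-%s.html" % last4)
    html = ("<p>Card: {pan} CVV: {cvv} Exp: {expiry} Name: {name} "
            "Amount: {amount}</p>").format(**txn)
    with open(path, "w") as fh:
        fh.write(html)
    return path


def receipt_hardened(txn: dict, directory: str) -> str:
    """Data minimisation plus file hygiene: masked PAN, the CVV never touches
    disk, a private 0700 directory, and mkstemp (mode 0600, O_EXCL) so a
    neighbour's pre-placed symlink cannot redirect the write."""
    receipt_dir = os.path.join(directory, "receipts")
    os.makedirs(receipt_dir, mode=0o700, exist_ok=True)
    os.chmod(receipt_dir, 0o700)  # exist_ok does not fix a pre-existing mode
    fd, path = tempfile.mkstemp(prefix="receipt-", suffix=".html",
                                dir=receipt_dir)
    html = "<p>Card: {} Exp: {} Name: {} Amount: {}</p>".format(
        mask_pan(txn["pan"]), txn["expiry"], txn["name"], txn["amount"])
    with os.fdopen(fd, "w") as fh:
        fh.write(html)
    return path


def audit_receipt(path: str, txn: dict) -> dict:
    """What a shared-host neighbour (or a crawler) would find in the file."""
    pan_digits = re.sub(r"\D", "", txn["pan"])
    with open(path) as fh:
        body = fh.read()
    return {
        "full_pan": pan_digits in re.sub(r"\D", "", body),
        "cvv": ("CVV: " + txn["cvv"]) in body,
        "mode": stat.S_IMODE(os.stat(path).st_mode),
    }


def demo() -> dict:
    """Write both receipts into a fresh temp directory and audit each."""
    base = tempfile.mkdtemp()
    return {
        "insecure": audit_receipt(receipt_insecure(SAMPLE_TXN, base), SAMPLE_TXN),
        "hardened": audit_receipt(receipt_hardened(SAMPLE_TXN, base), SAMPLE_TXN),
    }


if __name__ == "__main__":
    print(demo())
```

The file-mode fix alone would not have been enough for the case in the story: once a page is reachable over HTTP, permissions on the box are irrelevant, so the hardened version relies first on never writing the full PAN or the CVV at all, and only second on where the file lands.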

  4. Whirlpool thread by shird · · Score: 2, Informative

    This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however:

    http://forums.whirlpool.net.au/forum-alert.cfm?a=priv-deleted&t=1165021&v=0

    --
    I.O.U One Sig.
    1. Re:Whirlpool thread by pallmall1 · · Score: 3, Interesting

      This was first mentioned on Whirlpool, I was reading the thread. It appears to be deleted now however

      Ironically, the Whirlpool page is still available in the google cache of the thread.

      What I want to know is why the CVV numbers were there and for what merchants, as they are not supposed to be cached according to the Payment Application Data Security Standard (PA-DSS).

      --
      3 things about computers: they're alive, they're self-aware, and they hate your guts.
  5. Who are the lucky ones? by MikeOtl67of · · Score: 4, Insightful

    How can you know that your card was not among those?

    1. Re:Who are the lucky ones? by Anonymous Coward · · Score: 3, Funny

      google your credit card and CVV here, and post a link to the results here. It's the best way you can be sure your card is compromised.

    2. Re:Who are the lucky ones? by atraintocry · · Score: 2, Funny

      Fool me seven times, shame on you. Fool me eight or more times, shame on me.

  6. I hardly think there's an issue with Google. by TractorBarry · · Score: 4, Insightful

    > The cause appears to be a known issue with the Google search engine

    More like the usual issue with idiots who fail to adequately protect, secure and dispose of this sort of data in the first place. "Sensitive directories" have absolutely no business ever being readable from the web.

    Company executives and IT administrators who allow this sort of security breach need to start doing hard jail time. Until this happens we'll be reading more and more of these stories by the week.

    --
    Sky subscribers are morons. They pay to be advertised at !
    1. Re:I hardly think there's an issue with Google. by Sockatume · · Score: 5, Interesting

      From the sounds of things, I reckon the gateway was creating a web page for every transaction that included the card details, and those pages were not only unsecured and publicly viewable but indexable. They probably auto-deleted the pages after the transaction was completed but obviously not quick enough. GCache? It's probably all in the internet archive at this stage. It's not a Google issue, it's staggering security error on the part of the gateway that every internet crawler saw. No wonder the gateway's defunct.

      --
      No kidding!!! What do you say at this point?
  7. Re:PCI DSS by MadMidnightBomber · · Score: 3, Insightful

    What, now Google is meant not to index pages which have card data on them? How exactly is that even possible?

    You can bet your boots that Google Checkout is PCI DSS-compliant.

    --
    "It doesn't cost enough, and it makes too much sense."
  8. Misplacing blame on google by Confuse+Ed · · Score: 5, Insightful

    From both the article and the summary re:

    The cause appears to be a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone

    This makes it sound like the issue is with google's search engine and makes light of the real issue which is that at some point this information was published for all the world to see (or search engines to index) and anyone to cache (or write-down, or memorize).

    Insisting on search engines removing this information from their indexes and removing it from their caches is just sweeping the problem under the rug : you or I taking a quick peek on the internet to see if our credit-card information has been published anywhere would get a false sense of security if the search engines pretended it wasn't there and that security breaches had never happened.

    *tin-foil-hat-time* It seems analogous to re-writing history books to cover up prior misdeeds.

  9. Internet Finance by unlametheweak · · Score: 4, Interesting

    The only time I "buy" anything on the Internet is when or if the company has a 1-800 number so that I can place an order over the phone. Same with banking, which I do over the phone or at an ATM that I know. It's too easy for things to go wrong over the Internet, and too many incompetents that are running businesses (on the Internet).

    1. Re:Internet Finance by Anonymous Coward · · Score: 5, Interesting

      Yes, but more frequently the sales people on the end of the phone are using the same web-based system as is on the internet. I even went into an electrical store the other day and the customer service chap went onto a website to check stock.

      Just because you're not buying over the internet, doesn't mean there isn't a computer system somewhere storing details you didn't expect in a place you didn't expect...

    2. Re:Internet Finance by gmack · · Score: 5, Insightful

      But much easier for someone to simply make a copy of the details. I find that my credit card info is treated much more carelessly during card present transactions. Credit card is printed on a bill. Where does the business owner keep their copy? Who all can see it? I've even had my card number written on the top of my order. In some of the places I've done tech support I've seen sheets laying around with credit card numbers. It's nice to know that even the janitor can steal my credit card info.

      Also larger retail stores feed your numbers into "complex automated software". Think TJ Maxx who was a huge source of stolen credit cards and guess what? As of last summer they still hadn't bothered to secure anything.

      I make a ton of transactions online and only once have I had fraudulent transactions on my credit card. That once was the local pizza place

  10. Re:PCI DSS by lurcher · · Score: 2, Interesting

    Ok, by your logic all I have to do to make slashdot fail compliance is post my credit card details.

    No: 5434 6625 8876 1272
    CVV: 854
    Exp 09/12

    So how would slashdot know if that post contains valid card info or not?

    Or even better, I could email this information to my competitor, then ring them and point out that they have failed compliance, as they have unsecured card information stored on their systems.

  11. Can some American please explain to me... by Hurricane78 · · Score: 4, Insightful

    ...why anyone would use a payment system, with no safety at all?

    What I mean, is that to pay with credit cards, from what I know, you only need the data that is written right on the card. And maybe sign the payment, like you sign any contract...

    Is that really how it works? Because if yes, then why in the world does anyone even consider using something like that?
    I'd rather go back to bartering goods, than something like that.

    When I do payments, I either do it with a bag of fixed-value credits. Like real cash in a wallet, or digital cash in a digital wallet (what we in Germany call "Geldkarte"). (Both can be filled/loaded like you fill your wallet, and when it's empty, it is empty. Additionally both are detached from the bank account. Unlike a credit card.)

    Or I do it with a secure system that needs what I have, what I know, and who I am. Like a cash card. Or secure online banking with a keycard. (Both use a keyfile, that you decrypt by entering a code into a secured device with its own keyboard [and display], to create a secure channel, to transmit payment instructions, that only result in payment, if the server allows payment for that account at that moment.)

    Or is it, because you have not much of a choice?

    Please do not see this as a rant (it isn't one), because I really am interested in understanding this.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
    1. Re:Can some American please explain to me... by Tx · · Score: 4, Informative

      In the UK at least, your transactions are guaranteed by the credit card company. So it's often actually recommended that you purchase things online with a credit card, because if you get ripped off, the goods are defective, or the merchant goes bankrupt etc, the card company has to refund you. This is enshrined in law under the Consumer Credit Act. On the other hand, if you pay with a debit card or other direct payment, your money is gone.

      --
      Oh no... it's the future.
    2. Re:Can some American please explain to me... by psicic · · Score: 3, Informative

      I'm not American - and I wonder about the op's premise as I thought most countries had moved (or were moving) to PIN-numbers rather than signatures to verify in-store transactions.

      Regardless, credit cards are very safe for Europeans because of the extra protection they provide to consumers.

      In Ireland as well as the UK - and most other European countries - there is a version of the Consumer Credit Act. It treats all purchases on the card as, unsurprisingly, a type of credit agreement. This is a very powerful and pro-Consumer thing, providing lots of protection for any who cares to look into it, e.g. chargeback.

      True, a lot of these 'safeties' were introduced in an attempt to make the cards more secure - don't forget the premise of credit cards has been around for many, many decades and, during that time, the type of fraud perpetrated against credit card users has become more and more complex.

      It's also well documented that Germans (culturally/in general) have an aversion to credit cards for a number of reasons; from 'all credit is borrowing - and borrowing is bad' (note the low rate of borrowing in Germany) to a series of pre-existing methods of paying for goods and services easily at a distance (e.g. in Germany, there is the long standing inter-bank transfer system; very cheap and secure to use inside the borders of Germany but, until very recently, was astronomically expensive for anyone in another country to transfer money to).

      So why do I use a credit card? A large number of international traders accept credit cards, doesn't cost me any extra and I get points on my Sony card for every purchase I make. I am not liable for any fraud/misuse of my card. I suspect it's the same for Americans and most people who use credit card. Having the advantage of being European, I also have a lot of legally enforceable extra protections that I'm not sure Americans have in the Consumer Credit Act.

      I also do use bank transfers to pay for stuff. Usually only to Germany because Germany is one country where their banks are pretty secure. And only in recent years - because, thanks to an EU Directive, the astronomical cost of transferring money across borders to another member state of the Eurozone has plummeted (note: UK not member of Eurozone, so a UK consumer could still face high charges).

      I also have the protections of the Distance Selling Regulations when buying from Germany, but I would never transfer money via bank account outside of Europe.

      As for 'reloadable' cards, for me they are slightly more expensive and don't offer me any incentive or attractiveness to use, and are not universally accepted.

      Debit cards don't seem to be standardised internationally - or even across the EU - so are not really viable as a payment method.

      --
      Concrete analysis...
    3. Re:Can some American please explain to me... by Jason+Levine · · Score: 2, Informative

      In America, if your card is used fraudulently you are only liable (by Federal law) for the first $50 and even that is waived by all of the major credit card companies. Debit cards have no such protection enshrined in Federal law. Many banks have started to offer similar protections on their debit cards, but you would be dealing with bank policy as opposed to Federal law.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  12. It's Google's fault by Anonymous Coward · · Score: 3, Insightful

    And the Watergate was Washington Post's fault!

  13. known issue in Google by Arancaytar · · Score: 2, Insightful

    What the FUCK?

    There is a "defunct web site containing sensitive directories" that exposed secret information to the public for anyone to see, and now it's Google's fault that it cached that information?

    Newsflash: Security that relies on "nobody knows this URL" is NOT SECURITY.

  14. whirlpool discussion thread by fluch · · Score: 4, Funny

    ITNews links to a discussion thread at whirlpool.net.au which has been deleted because it is "handled by the authorities".

    And again it is a known issue of Google which reveals the deleted thread: http://209.85.229.132/search?q=cache:uf9L_DtjAzYJ:forums.whirlpool.net.au/forum-replies-archive.cfm/1165021.html+http://forums.whirlpool.net.au/forum-replies.cfm%3Ft%3D1165021&cd=1&hl=en&ct=clnk

    - Martin ;-)

  15. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  16. Re:PCI DSS by MadMidnightBomber · · Score: 3, Insightful

    Oops, you just killed a valid webpage:
    http://www.merriampark.com/anatomycc.htm

    *grumble* trigger-happy regexp jockeys *grumble*

    --
    "It doesn't cost enough, and it makes too much sense."
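
What a card-number filter of the kind argued about in comments 10 and 16 can and cannot decide, as an added example (not Slashdot's filter or anyone else's; the regex, the test-number allowlist and the function names are assumptions for illustration). It scans constructed text that includes the number lurcher posted: that number happens to pass the Luhn checksum and its 54 prefix falls in Mastercard's 51-55 range, so a checksum-based filter flags it exactly as it would a live card, while a published test number from documentation such as the page linked above is flagged just the same unless explicitly allowlisted.

```python
import re

# Deliberately broad candidate pattern (13 to 19 digits, optional single
# space or hyphen between digits), because that is how trigger-happy filters
# are written. The Luhn step is what separates noise from plausible PANs.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Published test numbers (hypothetical allowlist) that any public card
# documentation will contain; each passes Luhn.
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}

# Constructed sample text: the post above, a documentation line, an order
# reference and a phone number.
SAMPLE_TEXT = """\
No: 5434 6625 8876 1272
CVV: 854
Exp 09/12
The Visa test number 4111 1111 1111 1111 appears in every tutorial.
Order ref 1234 5678 9012 3456 is not a card at all.
Call 555-0100 if you have questions.
"""


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9         # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def brand_hint(digits: str) -> str:
    """Issuer guess from the leading digits only (coarse, for triage)."""
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if digits[:2] in {"34", "37"}:
        return "amex"
    return "unknown"


def scan(text: str) -> list:
    """Every candidate in document order, annotated with what the filter
    can actually establish about it."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        findings.append({
            "match": m.group(0),
            "digits": digits,
            "luhn": luhn_ok(digits),
            "known_test": digits in KNOWN_TEST_PANS,
            "brand": brand_hint(digits),
        })
    return findings


def plausible_pans(text: str) -> list:
    """Candidates that pass Luhn and are not published test numbers. Even
    these are only checksum-plausible: nothing here can tell a live card from
    a made-up one, which is the point lurcher makes above."""
    return [f["digits"] for f in scan(text) if f["luhn"] and not f["known_test"]]


if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f)
    print("plausible:", plausible_pans(SAMPLE_TEXT))
```

The practical consequence for a DLP or compliance scanner is that Luhn plus an issuer-range check gives a plausibility score, not a verdict: confirming that a flagged number belongs to a real, open account needs the issuer, which is why such scans are a trigger for investigation rather than proof of a compliance failure.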
  17. Problem with google? by Hecatonchires · · Score: 2, Insightful

    Isn't it more a problem with websites that allow a spider to read what should be a secure directory?

    --
    Yay me!

  18. CC #'s in Google Search Cache? by iceT · · Score: 2, Insightful

    Just out of curiosity, how was Google's Crawler allowed to FIND the information in the first place to put it in the cache?

    You don't suppose that maybe the problem is in the ORIGINAL server allowing too much access, do you?

    Google just "remembers" your mistake for a LONG time.

    --
    -- You can't idiot-proof anything, because they're always coming out with better idiots.