Slashdot Mirror


Blippy Exposes Credit Card Numbers Through Simple Google Search

An anonymous reader writes "In an unfortunate data breach, social media site Blippy has left credit card numbers in clear text, searchable via a simple Google query. The results show the amount spent on a transaction, the location, and the full card number. As of this submission, the issue still hasn't been resolved." The company's co-founder, Philip Kaplan, told the NY Times, "... when people link their credit cards to Blippy, merchants pass along their raw transaction data – including some credit card numbers – and the site scrubs that information to present just the merchant and the dollar amount spent. But several months ago, when Blippy was being publicly tested, that raw transaction data was present in the site's HTML code, where it was retrieved by Google. Mr. Kaplan said that early on, Blippy started disguising the raw transaction data behind the scenes, but it did not know about the breach until today."

30 of 95 comments

  1. Looks bad... for 4 people by alain94040 · · Score: 5, Informative

    As of this submission, the issue still hasn't been resolved

    Not true. If I read the explanation carefully, what really happened is that some credit card companies sometimes add the CC number to the description of the purchased item. Bad! Which also means that on your printed statement for instance, your full CC number will appear. During beta testing of Blippy, they were not aware of that "feature", so they let through the full CC number of 4 beta testers. Once they figured it out, they easily added a filter.

    If you were a beta tester for a service like Blippy, you can't be too shocked that this might happen. A better discussion would be what is Blippy really good for? I can see why I might like to browse other people's purchases once in a while, but why would I want to broadcast mine?

    --
    better than an internship in a startup: become a founder!

    1. Re:Looks bad... for 4 people by boneclinkz · · Score: 3, Funny

      *browses to google, searches for full credit card number* No results. Whew!

    2. Re:Looks bad... for 4 people by Anonymous Coward · · Score: 5, Funny

      Offtopic, I know, but do any of you know of any sites better than slashdot? Or does (mostly) intelligent discussion just not exist on the internet..

      You might try here

    3. Re:Looks bad... for 4 people by blair1q · · Score: 3, Interesting

      Which CC companies do this, so we can avoid them and let them rot?

    4. Re:Looks bad... for 4 people by FrankSchwab · · Score: 4, Insightful

      So Google, who probably knows your name, your IP address, your Email address, all of your friends and family, all of the search terms you've ever used under any alias, and by pwning your wireless at home knows your street address and your MAC address, now knows your credit card number.

      Funny, perhaps, but in a bit of a horrifying way.

      --
      And the worms ate into his brain.
    5. Re:Looks bad... for 4 people by maxume · · Score: 3, Funny

      Google Checkout seems to have a few users...

      --
      Nerd rage is the funniest rage.
    6. Re:Looks bad... for 4 people by natehoy · · Score: 2, Informative

      There are two pieces of good news here.

      1) Credit card companies only do this for "disposable" credit card numbers, which are usually only used for one transaction. No credit card company I've ever done business with puts the full CC# of your master account on every line of your statement,

      2) The REALLY good news is that such numbers only appear on your credit card statement,

      So this information is relatively harmless, since most credit cards revealed this way would be invalid by the time they were revealed. Plus, of paramount importance here, the only way this information could possibly get out is if you gave your credit card account username and password to some strange website or something so they could see your credit card statement. And no one would be dumb enough to do that, right? I mean, that's insanity, giving out the username and password to your credit card accounts. Right? ummm, right?

      Number of beta users: More than 5,000

      Source: http://www.netbanker.com/2010/01/blippy_demonstrates_the_power_of_real-time_streaming_of_financial_transaction_data.html

      Oh. Never mind. Some people are that stupid.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    7. Re:Looks bad... for 4 people by rliden · · Score: 2, Funny

      -- Off Topic --

      Uh oh, I replied in the same topic (posted just above) as the person I stole the sig from. I didn't see your post until I had hit the submit button. That has to be like crossing the streams.

      --
      Don't think of it as a flame, more like an argument that does 3d6 fire damage.
    8. Re:Looks bad... for 4 people by SnEptUne · · Score: 2, Insightful

      Wow, I didn't realize 4chan has a tech section. Thanks.

  2. Already Resolved, people should think next time... by ProdigyPuNk · · Score: 2, Insightful

    This issue seems to be resolved already. Maybe this incident was a Good Think (TM). People need to be aware that what they put on social media sites can come back to bite them. Most people shouldn't be putting near the amount of information on the sites as they already do, without even mentioning credit card numbers and recent purchases. If it takes a few people's credit history to make the point to a wider audience, maybe this sort of thing should happen more often...

  3. Nothing to hide by Sir+Holo · · Score: 5, Funny

    If you have nothing to hide, then why not?

    /sarcasm (see NYT article)

  4. Don't test with customer data by mwvdlee · · Score: 2, Insightful

    Every idiot knows this; you don't test with customer private data.
    You may randomize/one-way-scramble the real data to anonymize it, but you never, ever use the actual data for tests.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. In even more shocking news... by Anonymous Coward · · Score: 2, Interesting

    Blippy exposed as existing.

  6. Are these guys f-cked? by Anonymous Coward · · Score: 3, Funny

    I wonder if this company is F-cked. If there was only a web site that would tell me that...

    1. Re:Are these guys f-cked? by jonbryce · · Score: 4, Informative

      And for those who don't get the joke, Philip Kaplan, the founder of this site, previously had a site called fuckedcompany.com which charted the demise of dot.com and other companies following the collapse of the internet bubble at the beginning of the century. A f*ckup of this proportion would have probably earned about 60 points out of a total of 100. You get 100 points for bankruptcy proceedings.

  7. Why would I WANT this? by nweaver · · Score: 4, Insightful

    Who cares about revealing credit card numbers. The bigger question is, why would I want to deal with a business or "social media" site which snitches all my transactions from the businesses, and (I'm presuming) somehow makes them public?

    And WTF are the businesses giving the full credit card number to the social media site at all? That just seems, umm, stupid?

    --
    Test your net with Netalyzr
    1. Re:Why would I WANT this? by natehoy · · Score: 4, Insightful

      Some people are just exhibitionists. "Oooh! Look at me! I just bought a new XYZ phone!" and having that information fed to a social media site automatically means they have more time to, you know, buy more crap.

      As far as the credit card information, it all depends on who is feeding it. According to several articles on the subject, users give Blippy access to their credit card accounts (as in, access to log in to their credit card web site), and Blippy extracts the data it wants from your actual credit card transactions. If you use "temporary" credit card numbers like I do, then quite often the transaction will show up as (for example) "AMAZON.COM CARD#9999-9999-9999-9999". If Blippy is actually getting that data, then it's your credit card company that's revealing the data, not Blippy. If you signed up with Amazon, then you'll probably just get a list of items and it's unlikely a credit card will show through.

      So, the actual credit cards revealed were probably "disposable" numbers that were likely useless by the time they were revealed. However, that does lead to a different point. Who in the hell is giving Blippy their logins for their credit card accounts, or their merchant accounts? I mean, c'mon, really, we're well into April, it's nowhere near the first. Is this some form of sick stupid joke?

      Of course, if one were to, say, GIVE THEIR GODDAMNED CREDIT CARD OR MERCHANT LOGIN INFORMATION TO A GODDAMNED BUNCH OF STRANGERS, then their concept of "security" differs too greatly from mine for us to have a coherent conversation on the matter.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:Why would I WANT this? by maken · · Score: 2, Insightful

      If you don't give your CC# "TO A GODDAMNED BUNCH OF STRANGERS" then how do you buy anything?

    3. Re:Why would I WANT this? by rudy_wayne · · Score: 2, Interesting

      Somebody had the bright idea that people would want every purchase they ever made available to their friends. Like you, I consider this idea demented, though it wouldn't surprise me if there were a lot of people who would find it kind of cool.

      The idea behind Blippy, as best as I can figure, is that your friends can see all the cool stuff you buy and then leave comments telling you how cool you are. However, if you look at Blippy, what you actually see is an endless list of Taco Bell, Wendys, Exxon, Trader Joes and other mundane purchases. The truth is, the average person doesn't buy a lot of cool stuff.

      What is more amazing than the existence of Blippy, is the fact that Blippy has obtained more than $12 million in VC money, despite the fact that they currently have no way of generating any revenue. It's almost like the dotcom bust of 10 years ago never happened.

  8. If you use any of those "Disposable" card # by ub3r+n3u7r4l1st · · Score: 2, Informative

    Most banks offer single-use or single-merchant "virtual" card numbers, which allow for only single use or for use within the same merchant. In the statement, it will show the name of the merchant, along with which "virtual" card number you used.

    Even if you picked up one of these numbers, there is no use.

  9. Virtual Credit Card Numbers by hedley · · Score: 2, Informative

    Use them. Don't *ever* use a 2yr+ plastic #!

    Citibank has this feature, other cards must nowadays also.

    1. Re:Virtual Credit Card Numbers by NerdyLove · · Score: 2, Informative

      Anybody with a paypal account can do this as well. It is in the Paypal Toolbar section, but you don't actually need the toolbar to be installed to generate them.

  10. Re:Clearly Google is to blame! by natehoy · · Score: 2, Funny

    Well, duh! He's right there when I got the news! What in the hell would you expect me to do? Go out and find who actually did it and shoot THEM?

    Geez, if I had that kind of patience I'd probably lose my American citizenship. Plus then I probably wouldn't be allowed to have a gun so I could shoot someone.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  11. Philip Kaplan? by rekoil · · Score: 2, Informative

    The same Philip Kaplan that ran F*ckedcompany.com?

  12. Re:Clearly Google is to blame! by WrongSizeGlass · · Score: 2, Funny

    Normal logic? You mean "shoot the messenger"?

    Google doesn't have a "messenger", that's MS & Yahoo you're thinking of. You must mean "shoot the search engine" ;-)

  13. Blippy and social media by wsuschmitt · · Score: 2, Interesting

    Users of Blippy want people to know about what they are buying... one more step towards having your entire life open to the world.

    This brings up a point that needs to be looked into a bit further as our personal information becomes digitized: at what point do you just let go of trying to hide personal numbers (such as credit card and social security) and make them as public as possible and force the system to make sure that YOUR numbers are really your numbers? Honestly, if the banking systems that we use for credit transactions notified me EVERY TIME that my SS# went through their systems, then I would know when it is being used and wouldn't worry so much about someone "stealing" my identity. It's a 9 digit number that will NEVER be reissued as long as I live; credit card numbers are 16 digits long and are 'throw-away'. As soon as the systems are in place that link me directly to my SS, I won't be worrying about trying to hide these numbers.

    I'll be worrying about Big Brother watching my every move...

  14. That's the nature of the internet by HalAtWork · · Score: 2, Insightful

    It just goes to show that if you put information somewhere online, anywhere, it's as good as writing it on bits of confetti and throwing it to the wind. Some will land in mud or in the grass, bushes and trees and be obscured, others may land in the garbage and be ignored or thrown out, but if anyone wants to look hard enough, they'll be able to find it, and some may even come across it without any pretense or forethought. Computers can help people, especially by aggregating large amounts of data, and the more data you put in, the greater the benefit can be to streamlining things for you and helping you discover the best opportunities. But that can also be turned against them since the data is somehow somewhere available.

  15. Blippy article on NY Times by yuna49 · · Score: 4, Informative

    Coincidentally, the Times is running a story today about this new generation of "social" media sites like Blippy. Not only does Blippy want to compile a list of your purchases, they'd like to read your e-mail, too, if you don't mind. From the article:

    The spirit of sharing has already run into some roadblocks. Amazon.com was so wary of the security ramifications of Blippy's idea of letting consumers post everything they bought that, for several months, it blocked the site from allowing people to publish their Amazon purchases.

    In March, Blippy sidestepped Amazon by asking its customers for access to their Gmail accounts, and then took the purchase data from the receipts Amazon had e-mailed them. Blippy says thousands of its users have supplied the keys to their e-mail accounts; Amazon declined to comment.

    Sigh....

    1. Re:Blippy article on NY Times by TooMuchToDo · · Score: 3, Insightful

      You can't fix stupid. +1 to Amazon for trying though.

  16. Why doesn't Google apply a global filter for CC#s? by Xoc-S · · Score: 2, Interesting

    All CC numbers have a particular pattern, and there is even a check digit. Why doesn't Google provide a global filter in their search index so that any keyword that matches a credit card number is not indexed? And pages with CC numbers not cached, or blanked in the cache?

    Sites such as bulletin boards frequently get somebody being stupid and posting their credit card number. The mods fix it, but the Google spider gets there first.