Slashdot Mirror
Credit Card Numbers Still Google-able
If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.
In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.
The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.
So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)
It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."
After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."
Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."
(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)
Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.
Thankfully, the first few digits of my credit card are the same as a rather important USPTO patent #, so all Google results link to that.
There are thousands of pages of fake credit card numbers, SSNs, etc. This is done intentionally to dilute the value, and some are probably honeypots. The numbers are bogus, expired, etc. that pass the checksum.
...and google replied "thank you"!
Google is not responsible for your CC info. Find the merchants and tell on them.
I don't see why this is Google's problem; if users' credit card numbers are visible to robot crawlers, then they are not being handled correctly by web sites to begin with.
I tried with the first 8 digits of 6 different cards and founds nothing but Australian phone numbers.
"using the simple trick of Googling the first 8 digits of your credit card number" What are the first 8 digits of your credit cart number?
The more incentive there is to build an alternative. I say, keep up the good work. Maybe I'll make my raspberry into a web crawler, since it's always running anyway.
“He’s not deformed, he’s just drunk!”
It seems that people are deliberately creating millions of fake identities and putting them online just to screw with the bulk data collectors.
Read the explanation on this page: http://xdduk.org/nino/BT889440D
foo mane padme hum
What use is a CC # without an expiration date or security code?
All my credit cards apparently have a unique 8-digit beginning.
If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)
Credit card companies could google all of the numbers for cards they have issued and take care of it themselves. Why would this be google's responsibility?
If you google around for the first 8 digits of your credit card number, you will undoubtedly come across this link:
In this link is a generated list of all possible combinations of Visa, MasterCard, American Express, etc... credit card numbers and PINs. Each group of card numbers is shown in a range... for instance 1234 4600 through 1234 4699....
If you click through the ranges until you find your card number, and PIN, and it will be in there, you will have given the website owner your credit card number and PIN!
To generate a list that long, you'd need a computer!
Google has a little-known search operator for finding numbers within a range. To find all numbers between two numbers, you Google the two numbers separated by two dots. For example, to find all numbers between 87600 and 89061, you'd Google "87600..89061" as shown below.
https://www.google.com/search?q=87600..89061
It used to be that you could simply Google a large range of possible credit card numbers using this operator and find tons of numbers. However, a few years ago, Google put a stop to this by forbidding number range searches involving large numbers.
For example: https://www.google.com/search?q=8760000000000..89061000000000
It's unfortunate and disappointing that Google crippled its search engine to solve the problem, as there are lots of legitimate reasons for searching number ranges involving large numbers.
One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results.
That right is reserved for mpaa to censor my subtitles to my video files and other important stuff like that.
The suggestion that Google should pounce upon any 16 digit numbers it finds that meet the single-digit checksum test is just ridiculous. Oh, and start with "all known 8 digit prefixes". Now, the first four identify the card type, so there's a natural limit there. But the next four are 10,000 possibilities.
We'd complain loudly if someone scanned the web looking for things that LOOK like they shouldn't be there and issue takedown notices. No, people here DO complain loudly when the "someone" matches ??AA and the target is digital media. But credit card companies should scan for their prefixes and issue take downs for anything that matches a possible credit card number?
I can see a wonderful jimmy to the system along the lines of anti-meth and other anti-this or that campaigns. Create "web pages" for Google to index that are pseudo-random number generators so Google or the credit card companies can find tons of "credit cards" to cancel. People who don't want you to find meth recipes through google already pollute the namespace so you can't do that; people who want to put a monkey wrench into the credit card system can do the same thing.
For those of you who don't want to have to RTFA, the steps below outline how to verify whether or not your credit card no. is Google-able:-
STEP 1: Navigate to google.com and focus on the Search text box.
STEP 2: Enter the first 8 digits of your credit card number. Remember to surround it with double quotes. Also, add a space after the first 4 digits
STEP 3: Press Enter
STEP 4: If you see more than one result, also include the last 8 digits of the card. Remember to use a space after every 4 digits.
STEP 5: Add another space, type EXP_DATE: where Date is the non-confidential date at the front of your card (usually labelled Valid thru)
STEP 6: Add another space, type CHKSM: where Num is the 3 digit checksum used to verify that the search engine's result is correct.
STEP 7: Press Enter
Example: "4956 6543 2789 6969" EXP_DATE: 2018/02/31 CHKSM: 911
STEP 8: If you still don't see any results, drop me an email along with the search query at: yours@truly.me I will make sure your problems (all of them) are resolved.
I am also working on a REST based web service for this.
One where the token has a keypad on it and requires a password to be entered in order to obtain an authorization number. That would authenticate the end-user and prevent spyware key loggers / password theft. Something all other methods are vulnerable to. Then to ensure the card holder has authorized the amount and not just the use of the card with a merchant the financial institution could ping the device via wifi/GSM. The user could then 'accept' or 'decline' the authorization based on the merchant name being shown. Then there is no question who the liable party should be. There could also still be limits on the transaction size (say $5,000-$10,000 USD +) or limits to the amount per day which can be charged. This should probably be a variable number that the customer acknowledges they are willing to accept liability on and should be 'in-person' authorized (at the bank when signing up for the card, with ID checked, etc). That way it's near impossible for card holders to deny purchases or for criminals to put a gun to anothers head in an effort to extort large sums of cash. The card holder would then be liable and at the same time there would be so little risk it didn't matter.
The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.
When I did this 'search test', Most of my hits were PDFs of credit card statements.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
It works. You won't find them on the first page of Google results. Jump to the eighth page of results or beyond. Just searched on my Chase card and found merchant sites displaying complete name, address and credit card information for their customers. Very nice...
Why should google censor/block information that is public knowlege? Credit card numbers (not the CVV/expire date) can be generated using public information e.g. using BIN database and the knowledge of the luhn algorithm.
The main reason credit card companies don't care that much is the same reason you probably wouldn't crawl under a car for a quarter that you dropped.
.05% to fraud and seriously, that's irrelevant. .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff.
The value ain't worth the time spent.
If you have to spend 1% of your time/money fighting fraud, well once the amount of fraud drops below that 1%, it isn't worth fighting fraud.
To you.
The problem is that a company might loose only
But to the
The incentives for the corporations are different from those for individuals. Imagine that.
There is a serious lack of Bennett Haselton hatred going on right now. Have we all forgotten so soon?
50 years ago, it was understandable that people were flinging account numbers back and forth because there wasn't much else feasible.
Now, probably 95% of transactions could easily be handled using a scheme where private key is used to sign transactions and the merchant is never ever privy to info that could be used multiple times.
If credit card companies did something to encourage point of sale equipment, internet merchants, and so on to work toward a scheme where private keys are kept private to the consumer rather than a loosely shared 'secret' scheme as it exists today...
XML is like violence. If it doesn't solve the problem, use more.
So that the search itself doesnt look like a SS search
I just tried all 16 digits of mine, plus the exirey date and name, and found nothing
Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.
Then you should revisit the idea - a more secure payment protocol was invented in 2009 and is now gaining popularity.
Unless the credit cards come together with some more data (name, ccv, expire date...) there is not such thing as a leakage, as those numbers can be randomly generated. Look at this: uppsss I just leaked this valid visa card number 4716105173066360, upsss now an Amex card 370279315276420. It makes no sense to report those, they will be found anyways. Credit card number + owner info is a totally different thing...
This site has a ton of them. It must be someone's excel file laying on a web server share or something.
Join the Slashcott! Feb 10 thru Feb 17!
Neither social security numbers nor credit card numbers are secrets. We give them out to innumerable people we don't know personally with easily spoofable signatures and all.
It's easy to make up a valid card # if you have the first 8 digits. Eg. "5424 1800" is always a Citibank gold card. Most statements print the last 4 numbers of a card.
Also interesting that some of the docs leaking card #s are from legal cases. http://www.leagle.com/decision/19941489843FSupp646_11406
Search engines should be content agnostic at the search results level. I'm tired of seeing copyright removal notices when i search for, um, linux iso torrents.
People post pictures of their credit and debit cards all the freakin' time.
https://twitter.com/NeedADebitCard
It doesn't mean much now, it's built for the future.
weev
1234 5678
That's amazing! I got the same combination on my luggage.
caches, not cashes... typo
I used the first 8 of my discover card (all DC start with 6011, FWIW, so there really were only 4 unique digits being searched) and found a couple of hits. One was from 2004 with a list of some students going to Korea for something, and someone put up a public web page with ALL their CC numbers.
Then I found another page somewhere with a big list of people apparently ordering take-out food three years ago. It was HTML without ".html" at the end, so it came up as a wall of tags. There was a credit card number, exp date in 2014, name, address, phone, AND CVN of someone in there. Holy identity theft, Batman! The CC, CVN, and address had been entered manually into a "notes" field. And someone made it public viewable by google bot. Good work, morons. And that was just five minutes of looking around.
Searching for Discover 6011, I also found an official test card number for Discover, and a check digit validator page.
But I still think googling for web cams in other countries was much more fun.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
If the po-po could take five minutes and stop spying on *everyone* they could use google searches to identify such breaches. They could contact the website owners about the CC leaks, which would actually be a public service. They could also partner with the CC companies to see if any of these cards were used in fraud. Any large scale use of exposed CC numbers could then be investigated with the support of the website owners and CC companies, potentially resulting in the apprehension of fraudsters.
Unfortunately, law enforcement is too busy spying on those who speak out against the status quo to do anything so breathtakingly rational. Sigh.
No, no, you're not thinking; you're just being logical. --Niels Bohr
I bought something in a Best Buy the other day, yes, a "brick and mortar" store, and they needed to type in my CVN to make the sale. (It used to just be typing in the last 4 digits from the front of the card to ensure it matched the mag stripe.) Okay, so they were a big chain, but imagine what an unscrupulous small fly-by-night place could do if they kept those around.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
I have spent the last six months trying to get google to de-index an identity theft website that is also full of stolen credit card numbers, and google ignores me pointedly.
Google seems to have no problem at all with a TOR/P2P 'darkweb' silk road type website with no real WHOIS publishing the social security numbers, DOB and contact information of thousands of American citizens plus a horde of other illegal material. Google search is publishing this material live, AND caching it.
I have exchanged over 400 emails with google support on this topic, and they _refuse_ to to anything to stop publishing this criminal activity and blatant identity theft.
For a while, they WERE de-indexing this site, and now they utterly ignore me, we are talking 6 weeks of my ticket being open now with no attention.
here is the google search to get to this foul, illegal black hat hacker/identity theft website:
https://www.google.com/search?q=%22doxbin+social+security+number%22&oq=%22doxbin+social+security+number%22&aqs=chrome..69i57.7974j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8
and here is the page itself reached from that search:
https://npieqpvpjhrmdchg.onion.to/doxviewer.php?dox=1194_Americans_SSNs
also
https://doxbinumfxfyytnh.onion.lu/doxviewer.php
and here is a sample of what is on that website:
(excised)
I am including the SSN's in this post because GOOGLE NEEDS TO PAY SOME ATTENTION TO THIS MATTER!
google has inhumanly, cruelly and illegally IGNORED hundreds of emails about this issue!
google is monstrous, evil and vile to deal with!
google aids and abets SERIOUS CRIMINAL ACTIVITY!
and google doesn't give a damn who is harmed by it!
Actually, Google has no responsibility for this. If you see illegal activities, contact law enforcement or go vigilante. Going vigilante is really the only scenario which might get some results, but contacting law enforcement will allow you to convince yourself that you're doing something without actually doing something, FTW!
No, no, you're not thinking; you're just being logical. --Niels Bohr
https://www.google.com/search?q="4029+4450"&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=fflb
To: webmaster
From: Google
To whom it may concern. There are raw unprotected credit card numbers that can be crawled on your site.
As a service to the public at large, we're notifying you that you are too fucking stupid to be running a business that requires anyone to trust you. Please consider shutting your site down before you ruin too many lives. Also, may we suggest a new career path in the fast food industry?
If they cache them, and it is viewable, they DO have a responsibility.
If they cache them, and it is viewable, they DO have a responsibility.
Actually, the US Safe Harbor regs say that's not true. Why don't you do a little research before exposing your ignorance to the world? The link I posted took me less than five seconds to find. Sheesh!
From the link:
No, no, you're not thinking; you're just being logical. --Niels Bohr
I have spent the last six months trying to get google to de-index an identity theft website that is also full of stolen credit card numbers, and google ignores me pointedly.
Google seems to have no problem at all with a TOR/P2P 'darkweb' silk road type website with no real WHOIS publishing the social security numbers, DOB and contact information of thousands of American citizens plus a horde of other illegal material. Google search is publishing this material live, AND caching it.
I have exchanged over 400 emails with google support on this topic, and they _refuse_ to to anything to stop publishing this criminal activity and blatant identity theft.
For a while, they WERE de-indexing this site, and now they utterly ignore me, we are talking 6 weeks of my ticket being open now with no attention.
here is the google search to get to this foul, illegal black hat hacker/identity theft website:
https://www.google.com/search?q=%22doxbin+social+security+number%22&oq=%22doxbin+social+security+number%22&aqs=chrome..69i57.7974j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8
and here is the page itself reached from that search:
https://npieqpvpjhrmdchg.onion.to/doxviewer.php?dox=1194_Americans_SSNs
also
https://doxbinumfxfyytnh.onion.lu/doxviewer.php
and here is a sample of what is on that website:
(excised)
I am including the SSN's in this post because GOOGLE NEEDS TO PAY SOME ATTENTION TO THIS MATTER!
google has inhumanly, cruelly and illegally IGNORED hundreds of emails about this issue!
google is monstrous, evil and vile to deal with!
google aids and abets SERIOUS CRIMINAL ACTIVITY!
and google doesn't give a damn who is harmed by it!
Actually, Google has no responsibility for this. If you see illegal activities, contact law enforcement or go vigilante. Going vigilante is really the only scenario which might get some results, but contacting law enforcement will allow you to convince yourself that you're doing something without actually doing something, FTW!
ok thx
They were a group in his sf universe who flooded the net with incorrect personal data so that nobody could ever get reliable dirt on someone else with a web search.
you stupid asshole, EXPLAIN THEN WHY GOOGLE HAS A REMOVAL PAGE SPECIFICALLY FOR SOCIAL SECURITY NUMBERS?
https://support.google.com/websearch/contact/government_number?hl=en
google has no legal right to publish an SSN, google is breaking the law by serving live and caching an SSN!
that link is not remotely relevant to this situation! especially then this identity theft website IS ON TOR AND HAS NO REAL WHOIS!
Or maybe Visa and MC are the ones who should do the search and clean up their fraud mess. Since they just pass along the cost of fraud in the form of fees and usurious interest rates they have little incentive to clean up. Sad but true a business could be run this way.
I just got a lot of porn!
President Barak Hussein Obama needs CASH.
How better than to harvest from the "credit card agencies" who pay copious sums of cash to him.
Yes. Pity Pity. Obama has a black hole: Michael (aka Michel) Obama and his two adopted children (dogs).
Well. Lets cut to the chase.
The peoples of the United States of America WILL pay for the lives of Michel and the aka Dogs for their
entire lives!
And that monthly payment will be on the order of (total, all combined) $1.2 million per month.
Fancy that.
Expect that Michel is DOING Gen. Keith Alexander in order to DO BO and get his ass out of the picture.
That would be good for America and bad for BO.
But alas. Who cares for BO?
Nobody!
QED
you stupid asshole, EXPLAIN THEN WHY GOOGLE HAS A REMOVAL PAGE SPECIFICALLY FOR SOCIAL SECURITY NUMBERS?
https://support.google.com/websearch/contact/government_number?hl=en
google has no legal right to publish an SSN, google is breaking the law by serving live and caching an SSN!
Read the law. If you don't like it, call your congressman an asshole. I had nothing to do with it. Have a nice day.
that link is not remotely relevant to this situation! especially then this identity theft website IS ON TOR AND HAS NO REAL WHOIS!
Granted, generally the Safe Harbor provision applies to copyrighted materials, but it seems to me that the same should apply to personal information as well. Then again, IANAL so I could be wrong. As to the status of WHOIS entries for a domain, why would that be relevant in any case? It's not even illegal to give false information for WHOIS although doing so would likely violate the registrar's TOS.
No, no, you're not thinking; you're just being logical. --Niels Bohr
do you even have a clue how TOR p2p darkweb sites work? they don't have a registrar, they don't have a real host, the whois only points to an onion router which only routes encrypted P2P content!
do you even have a clue how TOR p2p darkweb sites work? they don't have a registrar, they don't have a real host, the whois only points to an onion router which only routes encrypted P2P content!
So what? What does that have to do with Google's responsibility under the law? Nothing. I'm going to leave you now. Goodbye.
you know diddley shit about the laws in question, you are a fucking fool.
YOU haven't read the damn law, you are talking out of your arsehole!