Slashdot Mirror

← Back to Stories (view on slashdot.org)

Credit Card Numbers Still Google-able

Posted by Soulskill on from the information-is-not-good-at-judging-when-it-should-want-to-be-free dept.

Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

39 of 157 comments (clear)

  1. Thanks USPTO by rodrigoandrade · · Score: 5, Funny

    Thankfully, the first few digits of my credit card are the same as a rather important USPTO patent #, so all Google results link to that.

    1. Re:Thanks USPTO by Qzukk · · Score: 5, Funny

      Which patent number would that be? (Just out of curiosity of what you consider important patent numbers, of course :)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Thanks USPTO by nxcho · · Score: 4, Funny

      That's amazing. I've got the same combination on my luggage.

      --
      When asked why, the answer is almost always: "It's 2014".
  2. Many are Fake by Anonymous Coward · · Score: 5, Interesting

    There are thousands of pages of fake credit card numbers, SSNs, etc. This is done intentionally to dilute the value, and some are probably honeypots. The numbers are bogus, expired, etc. that pass the checksum.

    1. Re:Many are Fake by game+kid · · Score: 4, Insightful

      Any prospective user of them should assume the Slashdot poll disclaimer: "If you're using these numbers to do anything important, you're insane."

      --
      You can hold down the "B" button for continuous firing.
    2. Re:Many are Fake by ArbitraryName · · Score: 2

      As the OP specifically said, the numbers all pass the checksum. The checksum just tells you if it is a potentially valid number. It doesn't tell you if its expired, cancelled or even leaked deliberately as a honeypot. It's a very basic check that is only there to catch errors in card readers or transcription/typing.

    3. Re:Many are Fake by Anonymous Coward · · Score: 4, Interesting

      It's called a Luhn check, and it's so dirt simple, you can do it in your head if you passed 4th grade math.

      1) Reverse the number (this is not actually necessary, but it's part of the "official" algorithm).
      2) Now, treating the number as an array of digits, take the even-indexed digits and double their values. Don't worry if they overflow to double digits yet. (If you skipped step 1, you'd simply do this operation to the odd-indexed digits.)
      3) Add any double-digit values' digits together (e.g. 12 -> 1+2 = 3) and use these in place of the double-digit values in the array.
      4) Sum the contents of the array.
      5) Sum of the array, modulo 10. If this is 0, it's a valid CC number.

      The easiest way to remember a test card is to remember Visa 4111 1111 1111 1111. All Visa cards start with 4, fill the rest of the digits with 1. When you apply the Luhn check:
      1) 1111 1111 1111 1114
      2) 1212 1212 1212 1218
      3) 1212 1212 1212 1218
      4) 30
      5) 30 % 10 = 0, pass.

      Any competent programmer should be able to reverse this process to generate numbers that pass this test. In fact, a reasonably good program could probably generate all valid Luhn-able numbers in a few seconds, and store them in whatever format you wanted. Like pushing them out to a Google docs spreadsheet that's open to the world. Then, everyone's credit card is "compromised", while no one's credit card is actually compromised. Now the "bad guys" have to come up with a noise filter on their searches.

  3. I typed my entire Visa number... by Anonymous Coward · · Score: 5, Funny

    ...and google replied "thank you"!

    1. Re:I typed my entire Visa number... by H0p313ss · · Score: 3, Funny

      The bastards, they could have at least given him a Nexus.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
  4. So what by hannson · · Score: 5, Insightful

    Google is not responsible for your CC info. Find the merchants and tell on them.

    1. Re:So what by Joining+Yet+Again · · Score: 2

      So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?

      Hmm, if only there were a way of compartmentalising my activities... some sort of limited.. liability.. thing... I could make a mint out of this!

    2. Re:So what by amicusNYCL · · Score: 5, Interesting

      What merchants? Searching for the first 8 digits of a Wells Fargo Mastercard brings up an Excel file with several worksheets in it, including one that lists a bunch of websites and login information (including bank websites). It's on a user's FTP share at their job. So someone decided to put their important file there and they have no clue it's publicly available.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  5. Nothing for me... by yakatz · · Score: 4, Interesting

    I tried with the first 8 digits of 6 different cards and founds nothing but Australian phone numbers.

    1. Re:Nothing for me... by Anonymous Coward · · Score: 5, Interesting

      I tried this with the first eight digits that I got out of a credit card generator (I'm not going to type in my own). The second result as a Word document that contained a full credit card number, expiration date, security code, and name. The .doc was hosted on a website (csonet.org) that claims to be part of the United Nations. So, I did the usual whois lookup and it started looking fishy, like a honeypot: registered to a company that sounded like a front company ("anywhere design" and "computeragent.net"), and really, why would someone post on the web a Word document with exactly the information you need to make a fraudulent transaction? And isn't the UN a bit more competent?

      Then I visited the UN's web page and, son of a bitch, csonet.org is plastered everywhere on the actual UN site: it' s apparently how you apply to get money out of the UN. See http://www.un.org/womenwatch/daw/csw/NGO.html for an example. Holy fucking diplomatards, BanKiman! If they're posting credit card info with full validation information online there, what's the rest of their security awareness like? No fucking wonder the UN is a playground for the NSA, CIA, KGB, GCHQ, and everyone with unjustifiable budgets that match only their unjustifiable egos.

    2. Re:Nothing for me... by YoungManKlaus · · Score: 2

      link or it did not happen ;)

    3. Re:Nothing for me... by Anonymous Coward · · Score: 2, Interesting

      It's their database manager/web monkey, a Swede named Ola Göransson. He's apparently been using the NGO Committee directory for his personal files. His name is on the whois registration and on the Word document (I'll leave it to the reader to figure out how to google for "credit card" info on the site csonet.org).

      Here's his resume, along with a dolichocephalic, tired-eyed photo: http://csonet.org/ngocommittee/content/documents/app_form_4913.pdf. His skills include PHP, ASP, and doxing himself, with full credit card info, like an international boss on a United Nations server.

  6. I tried this and found an interesting page by bigHairyDog · · Score: 4, Interesting

    It seems that people are deliberately creating millions of fake identities and putting them online just to screw with the bulk data collectors.

    Read the explanation on this page: http://xdduk.org/nino/BT889440D

    --

    foo mane padme hum

    1. Re:I tried this and found an interesting page by Joining+Yet+Again · · Score: 4, Funny

      Anyway, if there's one thing I've learnt from giving my name as Sir Handjob Sausage-thief, it's that nothing seems to check your name. Gives the postman a laugh, too.

  7. If it's don't work. Try this by indybob · · Score: 5, Funny

    If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)

    1. Re:If it's don't work. Try this by NotSanguine · · Score: 2

      If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)

      Public service at its best! Thank you for supporting our civil society, Bob!

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    2. Re:If it's don't work. Try this by viperidaenz · · Score: 3, Funny

      4777 6632

  8. another solution by a2wflc · · Score: 3, Insightful

    Credit card companies could google all of the numbers for cards they have issued and take care of it themselves. Why would this be google's responsibility?

  9. Don't drill down through the CC number lists! by Anonymous Coward · · Score: 2, Informative

    If you google around for the first 8 digits of your credit card number, you will undoubtedly come across this link:

    In this link is a generated list of all possible combinations of Visa, MasterCard, American Express, etc... credit card numbers and PINs. Each group of card numbers is shown in a range... for instance 1234 4600 through 1234 4699....

    If you click through the ranges until you find your card number, and PIN, and it will be in there, you will have given the website owner your credit card number and PIN!

  10. It Used to Be Even Easier by Anonymous Coward · · Score: 4, Interesting

    Google has a little-known search operator for finding numbers within a range. To find all numbers between two numbers, you Google the two numbers separated by two dots. For example, to find all numbers between 87600 and 89061, you'd Google "87600..89061" as shown below.

    https://www.google.com/search?q=87600..89061

    It used to be that you could simply Google a large range of possible credit card numbers using this operator and find tons of numbers. However, a few years ago, Google put a stop to this by forbidding number range searches involving large numbers.

    For example: https://www.google.com/search?q=8760000000000..89061000000000

    It's unfortunate and disappointing that Google crippled its search engine to solve the problem, as there are lots of legitimate reasons for searching number ranges involving large numbers.

  11. reserved for the media industry by Revek · · Score: 3, Insightful

    One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results.

    That right is reserved for mpaa to censor my subtitles to my video files and other important stuff like that.

  12. Summay of the summary by Obfuscant · · Score: 4, Insightful
    Eleven words: "People put shit on the web. Google lets you find it."

    The suggestion that Google should pounce upon any 16 digit numbers it finds that meet the single-digit checksum test is just ridiculous. Oh, and start with "all known 8 digit prefixes". Now, the first four identify the card type, so there's a natural limit there. But the next four are 10,000 possibilities.

    We'd complain loudly if someone scanned the web looking for things that LOOK like they shouldn't be there and issue takedown notices. No, people here DO complain loudly when the "someone" matches ??AA and the target is digital media. But credit card companies should scan for their prefixes and issue take downs for anything that matches a possible credit card number?

    I can see a wonderful jimmy to the system along the lines of anti-meth and other anti-this or that campaigns. Create "web pages" for Google to index that are pseudo-random number generators so Google or the credit card companies can find tons of "credit cards" to cancel. People who don't want you to find meth recipes through google already pollute the namespace so you can't do that; people who want to put a monkey wrench into the credit card system can do the same thing.

    1. Re:Summay of the summary by houghi · · Score: 2

      all known 8 digit prefixes

      From http://en.wikipedia.org/wiki/Bank_card_number
      An ISO/IEC 7812 card number is most commonly 16 digits in length,[1] and consists of:
      - a six-digit Issuer Identification Number (IIN) (previously called the "Bank Identification Number" (BIN)) the first digit of which is the Major Industry Identifier (MII),
      - a variable length (up to 12 digits) individual account identifier,
      - a single check digit calculated using the Luhn algorithm

      So the first 6 numbers are known. Adding two digits to those known numbers should be not that hard.

      The problem is that it is still legal to keep the card number on file. In Belgium it isn't for the merchant. When I worked in retail, there was no way that we could keep the number for a repeat sale. We had the first four and the last 4 together with a bit of other data (transaction number) to handle fraud (from real thieves and from people pretending they did not make the buy), but never the whole number.

      That was the law.

      The real problem for the USofA concerning fraud is swiping instead of pin coding. The rest of the word already does it with a chip and a pincode and it works. Reduces fraud significantly (No, it does not take it away completely)

      --
      Don't fight for your country, if your country does not fight for you.
  13. I reported a similar issue to BofA in 2008 by Havokmon · · Score: 2
    Completely against PCI Compliance, they were using your 'account number' (full card number) as your identifier when downloading your statement in PDF form. So their web server logs would have been chock full of credit card numbers in clear text. Doh!

    The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.

    When I did this 'search test', Most of my hits were PDFs of credit card statements.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
  14. Re:I'd love to give it a try by paiute · · Score: 2

    I have had the same Amex, Visa and MC credit card numbers since around 1999. I have not once received a fraudulent charge. Where am I going right?

    Herd immunity.

    --
    If Slashdot were chemistry it would look like this:Cadaverine
  15. Different incentives by minstrelmike · · Score: 5, Interesting

    The main reason credit card companies don't care that much is the same reason you probably wouldn't crawl under a car for a quarter that you dropped.
    The value ain't worth the time spent.

    If you have to spend 1% of your time/money fighting fraud, well once the amount of fraud drops below that 1%, it isn't worth fighting fraud.
    To you.
    The problem is that a company might loose only .05% to fraud and seriously, that's irrelevant.
    But to the .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff.
    The incentives for the corporations are different from those for individuals. Imagine that.

    1. Re:Different incentives by minstrelmike · · Score: 2

      Identity theft _is_ different from standard credit card theft which is why I specifically mentioned it instead of just inferring it is all one big steaming pile of electronic theft--the way most citizens/voters and therefore congresscritters 'think.'
      Apparently, that's not obvious enough here on /.

  16. Re:Whats the point by lgw · · Score: 4, Informative

    Trying all the reasonable expiration dates will quickly get a card locked down for fraud. It's reliable DOS attack.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  17. Re:Didn't work for me. by tlhIngan · · Score: 3, Informative

    All my credit cards apparently have a unique 8-digit beginning.

    The first six digits of a card number identify the type of card and the issuing financial institution. The next 9 are the actual number and the last is a check digit via Luhn's method.

    There are 100 different numbers once you identified the first 6 (Wikipedia has a nice list). That will get you the first 8 digits quite easily.

    And yes, it seems to be a standard format, like Visa begins with 4, MC with 5, and Amex with 6, then the next 5 digits uniquely identify a financial institution that issued that card.

  18. Re:Comment Subject: by pspahn · · Score: 4, Interesting

    A bit of anecdote from a client's site I used to work on...

    Client was complaining of some random issue and I went to take a look. Right away I was prevented from doing so because he changed his FTP/SSH permissions and I wasn't able to access the files.

    I decided to poke around the front-end to try and find clues while I waited for him to respond with a fresh set of credentials. Eventually, I came across a server log that was mistakenly made available to the public at large (though you would have to know the URL to find it). Inside the log file were hundreds... probably thousands of records of customer information, including last four digits of their CC used for payment (if they had one).

    I immediately got back to him about to tell him this information was available on his site to anyone and said that I could fix the permissions once he allowed me access. Unfortunately, he never did get back to me and it was a short time afterward that I was fired from that job (thank god).

    I didn't develop his site, but I do know the person who did, and he happens to be a director at the company. Out of curiosity, I just checked, and the information is still openly available on his site, and it's been like 8 months. Now, though, there seem to be some additional logs of juicyness. 'authorize_net.log', 'google_checkout.log'....

    To top all this off, he used to (not sure if he's come around by now by I doubt it) store customer's CC info in the store database. Before he started using this, I warned him that it was not a good idea, but he said it was the best way. There can be no way his site is PCI complaint, so in all likelihood an audit would completely put him out of business.

    --
    Someone flopped a steamer in the gene pool.
  19. Skroob here by Sperbels · · Score: 3, Funny

    1234 5678

    That's amazing! I got the same combination on my luggage.

  20. What a "discover"y by Megane · · Score: 2

    I used the first 8 of my discover card (all DC start with 6011, FWIW, so there really were only 4 unique digits being searched) and found a couple of hits. One was from 2004 with a list of some students going to Korea for something, and someone put up a public web page with ALL their CC numbers.

    Then I found another page somewhere with a big list of people apparently ordering take-out food three years ago. It was HTML without ".html" at the end, so it came up as a wall of tags. There was a credit card number, exp date in 2014, name, address, phone, AND CVN of someone in there. Holy identity theft, Batman! The CC, CVN, and address had been entered manually into a "notes" field. And someone made it public viewable by google bot. Good work, morons. And that was just five minutes of looking around.

    Searching for Discover 6011, I also found an official test card number for Discover, and a check digit validator page.

    But I still think googling for web cams in other countries was much more fun.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  21. Re:Whats the point by Buzer · · Score: 2

    This small time player called Amazon doesn't ask for them.

  22. Re:Didn't work for me. by Rukia · · Score: 2

    6 is for discover cards. link: http://money.howstuffworks.com/personal-finance/debt-management/credit-card1.htm

  23. Re:google cashes SSNs, CC#s google will not remov by NotSanguine · · Score: 2

    If they cache them, and it is viewable, they DO have a responsibility.

    Actually, the US Safe Harbor regs say that's not true. Why don't you do a little research before exposing your ignorance to the world? The link I posted took me less than five seconds to find. Sheesh!

    From the link:

    Subsection (b), service provider caching, exempts service providers’ making local copies of Web pages so that the pages don’t have to be fetched repeatedly over the Internet. Instead the cached copy is sent to their users. Service providers must honor any cache control requests provided by the communications protocol being used so that pages are not cached longer than desired by their creators, must not prevent the returning of information to the page creator about page usage, must honor password or other access controls, and must remove allegedly-infringing material if the material has been removed from its originating site. [Emphasis added]

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr