Searching For Trouble With Google 506
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999' and other 'risky data' from careless users, such as QUICKEN files etc."
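A pre-publication check for the kind of exposure the article describes, added here as an example and not part of the article or the thread: it finds 13-16 digit runs in text, keeps only those that pass the Luhn mod-10 check (which filters most random digit runs), labels them by the prefixes used in the thread's searches, and masks them before the page is served. The sample page and its numbers are constructed (public test numbers and the thread's own range endpoint), not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample of a page someone might publish; the numbers are
# public test numbers or the thread's range endpoint, not real accounts.
SAMPLE_PAGE = """Order log (constructed sample):
customer A paid with Visa 4111 1111 1111 1111 exp 12/06
customer B paid with Mastercard 5500000000000004
range start quoted in the article: 4366000000000000
not a card, fails Luhn: 4366000000000001
phone 555-0100-1234 is too short to be a candidate
"""

# 13-16 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer(digits: str) -> str:
    """Prefix labels as used by the searches quoted in the thread."""
    if digits.startswith("4"):
        return "Visa"
    if digits.startswith("5"):
        return "Mastercard"
    return "Unknown"

def _mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]

def find_exposed_cards(text: str) -> List[Tuple[str, str]]:
    """Return (issuer, masked number) for every Luhn-valid candidate in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append((issuer(digits), _mask(digits)))
    return found

def redact(text: str) -> str:
    """Replace each Luhn-valid candidate with its masked form before publishing."""
    def sub(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return _mask(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(sub, text)

if __name__ == "__main__":
    for iss, masked in find_exposed_cards(SAMPLE_PAGE):
        print(iss, masked)
```

Running the scan over a web root (or over outbound support mail, which the thread names as one leak path) catches the careless case the article is about; it does not help once the numbers are already in a search engine's cache.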
this was on cryptome (Score:5, Informative)
Check it out [securityfocus.com] and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here. [ihackstuff.com]
Apparently this was even a DEFCON speech subject.
I blame the Google Toolbar for a lot of this (Score:5, Informative)
This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.
Re:I blame the Google Toolbar for a lot of this (Score:5, Informative)
Nasty? Yes.
But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.
And it's not that hard (on Apache servers) to make an appropriate
Same for SSNs (Score:4, Informative)
I just can't figure out why people would be victim to identity theft.
Re:Liability (Score:1, Informative)
This does make it easier for me to search for MY credit card. I would never put my own in the search engine bar as the search would be cached in someone's computer. Now, I just put the range in to see if I am on some Russian mafia's list...
Re:I blame the Google Toolbar for a lot of this (Score:5, Informative)
If you want to share something without google indexing it, there are many strategies you can use, all outlined [google.com] on google.com itself.
Google does not index anything you have not allowed it to.
The problem is people putting private information in a public forum, not someone indexing that private information.
Re:this was on cryptome (Score:3, Informative)
Another good site is searchlores.org [searchlores.org]
It doesn't limit itself only to Google.
Re:What I'm more surprised by (Score:5, Informative)
of google check this [google.com]
try this (Score:5, Informative)
or
pi=
or
define: hubris
google's got neat tricks [google.com]
Re: additionally (Score:2, Informative)
Guess what - someone who isn't a /. reader is:
Probably the ones most vulnerable to Google mining (for lack of a better term)
The ones least likely to know what a robots.txt is, what it does, and how to utilize it to prevent stuff like this.
Re:I blame the Google Toolbar for a lot of this (Score:1, Informative)
Sure, the page is still there and accessible, but there's a difference between groping for it in the dark and having Google spotlight it.
This could be good (Score:2, Informative)
With this search in google:
Mastercard 5000000000000000..5999999999999999
I found this russian site that published American credit card information with expiration dates, names and addresses:
http://kupi-cc.0golf.com/halyva.htm [0golf.com]
Scary stuff. I would prefer Google to find this information so that I can type in a simple query and see where my information is being wrongly published, rather than not knowing at all.
what an attitude (Score:2, Informative)
Besides, who would ever take the time to post one's own credit card numbers on the net? It's dumb to assume someone did that by themselves, frankly. I can only imagine someone's card might have gotten lost and the number got into those illegal forums, or someone put the number in an email to a CS representative and the email got put into a FAQ, or scenarios like that.
Suppositions (Score:4, Informative)
Unless this person can cite a real case, then all he did was show us test files (as he claims he has seen).
Re:Trouble (Score:1, Informative)
NOT WORK SAFE!
NOT WORK SAFE!
Gah! And here I thought I wouldn't be so stupid as to not realize what kind of link that would be.
(pounds head on desk repeatedly)
(no one notices since it's part of my job requirement)
AVS (Score:3, Informative)
As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.
With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
Re:DoH! (Score:3, Informative)
In that case you won't find it even if it was there. Google uses exact matches, so 1234 won't match 123456789.
Re:Nothing wrong with this... (Score:5, Informative)
No, what is happening in the UK today [chipandpin.co.uk] is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.
Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.
It does not address "cardholder not present" fraud.
Re:Nothing wrong with this... (Score:5, Informative)
You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.
Re:A couple more fun examples: (Score:4, Informative)
Ah, perfected :)
"index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml
It works quite well :) [google.com]
Re:Nothing wrong with this... (Score:4, Informative)
A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity [inlandrevenue.gov.uk] despite being asked for on some forms.
"information is now potentially in the hands of someone unscrupulous."
More unscrupulous than the Home Office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date; specifically, it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be red-flagged if there are tax inputs using it.
"If anything untoward were to happen, I have virtually no recourse"
See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.
"it's impossible to get a new NI number:"
It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.
Re:Nothing wrong with this... (Score:3, Informative)
Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.
Amex has a Card Identification (CID) which is a four digit number that appears on the front of the card.
It annoys me when I see online forms providing options of Visa, Mastercard, and Amex, and then ask exclusively for the CVV2. Almost as much as the sites that insist I tell them what city I live in, ignoring the 50-odd percent of people who don't live in one.
The term Card Security Code (CSC) is used as a catch-all label, and it's what I use when building shop sites.
Re:One-time numbers are key (Score:5, Informative)
Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments [americanexpress.com], and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.
I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere. Now that Private Payments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.
But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.
The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.
And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.
There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).
How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.
Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
Unique/one-time use credit card numbers (Score:2, Informative)
Citibank has Virtual Account Numbers [citibank.com]
Discover has Discover Deskshop [discovercard.com]
even American Express... [com.com]
This is *nothing* new
Yahoo! has even more neat tricks... (Score:3, Informative)
* Airport Information
* Airline Registration Information
* Area Codes
* Calculator
* Dictionary Definitions
* Encyclopedia Lookup
* Exchange Rates
* Flight Tracker
* Gas Prices
* Hotel Finder
* ISBN Numbers
* Local Search[new]
* Maps
* Movie Showtimes
* News
* Packages
* Patents
* Sports Scores
* Stock Quotes
* Synonym Finder
* Time Zones
* Traffic
* UPC Codes
* VIN Number
* Weights, Measures and Temperatures
* Weather
* Zip Codes
how to remove things from google's cache (Score:5, Informative)
Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.
However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.