
Searching For Trouble With Google

achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as Quicken files, etc."


  • this was on cryptome (Score:5, Informative)

    by jabella ( 91754 ) * on Wednesday September 01, 2004 @08:13AM (#10126857) Journal
    This was on bugtraq a week or two ago:

    Check it out [securityfocus.com] and there was a discussion of it a few days later.

    Someone actually has a whole forum dedicated to finding things you can do with google here. [ihackstuff.com]

    Apparently this was even a DEFCON speech subject.
  • by twoshortplanks ( 124523 ) on Wednesday September 01, 2004 @08:14AM (#10126861) Homepage
    It used to be the case that if you put something temporarily in a directory on your webserver (that didn't have indexes turned on) you could simply give the URL of the file to a couple of people to have a quick look at and not have to worry about putting a password on the file. Because it wasn't linked from anywhere, unless someone could guess the URL no-one else would be able to find it.

    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

  • Googledorks (Score:5, Informative)

    by tb()ne ( 625102 ) on Wednesday September 01, 2004 @08:16AM (#10126878)
    I think there was a similar /. article a while back. Do a google search for "googledorks" to find out what additional kinds of data are accessible.
  • by stromthurman ( 588355 ) on Wednesday September 01, 2004 @08:16AM (#10126879)
    This may be seen as a nitpick, but it's actually an important point. It's survival of the "fit", not fittest. Evolution is about being *good enough*, not the best.
  • by Max Romantschuk ( 132276 ) <max@romantschuk.fi> on Wednesday September 01, 2004 @08:17AM (#10126890) Homepage
    The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

    Nasty? Yes.

    But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.

    And it's not that hard (on Apache servers) to make an appropriate .htaccess file either.
  • Same for SSNs (Score:4, Informative)

    by bcarl314 ( 804900 ) on Wednesday September 01, 2004 @08:21AM (#10126913)
    Just tried google for an SSN search as well. Same thing, you get a list of results within that social security number range, along with names and addresses.

    I just can't figure out why people would be victim to identity theft.
  • Re:Liability (Score:1, Informative)

    by Anonymous Coward on Wednesday September 01, 2004 @08:23AM (#10126926)
    They are not publishing anything. It was already published. Google just found it. Google should have NO liability whatsoever.

    This does make it easier for me to search for MY credit card. I would never put my own in the search engine bar as the search would be cached in someone's computer. Now, I just put the range in to see if I am on some Russian mafia's list...

  • by jsebrech ( 525647 ) on Wednesday September 01, 2004 @08:26AM (#10126956)
    This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.

    If you want to share something without google indexing it, there are many strategies you can use, all outlined [google.com] on google.com itself.

    Google does not index anything you have not allowed it to.

    The problem is people putting private information in a public forum, not someone indexing that private information.
  • by Anonymous Coward on Wednesday September 01, 2004 @08:28AM (#10126965)
    Someone actually has a whole forum dedicated to finding things you can do with google here.

    Another good site is searchlores.org [searchlores.org]

    It doesn't limit itself only to Google.

  • by phreakv6 ( 760152 ) <phreakv6@gma i l . com> on Wednesday September 01, 2004 @08:29AM (#10126980) Homepage
    That feature has been here for some time. If you want a list of all such obscure features of google check this [google.com]
  • by itsme ( 6372 ) on Wednesday September 01, 2004 @08:32AM (#10127002) Homepage
    None of the links found are from people who purposely put it online themselves; all you find are irclogs/hacker boards, where people exchange stolen card numbers.
  • by xQx ( 5744 ) on Wednesday September 01, 2004 @08:33AM (#10127003)
    The only problem with that is that hackers have a tendency not to respect robots.txt .. in fact, it's a great index of stuff to have a look at on public websites.
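A defender-side check that follows from this post and Max Romantschuk's above: robots.txt keeps polite crawlers out, but it is itself public and attackers ignore it, so every path it lists should also be refused by the server. This is an added example, not code from the thread; the robots.txt contents and the response codes are constructed sample data, and in a real audit the mapping would come from anonymous fetches of each path.

```python
"""Audit a robots.txt against the access control the web server actually enforces.

robots.txt only asks polite crawlers to stay away, and it is itself a public list of
the paths the site owner cares about. Anything listed there needs real access
control (an Apache Require/Deny rule, HTTP auth, or removal) or it is still one
guessed URL away from exposure. All sample data below is constructed.
"""
import urllib.robotparser

# Constructed robots.txt. The Allow line comes first because urllib.robotparser
# applies the first matching rule, not the longest match that Google uses.
SAMPLE_ROBOTS = """\
User-agent: *
Allow: /tmp-share/public-notes.html
Disallow: /tmp-share/
Disallow: /private/
Disallow: /cgi-bin/
"""

# Constructed status codes for an anonymous request to each path. In a real audit,
# replace this mapping with the result of fetching each path without credentials.
SAMPLE_RESPONSES = {
    "/tmp-share/": 200,                   # directory listing still wide open
    "/tmp-share/budget.xls": 200,         # the "unlinked" temporary file
    "/tmp-share/public-notes.html": 200,  # meant to be public
    "/private/": 403,                     # .htaccess deny rule in place
    "/private/accounts.qdf": 401,         # HTTP auth required
    "/cgi-bin/": 403,
    "/index.html": 200,
}

def disallowed_prefixes(robots_txt: str, agent: str = "*") -> list[str]:
    """Return the Disallow values from every group naming `agent`: exactly the
    list anyone who fetches /robots.txt gets to see."""
    prefixes, agents, in_rules = [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a User-agent line after rules opens a new group
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value and agent in agents:
                prefixes.append(value)
    return prefixes

def audit(robots_txt: str, responses: dict[str, int]) -> dict[str, list[str]]:
    """Cross-check crawler exclusion against enforced access control.

    "robots_only": a well-behaved crawler skips the path, but an anonymous request
                   still retrieves it (status < 400). These are the findings.
    "enforced":    the server itself refuses the path (status >= 400).
    """
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    result: dict[str, list[str]] = {"robots_only": [], "enforced": []}
    for path, status in sorted(responses.items()):
        if status >= 400:
            result["enforced"].append(path)
        elif not parser.can_fetch("*", path):
            result["robots_only"].append(path)
    return result

if __name__ == "__main__":
    print("disclosed by robots.txt:", disallowed_prefixes(SAMPLE_ROBOTS))
    for kind, paths in audit(SAMPLE_ROBOTS, SAMPLE_RESPONSES).items():
        print(f"{kind}: {paths}")
```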
  • try this (Score:5, Informative)

    by circletimessquare ( 444983 ) <(circletimessquare) (at) (gmail.com)> on Wednesday September 01, 2004 @08:34AM (#10127014) Homepage Journal
    convert 29 fahrenheit to celsius

    or

    pi=

    or

    define: hubris

    google's got neat tricks [google.com]

  • Re: additionally (Score:2, Informative)

    by BitterAndDrunk ( 799378 ) on Wednesday September 01, 2004 @08:42AM (#10127067) Homepage Journal
    A post like the grandparent highlights the gap between tech savvy and those who aren't.

    Guess what - someone who isn't a /. reader is:

    Probably the ones most vulnerable to Google mining (for lack of a better term)

    The ones least likely to know what a robots.txt is, what it does, and how to utilize it to prevent stuff like this.

    /. readers for the most part are paranoid and cautious enough to minimize their risk of exposure on the net (even without robots.txt) - it is the group of users (increasing every day mind you) who are semi-literate and don't have the time or inclination to become well versed in security on the net. And really, who can blame them? Most of them don't embrace computers the way many here do and view them as a necessary evil that can occasionally help them find pornography.

  • by AndroidCat ( 229562 ) on Wednesday September 01, 2004 @08:45AM (#10127082) Homepage
    But do hackers have access to the information snitched by the Google Toolbar? If not, then there might be no easy way to crawl to those pages. (No links from visible pages, no dir listings.)

    Sure, the page is still there and accessible, but there's a difference between groping for it in the dark and having Google spotlight it.

  • This could be good (Score:2, Informative)

    by phoey ( 182032 ) on Wednesday September 01, 2004 @08:50AM (#10127107)
    This could be good in finding websites that illegally publish this content.

    With this search in google:
    Mastercard 5000000000000000..5999999999999999

    I found this russian site that published American credit card information with expiration dates, names and addresses:

    http://kupi-cc.0golf.com/halyva.htm [0golf.com]

    Scary stuff. I would prefer google to find this information so that I can type in a simple query and see where my information is being wrongly published then not knowing at all.

  • what an attitude (Score:2, Informative)

    by Anonymous Coward on Wednesday September 01, 2004 @08:53AM (#10127118)
    I'm surprised at how easily you guys assume other net users are simply so dumb. Let's be a bit more humble and take any news/comment with a grain of salt. If you try the search suggested, you'll see some sites are Russian forums exchanging credit card numbers they illegally obtained.

    Besides, who would ever take the time to post one's own credit card numbers on the net? It's dumb to assume someone did that by themselves, frankly. I can only imagine someone might have got a card lost and the number got into those illegal forums, or someone put the number in an email to a CS representative and the email got put into a FAQ, or scenarios like that.
  • Suppositions (Score:4, Informative)

    by AviLazar ( 741826 ) on Wednesday September 01, 2004 @08:54AM (#10127122) Journal
    This person uses a lot of (paraphrase) "I haven't seen it myself, but I am sure real numbers are there."

    Unless this person can cite a real case then all he did was show us test files (as he claims he has seen)
  • Re:Trouble (Score:1, Informative)

    by smooth wombat ( 796938 ) on Wednesday September 01, 2004 @08:54AM (#10127123) Journal
    NOT WORK SAFE!

    NOT WORK SAFE!

    NOT WORK SAFE!

    Gah! And here I thought I wouldn't be so stupid as to not realize what kind of link that would be.

    (pounds head on desk repeatedly)
    (no one notices since it's part of my job requirement)
  • by $raim_n_reezn! ( 808794 ) on Wednesday September 01, 2004 @08:58AM (#10127157)
    They already did. http://www.omaha.bbb.org/news_phonyorders.html
  • AVS (Score:3, Informative)

    by barcodez ( 580516 ) on Wednesday September 01, 2004 @09:02AM (#10127178)
    Any website that accepts credit card payments worth using will require an AVS number and address.

    As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.

    With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
  • Re:DoH! (Score:3, Informative)

    by Jugalator ( 259273 ) on Wednesday September 01, 2004 @09:04AM (#10127190) Journal
    Actually, I didn't input the entire number, I omitted the last four.

    In that case you won't find it even if it was there. Google uses exact matches, so 1234 won't match 123456789.
  • by the unbeliever ( 201915 ) <chris+slashdot&atlgeek,com> on Wednesday September 01, 2004 @09:07AM (#10127220) Homepage
    Most terminals that are sold to merchants that have PIN pads encrypt the pin on the pad, then send it to the bank for authorization, or depending on your card, compare it to the hash written on the mag stripe. The merchant never knows your PIN, unless the clerk has a photographic memory and observes you entering it. Even then, it doesn't do them any good without your card.
  • by extra the woos ( 601736 ) on Wednesday September 01, 2004 @09:14AM (#10127284)
    It won't cost you anything (or $50) if someone steals your CC and uses it to buy shit. Your best protection is to keep up to date on your bank's site with what you have and haven't bought, and investigate and report anything you didn't do immediately. You won't be liable.
  • by Shimbo ( 100005 ) on Wednesday September 01, 2004 @09:23AM (#10127381)
    isn't this what's happening in the UK now?

    No, what is happening in the UK today [chipandpin.co.uk] is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.

    Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your bank's would completely subvert this.

    It does not address "cardholder not present" fraud.
  • by the unbeliever ( 201915 ) <chris+slashdot&atlgeek,com> on Wednesday September 01, 2004 @09:23AM (#10127382) Homepage
    So you can use it like a credit card, rather than a debit card, at places that don't take debit. (such as most online purchases)

    You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.
  • Re:Priceless (Score:4, Informative)

    by interiot ( 50685 ) on Wednesday September 01, 2004 @09:26AM (#10127408) Homepage
    Visa and MasterCard use different prefixes though... so you have to change the number range to 5000000000000000..5699999999999999 [google.com].
  • by zoeblade ( 600058 ) on Wednesday September 01, 2004 @09:33AM (#10127467) Homepage
    "index of mp3 parent directory" may be a bit more accurate, as the phrase "parent directory" appears on FTP sites being rendered as HTML. Of course, the same applies to ROMs and pr0n0r as well :)
  • by mrjb ( 547783 ) on Wednesday September 01, 2004 @09:34AM (#10127471)
    There are banks offering special 'web credit card' services. They issue credit card numbers that are valid only for a single transaction. After the transaction has taken place, the number expires. Even if a site would have serious security issues, allowing someone to see all the credit card numbers they ever received from people, these single-transaction numbers would be worthless to anyone finding them. Of course ultimately a website shouldn't ever receive credit card numbers, but instead relay credit card payment to a bank and then communicate with that bank to see if all went well, but that is another issue.
  • by zoeblade ( 600058 ) on Wednesday September 01, 2004 @09:38AM (#10127504) Homepage

    Ah, perfected :)

    "index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml

    It works quite well :) [google.com]

  • by MikeDX ( 560598 ) on Wednesday September 01, 2004 @09:49AM (#10127609) Journal
    We have this in a few UK banks, certainly the one I use called Cahoot webcard [cahoot.com] which is an online tool: you log in to your online banking account and request a card valid for 1 month with the amount you specify. I've never had a problem with this and it's perfect for online sales and even telephone credit card orders as they can't screw your account over and over for more money.
  • by Oddly_Drac ( 625066 ) on Wednesday September 01, 2004 @09:56AM (#10127673)
    "than I'd give out to anyone who's not an authorised government official"

    A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity [inlandrevenue.gov.uk] despite being asked for on some forms.

    "information is now potentially in the hands of someone unscrupulous."

    More unscrupulous than the home office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date; specifically it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be red-flagged if there are tax inputs using it.

    "If anything untoward were to happen, I have virtually no recourse"

    See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.

    "it's impossible to get a new NI number:"

    It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.

  • Re:The sad thing... (Score:3, Informative)

    by ibennetch ( 521581 ) <bennetch@gmail.cCURIEom minus physicist> on Wednesday September 01, 2004 @10:09AM (#10127813) Journal
    It's some sort of extra protection measure that isn't encoded in the magnetic strip and therefore needs to be entered manually...not used all of the time but when it is used it prevents someone from using a magnetic cardswipe to steal your number...the credit card company knows that number and sometimes requires it for authorization
  • by feargal ( 99776 ) on Wednesday September 01, 2004 @10:45AM (#10128232) Homepage
    "what are they called, CCV2 or something"
    For the record, I looked this up when doing a shopping system once.

    Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.

    Amex has a Card Identification (CID) which is a four digit number that appears on the front of the card.

    It annoys me when I see online forms providing options of Visa, Mastercard, and Amex, and then ask exclusively for the CVV2. Almost as much as the sites that insist I tell them what city I live in, ignoring the 50 odd percent of people who don't live in one.

    The term Card Security Code (CSC) is used as a catch-all label, and it's what I use when building shop sites.
  • by EtherMonkey ( 705611 ) on Wednesday September 01, 2004 @11:17AM (#10128684)

    Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments [americanexpress.com], and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.

    I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere.

    Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.

    But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.

    The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.

    And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.

    There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).

    How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.

    Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
  • by dstutz ( 639854 ) on Wednesday September 01, 2004 @11:54AM (#10129218) Homepage
    MBNA has ShopSafe [prnewswire.com]
    Citibank has Virtual Account Numbers [citibank.com]
    Discover has Discover Deskshop [discovercard.com]
    even American Express... [com.com]

    This is *nothing* new
  • by Blakey Rat ( 99501 ) on Wednesday September 01, 2004 @12:04PM (#10129324)
    What's the problem here? If you don't want it indexed, say so in a robots.txt file... Google respects those if they're present.
  • by cymen ( 8178 ) <[moc.liamg] [ta] [givnemyc]> on Wednesday September 01, 2004 @12:05PM (#10129335) Homepage
    I don't see the number range listed on that page. Am I missing something?
  • by edsarkiss ( 755418 ) on Wednesday September 01, 2004 @12:13PM (#10129432)
    http://help.yahoo.com/help/us/ysearch/tips/tips-01.html

    * Airport Information
    * Airline Registration Information
    * Area Codes
    * Calculator
    * Dictionary Definitions
    * Encyclopedia Lookup
    * Exchange Rates
    * Flight Tracker
    * Gas Prices
    * Hotel Finder
    * ISBN Numbers
    * Local Search[new]
    * Maps
    * Movie Showtimes
    * News
    * Packages
    * Patents
    * Sports Scores
    * Stock Quotes
    * Synonym Finder
    * Time Zones
    * Traffic
    * UPC Codes
    * VIN Number
    * Weights, Measures and Temperatures
    * Weather
    * Zip Codes
  • by sootman ( 158191 ) on Wednesday September 01, 2004 @12:22PM (#10129556) Homepage Journal
    If you find something of yours that shouldn't be online, and you have access to the server, the best thing to do is put up an empty document with the same name.

    Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.

    However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
