Searching For Trouble With Google
achilles writes "From a recent eWeek article: 'Whether they realize it or not, many people leave sensitive information out in plain view on Web sites. But sooner or later, a Google search will dig it up.' The article goes on to list some examples such as 'a search for credit card numbers. Try this one, for "Visa 4366000000000000..4366999999999999"' and other 'risky data' from careless users, such as QUICKEN files etc."
this was on cryptome (Score:5, Informative)
Check it out [securityfocus.com] and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here. [ihackstuff.com]
Apparently this was even a DEFCON speech subject.
Re:this was on cryptome (Score:3, Informative)
Another good site is searchlores.org [searchlores.org]
It doesn't limit itself only to Google.
And why it isn't a big deal.. (Score:3, Insightful)
For one, the valid credit card numbers will rapidly be made useless as 3rd parties use them and they are cancelled. The bottom line is very few customers will be liable for any of these fraudulent transactions.
The majority of the credit card numbers are on semi-underground script kiddy sites, where they are posted to gain cred or access to pr0n. I'd like to bet that most of these are invalid or the product of a credit card n
I blame the Google Toolbar for a lot of this (Score:5, Informative)
This is no longer the case. The Google toolbar reports home to Google about sites people visit. Within a couple of minutes of someone viewing a URL that was private and only meant for them with a browser with the google toolbar installed the googlebot will come along to the site and grab the file for indexing. Nasty if you're not expecting it.
Re:I blame the Google Toolbar for a lot of this (Score:5, Insightful)
In the long run, thus, we'll have real security and ease of use.
Re:I blame the Google Toolbar for a lot of this (Score:5, Interesting)
If you mean security through obscurity then you're describing the current situation on the net, but the article states that Google is removing the obscurity aspect by making the entire net accessible. We no longer have any kind of assurance that a given nook or cranny is too obscure to bother with.
I agree that people shouldn't leave their personal data lying around, but to simply assume that the general public can adopt security measures that we, the
Re:I blame the Google Toolbar for a lot of this (Score:5, Informative)
Nasty? Yes.
But then again, as far as I know Google does respect robots.txt. It's not hard to make a robots.txt file to exclude whatever dir you wish to use for temporary private viewing.
And it's not that hard (on Apache servers) to make an appropriate
Re:I blame the Google Toolbar for a lot of this (Score:5, Informative)
Re:I blame the Google Toolbar for a lot of this (Score:5, Informative)
If you want to share something without google indexing it, there are many strategies you can use, all outlined [google.com] on google.com itself.
Google does not index anything you have not allowed it to.
The problem is people putting private information in a public forum, not someone indexing that private information.
Re:I blame the Google Toolbar for a lot of this (Score:5, Insightful)
People still 'hide' house keys under their doormat. Try explaining to them why they shouldn't do it on the Internet.
Re:I blame the Google Toolbar for a lot of this (Score:3, Interesting)
Try out these searches on Google:
Lots and lots of people are reckless with their data.
Re:I blame the Google Toolbar for a lot of this (Score:3, Interesting)
Nice links. In the same vein, try variations of this:
"company confidential" filetype:ppt [google.com]
Re:I blame the Google Toolbar for a lot of this (Score:4, Funny)
Re:I blame the Google Toolbar for a lot of this (Score:5, Funny)
maybe it's a new security hole? q:
Re:I blame the Google Toolbar for a lot of this (Score:3, Funny)
Quicken files (Score:5, Insightful)
Simon
Re:Quicken files (Score:3, Funny)
Can I mirror these files on my web site?
I've downloaded a few but don't plan on doing anything dirty. Maybe I'll send out a few letters telling people that they should watch what they post on-line
I can see the response:
"Honey, do you know anyone named 'ImaLamer'?"
"No dear"
"Well, he or she claims that your bank information is online"
"Must be some sort of scam sweetie, toss it"
FBI use? (Score:5, Insightful)
Priceless (Score:5, Funny)
Re:Priceless (Score:4, Informative)
What I'm more surprised by (Score:5, Interesting)
Re:What I'm more surprised by (Score:5, Informative)
of google check this [google.com]
Re:What I'm more surprised by (Score:4, Informative)
try this (Score:5, Informative)
or
pi=
or
define: hubris
google's got neat tricks [google.com]
Re:try this (Score:5, Funny)
Googledorks (Score:5, Informative)
Liability (Score:5, Interesting)
Also, maybe those numbers are traps to catch people? Surely you need those goods to be sent to an address and someone has to eventually pick it up.
Re:Liability (Score:3, Insightful)
If the neighbour's window wasn't closed, it doesn't mean you can take his naked photo and put it on the website?
Bad analogy. A better one: If the neighbor posts his naked photo on a public bulletin board, does that mean you can show other people where it is?
Stuff that's on the web is there because someone put it there, i.e. they published it. The fact that they may not have *meant* to publish it doesn't change the fact that they did. If you place an ad in the newspaper, but screw up and give the paper
Try phpMyAdmin (Score:5, Interesting)
This will give you some nice databases to browse through.
Re: (Score:3, Informative)
eBooks (Score:3, Interesting)
How many of you... (Score:5, Funny)
myself.
Re:How many of you... (Score:5, Funny)
Re:How many of you... (Score:3, Interesting)
given one erases the browser history rather quickly?
Google stores all searches somewhere?
Re:How many of you... (Score:3, Interesting)
But, given that they must already have your card number in order to turn up on the list, this isn't actually a problem.
This is supposed to be wrong? (Score:3, Insightful)
Same for SSNs (Score:4, Informative)
I just can't figure out why people would be victim to identity theft.
Time to join the 21st Century (Score:5, Insightful)
Obfuscation may have allowed people to be sloppy with their data exposure until now. But that is no excuse for people being lax with their own data security.
The Internet is built by its users. The responsibility for protecting data lies squarely with the users at the edges.
W00t! (Score:5, Funny)
Thanks Slashdot!
Terrifying (Score:5, Interesting)
It's way too late to warn these people about the files. Their current identity is toast. So is their credit for the next seven or so years.
Is there anything we can advise these people to do to minimize the damage at this point?
Re:Terrifying (Score:4, Insightful)
Is there anything we can advise these people to do to minimize the damage at this point?
That's a nice thought, but how can you word it so it doesn't sound like you're either threatening them or selling them something? People have been called illegal hackers for trying to help other people out by pointing out blatantly obvious security holes before.
Re:Terrifying (Score:3, Interesting)
Notify them via a phone call, using the Relay phone system [att.com] for the deaf.
Not exactly a good use of the service that we all pay for, but it's fairly anonymous, and you can be non-threatening.
Just Call Them and help them out. (Score:5, Interesting)
A couple more fun examples: (Score:5, Funny)
Who needs P2P? [google.com]
Re:A couple more fun examples: (Score:3, Informative)
Re:A couple more fun examples: (Score:4, Informative)
Ah, perfected :)
"index of mp3" "Parent Directory" -filetype:html -filetype:asp -filetype:php -filetype:htm -filetype:shtml
It works quite well :) [google.com]
The funniest part... (Score:5, Funny)
The sad thing... (Score:5, Insightful)
Re:The sad thing... (Score:3, Insightful)
Without the signature a cardholder can repudiate the transaction. So if you didn't buy the stuff, just tell the Issuing Bank that you didn't and just don't pay for that transaction.
Then either the Merchant loses or the Bank loses. You, the cardholder don't unless you use a crappy card company that charges you to reissue a new card. Of course there's the inconvenience of being short of one usable credit card. But it's not as b
Re:The sad thing... (Score:3, Insightful)
No, the merchant loses. The bank never loses.
Re:The sad thing... (Score:3, Funny)
--
A N Other.
Re:The sad thing... (Score:3, Informative)
That depends... (Score:5, Funny)
It actually depends on what the name is on the front of the card. It has different meanings for different names.
Yours would be.... ?
--LordPixie
Re:DoH! (Score:3, Informative)
In that case you won't find it even if it was there. Google uses exact matches, so 1234 won't match 123456789.
Introducing... (Score:5, Funny)
Norton DumbWall 2004
Featuring:
Order now and get a free drool-bib.
Dammit! (Score:5, Funny)
Re:Dammit! (Score:5, Funny)
Thanks! Just did!
P2P is Worse (Score:5, Interesting)
I'm pretty laissez faire on this one. If you leave your keys in the car and car running, the insurance company won't cover its theft (or at least, so goes the lore). Same principle applies here, I think.
-db
Suppositions (Score:4, Informative)
Unless this person can cite a real case then all he did was show us test files (as he claims he has seen)
Some of them plants? (Score:5, Insightful)
AVS (Score:3, Informative)
As for coding these numbers on to other cards and using them in bricks and mortar shops, you would hope that the shops check that the embossed number matches. If they have checked all this, under UK law anyway, the CC company is liable.
With chip and pin cards being introduced across Europe CC numbers are becoming more and more useless to criminals now.
TWO WORDS!!!!!! (Score:5, Interesting)
Hardware vendor accounts (Cisco, Enterasys) (Score:3, Funny)
Google rocks! Don't forget to google for your FLEXLM license files for your Solaris and similar systems, or your crusty Digital licenses for VMS, OSF/1, etc.
Will Visa numbers get slashdotted? (Score:5, Funny)
I got over 10,000 pages of credit card listings! (Score:5, Interesting)
For Visa, I did this one [google.com] and got 2450 pages of listings of credit card numbers. Doing the same for Master Card [google.com] returns only another 481 pages - not just card numbers, but web pages containing numbers - and some are test pages to demonstrate how LUHN codes work, but I don't think they all are. Oh, let's not leave home without American Express [google.com], where we can find a whopping 7,780 pages of listings!
I don't think they are all tests. Some include the number, expiration date, plus the name, address and telephone number of some people who apparently placed orders on-line. A great way to commit fraud or implement identity theft, wouldn't you say?
My guess is that if you called some of these people you would find out that yes, that is their credit card number and they had no idea it had been exposed.
Oh, I forgot to troll for Social Security Numbers [google.com]. Now that returns 7 million pages, most being things like zip codes and such, but it wouldn't be hard to do that by redoing the search on an automated basis by inserting the '-' where appropriate and generating several thousand searches. At random I picked a range and tried all Social Security 301-01 numbers [google.com], and got 115 pages. Not only that, but the text ad from Google was for a company that offered on-line searches of social security information! Very helpful too!
Paul Robinson
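The searches in the post above (the Visa numrange from the article, the LUHN demo pages that pollute the results, and the hyphenated "301-01" SSN search) can be reproduced offline against text you control, which is how you check your own pages before a crawler does. The script below is an added example, not code from the article or from any poster. The sample text is constructed; the card numbers in it are either documented test numbers or placeholders, and the numrange filter imitates Google's `lo..hi` operator by simple integer comparison.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the hyphenated form the "301-01" Google search targets.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right,
    subtract 9 from any doubled value above 9, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str, numrange=None):
    """Return (digits, luhn_valid) for every card-shaped number in text.

    numrange=(lo, hi) keeps only numbers inside the inclusive range, the
    way the article's "4366000000000000..4366999999999999" query does.
    The Luhn flag separates real-looking numbers from demo/placeholder ones.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if numrange is not None:
            lo, hi = (int(x) for x in numrange)
            if not lo <= int(digits) <= hi:
                continue
        hits.append((digits, luhn_ok(digits)))
    return hits


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts out most zip-code style false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str):
    """SSN-shaped strings that pass the plausibility rules, in order found."""
    return [m.group(0) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


def mask(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample: an order record mixed with a Luhn demo page.
SAMPLE = """\
Order #1042 (test page for the Luhn check):
  Visa 4111 1111 1111 1111  exp 06/05  (valid Luhn)
  Visa 4366 0000 0000 0000  exp 01/06  (valid Luhn)
  Visa 4366999999999999     exp 12/04  (fails Luhn: placeholder)
  MC   5500-0000-0000-0004  exp 03/07  (valid Luhn)
  Card 1234567890123456               (fails Luhn: placeholder)
  Phone 555-0100  Zip 30101  SSN 301-01-1234  bogus 000-12-3456  bad area 666-01-1234
"""

if __name__ == "__main__":
    for digits, ok in find_pans(SAMPLE):
        print(f"{mask(digits)}  luhn={'ok' if ok else 'FAIL'}")
    print("in Visa 4366 range:",
          find_pans(SAMPLE, ("4366000000000000", "4366999999999999")))
    print("plausible SSNs:", find_ssns(SAMPLE))
```

Run over a directory of HTML before it goes live and anything with `luhn=ok` or a plausible SSN is a finding. The Luhn test is exactly what separates the "how LUHN codes work" demo pages the post mentions from real card data, which is why a scanner should report the flag rather than filter on it silently.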
how to remove things from google's cache (Score:5, Informative)
Contacting google to remove their 'hit' on it could take a while, and remember--there *are* other search engines out there. If the doc just disappears, it'll stay in Google's cache (and who knows who else's) for who knows how long.
However, if a doc with the same name and same location still exists but has little, no, or bogus data, the engines will suck up this new worthless copy the next time they come 'round and the good copy in their cache will be overwritten with the new worthless copy.
Re:Nothing wrong with this... (Score:5, Informative)
Re:Nothing wrong with this... (Score:5, Funny)
Re:Nothing wrong with this... (Score:5, Insightful)
Agreed, and to further narrow it down, it's being *good enough* at only 1 thing: reproduction.
Unfortunately, this doesn't usually have a lot to do with intelligence.
Re:Nothing wrong with this... (Score:5, Insightful)
It quickly becomes your problem if you have done business with someone else and *they* are stupid enough to leave stuff in plain view.
It would be nice if we knew that everyone we did business with was intelligent enough not to do this, but realistically we probably can't
Re:Nothing wrong with this... (Score:5, Insightful)
Re:Nothing wrong with this... (Score:4, Insightful)
And then you give the PIN to the business to complete the transaction and now they have that. Exactly how does this improve security when you transact business with a company? It might improve security if someone were to steal your wallet, but without some complicated and difficult to verify one time hash scheme. Which has been done and tried (Amex gave me a smart card reader, Visa has tried 1-time CC numbers picked up from their site).
Re:Nothing wrong with this... (Score:5, Informative)
Re:Nothing wrong with this... (Score:4, Insightful)
However, "Even then, it doesn't do them any good without your card" is flat wrong, cards can be forged, magnetic stripes rewritten (Ever see a cashier verify the numbers that got approved are the numbers on the card? They rarely confirm the signature, and I've even used other people's Photo Visas).
Also, video cameras can record pin numbers, electronic eavesdropping tricks could "hear" the PIN number, etc. Heck, what guarantee do you have walking into any store that the CC terminal is legitimate, and not a fake designed to capture your CC number and PIN before passing it on to a legitimate machine in the back? Dig around for ATM fraud to see what is actively going on.
Unless your PIN... (Score:5, Funny)
Re:Nothing wrong with this... (Score:3, Interesting)
One-time numbers are key (Score:3, Interesting)
I'd like to see more of that kind of thing, preferrably all of the following as options:
Re:One-time numbers are key (Score:5, Informative)
Actually, American Express used to have (until April of this year) something like a one-time-use account number. It was called Private Payments [americanexpress.com], and you could generate a new, temporary account number from their secure website. Although it wasn't truly one-time use, it was only valid for 30 days and could be cancelled at any time by the cardmember.
I used it religiously for all on-line, telephone and mail-order purchases until it was discontinued. If a merchant didn't take Amex I'd shop elsewhere. Now that PrivatePayments has been discontinued, I purchase Visa Gift Cards (pre-paid Visa cards) and use them for my small/medium-ticket on-line purchases. For major purchases I use a Visa card with fraud protection and check the account activity on-line at least once a week.
But in any event, you should never be liable for a fraudulent credit card transaction. That doesn't mean you can be careless with your account information, but if there is a fraudulent charge you're not out any money if you pay attention and dispute the charge within the specified period of time.
The real danger is ACH (Automated Clearing House) transactions against your bank accounts. Any person or organization that has the ability to perform ACH transactions (and there are plenty of third-party processors with low scruples and high tolerance of unethical behavior) can suck money DIRECTLY from your bank account. All they need is your bank routing number and bank account number. They don't need your name, address, phone number or any password or PIN (they are supposed to get your written authorization first, but there's no mechanism to check or enforce this before the fact). There is no verification or fraud protection system for ACH, as there is on most credit cards. The merchant simply asks and he receives.
And unlike credit card disputes, where you don't pay until the dispute is settled, ACH immediately withdraws the money from your account and you have to wait for the dispute to be settled before getting your money back (if ever). Since there are no limits on ACH withdrawals, (other than having sufficient funds for payment), one fraudulent charge can lead to bounced checks, overdraft fees, returned check fees and more, increasing your loss by hundreds of dollars.
There's no mechanism to opt-out of ACH or limit transactions to only approved merchants. Once a fraudulent charge is made you may be able to block further transactions by that merchant, but possibly only for a limited time and with payment of a stop-payment processing fee. The only real relief is to close the account and open a new one (resulting in administrative hassles and costs for new checks and forms).
How hard it is for a bad guy to get your bank routing number and account number depends on how you use your checks. The routing and account numbers are required on the bottom of each check. It takes a few seconds for a dishonest cashier, clerk or other employee to copy this info down and sell it later. The lock-box services used by large creditors often convert paper checks to ACH transactions themselves, then discard the paper checks; depending on how discarded checks are handled, they might be subject to unwanted access. Your own handling of unused and cancelled checks also comes into play.
Between credit-card fraud and ACH fraud, it's the latter that scares me the most. I've been a victim of unauthorized ACH transactions twice: once through a mistake made by a merchant and just recently through outright fraud. I am still waiting for the return of $100 due to the most recent fraud, and it will cost me more than that by the time I'm done switching to a new checking account.
Re:Nothing wrong with this... (Score:5, Insightful)
You do realize that to do business on line, you would still have to give them your pin, right?
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
Re:Nothing wrong with this... (Score:3, Insightful)
It would be up to them if they wanted to store that info or not, but at some point, you will have to enter your pin into a web page.
No, I do not realize this. You are not using your imagination.
During the checkout phase, you get a code. You log on to your bank/credit card/whatever account, paste that code into a field to authorize the funds, and get an order confirmation from the place where you bought your stu
Comment removed (Score:5, Insightful)
Re:Nothing wrong with this... (Score:3, Informative)
For the record, I looked this up when doing a shopping system once.
Visa uses the term Card Verification Value (CVV2), Mastercard calls it Card Verification Code (CVC2). I don't know what the "2" refers to, one assumes there was once a CVV and CVC. Some websites claim the initial "C" in both stands for "Credit Card", but the system is used for debit cards too, so it appears the authors in question were being stupid.
Amex has a Card Identification (CID) which is a f
Re:Nothing wrong with this... (Score:3, Interesting)
Perhaps this is an area where the likes of third-party merchant services such as 2checkout.com, Paysystems, and iBill can really shine. Ignoring the problems these specific merchant services have had, the model of passing the user to a secure page provided by a "trusted" company to enter credit card details could be a good
Re:Nothing wrong with this... (Score:3, Interesting)
One drawback was that th
Re:Nothing wrong with this... (Score:5, Informative)
No, what is happening in the UK today [chipandpin.co.uk] is that the cards are being upgraded to smart cards, and the PIN is replacing the signature which is frequently not checked well.
Folks by and large understand the "never give away your PIN" rule. Disclosing your PIN to a web site other than your banks would completely subvert this.
It does not address "cardholder not present" fraud.
Re:Nothing wrong with this... (Score:5, Informative)
You should also note that Debit transactions will typically show up instantly, and "credit" ones will take 2-3 business days, if you have an online method of checking your statement.
Re:Nothing wrong with this... (Score:5, Interesting)
That lost letter contains more information than I'd give out to anyone who's not an authorised government official (policeman, doctor, etc). Through no fault of my own, and despite my vigilance (I shred and burn every bit of correspondence that has my name and address on it, let alone financial or other personal details) that information is now potentially in the hands of someone unscrupulous.
If anything untoward were to happen, I have virtually no recourse, as it would be nigh on impossible to actually prove where my details were obtained and (as far as I know) it's impossible to get a new NI number: I'm stuck with the one that's issued to me at 16 until the day I die.
Re:Nothing wrong with this... (Score:4, Informative)
A GP isn't an authorised government official, and you'd be scared if you saw the state of the records routinely passed around in the health service. BTW, the NI number is no longer used as a 'real' form of ID, requiring a better intersection of one or more pieces of ID. Again, it's not proof of your identity [inlandrevenue.gov.uk] despite being asked for on some forms.
"information is now potentially in the hands of someone unscrupulous."
More unscrupulous than the Home Office? Seriously, you can't escalate an NI number to anything other than paying taxes or finding out that your national insurance contributions are up to date; specifically it's tied to your address, name and earnings. It can be used to claim benefits, but the address would be red-flagged if there are tax inputs using it.
"If anything untoward were to happen, I have virtually no recourse"
See above. Generally speaking there isn't a lot that can happen that wouldn't result in someone getting in contact with you.
"it's impossible to get a new NI number:"
It's difficult, not impossible. You have to attend a one-on-one interview and prove who you are, although it's not generally necessary because it's not an important piece of information except for tax records.
Re:Nothing wrong with this... (Score:5, Insightful)
Re:Nothing wrong with this... (Score:5, Insightful)
Think about this as somebody with some technical background. What is more secure?
1. Giving your credit card to the waiter at Mafia Pizza, who takes it into a back room before he brings it back to you.
2. Providing your credit card number to Amazon.
So here is a better idea. Get one credit card and use it for everything. Watch your statement carefully. Complain loudly if you see any charges you didn't make.
I'd still avoid buying anything from Mr. Mbuthu at Nigeria Exports, but other than that why allow paranoia to keep you from the convenience of the internet? Remember, you are NOT liable for any fraud losses on a credit card other than the first $50. The bank takes risk in return for the fees the merchant pays and because they want you to run up a huge debt and pay them loads of interest.
Re:Nothing wrong with this... (Score:3, Funny)
Comment removed (Score:5, Insightful)
Re:Nothing wrong with this... (Score:3, Insightful)
Re:Nothing wrong with this... (Score:5, Interesting)
Re:Nothing wrong with this... (Score:3, Insightful)
You don't have to be dumb to make mistakes like this, a single typo can do it. Being dumb just helps.
My favourite.. (Score:5, Funny)
Pwned!
Re:My favourite.. (Score:3, Funny)
So what if there are card numbers on the web... (Score:5, Informative)
Re:only few matches (Score:3, Interesting)
Re:robots.txt (Score:4, Insightful)
I can't tell if you're being ironic or just stupid.
You're suggesting that you "secure" your sensitive information by listing where it is in robots.txt? I think I want to have a look in your robots.txt, now.
The purpose of robots.txt is not to secure your information, it is to avoid getting eaten alive by bandwidth-hogging search spiders, and to prevent spiders from indexing irrelevant or out of date information.
If you want your information to be secure, here's a hint: don't put it on a fricking web server.
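An added example, not from any poster in this thread, that makes the point of this sub-thread (and of the earlier "Google does respect robots.txt" exchange) checkable against your own webroot: it reads robots.txt, flags every Disallow'd directory that has nothing but the Disallow protecting it, and lists the file types the earlier dorks hunt for (Quicken .qdf, "company confidential" .ppt, FLEXLM .lic, database dumps). Assumptions: an Apache-style layout where a .htaccess containing a deny or auth directive counts as access control (a heuristic only, since .htaccess is honoured solely under AllowOverride and other servers use different mechanisms), and a constructed temporary webroot as the fixture.

```python
import tempfile
from pathlib import Path

# File types the thread's searches key on: Quicken data, Office decks and
# sheets, Access/SQL dumps, licence files, backups and raw data files.
RISKY_EXT = {".qdf", ".qif", ".ppt", ".xls", ".mdb", ".sql", ".lic", ".bak", ".dat"}

# Directives that actually restrict access. "Require all granted" is
# deliberately absent: it opens a directory rather than closing it.
ACCESS_DIRECTIVES = ("require all denied", "require valid-user", "deny from all", "authtype")


def disallowed_paths(robots_txt: str):
    """Every Disallow: value in a robots.txt body, comments stripped.
    Note that this is exactly the list an attacker reads first."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def has_access_control(directory: Path) -> bool:
    """Heuristic (assumption): a .htaccess with a deny/auth directive."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    body = ht.read_text().lower()
    return any(d in body for d in ACCESS_DIRECTIVES)


def audit(webroot: str):
    """Return sorted (finding, path) tuples for a webroot directory."""
    root = Path(webroot)
    findings = []
    robots = root / "robots.txt"
    if robots.is_file():
        for p in disallowed_paths(robots.read_text()):
            target = root / p.strip("/")
            if target.is_dir() and not has_access_control(target):
                # robots.txt advertises the path and nothing else guards it
                findings.append(("ROBOTS_ONLY", p))
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in RISKY_EXT:
            rel = "/" + path.relative_to(root).as_posix()
            kind = "RISKY_FILE_PROTECTED" if has_access_control(path.parent) else "RISKY_FILE"
            findings.append((kind, rel))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Constructed fixture: one directory hidden only by robots.txt, one
    behind HTTP auth, one public directory with a stray presentation."""
    root = Path(tempfile.mkdtemp())
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /private/\nDisallow: /admin/\n")
    (root / "private").mkdir()
    (root / "private" / "finances.qdf").write_bytes(b"QDF\x00")
    (root / "admin").mkdir()
    (root / "admin" / ".htaccess").write_text("AuthType Basic\nAuthName admin\nRequire valid-user\n")
    (root / "admin" / "users.mdb").write_bytes(b"\x00")
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<html></html>")
    (root / "public" / "company-confidential.ppt").write_bytes(b"\xd0\xcf\x11\xe0")
    return str(root)


if __name__ == "__main__":
    for kind, path in audit(build_sample_webroot()):
        print(f"{kind:22s} {path}")
```

`ROBOTS_ONLY` is the case the parent post is objecting to: the directory is listed for anyone who fetches robots.txt, and a crawler that ignores the file (or a person who reads it) gets the contents. `RISKY_FILE` in a public directory is the Quicken/PowerPoint situation from earlier in the thread; the fix for both is server-side access control or not putting the file on the web server at all.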