
Blippy Exposes Credit Card Numbers Through Simple Google Search

An anonymous reader writes "In an unfortunate data breach, social media site Blippy has left credit card numbers in clear text, searchable via a simple Google query. The results show the amount spent on a transaction, the location, and the full card number. As of this submission, the issue still hasn't been resolved." The company's co-founder, Philip Kaplan, told the NY Times, "... when people link their credit cards to Blippy, merchants pass along their raw transaction data – including some credit card numbers – and the site scrubs that information to present just the merchant and the dollar amount spent. But several months ago, when Blippy was being publicly tested, that raw transaction data was present in the site's HTML code, where it was retrieved by Google. Mr. Kaplan said that early on, Blippy started disguising the raw transaction data behind the scenes, but it did not know about the breach until today."
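The scrubbing step described in the summary, sketched as an added example (not Blippy's code and not part of the original story or any comment): it masks Luhn-valid card numbers in a merchant description before the text is written into a page. The function names, the accepted digit layouts and the sample descriptors are assumptions constructed for illustration.

```python
import re

# Layouts treated as candidates: 13-19 contiguous digits, 4-4-4-4, or 4-6-5.
# The capture sits in a lookahead so candidates may overlap; a reference
# number printed right before a card number then cannot hide it.
_CANDIDATE = re.compile(
    r"(?<!\d)(?=(\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d))"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_description(text: str) -> str:
    """Mask Luhn-valid card numbers in place, keeping only the last four digits."""
    out = list(text)
    for m in _CANDIDATE.finditer(text):
        digit_pos = [i for i in range(m.start(1), m.end(1)) if text[i].isdigit()]
        if luhn_ok("".join(text[i] for i in digit_pos)):
            for i in digit_pos[:-4]:
                out[i] = "*"
    return "".join(out)


# Constructed sample descriptors. 4111111111111111 is a widely used test number.
SAMPLES = [
    "COFFEE SHOP #12 SAN FRANCISCO CA 4111111111111111",
    "ONLINE STORE 4111-1111-1111-1111 REF 88213",
    "BOOKSELLER ORDER 1234567890123456",          # fails Luhn, left untouched
    "REF 1234 4111 1111 1111 1111",               # overlapping candidate
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(scrub_description(raw))
```

The Luhn check keeps order and tracking numbers readable, at the cost of missing digit strings that are not laid out in one of the three listed forms.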
  • by alain94040 ( 785132 ) * on Friday April 23, 2010 @03:25PM (#31959318) Homepage

    As of this submission, the issue still hasn't been resolved

    Not true. If I read the explanation carefully, what really happened is that some credit card companies sometimes add the CC number to the description of the purchased item. Bad! Which also means that on your printed statement for instance, your full CC number will appear. During beta testing of Blippy, they were not aware of that "feature", so they let through the full CC number of 4 beta testers. Once they figured it out, they easily added a filter.

    If you were a beta tester for a service like Blippy, you can't be too shocked that this might happen. A better discussion would be what is Blippy really good for? I can see why I might like to browse other people's purchases once in a while, but why would I want to broadcast mine?

    --
    better than an internship in a startup: become a founder! [fairsoftware.net]

  • by ub3r n3u7r4l1st ( 1388939 ) * on Friday April 23, 2010 @03:54PM (#31959726)

    Most banks offer single-use or single-merchant "virtual" card numbers, which allow for only a single use or for use within the same merchant. In the statement, it will show the name of the merchant, along with which "virtual" card number you used.

    Even if you picked up one of these numbers, there is no use.

  • by hedley ( 8715 ) <hedley@pacbell.net> on Friday April 23, 2010 @03:56PM (#31959754) Homepage Journal

    Use them. Don't *ever* use a 2yr+ plastic #!

    Citibank has this feature, other cards must nowadays also.

  • Philip Kaplan? (Score:3, Informative)

    by rekoil ( 168689 ) on Friday April 23, 2010 @04:02PM (#31959858)

    The same Philip Kaplan that ran F*ckedcompany.com?

  • by NerdyLove ( 1133693 ) on Friday April 23, 2010 @04:06PM (#31959898)
    Anybody with a PayPal account can do this as well. It is in the PayPal Toolbar section, but you don't actually need the toolbar to be installed to generate them.
  • by jonbryce ( 703250 ) on Friday April 23, 2010 @04:09PM (#31959932) Homepage

    And for those who don't get the joke, Philip Kaplan, the founder of this site, previously had a site called fuckedcompany.com which charted the demise of dot.com and other companies following the collapse of the internet bubble at the beginning of the century. A f*ckup of this proportion would have probably earned about 60 points out of a total of 100. You get 100 points for bankruptcy proceedings.

  • by yuna49 ( 905461 ) on Friday April 23, 2010 @04:15PM (#31960026)

    Coincidentally, the Times is running a story today [nytimes.com] about this new generation of "social" media sites like Blippy. Not only does Blippy want to compile a list of your purchases, they'd like to read your e-mail, too, if you don't mind. From the article:

    The spirit of sharing has already run into some roadblocks. Amazon.com was so wary of the security ramifications of Blippy's idea of letting consumers post everything they bought that, for several months, it blocked the site from allowing people to publish their Amazon purchases.

    In March, Blippy sidestepped Amazon by asking its customers for access to their Gmail accounts, and then took the purchase data from the receipts Amazon had e-mailed them. Blippy says thousands of its users have supplied the keys to their e-mail accounts; Amazon declined to comment.

    Sigh....

  • by natehoy ( 1608657 ) on Friday April 23, 2010 @04:40PM (#31960356) Journal

    There are two pieces of good news here.

    1) Credit card companies only do this for "disposable" credit card numbers, which are usually only used for one transaction. No credit card company I've ever done business with puts the full CC# of your master account on every line of your statement.

    2) The REALLY good news is that such numbers only appear on your credit card statement.

    So this information is relatively harmless, since most credit cards revealed this way would be invalid by the time they were revealed. Plus, of paramount importance here, the only way this information could possibly get out is if you gave your credit card account username and password to some strange website or something so they could see your credit card statement. And no one would be dumb enough to do that, right? I mean, that's insanity, giving out the username and password to your credit card accounts. Right? ummm, right?

    Number of beta users: More than 5,000

    Source: http://www.netbanker.com/2010/01/blippy_demonstrates_the_power_of_real-time_streaming_of_financial_transaction_data.html [netbanker.com]

    Oh. Never mind. Some people are that stupid.

  • by Anonymous Coward on Friday April 23, 2010 @04:43PM (#31960400)

    Actually you do NOT test with real data. I work in the processing industry. Card issuing companies have designated card numbers for testing. They are not generally published but even if they were used they would not work on a production system.

    Additionally, all processors we have worked with have production and testing systems so when you test, not only are you using a test card number, you are also using a test processing system.

    Beta testing in this case should NOT have included this problem. The card processing should have been tested apart from whatever a client "beta-tester" would need to play with. This is either the result of someone who is lazy or incompetent, period.

  • by Anonymous Coward on Saturday April 24, 2010 @01:56AM (#31965016)
    This is, quite simply, not true. If you doubt me, please check http://www.pcicomplianceguide.org/pcifaqs.php#19 [pcicomplianceguide.org]. Retention of the full credit card number is allowed so long as certain safeguards are in place. The rule about last four is primarily guidance about what should be printed on a receipt.
