Forgot your password?
typodupeerror
Privacy Security

Credit Card Numbers Still Google-able 157

Posted by Soulskill
from the information-is-not-good-at-judging-when-it-should-want-to-be-free dept.
Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

This discussion has been archived. No new comments can be posted.

Credit Card Numbers Still Google-able

Comments Filter:
  • by rodrigoandrade (713371) on Friday November 08, 2013 @12:47PM (#45369225)
    Thankfully, the first few digits of my credit card are the same as a rather important USPTO patent #, so all Google results link to that.
  • Many are Fake (Score:5, Interesting)

    by Anonymous Coward on Friday November 08, 2013 @12:47PM (#45369231)

    There are thousands of pages of fake credit card numbers, SSNs, etc. This is done intentionally to dilute the value, and some are probably honeypots. The numbers are bogus, expired, etc. that pass the checksum.

    • Re:Many are Fake (Score:5, Insightful)

      by game kid (805301) on Friday November 08, 2013 @12:55PM (#45369341) Homepage

      Any prospective user of them should assume the Slashdot poll disclaimer: "If you're using these numbers to do anything important, you're insane."

    • Hence the reason for the mathematical check mentioned in the TFA.

      • As the OP specifically said, the numbers all pass the checksum. The checksum just tells you if it is a potentially valid number. It doesn't tell you if its expired, cancelled or even leaked deliberately as a honeypot. It's a very basic check that is only there to catch errors in card readers or transcription/typing.
      • Re:Many are Fake (Score:4, Interesting)

        by Anonymous Coward on Friday November 08, 2013 @02:44PM (#45370747)

        It's called a Luhn check, and it's so dirt simple, you can do it in your head if you passed 4th grade math.

        1) Reverse the number (this is not actually necessary, but it's part of the "official" algorithm).
        2) Now, treating the number as an array of digits, take the even-indexed digits and double their values. Don't worry if they overflow to double digits yet. (If you skipped step 1, you'd simply do this operation to the odd-indexed digits.)
        3) Add any double-digit values' digits together (e.g. 12 -> 1+2 = 3) and use these in place of the double-digit values in the array.
        4) Sum the contents of the array.
        5) Sum of the array, modulo 10. If this is 0, it's a valid CC number.

        The easiest way to remember a test card is to remember Visa 4111 1111 1111 1111. All Visa cards start with 4, fill the rest of the digits with 1. When you apply the Luhn check:
        1) 1111 1111 1111 1114
        2) 1212 1212 1212 1218
        3) 1212 1212 1212 1218
        4) 30
        5) 30 % 10 = 0, pass.

        Any competent programmer should be able to reverse this process to generate numbers that pass this test. In fact, a reasonably good program could probably generate all valid Luhn-able numbers in a few seconds, and store them in whatever format you wanted. Like pushing them out to a Google docs spreadsheet that's open to the world. Then, everyone's credit card is "compromised", while no one's credit card is actually compromised. Now the "bad guys" have to come up with a noise filter on their searches.

        • by gronofer (838299)
          So 1/10th of the numbers are valid, and there are 15 significant digits? Then there are 10^14 valid numbers and each number is 16 digits long ... that's going to be a pretty big Google docs spreadsheet.
  • by Anonymous Coward on Friday November 08, 2013 @12:48PM (#45369235)

    ...and google replied "thank you"!

  • So what (Score:5, Insightful)

    by hannson (1369413) <hannson@gmail.com> on Friday November 08, 2013 @12:48PM (#45369239)
    Google is not responsible for your CC info. Find the merchants and tell on them.
    • by mythosaz (572040)

      They're not responsible for plenty of other (generally) good things they do either.

      Automating a service that warns about leaked data could be another of them...

    • So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?

      Hmm, if only there were a way of compartmentalising my activities... some sort of limited.. liability.. thing... I could make a mint out of this!

      • by Anonymous Coward

        Well in your situation, B is Google. They did not ask A's explicit permission, and aren't knowingly passing you this information. A said it has searchable data, C said they wanted to look for data matching certain criteria, which just happens to have been provided by A. the fact that B has absolutely no real knowledge of the contents insulates them from liability to a very large degree.

        • No, B is who ever made it publicly available to be found by Google.
          A is the customer, B is the merchant, C is the thief who "stole" the credit card number that B promised both A and violated the contract they have with their payment provider to not let anyone else get the number.

      • Except that A is distributing it freely, so why should anyone downstream have liability?

      • by SeaFox (739806)

        So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?

        Interesting... in this situation we're considering whether Google has a responsibility to do something about this issue because it happened to index all these search results, but when it comes to Google being able to help you find torrents we think they should just display the results like they're supposed to and not pick sides in the copyright cops little war.

    • Did you read the article AT ALL? He's not saying "it's Google's fault", he's saying "Google could handle this problem pretty efficiently, gaining some goodwill in the process."
    • Re:So what (Score:5, Interesting)

      by amicusNYCL (1538833) on Friday November 08, 2013 @01:16PM (#45369569)

      What merchants? Searching for the first 8 digits of a Wells Fargo Mastercard brings up an Excel file with several worksheets in it, including one that lists a bunch of websites and login information (including bank websites). It's on a user's FTP share at their job. So someone decided to put their important file there and they have no clue it's publicly available.

    • by Anonymous Coward

      They are not responsible for malware infected websites either but they still blacklist them...

    • The victim is the merchant, since they are out the goods and the price in the event of a stolen card claim chargeback. In some cases, they are also the leak.

      Payment processor is only out money if it is their fault, and usually those are future earnings, not the cost itself, and only if the credit card company can nail them with good proof.

      Large merchants can absorb the cost, and probably consider it a cost of doing business. Small merchants take a larger hit, as a percentage, since their profits are by de

  • by Anonymous Coward

    I don't see why this is Google's problem; if users' credit card numbers are visible to robot crawlers, then they are not being handled correctly by web sites to begin with.

    • Re:Comment Subject: (Score:5, Interesting)

      by pspahn (1175617) on Friday November 08, 2013 @02:04PM (#45370207)

      A bit of anecdote from a client's site I used to work on...

      Client was complaining of some random issue and I went to take a look. Right away I was prevented from doing so because he changed his FTP/SSH permissions and I wasn't able to access the files.

      I decided to poke around the front-end to try and find clues while I waited for him to respond with a fresh set of credentials. Eventually, I came across a server log that was mistakenly made available to the public at large (though you would have to know the URL to find it). Inside the log file were hundreds... probably thousands of records of customer information, including last four digits of their CC used for payment (if they had one).

      I immediately got back to him about to tell him this information was available on his site to anyone and said that I could fix the permissions once he allowed me access. Unfortunately, he never did get back to me and it was a short time afterward that I was fired from that job (thank god).

      I didn't develop his site, but I do know the person who did, and he happens to be a director at the company. Out of curiosity, I just checked, and the information is still openly available on his site, and it's been like 8 months. Now, though, there seem to be some additional logs of juicyness. 'authorize_net.log', 'google_checkout.log'....

      To top all this off, he used to (not sure if he's come around by now by I doubt it) store customer's CC info in the store database. Before he started using this, I warned him that it was not a good idea, but he said it was the best way. There can be no way his site is PCI complaint, so in all likelihood an audit would completely put him out of business.

      • Completely irrelevant, unless we can put the client in the role of merchant, processor, credit card company, intermediary, IT support, search engine, or something else.

        Bennett is attempting to place blame. Obviously someone is to blame, but to be helpful you need to tell us which.

        From your terms, I assume a merchant, but it would have to be a direct to customer merchant without an intermediary. From your mention of PCI compliance, it could be the processor.

        Either way, should Google in absence of other sea

  • Nothing for me... (Score:5, Interesting)

    by yakatz (1176317) on Friday November 08, 2013 @12:52PM (#45369305) Homepage Journal
    I tried with the first 8 digits of 6 different cards and founds nothing but Australian phone numbers.
    • accidentily modded parent flamebait... not on purpose! stupid touch screen
      • by yakatz (1176317)
        Off-topic, but I have done the same thing. Once upon a time, you had to click submit to moderate, it did not use this "fancy" javascript. I can't find any option to go back to that.
        • yep, responding to the thread seems to negate the mod point. so hey it all worked out.
        • You can block javascript for the site using something like noscript.
          It degrades quite decently. Or at least did when I was last trying to save my sanity on an underpowered box.

    • Re:Nothing for me... (Score:5, Interesting)

      by Anonymous Coward on Friday November 08, 2013 @01:25PM (#45369683)

      I tried this with the first eight digits that I got out of a credit card generator (I'm not going to type in my own). The second result as a Word document that contained a full credit card number, expiration date, security code, and name. The .doc was hosted on a website (csonet.org) that claims to be part of the United Nations. So, I did the usual whois lookup and it started looking fishy, like a honeypot: registered to a company that sounded like a front company ("anywhere design" and "computeragent.net"), and really, why would someone post on the web a Word document with exactly the information you need to make a fraudulent transaction? And isn't the UN a bit more competent?

      Then I visited the UN's web page and, son of a bitch, csonet.org is plastered everywhere on the actual UN site: it' s apparently how you apply to get money out of the UN. See http://www.un.org/womenwatch/daw/csw/NGO.html for an example. Holy fucking diplomatards, BanKiman! If they're posting credit card info with full validation information online there, what's the rest of their security awareness like? No fucking wonder the UN is a playground for the NSA, CIA, KGB, GCHQ, and everyone with unjustifiable budgets that match only their unjustifiable egos.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        It's their database manager/web monkey, a Swede named Ola Göransson. He's apparently been using the NGO Committee directory for his personal files. His name is on the whois registration and on the Word document (I'll leave it to the reader to figure out how to google for "credit card" info on the site csonet.org).

        Here's his resume, along with a dolichocephalic, tired-eyed photo: http://csonet.org/ngocommittee/content/documents/app_form_4913.pdf [csonet.org]. His skills include PHP, ASP, and doxing himself, with

    • same here ... australian phone numbers, most from sites selling wood (strange ô_0)

    • by sconeu (64226)

      Same for me.

      • Interestingly, I turned these [anonnews.org] up.

        These have been, obviously, publicly posted on purpose. Should Google not return this sort of thing in search results as well?

    • apparently my debit card is a popular clutch disc part!

      Nothing on the first 15 pages of Google results for me. I guess my bank should be happy.

  • "using the simple trick of Googling the first 8 digits of your credit card number" What are the first 8 digits of your credit cart number?
  • The more incentive there is to build an alternative. I say, keep up the good work. Maybe I'll make my raspberry into a web crawler, since it's always running anyway.

  • by bigHairyDog (686475) on Friday November 08, 2013 @01:03PM (#45369415)

    It seems that people are deliberately creating millions of fake identities and putting them online just to screw with the bulk data collectors.

    Read the explanation on this page: http://xdduk.org/nino/BT889440D [xdduk.org]

    • Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

      • Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

        No need to do that... spammers already do it to waste time and resources of anti-spam groups.

      • by Maow (620678)

        Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?

        It'd take some time to create the pages of addresses, even if automated, and the incidental cost to spammers of an extra million invalid email addresses would be negligible.

        Basically, good guys spend time to create these, bad guys don't notice much difference. I wish it were so easy, "sigh".

        The real question is, "why do people buy from spammers?" Or, "why does comment spam increase page rank scores?"

        Now, where's that "your idea won't work because..." form? That thing is hilarious.

      • by pspahn (1175617)

        ...cause spammers to waste time and resources?

        Don't they already waste enough of our time and resources? Whose side are you on?

    • by Joining Yet Again (2992179) on Friday November 08, 2013 @01:14PM (#45369531)

      Anyway, if there's one thing I've learnt from giving my name as Sir Handjob Sausage-thief, it's that nothing seems to check your name. Gives the postman a laugh, too.

    • They were a group in his sf universe who flooded the net with incorrect personal data so that nobody could ever get reliable dirt on someone else with a web search.

  • All my credit cards apparently have a unique 8-digit beginning.
  • by indybob (2731135) on Friday November 08, 2013 @01:05PM (#45369447)
    If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)
  • another solution (Score:4, Insightful)

    by a2wflc (705508) on Friday November 08, 2013 @01:06PM (#45369449)

    Credit card companies could google all of the numbers for cards they have issued and take care of it themselves. Why would this be google's responsibility?

    • by MobyDisk (75490)

      Credit card companies could google all of the numbers for cards they have issued and take care of it themselves

      That was his first suggestion.

      Why would this be google's responsibility?

      As he said in his write-up, it isn't Google's responsibility.

    • Yeah, Google will be very happy with millions of automated queries...
  • by Anonymous Coward

    If you google around for the first 8 digits of your credit card number, you will undoubtedly come across this link:

    In this link is a generated list of all possible combinations of Visa, MasterCard, American Express, etc... credit card numbers and PINs. Each group of card numbers is shown in a range... for instance 1234 4600 through 1234 4699....

    If you click through the ranges until you find your card number, and PIN, and it will be in there, you will have given the website owner your credit card number and

  • To generate a list that long, you'd need a computer!

  • by Anonymous Coward on Friday November 08, 2013 @01:09PM (#45369479)

    Google has a little-known search operator for finding numbers within a range. To find all numbers between two numbers, you Google the two numbers separated by two dots. For example, to find all numbers between 87600 and 89061, you'd Google "87600..89061" as shown below.

    https://www.google.com/search?q=87600..89061

    It used to be that you could simply Google a large range of possible credit card numbers using this operator and find tons of numbers. However, a few years ago, Google put a stop to this by forbidding number range searches involving large numbers.

    For example: https://www.google.com/search?q=8760000000000..89061000000000

    It's unfortunate and disappointing that Google crippled its search engine to solve the problem, as there are lots of legitimate reasons for searching number ranges involving large numbers.

  • by Revek (133289) on Friday November 08, 2013 @01:09PM (#45369481) Homepage

    One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results.

    That right is reserved for mpaa to censor my subtitles to my video files and other important stuff like that.

    • If the po-po could take five minutes and stop spying on *everyone* they could use google searches to identify such breaches. They could contact the website owners about the CC leaks, which would actually be a public service. They could also partner with the CC companies to see if any of these cards were used in fraud. Any large scale use of exposed CC numbers could then be investigated with the support of the website owners and CC companies, potentially resulting in the apprehension of fraudsters.

      Unfortu

  • by Obfuscant (592200) on Friday November 08, 2013 @01:14PM (#45369529)
    Eleven words: "People put shit on the web. Google lets you find it."

    The suggestion that Google should pounce upon any 16 digit numbers it finds that meet the single-digit checksum test is just ridiculous. Oh, and start with "all known 8 digit prefixes". Now, the first four identify the card type, so there's a natural limit there. But the next four are 10,000 possibilities.

    We'd complain loudly if someone scanned the web looking for things that LOOK like they shouldn't be there and issue takedown notices. No, people here DO complain loudly when the "someone" matches ??AA and the target is digital media. But credit card companies should scan for their prefixes and issue take downs for anything that matches a possible credit card number?

    I can see a wonderful jimmy to the system along the lines of anti-meth and other anti-this or that campaigns. Create "web pages" for Google to index that are pseudo-random number generators so Google or the credit card companies can find tons of "credit cards" to cancel. People who don't want you to find meth recipes through google already pollute the namespace so you can't do that; people who want to put a monkey wrench into the credit card system can do the same thing.

    • Removing the ability to search for numbers would probably be a lot easier than removing links to some sex pages you don't want google to show anybody anymore.
      Not saying it would be effective in fighting credit card fraud. Just looking at the technical aspect.
    • by skiingyac (262641)

      Yeah somebody didn't think this article through all the way...

      1. Post credit card numbers a website's forum, etc...google would then de-list them for you
      2. ???
      3. Profit

      Not just 4111 1111 1111 1111 which is easy to ignore, but there is an endless supply http://www.getcreditcardnumbers.com/ (or just randomly guess, a decent percent of 16 digit numbers are valid).

    • by houghi (78078)

      all known 8 digit prefixes

      From http://en.wikipedia.org/wiki/Bank_card_number [wikipedia.org]
      An ISO/IEC 7812 card number is most commonly 16 digits in length,[1] and consists of:
      - a six-digit Issuer Identification Number (IIN) (previously called the "Bank Identification Number" (BIN)) the first digit of which is the Major Industry Identifier (MII),
      - a variable length (up to 12 digits) individual account identifier,
      - a single check digit calculated using the Luhn algorithm

      So the first 6 numbers are known. Adding two digits t

  • Completely against PCI Compliance, they were using your 'account number' (full card number) as your identifier when downloading your statement in PDF form. So their web server logs would have been chock full of credit card numbers in clear text. Doh!

    The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.

    When I did this 'search test', Most of my hits were PDFs of credit card statements.

  • Different incentives (Score:5, Interesting)

    by minstrelmike (1602771) on Friday November 08, 2013 @01:26PM (#45369695)
    The main reason credit card companies don't care that much is the same reason you probably wouldn't crawl under a car for a quarter that you dropped.
    The value ain't worth the time spent.

    If you have to spend 1% of your time/money fighting fraud, well once the amount of fraud drops below that 1%, it isn't worth fighting fraud.
    To you.
    The problem is that a company might loose only .05% to fraud and seriously, that's irrelevant.
    But to the .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff.
    The incentives for the corporations are different from those for individuals. Imagine that.
    • by Hulfs (588819)

      http://abcnews.go.com/Business/debit-credit-facts-fraud-liability/story?id=16090439 [go.com]

      You have a maximum liability of $50 for fraudulant credit card purchases - no liability if the phsyical card wasn't used to make the purchase (.ie online purchases). That's hardly losing "100% of [your] stuff" if someone rips off your card number.

      NOTE: Identity theft is WAY different than somoene using your CC#.

      • Identity theft _is_ different from standard credit card theft which is why I specifically mentioned it instead of just inferring it is all one big steaming pile of electronic theft--the way most citizens/voters and therefore congresscritters 'think.'
        Apparently, that's not obvious enough here on /.
        • by Raenex (947668)

          Apparently, that's not obvious enough here on /.

          Your statement was written incorrectly:

          "But to the .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff."

          Adding "especially identity theft" doesn't indicate at all that you are limited to $50 in credit card fraud.

  • 50 years ago, it was understandable that people were flinging account numbers back and forth because there wasn't much else feasible.

    Now, probably 95% of transactions could easily be handled using a scheme where private key is used to sign transactions and the merchant is never ever privy to info that could be used multiple times.

    If credit card companies did something to encourage point of sale equipment, internet merchants, and so on to work toward a scheme where private keys are kept private to the consum

    • by Megane (129182)
      I bought something in a Best Buy the other day, yes, a "brick and mortar" store, and they needed to type in my CVN to make the sale. (It used to just be typing in the last 4 digits from the front of the card to ensure it matched the mag stripe.) Okay, so they were a big chain, but imagine what an unscrupulous small fly-by-night place could do if they kept those around.
  • So that the search itself doesnt look like a SS search
  • This site has a ton of them [bit.ly]. It must be someone's excel file laying on a web server share or something.

  • People post pictures of their credit and debit cards all the freakin' time.

    https://twitter.com/NeedADebitCard [twitter.com]

  • Skroob here (Score:4, Funny)

    by Sperbels (1008585) on Friday November 08, 2013 @02:10PM (#45370301)

    1234 5678

    That's amazing! I got the same combination on my luggage.

  • I used the first 8 of my discover card (all DC start with 6011, FWIW, so there really were only 4 unique digits being searched) and found a couple of hits. One was from 2004 with a list of some students going to Korea for something, and someone put up a public web page with ALL their CC numbers.

    Then I found another page somewhere with a big list of people apparently ordering take-out food three years ago. It was HTML without ".html" at the end, so it came up as a wall of tags. There was a credit card numbe

No amount of careful planning will ever replace dumb luck.

Working...