Credit Card Numbers Still Google-able 157
If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.
In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.
The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.
So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)
It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."
After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."
Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."
(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)
Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.
Thanks USPTO (Score:5, Funny)
Re:Thanks USPTO (Score:5, Funny)
Which patent number would that be? (Just out of curiosity of what you consider important patent numbers, of course :)
Re: (Score:2)
Re:Thanks USPTO (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
I made that joke in a comment last week. Your favorite meal is copy pasta.
Many are Fake (Score:5, Interesting)
There are thousands of pages of fake credit card numbers, SSNs, etc. This is done intentionally to dilute the value, and some are probably honeypots. The numbers are bogus, expired, etc. that pass the checksum.
Re:Many are Fake (Score:5, Insightful)
Any prospective user of them should assume the Slashdot poll disclaimer: "If you're using these numbers to do anything important, you're insane."
Re: (Score:1)
Hence the reason for the mathematical check mentioned in the TFA.
Re: (Score:3)
Re:Many are Fake (Score:4, Interesting)
It's called a Luhn check, and it's so dirt simple, you can do it in your head if you passed 4th grade math.
1) Reverse the number (this is not actually necessary, but it's part of the "official" algorithm).
2) Now, treating the number as an array of digits, take the even-indexed digits and double their values. Don't worry if they overflow to double digits yet. (If you skipped step 1, you'd simply do this operation to the odd-indexed digits.)
3) Add any double-digit values' digits together (e.g. 12 -> 1+2 = 3) and use these in place of the double-digit values in the array.
4) Sum the contents of the array.
5) Sum of the array, modulo 10. If this is 0, it's a valid CC number.
The easiest way to remember a test card is to remember Visa 4111 1111 1111 1111. All Visa cards start with 4, fill the rest of the digits with 1. When you apply the Luhn check:
1) 1111 1111 1111 1114
2) 1212 1212 1212 1218
3) 1212 1212 1212 1218
4) 30
5) 30 % 10 = 0, pass.
Any competent programmer should be able to reverse this process to generate numbers that pass this test. In fact, a reasonably good program could probably generate all valid Luhn-able numbers in a few seconds, and store them in whatever format you wanted. Like pushing them out to a Google docs spreadsheet that's open to the world. Then, everyone's credit card is "compromised", while no one's credit card is actually compromised. Now the "bad guys" have to come up with a noise filter on their searches.
Re: (Score:2)
I typed my entire Visa number... (Score:5, Funny)
...and google replied "thank you"!
Re: (Score:2)
and gave them a tshirt from the yahoo store.
Re:I typed my entire Visa number... (Score:4, Funny)
The bastards, they could have at least given him a Nexus.
So what (Score:5, Insightful)
Re: (Score:2)
They're not responsible for plenty of other (generally) good things they do either.
Automating a service that warns about leaked data could be another of them...
Re: (Score:3)
So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?
Hmm, if only there were a way of compartmentalising my activities... some sort of limited.. liability.. thing... I could make a mint out of this!
Re: (Score:1)
Well in your situation, B is Google. They did not ask A's explicit permission, and aren't knowingly passing you this information. A said it has searchable data, C said they wanted to look for data matching certain criteria, which just happens to have been provided by A. the fact that B has absolutely no real knowledge of the contents insulates them from liability to a very large degree.
Re: (Score:2)
No, B is who ever made it publicly available to be found by Google.
A is the customer, B is the merchant, C is the thief who "stole" the credit card number that B promised both A and violated the contract they have with their payment provider to not let anyone else get the number.
Re: (Score:2)
Except that A is distributing it freely, so why should anyone downstream have liability?
Re: (Score:2)
So if A gives something to B, and then B passes on to C without A's permission, and C profits from it, C has no responsibility?
Interesting... in this situation we're considering whether Google has a responsibility to do something about this issue because it happened to index all these search results, but when it comes to Google being able to help you find torrents we think they should just display the results like they're supposed to and not pick sides in the copyright cops little war.
Re: (Score:2)
Re:So what (Score:5, Interesting)
What merchants? Searching for the first 8 digits of a Wells Fargo Mastercard brings up an Excel file with several worksheets in it, including one that lists a bunch of websites and login information (including bank websites). It's on a user's FTP share at their job. So someone decided to put their important file there and they have no clue it's publicly available.
Re: (Score:1)
They are not responsible for malware infected websites either but they still blacklist them...
Re: (Score:2)
The victim is the merchant, since they are out the goods and the price in the event of a stolen card claim chargeback. In some cases, they are also the leak.
Payment processor is only out money if it is their fault, and usually those are future earnings, not the cost itself, and only if the credit card company can nail them with good proof.
Large merchants can absorb the cost, and probably consider it a cost of doing business. Small merchants take a larger hit, as a percentage, since their profits are by de
Comment Subject: (Score:1)
I don't see why this is Google's problem; if users' credit card numbers are visible to robot crawlers, then they are not being handled correctly by web sites to begin with.
Re:Comment Subject: (Score:5, Interesting)
A bit of anecdote from a client's site I used to work on...
Client was complaining of some random issue and I went to take a look. Right away I was prevented from doing so because he changed his FTP/SSH permissions and I wasn't able to access the files.
I decided to poke around the front-end to try and find clues while I waited for him to respond with a fresh set of credentials. Eventually, I came across a server log that was mistakenly made available to the public at large (though you would have to know the URL to find it). Inside the log file were hundreds... probably thousands of records of customer information, including last four digits of their CC used for payment (if they had one).
I immediately got back to him about to tell him this information was available on his site to anyone and said that I could fix the permissions once he allowed me access. Unfortunately, he never did get back to me and it was a short time afterward that I was fired from that job (thank god).
I didn't develop his site, but I do know the person who did, and he happens to be a director at the company. Out of curiosity, I just checked, and the information is still openly available on his site, and it's been like 8 months. Now, though, there seem to be some additional logs of juicyness. 'authorize_net.log', 'google_checkout.log'....
To top all this off, he used to (not sure if he's come around by now by I doubt it) store customer's CC info in the store database. Before he started using this, I warned him that it was not a good idea, but he said it was the best way. There can be no way his site is PCI complaint, so in all likelihood an audit would completely put him out of business.
Re: (Score:2)
Completely irrelevant, unless we can put the client in the role of merchant, processor, credit card company, intermediary, IT support, search engine, or something else.
Bennett is attempting to place blame. Obviously someone is to blame, but to be helpful you need to tell us which.
From your terms, I assume a merchant, but it would have to be a direct to customer merchant without an intermediary. From your mention of PCI compliance, it could be the processor.
Either way, should Google in absence of other sea
Nothing for me... (Score:5, Interesting)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
You can block javascript for the site using something like noscript.
It degrades quite decently. Or at least did when I was last trying to save my sanity on an underpowered box.
Re:Nothing for me... (Score:5, Interesting)
I tried this with the first eight digits that I got out of a credit card generator (I'm not going to type in my own). The second result as a Word document that contained a full credit card number, expiration date, security code, and name. The .doc was hosted on a website (csonet.org) that claims to be part of the United Nations. So, I did the usual whois lookup and it started looking fishy, like a honeypot: registered to a company that sounded like a front company ("anywhere design" and "computeragent.net"), and really, why would someone post on the web a Word document with exactly the information you need to make a fraudulent transaction? And isn't the UN a bit more competent?
Then I visited the UN's web page and, son of a bitch, csonet.org is plastered everywhere on the actual UN site: it' s apparently how you apply to get money out of the UN. See http://www.un.org/womenwatch/daw/csw/NGO.html for an example. Holy fucking diplomatards, BanKiman! If they're posting credit card info with full validation information online there, what's the rest of their security awareness like? No fucking wonder the UN is a playground for the NSA, CIA, KGB, GCHQ, and everyone with unjustifiable budgets that match only their unjustifiable egos.
Re: (Score:2, Interesting)
It's their database manager/web monkey, a Swede named Ola Göransson. He's apparently been using the NGO Committee directory for his personal files. His name is on the whois registration and on the Word document (I'll leave it to the reader to figure out how to google for "credit card" info on the site csonet.org).
Here's his resume, along with a dolichocephalic, tired-eyed photo: http://csonet.org/ngocommittee/content/documents/app_form_4913.pdf [csonet.org]. His skills include PHP, ASP, and doxing himself, with
Re: (Score:1)
Re: (Score:2)
Same for me.
Re: (Score:2)
Interestingly, I turned these [anonnews.org] up.
These have been, obviously, publicly posted on purpose. Should Google not return this sort of thing in search results as well?
Re: (Score:2)
apparently my debit card is a popular clutch disc part!
Nothing on the first 15 pages of Google results for me. I guess my bank should be happy.
Re: (Score:2)
Re: (Score:2)
I'd love to give it a try (Score:1)
Re: (Score:2)
I started using that after the third time my card was compromised last year.
I have had the same Amex, Visa and MC credit card numbers since around 1999. I have not once received a fraudulent charge. Where am I going right?
Re: (Score:3)
I have had the same Amex, Visa and MC credit card numbers since around 1999. I have not once received a fraudulent charge. Where am I going right?
Herd immunity.
Re: (Score:2)
Not bragging about it.
So there goes that.
The more Google censors (Score:1)
The more incentive there is to build an alternative. I say, keep up the good work. Maybe I'll make my raspberry into a web crawler, since it's always running anyway.
I tried this and found an interesting page (Score:5, Interesting)
It seems that people are deliberately creating millions of fake identities and putting them online just to screw with the bulk data collectors.
Read the explanation on this page: http://xdduk.org/nino/BT889440D [xdduk.org]
Re: (Score:2)
Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?
Re: (Score:1)
Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?
No need to do that... spammers already do it to waste time and resources of anti-spam groups.
Re: (Score:2)
Not a bad idea. How about seeding the internet with lots of legitimate-looking email addresses to cause spammers to waste time and resources?
It'd take some time to create the pages of addresses, even if automated, and the incidental cost to spammers of an extra million invalid email addresses would be negligible.
Basically, good guys spend time to create these, bad guys don't notice much difference. I wish it were so easy, "sigh".
The real question is, "why do people buy from spammers?" Or, "why does comment spam increase page rank scores?"
Now, where's that "your idea won't work because..." form? That thing is hilarious.
Re: (Score:2)
...cause spammers to waste time and resources?
Don't they already waste enough of our time and resources? Whose side are you on?
Re:I tried this and found an interesting page (Score:5, Funny)
Anyway, if there's one thing I've learnt from giving my name as Sir Handjob Sausage-thief, it's that nothing seems to check your name. Gives the postman a laugh, too.
Vernor Vinge's "Friends of Privacy" (Score:2)
They were a group in his sf universe who flooded the net with incorrect personal data so that nobody could ever get reliable dirt on someone else with a web search.
Didn't work for me. (Score:2)
Re: (Score:2)
All my credit cards apparently have a unique 8-digit beginning.
Yeah, I noticed that.
Re:Didn't work for me. (Score:4, Informative)
The first six digits of a card number identify the type of card and the issuing financial institution. The next 9 are the actual number and the last is a check digit via Luhn's method.
There are 100 different numbers once you identified the first 6 (Wikipedia has a nice list). That will get you the first 8 digits quite easily.
And yes, it seems to be a standard format, like Visa begins with 4, MC with 5, and Amex with 6, then the next 5 digits uniquely identify a financial institution that issued that card.
Re: (Score:2)
Re: (Score:2)
If it's don't work. Try this (Score:5, Funny)
Re: (Score:3)
If you want to be sure that you find your number on Google, do the following thing: 1) Write a message here with your first 8 digits here on slashdot. 2) Send me in a private message your last 8 digits. And the 3 digits number at the back of your card. 3) Wait 2-3 weeks After that, you can try to Google your number with success! ;o)
Public service at its best! Thank you for supporting our civil society, Bob!
Re:If it's don't work. Try this (Score:4, Funny)
4777 6632
another solution (Score:4, Insightful)
Credit card companies could google all of the numbers for cards they have issued and take care of it themselves. Why would this be google's responsibility?
Re: (Score:2)
Credit card companies could google all of the numbers for cards they have issued and take care of it themselves
That was his first suggestion.
Why would this be google's responsibility?
As he said in his write-up, it isn't Google's responsibility.
Re: (Score:2)
Don't drill down through the CC number lists! (Score:2, Informative)
If you google around for the first 8 digits of your credit card number, you will undoubtedly come across this link:
In this link is a generated list of all possible combinations of Visa, MasterCard, American Express, etc... credit card numbers and PINs. Each group of card numbers is shown in a range... for instance 1234 4600 through 1234 4699....
If you click through the ranges until you find your card number, and PIN, and it will be in there, you will have given the website owner your credit card number and
Re: (Score:2)
I'm not sure how to display a link in slashdot, but I'll try again:
The same way you "display a link" anywhere else using html.
Type this:
<a href="http://all-the-numbers.com/credit-cards.html">credit card list</a>
and get this:
credit card list [all-the-numbers.com]
It really doesn't get simpler than that -- no square-bracket pseudo-html with incompletely defined semantics, no url autodetection that keeps grabbing stuff you don't want linkified, just html. (If you, somehow, have managed to remain ignorant of even that basic bit of html, then your options are to learn or GTFO.)
ALMOST TEN QUADRILLION NUMBERS! (Score:2)
To generate a list that long, you'd need a computer!
It Used to Be Even Easier (Score:4, Interesting)
Google has a little-known search operator for finding numbers within a range. To find all numbers between two numbers, you Google the two numbers separated by two dots. For example, to find all numbers between 87600 and 89061, you'd Google "87600..89061" as shown below.
https://www.google.com/search?q=87600..89061
It used to be that you could simply Google a large range of possible credit card numbers using this operator and find tons of numbers. However, a few years ago, Google put a stop to this by forbidding number range searches involving large numbers.
For example: https://www.google.com/search?q=8760000000000..89061000000000
It's unfortunate and disappointing that Google crippled its search engine to solve the problem, as there are lots of legitimate reasons for searching number ranges involving large numbers.
reserved for the media industry (Score:3, Insightful)
One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results.
That right is reserved for mpaa to censor my subtitles to my video files and other important stuff like that.
Useful To Law Enforcement, Perhaps? (Score:2)
If the po-po could take five minutes and stop spying on *everyone* they could use google searches to identify such breaches. They could contact the website owners about the CC leaks, which would actually be a public service. They could also partner with the CC companies to see if any of these cards were used in fraud. Any large scale use of exposed CC numbers could then be investigated with the support of the website owners and CC companies, potentially resulting in the apprehension of fraudsters.
Unfortu
Summay of the summary (Score:5, Insightful)
The suggestion that Google should pounce upon any 16 digit numbers it finds that meet the single-digit checksum test is just ridiculous. Oh, and start with "all known 8 digit prefixes". Now, the first four identify the card type, so there's a natural limit there. But the next four are 10,000 possibilities.
We'd complain loudly if someone scanned the web looking for things that LOOK like they shouldn't be there and issue takedown notices. No, people here DO complain loudly when the "someone" matches ??AA and the target is digital media. But credit card companies should scan for their prefixes and issue take downs for anything that matches a possible credit card number?
I can see a wonderful jimmy to the system along the lines of anti-meth and other anti-this or that campaigns. Create "web pages" for Google to index that are pseudo-random number generators so Google or the credit card companies can find tons of "credit cards" to cancel. People who don't want you to find meth recipes through google already pollute the namespace so you can't do that; people who want to put a monkey wrench into the credit card system can do the same thing.
Re: (Score:2)
Not saying it would be effective in fighting credit card fraud. Just looking at the technical aspect.
Re: (Score:2)
Yeah somebody didn't think this article through all the way...
1. Post credit card numbers a website's forum, etc...google would then de-list them for you
2. ???
3. Profit
Not just 4111 1111 1111 1111 which is easy to ignore, but there is an endless supply http://www.getcreditcardnumbers.com/ (or just randomly guess, a decent percent of 16 digit numbers are valid).
Re: (Score:3)
I reported a similar issue to BofA in 2008 (Score:3)
The biggest problem was finding someone to report it to. Customer Service doesn't know dick about Compliance - I had to to cross my fingers that it would get escalated properly. It took about 6 months for that to change.
When I did this 'search test', Most of my hits were PDFs of credit card statements.
Different incentives (Score:5, Interesting)
The value ain't worth the time spent.
If you have to spend 1% of your time/money fighting fraud, well once the amount of fraud drops below that 1%, it isn't worth fighting fraud.
To you.
The problem is that a company might loose only
But to the
The incentives for the corporations are different from those for individuals. Imagine that.
Re: (Score:1)
http://abcnews.go.com/Business/debit-credit-facts-fraud-liability/story?id=16090439 [go.com]
You have a maximum liability of $50 for fraudulant credit card purchases - no liability if the phsyical card wasn't used to make the purchase (.ie online purchases). That's hardly losing "100% of [your] stuff" if someone rips off your card number.
NOTE: Identity theft is WAY different than somoene using your CC#.
Re: (Score:3)
Apparently, that's not obvious enough here on
Re: (Score:2)
Apparently, that's not obvious enough here on /.
Your statement was written incorrectly:
"But to the .05% of the customers who are subject to fraud, especially identity theft, they lose 100% of their stuff."
Adding "especially identity theft" doesn't indicate at all that you are limited to $50 in credit card fraud.
It is the credit card companies fault... (Score:2)
50 years ago, it was understandable that people were flinging account numbers back and forth because there wasn't much else feasible.
Now, probably 95% of transactions could easily be handled using a scheme where private key is used to sign transactions and the merchant is never ever privy to info that could be used multiple times.
If credit card companies did something to encourage point of sale equipment, internet merchants, and so on to work toward a scheme where private keys are kept private to the consum
Re: (Score:1)
I've used search ranges to look for my SS (Score:2)
Way too easy (Score:1)
This site has a ton of them [bit.ly]. It must be someone's excel file laying on a web server share or something.
Check Twitter while you're at it (Score:2)
People post pictures of their credit and debit cards all the freakin' time.
https://twitter.com/NeedADebitCard [twitter.com]
Skroob here (Score:4, Funny)
1234 5678
That's amazing! I got the same combination on my luggage.
What a "discover"y (Score:2)
I used the first 8 of my discover card (all DC start with 6011, FWIW, so there really were only 4 unique digits being searched) and found a couple of hits. One was from 2004 with a list of some students going to Korea for something, and someone put up a public web page with ALL their CC numbers.
Then I found another page somewhere with a big list of people apparently ordering take-out food three years ago. It was HTML without ".html" at the end, so it came up as a wall of tags. There was a credit card numbe
Re: (Score:2)
Don't forget to enable page pre-fetching in your browser, and do NOT use the HTTPS version of your search engine - this declines the quality of results because encryption is lossy.
Re: (Score:2)
dang, it got returned. I'll just forward it to everybody in my address book and hopefully, someone can forward it on to your correct email address.
Thanks for helping.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re:Whats the point (Score:5, Informative)
Trying all the reasonable expiration dates will quickly get a card locked down for fraud. It's reliable DOS attack.
Re: (Score:2)
If you try lots of incorrect expiry dates, the bank will get an alert and suspend the card.
Re: (Score:2)
There is a serious lack of Bennett Haselton hatred going on right now. Have we all forgotten so soon?
No, but he hasn't said anything too blisteringly stupid in this one, and fair's fair - he gets the benefit of the doubt this time around. The uppity, self-aggrandizing tone of his posts are just par for the course at this point.
Re: (Score:2)
I still remember the "Don't Talk to Cops" bit he got on here and was wondering whether anybody else would recognize the name.
Re: (Score:2)
I have spent the last six months trying to get google to de-index an identity theft website that is also full of stolen credit card numbers, and google ignores me pointedly.
Google seems to have no problem at all with a TOR/P2P 'darkweb' silk road type website with no real WHOIS publishing the social security numbers, DOB and contact information of thousands of American citizens plus a horde of other illegal material. Google search is publishing this material live, AND caching it.
I have exchanged over 400 emails with google support on this topic, and they _refuse_ to to anything to stop publishing this criminal activity and blatant identity theft.
For a while, they WERE de-indexing this site, and now they utterly ignore me, we are talking 6 weeks of my ticket being open now with no attention.
here is the google search to get to this foul, illegal black hat hacker/identity theft website:
https://www.google.com/search?q=%22doxbin+social+security+number%22&oq=%22doxbin+social+security+number%22&aqs=chrome..69i57.7974j0j7&sourceid=chrome&espv=210&es_sm=93&ie=UTF-8
and here is the page itself reached from that search:
https://npieqpvpjhrmdchg.onion.to/doxviewer.php?dox=1194_Americans_SSNs
also
https://doxbinumfxfyytnh.onion.lu/doxviewer.php
and here is a sample of what is on that website:
(excised)
I am including the SSN's in this post because GOOGLE NEEDS TO PAY SOME ATTENTION TO THIS MATTER!
google has inhumanly, cruelly and illegally IGNORED hundreds of emails about this issue!
google is monstrous, evil and vile to deal with!
google aids and abets SERIOUS CRIMINAL ACTIVITY!
and google doesn't give a damn who is harmed by it!
Actually, Google has no responsibility for this. If you see illegal activities, contact law enforcement or go vigilante. Going vigilante is really the only scenario which might get some results, but contacting law enforcement will allow you to convince yourself that you're doing something without actually doing something, FTW!
Re: (Score:3)
If they cache them, and it is viewable, they DO have a responsibility.
Actually, the US Safe Harbor regs say that's not true [digital-law-online.info]. Why don't you do a little research before exposing your ignorance to the world? The link I posted took me less than five seconds to find. Sheesh!
From the link:
Re: (Score:2)
that link is not remotely relevant to this situation! especially then this identity theft website IS ON TOR AND HAS NO REAL WHOIS!
Granted, generally the Safe Harbor provision applies to copyrighted materials, but it seems to me that the same should apply to personal information as well. Then again, IANAL so I could be wrong. As to the status of WHOIS entries for a domain, why would that be relevant in any case? It's not even illegal to give false information for WHOIS although doing so would likely violate the registrar's TOS.