Whirlpool forum member ‘benjee’ accidentally stumbled across 19,000 credit card numbers after receiving a ‘Google alert’ for a name.

Before Whirlpool took the thread down citing “being handled by authorities”, ITNews got in contact with benjee and ran with the story.

‘Google alert’ is a website that offers a tracking service for Google searches. Presumably the forum member was tracking a particular name, and the service picked up a new search result and emailed it to him.

Disclaimer: The Whirlpool thread was deleted between my reading it at work and looking it up again once I got home, so I’m going off what I remember for some things. The usual ‘accuracy might not be 100%’ disclaimer applies.

After checking out the alert, the forum member found themselves at the compromised site. ITNews quotes the forum member:

“I received a Google Alert for a name,” said the worker who discovered the problem, speaking on condition of anonymity to iTnews.

“The alert started with a bunch of other numbers, so I went to the web page and it was just a virtual directory listing with a bunch of directories underneath and a load of files inside.”

“It looks like the site might have been a payment processing gateway that handled credit card transactions for a bunch of websites before it went belly-up,” the worker speculated.


The Whirlpool thread detailed the forum member’s attempts to bring this massive breach of security to the attention of the credit card companies, Visa and Mastercard (it might have been American Express instead of Mastercard, but one was definitely Visa).

One company’s representative told him it ‘simply wasn’t their problem’ and that he should contact the offending retailers.

The other company got him to verify he actually had the details by matching names to credit card numbers along with the sensitive CVV (that 3-digit number on the back that’s supposed to be the be-all and end-all of security). After confirming that this was a legitimate call, they placed him on hold for a long period of time and he eventually hung up out of frustration.

They didn’t call him back.

Google’s cache managed to catch the start of the thread before it was deleted:

I called Visa who put me to the US, who then put me on hold, screw that.

And I called MasterCard and the rude yankee lady said it’s not their business, I have to contact all of the issuing financial institutions. No… way!!!!

I am trying to do the right thing, in my own time, for no reward.


ITNews are reporting that out of the 19,000 (the Whirlpool thread stated it was 19,500 numbers), there are “up to 60 Australian numbers”.

The credit card numbers are for accounts held with Visa, Mastercard, American Express, Solo, Switch, Delta and Maestro/Cirrus.

Within the address bars of the cached pages are URLs of companies, including UK retailers of laboratory supplies, sports and health goods, apparel, photo imaging and clothing.


As far as I know the matter has now been referred to the Australian Federal Police, and presumably Google has been contacted and the matter is being dealt with.

Obviously a massive security leak like this is a big deal, and you can’t help but wonder, first, just how long Google was caching the sensitive information and, second, whether there is a pattern to these Google cache hits that scammers could use to identify security breaches before the authorities do.


It’s very easy to want to point the finger at Google, especially as it’s apparently a “known issue” that has been around since at least 2004, if not earlier. The problem doesn’t lie with Google, however: it’s impossible for a crawler to distinguish sensitive unprotected data from everything else on the internet.

Ideally, databases containing sensitive information, and the connections used to access them, are encrypted (that little padlock icon in the bottom right that pops up when you use PayPal etc.), but if a company goes bust or a careless admin leaves parts of their database open, even for a brief period before realising, there’s a very good chance Google’s web crawlers will pick it up and index it.

From there the compromised information might stay indexed for months until someone (Google themselves, the authorities or a member of the public) realises and appropriate action is taken. It’s important to understand that unsecured, unencrypted, publicly available sensitive information looks exactly the same as non-sensitive information to a web crawler.

Furthermore, the indexing of websites and of page/database updates is not instantaneous: the internet is huge, and automated updates to the search engine index can take weeks if not months to come into effect. So even if a hole is plugged, if the data was available for even more than half an hour and nobody reports it, there’s a good chance it is indexed somewhere, just waiting to be discovered.
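One defender-side check that follows from the point above, as an added example that is not code from the original post: scan text sitting in a web-accessible directory for Luhn-valid card numbers before a crawler indexes it. The sample records are constructed from publicly documented test card numbers, and the issuer ranges are a simplified assumption.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer ranges (assumption), enough to label a hit.
BRANDS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^5[1-5]\d{14}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    for name, pattern in BRANDS:
        if pattern.match(digits):
            return name
    return "unknown"


def find_pans(text: str) -> list:
    """Return (brand, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops order ids and totals that merely look numeric
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((brand_of(digits), masked))
    return hits


# Constructed sample: lines of an exported order file left in a web root.
SAMPLE = (
    "order=1042 name=J. Smith card=4111 1111 1111 1111 cvv=123\n"
    "order=1043 name=A. Jones card=5555-5555-5555-4444\n"
    "invoice=20090321 total=1234567890123 ref=378282246310005\n"
)

if __name__ == "__main__":
    for brand, masked in find_pans(SAMPLE):
        print(f"{brand}: {masked}")
```

Only masked values are reported, so the scanner's own output does not become another copy of the leak.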

So just how easy is it to discover?

Well, you could probably pull out the Yellow Pages and start punching in random names all day to see if anything comes up; you might just get lucky. A more alarming thought is that keywords or strings commonly found in such data leaks could let scammers perfect automated harvesting of these leaks.

Back in 2005 the US Federal Trade Commission put the credit card number black market at an estimated $48 billion annually; four years later, in 2009, god knows what it’s worth today. With such large amounts of money at stake, it wouldn’t be surprising how far scammers have gone to be the first to identify possible security leaks as they pop up on Google, before anyone else catches on.

In fact some people have even put up guides on what to look for.

A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories. This becomes an easy source for information gathering for a hacker.

Imagine if they get hold of password files or other sensitive files which are not normally visible to the internet. Given below are a few examples with which one can get access to much sensitive information easily.

“Index of /credit-card”


Out of curiosity I plugged “Index of /credit-card” into Google and it returned 43,200,000 results (forty-three million, two hundred thousand). That’s not to say that’s how many compromised sites are out there, far from it; as you’ll see, most sites just have the keywords in their body text.

Still, forty-three million results is a ton of data to sift through, and it’s more than a start for the aspiring Nigerian prince.

It should be noted that in the world of scamming most information is obsolete well before it trickles down into the public arena. Scamming tactics and techniques are highly valuable assets protected by the scammers that use them so don’t expect to kick start a successful scamming career from guides publicly available on the internet.

Personally I’ve never had my credit card numbers stolen via the internet or otherwise so I really can’t comment on what it feels like or the process involved in any great detail. I’d love to hear from some people who have though so feel free to leave a comment if you’ve had your card details stolen.

Others have put stories of their stolen credit card numbers online. Eugene writes:

First off, I had a bunch of fraudulent charges on my credit card. Had to get sent a new card, then had to do due diligence and make sure it was just a stolen card number and not full-blown identity theft. I know three other people who’ve had similar things happen to them in the past three months. Makes me think the economy has got criminals working overtime.


Trevor Shipp also shares his experience:

My phone rang this morning at about 9 am. I neglected to pick it up because I was busy with work but later glanced over to see where the call had come from. It turned out to be an unrecognizable 800 number, and I had a feeling that I should listen to the voice mail. The message was from my credit union’s Risk Management Division.

I quickly called back and spoke to an individual who informed me of a charge that took place 8 minutes ago from a recognized credit card information seller. Somehow my credit card information was taken by somebody, reported to this known seller, and charged $5.78 this morning as a test to make sure my credit card worked. This is, of course, very typical before your information gets sold, as the buyers want to be sure they’re getting credit card details that work.


Between details randomly being stolen, defunct websites leaking your information and Google caching your details, there seems to be quite a lot of randomness in the equation that equals your details winding up online.

While it is a bit scary to think about, and the example of the Whirlpool user today illustrates just how random it can be, I probably won’t stop shopping online for the same reason most of you won’t either: it’s just too damn convenient.

Ah well, worst comes to worst, at least I’ll get some reward points out of it, because we all know how useful they are.


Update 21/03/09 11:53am:

Google cache has managed to catch the start of the thread before it was nuked, link working at time of publication.

