Credit Card Numbers Still Google-able

Credit Card Numbers Still Google-able 157

Posted by Soulskill on Friday November 08, 2013 @12:40PM from the information-is-not-good-at-judging-when-it-should-want-to-be-free dept.

Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.

If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.

In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.

The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.

So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)

It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."

After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."

Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."

(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)

Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.

This discussion has been archived. No new comments can be posted.