MsMittens
Aug 4 2004, 12:19 AM
I'm not quite sure where to put this or whether this should even be posted here. Mods are welcomed to trash it if need be or move it accordingly. If this was posted before, I apologize. I did a search but didn't find anything.
I'm going to assume (I know.. dangerous option) that members are ethical and do things "legally". What is scary is how easy a tool like Google is for attackers. This should be a reminder to those that manage websites, specifically those that are "e-shops", to limit the activity of search engines and their web crawling spiders.
| QUOTE | Source: ZDNet
Simple queries using the Google search engine can turn up a handful of sites that have posted credit card information to the Web, CNET News.com learned on Tuesday.
The lists of financial information include hundreds of card holders' names, addresses and phone numbers as well as their credit-card data. Much of the credit-card data that appears in the lists found by Google may no longer be valid, but CNET called several people listed and verified that the credit card numbers were authentic. The query, the latest example of "Google hacking," highlights increasing concern that knowledgeable Web surfers can turn up sensitive information by mining the world's best-known search engine.
"It seems like everyone has their own trick," said Chris Wysopal, vice president of research and development for digital security firm @Stake. "This is really searching for data that should be secret but has been exposed either through misconfiguration or by someone who has stolen it."
There is no shortage of ways to search Google to find such data. Whole sites spell out how to search for financial information and describe software vulnerabilities and vulnerable configurations on Internet machines. Google is the tool of choice because its powerful search options, such as the ability to search for a range of numbers--useful in finding credit card data--are not present in other companies' search engines.
Google would not comment, citing the quiet period before the company's initial public offering. However, a company source did say that the search firm has a tool for Web masters to remove pages from the archive, if they find that parts of their site violate laws or regulations. Moreover, the company has decided to allow anyone to request the removal from search results of any document that includes a Social Security or credit card number--a note to help@google.com with a link to the page will suffice, the source said.
Keith Ernst--a Durham, N.C., resident and, ironically, a worker at a financial antifraud company--found himself on the receiving end of a data leak earlier this year that resulted in his debit-card number being posted on such a list. Before Ernst canceled his card, the number had been used for a variety of charges. A foreign student had attempted to pay college tuition with the stolen number.
"It was very unsettling to see those charges come up on your account," said Ernst, who normally works to prevent fraud from happening to others. "It was interesting, to say the least, to be on the other side of the issue."
Ernst's information is now posted to an Arabic bulletin board with more than a hundred other people's financial records, at the beck and call of a simple search on Google. His credit union refunded the charges and now he only uses credit cards to make Internet purchases, because fraudulent charges using a credit card are not immediately debited from his bank account.
The FBI could not immediately comment on whether the agency was investigating the sites listing financial information. The sites seemed to be spread out over the globe: One had a Russian domain name, another was written in Arabic, and a third was based in the Netherlands.
Good guys can Google, too
The rise of such Web sites has convinced @Stake's Wysopal that major credit issuers should start using Google as a security tool, searching for vulnerabilities and leaked information before other, potentially malicious, people find the data.
"Shouldn't Visa be proactive and do these searches on a daily basis?" he asked. "The bad guys are doing it, so why aren't the good guys doing it and beating them to the punch?"
The sentiments echoed statements made at the Black Hat Security Briefings in Las Vegas last week, where security researchers and hackers were surprised to learn the extent to which Google can pinpoint weakly secured servers and databases.
Visa already has many sources to pinpoint fraud, said Rosetta Jones, a spokeswoman for the company.
"When we run them against a database, it is very common to find that, in most cases, we have known that the credit card was stolen," she said.
While the company may not use Google to track when sites containing credit-card information appear, it has moved to have many such sites taken down when tipped off to the situation. So far this year, Visa has had 20 sites pulled from the Web for trafficking in stolen credit cards.
One big haystack
With 4 billion Web pages on the Internet, Google is not able to police its archives very effectively, a source at the company said. The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links.
That means consumers are left to carefully watch their information. Yet, the degree to which fraud has become more common makes consumers like Ernst fatalistic.
"I am sure that the information is out there," the fraud-fighter said. |
From Slashdot:
| QUOTE | Try googling:
visa 4356000000000000..4356999999999999
For example. Not saying this is the only way to find these, but it certainly is an interesting application of Google. |
SET_coo
Aug 4 2004, 02:11 AM
wow....scary....but! what on earth are u gonna do with CC#'s unless u wanna go to jail? useful info tho.
tweakz20
Aug 4 2004, 02:26 AM
NICE FIND!.. use the google cache link btw.... and you might want to try a proxy at some point in time
SET_coo
Aug 4 2004, 03:02 AM
| QUOTE (tweakz20 @ Aug 4 2004, 02:26 AM) | NICE FIND!..
use the google cache link btw.... and you might want to try a proxy at some point in time |
very good idea....the sad thing now though, is that it's public...*sniff* o well.
SET_coo
Aug 4 2004, 03:10 AM
frosty...i see u looking....no comments?
ZoraX
Aug 4 2004, 07:40 AM
Wow, so it's that easy to get somebody's card number, this really shouldn't be possible for the safety of normal internet users.
But, if evil ppl get these numbers, how can they abuse them? Bruteforce the password or what?
MsMittens
Aug 4 2004, 08:37 AM
If they get the number they can create a fake credit card. The ability of carders has grown and it's quite a booming business. I've had a VISA rep in to speak to a security class. It's scary how easy it is to do this (aka Carding). While it does get harder to do the man made cards, some online companies still don't check the true validity of cards. If you check the cache of some of the results you get full addresses, names and SSN. That kind of detail is very scary.
chris105
Aug 4 2004, 02:52 PM
but don't you need an expiry date too?
MsMittens
Aug 4 2004, 03:28 PM
It helps. Some of the ones listed in the Google search have that as well.
mortello
Aug 4 2004, 04:04 PM
well, I don't really find this that much disturbing since we all know that it's been around for a long time (carding)....doing it one way or another
anyway, Credit Card companies pay if your card is used fraudulently, so I guess this is more a problem for them, and not so much for us...
mrBob
Aug 4 2004, 04:10 PM
this sux a simple google search took me to a site which listed many CC numbers many were not expired so ready for illegal usage
mortello
Aug 4 2004, 05:23 PM
| QUOTE (mrBob @ Aug 4 2004, 04:10 PM) | this sux a simple google search took me to a site which listed many CC numbers many were not expired so ready for illegal usage |
well, the fact that there are some usable Credit card flowing around like that....shouldn't we, maybe, send them to Visa/MasterCard/others for them to cancel the numbers....I know I wont use the #'s and I don't think anybody should....
maybe they'd even give the people sending them the info a reward...
tweakz20
Aug 4 2004, 05:55 PM
i was bored and tried some of the paypal and ebay accounts listed on one site.. and NONE of them worked... so if those were closed when the site was closed by the government, they probably closed the credit cards that didn't expire yet also...
and yes, i saw a few that were set to expire in 2005
MsMittens
Aug 4 2004, 08:01 PM
| QUOTE (mortello @ Aug 4 2004, 12:04 PM) | well, I don't really find this that much disturbing since we all know that it's been around for a long time (carding)....doing it one way or another
anyway, Credit Card companies pay if your card is used fraudulently, so I guess this is more a problem for them, and not so much for us... |
Yes and no. One of the biggest issues is the inclusion of the SSN (Social Security Number). Identity theft is a growing industry and while CCs companies will cover most fraud costs (except up to $50 IIRC), the cost to get your identity back can be harder (upwards of $50,000 last I heard).
It should be a reminder to the average citizen and user that *ANYTHING* can be found out about someone on the Internet. It's just a matter of time, effort and resources.
Reckless
Aug 4 2004, 09:00 PM
| QUOTE (chris105 @ Aug 4 2004, 02:52 PM) | | but dont you need an expiry date too ? |
try searching you'll get em with the expiry dates too 0.o
ComSec
Aug 4 2004, 09:38 PM
i would be very wary using this now its open knowledge...because
now who's to say this search string is not being monitored by ...say various fraud squads from around the world ... with the help of google to trap all you guys via the request logging your IP's...
coz quite a few of you will not have used proxies to view your hits....
and then there is honeypots with cc numbers ..be it fake ..just itching to suss you out !!!....
then with the help of your ISP watch your every step.... and sting you when they have enough proof ?
tread carefully... you could be setup... !
mortello
Aug 5 2004, 01:04 AM
| QUOTE (MsMittens @ Aug 4 2004, 08:01 PM) | | QUOTE (mortello @ Aug 4 2004, 12:04 PM) | well, I don't really find this that much disturbing since we all know that it's been around for a long time (carding)....doing it one way or another
anyway, Credit Card companies pay if your card is used fraudulently, so I guess this is more a problem for them, and not so much for us... |
Yes and no. One of the biggest issues is the inclusion of the SSN (Social Security Number). Identity theft is a growing industry and while CCs companies will cover most fraud costs (except up to $50 IIRC), the cost to get your identity back can be harder (upwards of $50,000 last I heard).
It should be a reminder to the average citizen and user that *ANYTHING* can be found out about someone on the Internet. It's just a matter of time, effort and resources.
|
Didn't think of that part, but you are right
Spookie
Aug 6 2004, 01:30 PM
Something from CNN that might be of interest to some of you regarding this thread. Also Mortello mentioned | QUOTE | | well, I don't really find this that much disturbing since we all know that its been around for a long time (carding). |
the level of advancement in this area is actually very very interesting. I especially found the part about shadow scanning- and cleared cards to be an interesting read. Especially since they're able to implement a feature to overcome the security key, when creating a specific type of credit card.
ComSec
Aug 6 2004, 05:53 PM
take a look at this article about google big brother... might find interesting http://www.governmentsecurity.org/forum/in...showtopic=10518..
twistedps
Aug 13 2004, 05:49 AM
it should be noted that all of those that you find have been seen by countless other users, don't attempt to use em, i can guarantee they've all been flagged.
101
Aug 13 2004, 10:05 AM
| QUOTE (twistedps @ Aug 13 2004, 05:49 AM) | | it should be noted that all of those that you find have been seen by countless other users, don't attempt to use em, i can guarantee they've all been flagged. |
maybe but the interesting hole is that you take an old card expired in 07/01 for example, I just tried to update the expire date like 07/05. It worked, because if you keep your card, only the exp date is updated + some websites don't really check the CVV2 num
twistedps
Aug 20 2004, 05:13 AM
| QUOTE (101 @ Aug 13 2004, 10:05 AM) | | QUOTE (twistedps @ Aug 13 2004, 05:49 AM) | | it should be noted that all of those that you find have been seen by countless other users, don't attempt to use em, i can guarantee they've all been flagged. |
maybe but the interesting hole is that you take an old card expired in 07/01 for example, I just tried to update the expire date like 07/05. It worked, because if you keep your card, only the exp date is updated + some websites don't really check the CVV2 num |
*shakes head* *watches the red flags pop up in the government databases*
prog
Aug 20 2004, 03:27 PM
| QUOTE (twistedps @ Aug 20 2004, 05:13 AM) | | QUOTE (101 @ Aug 13 2004, 10:05 AM) | | QUOTE (twistedps @ Aug 13 2004, 05:49 AM) | | it should be noted that all of those that you find have been seen by countless other users, don't attempt to use em, i can guarantee they've all been flagged. |
maybe but the interesting hole is that you take an old card expired in 07/01 for example, I just tried to update the expire date like 07/05. It worked, because if you keep your card, only the exp date is updated + some websites don't really check the CVV2 num |
*shakes head* *watches the red flags pop up in the government databases*
|
bwauahaha