Google hacking and Credit Card Security (or lack of it)

Thread: Google hacking and Credit Card Security (or lack of it)

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Google hacking and the state of web security

    An Anonymous Coward on Slashdot posted this today:
    Try googling:

    visa 4356000000000000..4356999999999999

    For example. Not saying this is the only way to find these, but it certainly is an interesting application of Google.
    Damn, looks like many folks aren't careful about what data they put on the web.

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Google queries provide stolen credit cards

    Simple queries using the Google search engine can turn up a handful of sites that have posted credit card information to the Web, CNET News.com learned on Tuesday.
    The lists of financial information include hundreds of card holders' names, addresses and phone numbers as well as their credit-card data. Much of the credit-card data that appears in the lists found by Google may no longer be valid, but CNET called several people listed and verified that the credit cards numbers were authentic. The query, the latest example of "Google hacking," highlights increasing concern that knowledgeable Web surfers can turn up sensitive information by mining the world's best-known search engine.

    "It seems like everyone has their own trick," said Chris Wysopal, vice president of research and development for digital security firm @Stake. "This is really searching for data that should be secret but has been exposed either through misconfiguration or by someone who has stolen it."

    There is no shortage of ways to search Google to find such data. Whole sites spell out how to search for financial information and describe software vulnerabilities and vulnerable configurations on Internet machines. Google is the tool of choice because its powerful search options, such as the ability to search for a range of numbers--useful in finding credit card data--are not present in other companies' search engines.

    Google would not comment, citing the quiet period before the company's initial public offering. However, a company source did say that the search firm has a tool for Web masters to remove pages from the archive, if they find that parts of their site violate laws or regulations. Moreover, the company has decided to allow anyone to request the removal from search results of any document that includes a Social Security or credit card number--a note to help@google.com with a link to the page will suffice, the source said.

    Keith Ernst--a Durham, N.C., resident and, ironically, a worker at a financial antifraud company--found himself on the receiving end of a data leak earlier this year that resulted in his debit-card number being posted on such a list. Before Ernst canceled his card, the number had been used for a variety of charges. A foreign student had attempted to pay college tuition with the stolen number.

    "It was very unsettling to see those charges come up on your account," said Ernst, who normally works to prevent fraud from happening to others. "It was interesting, to say the least, to be on the other side of the issue."

    Ernst's information is now posted to an Arabic bulletin board with more than a hundred other people's financial records, at the beck and call of a simple search on Google. His credit union refunded the charges and now he only uses credit cards to make Internet purchases, because fraudulent charges using a credit card are not immediately debited from his bank account.

    The FBI could not immediately comment on whether the agency was investigating the sites listing financial information. The sites seemed to be spread out over the globe: One had a Russian domain name, another was written in Arabic, and a third was based in the Netherlands.

    Good guys can Google, too
    The rise of such Web sites has convinced @Stake's Wysopal that major credit issuers should start using Google as a security tool, searching for vulnerabilities and leaked information before other, potentially malicious, people find the data.

    "Shouldn't Visa be proactive and do these searches on a daily basis?" he asked. "The bad guys are doing it, so why aren't the good guys doing it and beating them to the punch?"

    The sentiments echoed statements made at the Black Hat Security Briefings in Las Vegas last week, where security researchers and hackers were surprised to learn the extent to which Google can pinpoint weakly secured servers and databases.

    Visa already has many sources to pinpoint fraud, said Rosetta Jones, a spokeswoman for the company.

    "When we run them against a database, it is very common to find that, in most cases, we have known that the credit card was stolen," she said.

    While the company may not use Google to track when sites containing credit-card information appear, it has moved to have many such sites taken down when tipped off to the situation. So far this year, Visa has had 20 sites pulled from the Web for trafficking in stolen credit cards.

    One big haystack
    With 4 billion Web pages on the Internet, Google is not able to police its archives very effectively, a source at the company said. The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links.

    That means consumers are left to carefully watch their information. Yet, the degree to which fraud has become more common makes consumers like Ernst fatalistic.

    "I am sure that the information is out there," the fraud-fighter said.
    Source : http://zdnet.com.com/2100-1105_2-5295661.html
    -Simon "SDK"

  3. #3
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Crap! I've been found out! *flees planet*

    Seriously, this has me worried even more now...

    One big haystack
    With 4 billion Web pages on the Internet, Google is not able to police its archives very effectively, a source at the company said. The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links.

    That means consumers are left to carefully watch their information. Yet, the degree to which fraud has become more common makes consumers like Ernst fatalistic.
    Yet again, businesses can just EULA everything out, and by any "consumer" using their web page in any context, they're released from any responsibility, etc... *sigh* The consumers are left out in the cold... the same consumers who don't know how to protect their own PCs.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  4. #4
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I posted an example in this thread:

    http://www.antionline.com/showthread...hreadid=260580

    at about the same time you posted this. Sick minds think alike.

  5. #5
    Senior Member
    Join Date
    May 2004
    Posts
    519
    That's absolutely insane.... There is no real way of fixing that either, I suppose.

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    184
    Wow... that could become a great problem for some people.
    Especially if they are a little unsecure with info... such as that!

  7. #7
    Excellent Google hacking tutorial.
    http://www.antionline.com/showthread...512#post743663


    Here are some automated tools for Google security:
    http://www.foundstone.com/resources/s3i_tools.htm


    I would figure that googling your name would let you know if you are a victim.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Merged threads into one. Renamed thread (if you have issues with the rename pop me a PM).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    That's some really freaky ****. I just pulled up about 1000 people. Many of them have SS #s. Someone has gotta fix that ****.

    My guess is that some websites store their customers' information online and do not encrypt it, hence Google picks it up?

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    My guess is that some websites store their customers' information online and do not encrypt it, hence Google picks it up?
    Or the websites themselves haven't got simple protections in place. As an example, I know some professors will use their website space to store exams (i.e., they create the exam at home, upload it to their website but not post it or link it, and then download it at work). Because they often have poor permissions (e.g., 777), one can use Google (or other search engines) to search. A simple exam+".doc" can pull up a few responses. I've done this kind of search and found exams (and ANSWERS!!) for exams that semester. It was incredibly scary but an unfortunate reality.

    In some of the Google responses it looks like text files on Russian or Indian sites (the ones I saw) that some CC crackers got. Interesting that it includes addresses, etc. I suspect we may see some new "protect yourself from Google" phishing scams coming out of this.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
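Wysopal's point in the CNET article (search for the leaked data yourself before someone else does) and MrLinus's point above (unlinked files with sloppy permissions still get crawled) both come down to the same defensive check: look at your own web root the way a crawler would. The script below is an added example written for this thread, not code from the article or from anyone in it. It walks a document root, flags files that are world-writable (the "777" case) and files whose text contains card-number-like digit runs that pass the Luhn check, and masks anything it finds so the report itself is not a leak. The sample web root it builds, the file names and the numbers in it are all constructed for the demo; 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
"""Defender-side scan of a web document root for card-number leaks and
world-writable files, before a search engine indexes them.
Added example for this thread; all sample data below is constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so 20+ digit IDs are skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 checksum used by card issuers; filters out most
    phone numbers, order IDs and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep issuer prefix and last four, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return masked card-number candidates found in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def world_writable(path):
    """True if the 'other' write bit is set (e.g. chmod 777)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def scan_webroot(root):
    """Walk every file under root; report those that are world-writable
    or contain Luhn-valid card-number-like strings."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")  # binaries tolerated
        except OSError:
            continue
        entry = {
            "path": p.relative_to(root).as_posix(),
            "world_writable": world_writable(p),
            "pans": find_pans(text),
        }
        if entry["world_writable"] or entry["pans"]:
            findings.append(entry)
    return findings


def build_sample_webroot():
    """Create a constructed web root in a temp dir (hypothetical layout):
    a harmless page, an unlinked exam file with 777 permissions, and an
    order dump containing one valid test card number and one invalid run."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "uploads").mkdir()
    (root / "orders").mkdir()
    index = root / "index.html"
    index.write_text("<p>Call 555-123-4567. Order ref 1234567890.</p>\n")
    os.chmod(index, 0o644)
    exam = root / "uploads" / "exam.doc"
    exam.write_text("Midterm questions (constructed sample)\n")
    os.chmod(exam, 0o777)  # the sloppy permission case
    orders = root / "orders" / "customers.txt"
    orders.write_text(
        "J. Doe, Card: 4111 1111 1111 1111, exp 01/09\n"   # Luhn-valid test number
        "R. Roe, Card: 1234567890123456, exp 02/09\n"      # fails Luhn, ignored
    )
    os.chmod(orders, 0o644)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f)
```

Run it against a real document root instead of the sample by passing the path to `scan_webroot`; anything it reports is something a crawler could already have copied, so the fix is to remove the file or move it outside the web root, not merely to request de-indexing afterwards.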
