even if it is test data, we must wonder, why did anyone ever build the system such that credit card numbers were visible to google? Why did someone include the credit card number in the select clause, add it to the html template, and put it on a public server that could be crawled by Google?
Honestly looks like a credit card processor is being strange and publishing the card number in the wrong field. Only a couple people using the service had this error (not caused by them). This has been fixed long ago, just this was a cached paged caught from beta.
i'm sure there wasn't a "credit card number" field that this information came from. when downloading OFX transaction data, some banks include the full credit card number in the transaction description, and some only include the last 4 digits.
PCI compliance is something mandated through merchant agreements upon credit card processors. Blippy is not processing payments on those cards, and PCIDSS is not a law.
PCIDSS is as good as law for a credit card processing company, though. If they are not authorized by the credit card companies, they cannot process the cards. If they cannot process the cards, they are out of business.
There are lots of alternatives to accepting credit cards for payment by the way. Lots of restaurants take cash only and online, there are many third parties like Paypal to move to.
But you won't see anyone fining CitiBank for putting credit card numbers where they don't belong. Banks are, in my experience, one of the weakest links in the CC security chain.
5424 is also used outside of Citibank as my old debit card (with a MasterCard logo) from Fifth Third Bank started with 5424. I don't believe they're affiliated with Citibank, but I could be mistaken.
Not all online credit card processors require a CVS code. I don't know if you can try enough different expiration dates before it gets shutdown for fraud.
In the US, it depends entirely on the merchant. They tell the CC processor how secure they want it to be. A lot of them only need the CC number and any expiration date in the future.
In general, having the wrong CVV code will decrease the chance of the purchase going through, not stop the transaction completely. If you have, for example, the wrong CVV but the correct address and name, there is a good change the transaction will go through any way.
Wow. That is a 100 lb. sack of FAIL! More fodder for my PCI slides to show clients. Thanks Blippy, you've replaced CardSystems for me (their story was getting old).
Community? I know nobody here. Everyone, like me, is hiding behind a screen name. People get to 'downvote' anonymously, which to me is absurd. Yesterday, I make a near meaningless remark about Apple fan-boys, and got 7 points. Today, I make a more meaningful remark about how this really is a noteworthy failure -- and I'm losing Karma right and left. To me, this is comical. Community? How do you define that word?
:) I'd call this a community. You can find my real name and the real names of others on our profile. I've also met many people from here and have had people reach out to me through this site. It's the most real online community I'm part of. It's this way because most of us act sensible most of the time.
Shut up. You're making noise and you're talking like a kid. Just stop trying. You're not funny. It's not about being "touchy" is about being tired of EPIC FAIL MAGICAL REVOLUTION and how fucking tired we're from this language.
Also, I'm only responding to you because you have this account for one year and I thought you should know better. Eat your downvotes like a man and stop acting like a primadonna.
I hope your PCI slides start by pointing to the biggest security problems in the CC industry: the banks themselves. They have no real interest in fixing the security problems.
Blibby policy says "Our Services are primarily designed to help you share information about your purchases with others. This information will be public by default, but you may make it more private by editing your account settings. You should be careful about all information that will be made public by Blippy."
I do not see lots of reason to sign up for this service in the first place. With the social media interconnecting all the data even on a passive way which the F8 from FB hinted it we are heading into a direction were someone has to be more careful with personal information.
Because when you rebill a client you have to give the number again.
You can use a 3rd party gateway that acts as an intermediary between you and the bank that issued your merchant account and the 3rd party gateway will offer services such as scheduled rebilling. The gateway has to store the number though because the APIs at the highest level have no clue how to deal with internet and subscription type billing. They're still stuck in a very brick-and-mortar mindset. In this case it's the 3rd party gateway that has to deal with PCI compliance, not you.
If your transaction volume is high enough to justify it you can save a lot by cutting out another middleman and writing your own gateway. In this case though you generally have to be PCI compliant and have regular security audits to stay compliant.
PCI compliance only makes sense when you store CC numbers since PCI is a set of requirements on how to store them. Saying you don't store CC numbers and are PCI compliant makes no sense. EDIT: As andrewf points out below I'm wrong about this paragraph.
Saying you don't store CC numbers and are PCI compliant makes no sense.
Yes I know, that's why I didn't say that.
I'm wondering why you would ever (as a startup) choose to write your own gateway and not outsource this to a company that can be PCI compliant (i.e. the Gateway)
I wasn't implying that you were, I was just trying to be clear.
Why is simple. It's the economics. If you're a startup that does lots of micro-transactions you're paying a good chunk of overhead in gateway processing fees. If you feel it's worth the continual development effort (because don't kid yourself, writing a secure internal gateway takes a long time and essentially never ends) then you do it.
In Blippy's case they probably had to write their own because I don't know of any 3rd party gateway that has an API to return a list of user purchases when you give them a credit card number. I'm actually surprised the banks even support that kind of request.
If you feel it's worth the continual development effort then you do it.
I would think that when you start thinking your first application requires a second application (that you have to build yourself) just to efficiently exist, you should be taking a good solid look at the viability of your idea.
In Blippy's case they probably had to write their own
Case in point I suppose.
PCI compliance isn't something a startup should be looking to saddle themselves with, in my mind. Once you're established and can analyze whether you want to internalize an outsourced function, it's on the table with everything else I suppose.
PCI compliance isn't something a startup should be looking to saddle themselves with, in my mind. Once you're established and can analyze whether you want to internalize an outsourced function, it's on the table with everything else I suppose.
Exactly.
That's the point I was trying to get across. Guess I wasn't very clear. =)
PCI DSS states: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.
If a system accepts CC numbers from a form and then passes them to a 3rd party gateway for processing, it's within PCI scope, even if it doesn't store them.
Certain companies (like Braintree) offer a service where the credit card data is POSTed directly to their server, relieving you of most aspects of PCI compliance.
It looks like the credit card numbers are included in the Blippy section starting with "The purchase appears on your statement as:", followed by the actual text of the line entry from the statement.
From that, I'm guessing that Blippy lets users automatically import their credit card statements, but they didn't anticipate that the entries in those credit card statements would occasionally include full credit card numbers. Embarrassing but a corner case.
I don't mean this to sound snarky but I'm having a hard time understanding the basic utility of blippys service.
Why would you want to automatically share information about every purchase you make with your credit/debit card with the world? It just sounds like a recipe for disaster with very little upside.
Can anyone who uses this service (if any HN members do) explain the usefulness of it to me? I might just be misunderstanding the purpose.
I don't use the service, but I see it as a blog like tool. If you have one, you only use it in scenarios you'd like to tell everyone about. If you're at a baseball game, you use it to buy beers and they automatically post something like "John Doe bought 4 beers at the Giants game".
I was wondering the same thing, it just seems like a service where they'll be able to sell your data to companies down the road, or advertise you stuff you might be interested in.
Even if this turns out to be test data, it's still pretty shocking and will tarnish the service forever.
It's definitely an example of what can happen to your financial info if a website you give it to makes a mistake or gets greedy. It's why I'd never use a service like that or mint, et al...
It's only for the most exhibitionist type of people. Think of sci-fi books with people being "life actors" or some such where people can tune in to them 24/7 and see what they're doing. It's basically just a stepping stone to that. I don't see this ever becoming even close to mainstream.
Yet, strangely, the people who want to sell me crap never let me cash in directly on my personal information. They always want to buy through some middleman that claims to be offering me some other service.
(OT/X-Post Just getting to this now:)
Silly, everybody knows you don't have a Discover card, because you're on Facebook, where all of us friends know this about you....
btw i cant believe nobody point a finger on google yet, this part of their fault too. there should a 'proper' mechanism on their webmaster tool an option to excluded a sensitive data Or make it an opt-out features Or add one regex line to detect an anomaly data on their search.
Google shouldn't bear responsibility for indexing something sensitive, as the sensitive information should not be reachable via any link anywhere, let alone on the public Internet. It's about as sane as expecting the government to clean up after one's own mistakes, and just as damaging to the concept of personal or corporate responsibility.
There is such a proper mechanism: robots.txt. Whenever I put all my users' credit card numbers on a public web server I make sure the URL is properly protected by robots.txt. If I want to be absolutely sure everything is safe I use CSS to make the numbers invisible on top of that! ;-)
Why on earth would you let credit card numbers be publicly accessible; furthermore, one can simply view source to see those numbers. Security through obscurity is not a very good approach - you should read up on PCI compliance by starting here: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu....
Obscurity? Pffft. Simplicity! Nothing beats an HTML page right there in htdocs. You can store anything there and it's totally NoSQL as well. Anything else would be premature optimization. Do the simplest thing that could possibly work! Agile! I've got it all covered by unit tests so there can't be a problem. And if there's a breach I'll just rewrite it all in Haskell. Who are you anyway to tell a seasoned professional how to deal with credit card numbers securely? :)
I use it - not the credit card part - and its fun. I don't check it often, but every now and then. I guess the appeal is that its unique, new, and has potential.
I don't think that's entirely fair. Twitter has some purposes other than sheer vanity. Sharing links, 1 to many communication, etc.
Don't get me wrong, I don't care for Twitter myself. I don't use it, and I do find most of it to be trite and little more than navel gazing. But I can see some useful signal on Twitter, I just cannot see how it could not get buried under an avalanche of noise.
I can definitely see the value from a sales/marketing perspective, but the trick is getting people using this. They're going to have a pretty big challenge consistently delivering value to their users and not becoming at best an ephemeral fad.
From comments I have heard Leo Laport making on his TWIT podcast, he uses the service and has found several products he has happily bought when other users on Blippy brought them to his attention.
I am also keeping in mind that there are many jokes in the podcasts about Mr. Laport's proclivity to purchase tech items, at times in quantity, as an early-early adopter.
Is Twitter that much different than HN? They're both collective link sharing filters albeit we get sweet threaded comments and peanut gallery points here
It could also be financial therapy for the serious shopaholic, to have all spendings be public for critique among friends and family... much like calorie counting/blogging for those on diet
As an experiment i followed up 5424xxxxxx number to check if its a test number. I could track down the card's owner and a little judicious googling gave away the owner's home address as well.
165 comments
[ 69.0 ms ] story [ 4182 ms ] threadSome line items 'comments' field had credit card details included in them, which they didn't bank on.
I wonder if this is something to do with test data.
edit: I was wrong, it's the full number that's a test number. 5424 0000 0000 0015
(Edited to remove actual numbers in case they're not test numbers)
The two numbers listed on that site are test numbers. 5424 is a very common MasterCard prefix.
Why would only Citibank cards show up?
http://mashable.com/2010/04/23/blippy-credit-card-numbers
http://twitter.com/owenthomas/statuses/12705151399
ref: http://www.crunchbase.com/company/blippy
http://news.ycombinator.com/item?id=1287503
Also, I'm only responding to you because you have this account for one year and I thought you should know better. Eat your downvotes like a man and stop acting like a primadonna.
Why do they (or any other startup) even know what actual credit card numbers are?
How many of you operate in the same way? Why? Are you PCI compliant?
You can use a 3rd party gateway that acts as an intermediary between you and the bank that issued your merchant account and the 3rd party gateway will offer services such as scheduled rebilling. The gateway has to store the number though because the APIs at the highest level have no clue how to deal with internet and subscription type billing. They're still stuck in a very brick-and-mortar mindset. In this case it's the 3rd party gateway that has to deal with PCI compliance, not you.
If your transaction volume is high enough to justify it you can save a lot by cutting out another middleman and writing your own gateway. In this case though you generally have to be PCI compliant and have regular security audits to stay compliant.
PCI compliance only makes sense when you store CC numbers since PCI is a set of requirements on how to store them. Saying you don't store CC numbers and are PCI compliant makes no sense. EDIT: As andrewf points out below I'm wrong about this paragraph.
Yes I know, that's why I didn't say that.
I'm wondering why you would ever (as a startup) choose to write your own gateway and not outsource this to a company that can be PCI compliant (i.e. the Gateway)
Why is simple. It's the economics. If you're a startup that does lots of micro-transactions you're paying a good chunk of overhead in gateway processing fees. If you feel it's worth the continual development effort (because don't kid yourself, writing a secure internal gateway takes a long time and essentially never ends) then you do it.
In Blippy's case they probably had to write their own because I don't know of any 3rd party gateway that has an API to return a list of user purchases when you give them a credit card number. I'm actually surprised the banks even support that kind of request.
I would think that when you start thinking your first application requires a second application (that you have to build yourself) just to efficiently exist, you should be taking a good solid look at the viability of your idea.
In Blippy's case they probably had to write their own
Case in point I suppose.
PCI compliance isn't something a startup should be looking to saddle themselves with, in my mind. Once you're established and can analyze whether you want to internalize an outsourced function, it's on the table with everything else I suppose.
Exactly.
That's the point I was trying to get across. Guess I wasn't very clear. =)
If a system accepts CC numbers from a form and then passes them to a 3rd party gateway for processing, it's within PCI scope, even if it doesn't store them.
Is there any way to report this to Citibank?
From that, I'm guessing that Blippy lets users automatically import their credit card statements, but they didn't anticipate that the entries in those credit card statements would occasionally include full credit card numbers. Embarrassing but a corner case.
Why would you want to automatically share information about every purchase you make with your credit/debit card with the world? It just sounds like a recipe for disaster with very little upside.
Can anyone who uses this service (if any HN members do) explain the usefulness of it to me? I might just be misunderstanding the purpose.
Even if this turns out to be test data, it's still pretty shocking and will tarnish the service forever.
If you buy something and then a number of your 'followers' buy the same item a few days afterwards, that information is very valuable.
Then they will monetize by giving it to the only people who really care how much you spend at Starbucks: Starbucks (and competitors).
It's the easiest way to share your credit card information with the world.
2) Submit photo to hacker news
btw i cant believe nobody point a finger on google yet, this part of their fault too. there should a 'proper' mechanism on their webmaster tool an option to excluded a sensitive data Or make it an opt-out features Or add one regex line to detect an anomaly data on their search.
ffs they have billions to tinker around with it
On a more serious note, I think Blippy's main use is efficient bragging.
Don't get me wrong, I don't care for Twitter myself. I don't use it, and I do find most of it to be trite and little more than navel gazing. But I can see some useful signal on Twitter, I just cannot see how it could not get buried under an avalanche of noise.
Blippy seems totally vacuous.
I can see it catching on with kids definitely.
I am also keeping in mind that there are many jokes in the podcasts about Mr. Laport's proclivity to purchase tech items, at times in quantity, as an early-early adopter.
Kids that don't have a credit card?
Doesn't look like a test number.