165 comments

[ 69.0 ms ] story [ 4182 ms ] thread
Looks like Amazon were right to ban them over privacy concerns...
it seems like this is old test data in the google cache, not current data
even if it is test data, we must wonder, why did anyone ever build the system such that credit card numbers were visible to google? Why did someone include the credit card number in the select clause, add it to the html template, and put it on a public server that could be crawled by Google?
From their response, as far as I understand it,

Some line items 'comments' field had credit card details included in them, which they didn't bank on.

Honestly looks like a credit card processor is being strange and publishing the card number in the wrong field. Only a couple people using the service had this error (not caused by them). This has been fixed long ago, just this was a cached paged caught from beta.
i'm sure there wasn't a "credit card number" field that this information came from. when downloading OFX transaction data, some banks include the full credit card number in the transaction description, and some only include the last 4 digits.
That does not seem PCI compliant
PCI compliance is something mandated through merchant agreements upon credit card processors. Blippy is not processing payments on those cards, and PCIDSS is not a law.
PCIDSS is as good as law for a credit card processing company, though. If they are not authorized by the credit card companies, they cannot process the cards. If they cannot process the cards, they are out of business.
There are lots of alternatives to accepting credit cards for payment by the way. Lots of restaurants take cash only and online, there are many third parties like Paypal to move to.
But you won't see anyone fining CitiBank for putting credit card numbers where they don't belong. Banks are, in my experience, one of the weakest links in the CC security chain.
"A fool and his credit card number are soon parted" -- blippy, 2010
This is one case where telling them first might have caused less damage. Very terrible situation though ...
All the card numbers start 5424 (Citibank MasterCard) and there are actually only a small number of different card numbers.

I wonder if this is something to do with test data.

5424 is a MasterCard test number. http://www.topbits.com/test-credit-card-numbers.html

edit: I was wrong, it's the full number that's a test number. 5424 0000 0000 0015

I'm reasonably sure that's not true. Perhaps the whole 16 digit sequences listed there is a test number.
You are right, I was wrong. It's the full number that's a test number. 5424 0000 0000 0015
(comment deleted)
(comment deleted)
There are the only 4 numbers in the results. Although I do see a few in this format XXXXXXXXXXXX2376.

(Edited to remove actual numbers in case they're not test numbers)

My actual MasterCard # starts with 5424.
According to the link that you posted, 5424 0000 0000 0015 is a test number. That's not the same number that I'm seeing in the Google results.
So you're telling me that I've been using a test card for the past 5 years? I hope not.

The two numbers listed on that site are test numbers. 5424 is a very common MasterCard prefix.

(comment deleted)
Anyway what were they testing? The "publish_credit_card_numbers" module?
5424 is also used outside of Citibank as my old debit card (with a MasterCard logo) from Fifth Third Bank started with 5424. I don't believe they're affiliated with Citibank, but I could be mistaken.
Ouch. I guess I'm glad I didn't get around to trying out Blippy.
only seems to be a few users, is it a certain card make or something?
While incredibly stupid, is this enough information to do actual harm? Don't you also need the CVS code?
Credit card numbers by themselves are no big deal, but this will haunt Blippy forever. I don't know how you can recover from a PR disaster like this.
Slightly melodramatic. No one will care tomorrow. We'll all be on to being outraged by something else.
Not all online credit card processors require a CVS code. I don't know if you can try enough different expiration dates before it gets shutdown for fraud.
Being pedantic, it's often called a CVV code, or a number of different acronyms, but none of them are CVS afaik.
In the US, it depends entirely on the merchant. They tell the CC processor how secure they want it to be. A lot of them only need the CC number and any expiration date in the future.
In general, having the wrong CVV code will decrease the chance of the purchase going through, not stop the transaction completely. If you have, for example, the wrong CVV but the correct address and name, there is a good change the transaction will go through any way.
And this, the day after they raised $11 million in a series A. I really don't understand that investment at all. Could someone explain it to me?

ref: http://www.crunchbase.com/company/blippy

Maybe they somehow convinced investors they were going to be the new "twitter".
Wow. That is a 100 lb. sack of FAIL! More fodder for my PCI slides to show clients. Thanks Blippy, you've replaced CardSystems for me (their story was getting old).
You all are offended by calling out a fail? Touchy today, eh?
Let's see how far this can go.
The first rule of being in a hole: Stop digging.
If I cared about 'Karma', I'd heed that post. But, I don't.
What's the point of participating in a community when you don't care what others think? Seems pretty pointless to me.
Community? I know nobody here. Everyone, like me, is hiding behind a screen name. People get to 'downvote' anonymously, which to me is absurd. Yesterday, I make a near meaningless remark about Apple fan-boys, and got 7 points. Today, I make a more meaningful remark about how this really is a noteworthy failure -- and I'm losing Karma right and left. To me, this is comical. Community? How do you define that word?
Only about 220 left to go. Let's see if we can reach zero by noon.
:) I'd call this a community. You can find my real name and the real names of others on our profile. I've also met many people from here and have had people reach out to me through this site. It's the most real online community I'm part of. It's this way because most of us act sensible most of the time.
Not everyone is hiding behind a screen name. In general the most active users also tend to be the ones who say in their profiles who they are.
There are a lot of reasons to participate in a community other than to seek consensus or approval. Has nothing to do with Blippy though.
Oh come on, now. Man-up and reply, if you have anything worth reading.
Shut up. You're making noise and you're talking like a kid. Just stop trying. You're not funny. It's not about being "touchy" is about being tired of EPIC FAIL MAGICAL REVOLUTION and how fucking tired we're from this language.

Also, I'm only responding to you because you have this account for one year and I thought you should know better. Eat your downvotes like a man and stop acting like a primadonna.

I hope your PCI slides start by pointing to the biggest security problems in the CC industry: the banks themselves. They have no real interest in fixing the security problems.
Blibby policy says "Our Services are primarily designed to help you share information about your purchases with others. This information will be public by default, but you may make it more private by editing your account settings. You should be careful about all information that will be made public by Blippy." I do not see lots of reason to sign up for this service in the first place. With the social media interconnecting all the data even on a passive way which the F8 from FB hinted it we are heading into a direction were someone has to be more careful with personal information.
Can I ask a question?

Why do they (or any other startup) even know what actual credit card numbers are?

How many of you operate in the same way? Why? Are you PCI compliant?

Because when you rebill a client you have to give the number again.

You can use a 3rd party gateway that acts as an intermediary between you and the bank that issued your merchant account and the 3rd party gateway will offer services such as scheduled rebilling. The gateway has to store the number though because the APIs at the highest level have no clue how to deal with internet and subscription type billing. They're still stuck in a very brick-and-mortar mindset. In this case it's the 3rd party gateway that has to deal with PCI compliance, not you.

If your transaction volume is high enough to justify it you can save a lot by cutting out another middleman and writing your own gateway. In this case though you generally have to be PCI compliant and have regular security audits to stay compliant.

PCI compliance only makes sense when you store CC numbers since PCI is a set of requirements on how to store them. Saying you don't store CC numbers and are PCI compliant makes no sense. EDIT: As andrewf points out below I'm wrong about this paragraph.

Saying you don't store CC numbers and are PCI compliant makes no sense.

Yes I know, that's why I didn't say that.

I'm wondering why you would ever (as a startup) choose to write your own gateway and not outsource this to a company that can be PCI compliant (i.e. the Gateway)

I wasn't implying that you were, I was just trying to be clear.

Why is simple. It's the economics. If you're a startup that does lots of micro-transactions you're paying a good chunk of overhead in gateway processing fees. If you feel it's worth the continual development effort (because don't kid yourself, writing a secure internal gateway takes a long time and essentially never ends) then you do it.

In Blippy's case they probably had to write their own because I don't know of any 3rd party gateway that has an API to return a list of user purchases when you give them a credit card number. I'm actually surprised the banks even support that kind of request.

If you feel it's worth the continual development effort then you do it.

I would think that when you start thinking your first application requires a second application (that you have to build yourself) just to efficiently exist, you should be taking a good solid look at the viability of your idea.

In Blippy's case they probably had to write their own

Case in point I suppose.

PCI compliance isn't something a startup should be looking to saddle themselves with, in my mind. Once you're established and can analyze whether you want to internalize an outsourced function, it's on the table with everything else I suppose.

PCI compliance isn't something a startup should be looking to saddle themselves with, in my mind. Once you're established and can analyze whether you want to internalize an outsourced function, it's on the table with everything else I suppose.

Exactly.

That's the point I was trying to get across. Guess I wasn't very clear. =)

PCI DSS states: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted.

If a system accepts CC numbers from a form and then passes them to a 3rd party gateway for processing, it's within PCI scope, even if it doesn't store them.

Certain companies (like Braintree) offer a service where the credit card data is POSTed directly to their server, relieving you of most aspects of PCI compliance.
I use a Citibank MasterCard. :(

Is there any way to report this to Citibank?

Why on Earth am I being downvoted?
Visa, AMEX, Discover. Those guys will do anything...
It looks like the credit card numbers are included in the Blippy section starting with "The purchase appears on your statement as:", followed by the actual text of the line entry from the statement.

From that, I'm guessing that Blippy lets users automatically import their credit card statements, but they didn't anticipate that the entries in those credit card statements would occasionally include full credit card numbers. Embarrassing but a corner case.

And you thought the new Facebook API was intrusive...
I don't mean this to sound snarky but I'm having a hard time understanding the basic utility of blippys service.

Why would you want to automatically share information about every purchase you make with your credit/debit card with the world? It just sounds like a recipe for disaster with very little upside.

Can anyone who uses this service (if any HN members do) explain the usefulness of it to me? I might just be misunderstanding the purpose.

I don't use the service, but I see it as a blog like tool. If you have one, you only use it in scenarios you'd like to tell everyone about. If you're at a baseball game, you use it to buy beers and they automatically post something like "John Doe bought 4 beers at the Giants game".
I was wondering the same thing, it just seems like a service where they'll be able to sell your data to companies down the road, or advertise you stuff you might be interested in.

Even if this turns out to be test data, it's still pretty shocking and will tarnish the service forever.

It's definitely an example of what can happen to your financial info if a website you give it to makes a mistake or gets greedy. It's why I'd never use a service like that or mint, et al...
It's only for the most exhibitionist type of people. Think of sci-fi books with people being "life actors" or some such where people can tune in to them 24/7 and see what they're doing. It's basically just a stepping stone to that. I don't see this ever becoming even close to mainstream.
This reminds me of a scanner darkly where the hero spy himself.
I'd assume the inspiration for the service is grounded on the idea that your social circle influences things that you buy.

If you buy something and then a number of your 'followers' buy the same item a few days afterwards, that information is very valuable.

The problem is it's not really valuable to you or your friends. It's valuable to people who want to sell you crap.
If I could put a dollar amount on my internet reputation that would be very valuable to me. I reckon that's something I could put to good use.
This does the reverse. It doesn't put a dollar amount on your internet reputation. It develops an internet reputation based on your dollar amounts.

Then they will monetize by giving it to the only people who really care how much you spend at Starbucks: Starbucks (and competitors).

Yet, strangely, the people who want to sell me crap never let me cash in directly on my personal information. They always want to buy through some middleman that claims to be offering me some other service.
A Blippy analog that monetized and promised you 10% of the take would probably be insanely popular.
I would definitely be more interested in allowing companies to track my browsing and shopping habits if I was being paid.
I don't mean this to sound snarky but I'm having a hard time understanding the basic utility of blippys service.

It's the easiest way to share your credit card information with the world.

I was just thinking on the way into work this morning that not enough people have my Discover Card number.
1) Get your discover card number as a tattoo (make sure to include your name as it appears on the card, expiration and 3 digit code from the back).

2) Submit photo to hacker news

(OT/X-Post Just getting to this now:) Silly, everybody knows you don't have a Discover card, because you're on Facebook, where all of us friends know this about you....
i hope you mean it in sarcasm way...

btw i cant believe nobody point a finger on google yet, this part of their fault too. there should a 'proper' mechanism on their webmaster tool an option to excluded a sensitive data Or make it an opt-out features Or add one regex line to detect an anomaly data on their search.

ffs they have billions to tinker around with it

Google shouldn't bear responsibility for indexing something sensitive, as the sensitive information should not be reachable via any link anywhere, let alone on the public Internet. It's about as sane as expecting the government to clean up after one's own mistakes, and just as damaging to the concept of personal or corporate responsibility.
There is such a proper mechanism: robots.txt. Whenever I put all my users' credit card numbers on a public web server I make sure the URL is properly protected by robots.txt. If I want to be absolutely sure everything is safe I use CSS to make the numbers invisible on top of that! ;-)
Why on earth would you let credit card numbers be publicly accessible; furthermore, one can simply view source to see those numbers. Security through obscurity is not a very good approach - you should read up on PCI compliance by starting here: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Secu....
Obscurity? Pffft. Simplicity! Nothing beats an HTML page right there in htdocs. You can store anything there and it's totally NoSQL as well. Anything else would be premature optimization. Do the simplest thing that could possibly work! Agile! I've got it all covered by unit tests so there can't be a problem. And if there's a breach I'll just rewrite it all in Haskell. Who are you anyway to tell a seasoned professional how to deal with credit card numbers securely? :)
I use it - not the credit card part - and its fun. I don't check it often, but every now and then. I guess the appeal is that its unique, new, and has potential.
potential for what though?
For sharing lots of private data comfortably with the rest of the world. ;)

On a more serious note, I think Blippy's main use is efficient bragging.

Forgive my naivete, but how do you use it without using the credit card part?
you can share purchase history from online merchants without connecting your credit card - like amazon, itunes, zappos etc
It makes about as much sense as twitter does.
Yup. I'm just amazed that these companies keep finding capital. Didn't we learn anything from the dotcom bubble?
I think what we learned was that its really hard to tell 'which' crazy idea will make it. Even google was dismissed as a feature, not a company.
I don't think that's entirely fair. Twitter has some purposes other than sheer vanity. Sharing links, 1 to many communication, etc.

Don't get me wrong, I don't care for Twitter myself. I don't use it, and I do find most of it to be trite and little more than navel gazing. But I can see some useful signal on Twitter, I just cannot see how it could not get buried under an avalanche of noise.

Blippy seems totally vacuous.

Sharing details of things you've purchased is immediately monetizable. If they can get users using it, it's trivial to make it insanely profitable.

I can see it catching on with kids definitely.

I can definitely see the value from a sales/marketing perspective, but the trick is getting people using this. They're going to have a pretty big challenge consistently delivering value to their users and not becoming at best an ephemeral fad.
From comments I have heard Leo Laport making on his TWIT podcast, he uses the service and has found several products he has happily bought when other users on Blippy brought them to his attention.

I am also keeping in mind that there are many jokes in the podcasts about Mr. Laport's proclivity to purchase tech items, at times in quantity, as an early-early adopter.

> I can see it catching on with kids definitely.

Kids that don't have a credit card?

By kids I mean people in their 20s. Now I feel old.
Is Twitter that much different than HN? They're both collective link sharing filters albeit we get sweet threaded comments and peanut gallery points here
It could also be financial therapy for the serious shopaholic, to have all spendings be public for critique among friends and family... much like calorie counting/blogging for those on diet
As an experiment i followed up 5424xxxxxx number to check if its a test number. I could track down the card's owner and a little judicious googling gave away the owner's home address as well.

Doesn't look like a test number.

I'm glad I never trusted them enough to give them my information.
I hope someone writes a technical post-mortem/case-study on this.