August 3, 2004 4:24 PM PDT

Google queries provide stolen credit cards

Simple queries using the Google search engine can turn up a handful of sites that have posted credit card information to the Web, CNET News.com learned on Tuesday.

The lists of financial information include hundreds of card holders' names, addresses and phone numbers as well as their credit card data. Much of the credit card data that appears in the lists found by Google may no longer be valid, but News.com called several people listed and verified that the credit card numbers were authentic. The query, the latest example of "Google hacking," highlights increasing concern that knowledgeable Web surfers can turn up sensitive information by mining the world's best-known search engine.

"It seems like everyone has their own trick," said Chris Wysopal, vice president of research and development for digital security firm @Stake. "This is really searching for data that should be secret but has been exposed either through misconfiguration or by someone who has stolen it."

There is no shortage of ways to search Google to find such data. Whole sites spell out how to search for financial information and describe software vulnerabilities and vulnerable configurations on Internet machines. Google is the tool of choice because its powerful search options, such as the ability to search for a range of numbers--useful in finding credit card data--are not present in other companies' search engines.

Google would not comment, citing the quiet period before the company's initial public offering. However, a company source did say that the search firm has a tool for Web masters to remove pages from the archive, if they find that parts of their site violate laws or regulations. Moreover, the company has decided to allow anyone to request the removal from search results of any document that includes a Social Security or credit card number--a note to help@google.com with a link to the page will suffice, the source said.

Keith Ernst--a Durham, N.C., resident and, ironically, a worker at a financial antifraud company--found himself on the receiving end of a data leak earlier this year that resulted in his debit card number being posted on such a list. Before Ernst canceled his card, the number had been used for a variety of charges. A foreign student had attempted to pay college tuition with the stolen number.

"It was very unsettling to see those charges come up on your account," said Ernst, who normally works to prevent fraud from happening to others. "It was interesting, to say the least, to be on the other side of the issue."

Ernst's information is now posted to an Arabic bulletin board with more than a hundred other people's financial records, at the beck and call of a simple search on Google. His credit union refunded the charges and now he only uses credit cards to make Internet purchases, because fraudulent charges using a credit card are not immediately debited from his bank account.

The FBI could not immediately comment on whether the agency was investigating the sites listing financial information. The sites seemed to be spread out over the globe: One had a Russian domain name, another was written in Arabic, and a third was based in the Netherlands.

Good guys can Google, too
The rise of such Web sites has convinced @Stake's Wysopal that major credit issuers should start using Google as a security tool, searching for vulnerabilities and leaked information before other, potentially malicious, people find the data.

"Shouldn't Visa be proactive and do these searches on a daily basis?" he asked. "The bad guys are doing it, so why aren't the good guys doing it and beating them to the punch?"

The sentiments echoed statements made at the Black Hat Security Briefings in Las Vegas last week, where security researchers and hackers were surprised to learn the extent to which Google can pinpoint weakly secured servers and databases.

Visa already has many sources to pinpoint fraud, said Rosetta Jones, a spokeswoman for the company.

"When we run them against a database, it is very common to find that, in most cases, we have known that the credit card was stolen," she said.

While the company may not use Google to track when sites containing credit card information appear, it has moved to have many such sites taken down when tipped off to the situation. So far this year, Visa has had 20 sites pulled from the Web for trafficking in stolen credit cards.

One big haystack
With 4 billion Web pages on the Internet, Google is not able to police its archives very effectively, a source at the company said. The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links.

That means consumers are left to carefully watch their information. Yet, the degree to which fraud has become more common makes consumers like Ernst fatalistic.

"I am sure that the information is out there," the fraud-fighter said.

29 comments

Google not the problem
The problem is NOT Google. The problem is the individuals who post social security numbers, credit card numbers, and other personal information on the Internet (only the world's largest public forum).

Google does not break security to get information... it only picks up information already posted. For example, one city recently published the information (with social security number) of people who had failed to pay their taxes.

Police reports including credit card numbers have been posted on the Internet. The same cops probably know better than to post their police reports on the outside of the police station.

Put the blame where it belongs! On the authors!
Posted by Ibreakstuff (7 comments )
Google was hacked by TERRORISTS in 1996 and stolen from its inventor. It has never been recovered from the thieves and online pirates that have stolen the identity of everyone and anyone that has used my stolen search engine since 1996. http://www.truthapedia.com

p.s. don't trust the FBI = GESTAPO
Posted by DannyVegas (3 comments )
How do I?
How would I search for my credit card number on Google? I'm not going to enter MY number to see if it comes up because other sites, like Dogpile, let you see what other people have searched for. So if my card number wasn't on before, it might be once I enter it. Any ideas?
Posted by sdencar (28 comments )
Partial
Don't input the complete number; just do a search for the first 8 or 10 digits. Without the full number, anyone seeing your query would still have to resort to guessing it, but the partial string would return very few numbers, one of which would be yours if it was indeed leaked to the internet.
Posted by Fray9 (547 comments )
why is it google's problem
I don't understand the recent attacks by CNET on Google. Google is merely a search engine that goes out and finds whatever is out there on the web. They are hardly responsible for what's out there, nor should they censor information. You get into what's okay and what's not by whose opinion.

It's the responsibility of the companies that did not have sufficient security to protect people's information.

It's the responsibility of companies such as Visa to do daily searches of what is out there, close those accounts, and issue new accounts to the users.

None of this has anything to do with Google, other than the fact they were the engine that was used to search the ether.
Posted by kxmmxk (320 comments )
How quick Microsoft can manipulate TI press ?!
It's impressive how tech journalists are "discovering" a lot of problems in Google search.

And nobody links those critics with Microsoft.

In the Fear Nation, governed by Nazi Bush and Mr.Gates, the next step is saying that Google is a terrorist cell...
Posted by josir (4 comments )
Why is it that someone always blames
Microsoft? I wonder if they ever did a Google search for security problems with their beloved Linux? I have some beefs with MS, but to blame all things that happen on them is about as sensible as saying the world is flat! Grow up! MS is not the only company out there with problems with their software, and that includes your very own favorite OS!
Posted by (5 comments )
What great timing!
How much MS is paying you. Don't worry, we won't tell them! It's so funny how all of a sudden this comes out when Microsoft is launching their search site.
makes you go, Hmmmmmm.
Posted by dave95 (9 comments )
Google = P2P should be illegal!
Thanks to the ever wise Senator Orrin Hatch, we can now take out Google AND P2P networks with one quick and far-reaching legislation.

Since everyone knows that P2P networks can be used to break the law, so can Google! So what if Google can be used to search for helpful pages on the internet - the mere fact that it can be used to search out credit card numbers, and <gasp!> simple things like how to make a Nuclear / Biological / Chemical weapon is surely a sign that Google is the tool of "evil-doers" everywhere!

Go Orrin!!! We're on your side!

P.S. Please outlaw the internet while you're at it - since it can also be used to break the law.

Boy, this country is getting dumber and dumber by the second.
Posted by Tex Murphy PI (165 comments )
First realistic response to question!!
Good points! Perhaps what we need is for them to outlaw MS Windows, and that way the upper-crust techies can take over and we will never again have a problem on the net!! Anyone want to buy some ocean front property in Kansas?
Posted by (5 comments )
Google & Peer-to-peer Networks
From Article: "The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links."

So how are peer-to-peer networks any different? Why are they being targeted and held responsible for the content that is not theirs?

I guess it's all because of what people like and dislike. They choose to go after and shut down the things they don't like. Because really I don't see any difference. I don't see anyone trying to shut down Google because they link to a site that has copyrighted material!
Posted by (3 comments )
Nagasthra-Novel approach to Credit Card Security
Hi!

Nagasthra is a novel approach to overcome the design flaws of current credit card transactions. This idea has been presented to Nokia and the same has been well rewarded by Nokia in the year 2000. Full details could be found at http://www.geocities.com/nagkumar.rm

Regards,
Nagendra
Posted by nagkumar123 (4 comments )
Nagasthra and Paymate
The paymate.co.in looks the same as my idea to Nokia in the year 2000 (this was a part of waphothouse context). This idea has won me First prize in India and details of the same are at http://www.geocities.com/nagkumar.rm

Not sure, what paymate is patenting in this regard, as the idea was made public in the year 2000 only, If any one could help me finding the patent app, it would help.

Regards,
Raja Nagendra Kumar,
C.T.O
Posted by nagkumar123 (4 comments )
ok so...
I am lazy.. didn't want to read it all.. so what do I search to find the cc numbers? I really want to buy **** right now and I'm broke. So if you steal any credit cards, let me know. Thanks =)
Posted by lenzouskij (2 comments )