Why Aren't Credit Card Companies Using A Google Defense Mechanism?

from the interesting-ideas dept

Bennett Haselton has written up an interesting article at Slashdot, highlighting just how easy it is to find large collections of credit card information using Google. The method is pretty straightforward -- and has been written about extensively in the past. What's interesting, though, is that Haselton wonders why the credit card companies haven't done anything about it. Obviously, they can't prevent card info from being leaked or available online -- but they absolutely can continue to scan for such information and issue new cards to those whose info was compromised. Of course, the reason they don't do this is that the "cost" probably seems high, and the cost of not doing anything isn't particularly high. However, Haselton also notes that this is the type of thing that others could easily help fix as well -- and if the credit card companies could build up more of a community, it's likely that volunteers probably would have written scripts that would find these cards and alert the victims years ago, when this issue was first discovered. While it's fun for some people to bash companies that bring together a community of supporters and volunteers, it's not hard to see cases such as this one where having a community who can be a lot more efficient at solving big problems can be a good thing.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 24 May 2007 @ 5:06pm

    Wouldn't the companies systematically scanning the internet against their enormous cache of credit card numbers present a much greater security risk than... uh... any other conceivable action they could take?

    link to this | view in thread ]

  2. identicon
    Jon, 24 May 2007 @ 5:07pm

    Excuse me, but...

    Wouldn't the companies systematically scanning the internet against their enormous cache of credit card numbers present a much greater security risk than... uh... any other conceivable action they could take?

    link to this | view in thread ]

  3. identicon
    zcat, 24 May 2007 @ 7:39pm

    finding credit-card numbers..

    They don't need to search for any particular number; they just need to search for a particular pattern. Better still the major banks could come to some arrangement with google to look out for these pages (example; any page with three or more numbers in the form "4060 ?????? ??????") and automatically send the bank a list of URL's as fast as googlebot finds them.

    link to this | view in thread ]

  4. identicon
    T.J., 24 May 2007 @ 8:00pm

    Communities???? Sure its a good idea in theory, but we all know with the ridiculous interest rates credit companies that they could easily afford to have a staff take care of it. It's one of the things your interest pays for. Thats like saying McDonald's saying it's not responsible for hairs in your food. While I do think open source software and communities are an excellent thing, i also believe that these credit card companies should be obligated to take care of the problem themselves.

    link to this | view in thread ]

  5. identicon
    Answer., 25 May 2007 @ 6:10am

    Why don't the credit card companies do anything?

    Credit card companies don't do anything because they don't have any incentive to fix the problem, but they do have an incentive not to.
    I have a close friend who was a victim of identity theft. The thief/thieves used his personal information to open new credit cards under his name and ring up charges as fast as he could shut the cards down. Because he had reported his cards as stolen and the credit card companies were aware of what was going on, the companies would obligingly take off the charges. But they kept raising his interest rate every time it happened. So on one hand, they were acknowledging that it wasn't his fault, while on the other hand, they were gouging him for it. His credit rating and interest rate got so bad that no store will accept his credit card and he has to use cash for everything.

    The worst part? The guy worked for the Attorney General's Identity Theft department at the time. And what he learned there was that there was absolutely nothing he could do about his situation, because the credit card companies do whatever they want.

    link to this | view in thread ]

  6. identicon
    SailorRipley, 25 May 2007 @ 8:33am

    Re:

    I don't agree.

    The credit card companies are under no obligation whatsoever to pro-actively take care of the problem themselves.

    As long as it is cheaper for them to do nothing (and just eat the loss resulting from the information being out on the web) as annoying that may be for anybody whose cc information is out on the web, it's their right to do nothing. Why would/should the CC be obligated to take care of a problem they had nothing to do with creating? It's not their fault other companies are careless enough to let CC information leak onto the web (TJ Maxx comes to mind...hmmmm coincidence?)

    If/when it becomes more costly to do nothing, they will take care of the problem. But they'd have the right to whine it's not fair they have to spend $$ on taking care of a problem they had no part in creating

    and btw, the McD analogy is so fundamentally flawed I'm not even going to bother

    link to this | view in thread ]

  7. identicon
    nedu, 25 May 2007 @ 12:38pm

    Identification and Authorization

    Step back a bit...

    Using an account identifer as an authorization token is just idiotic.

    How many of you use your username as your password? Please (virtually) raise your (virtual) hands. We have a FAQ on security basics for you.

    In-person transactions in 3-space usually require the actual card. That is, the account number is used for account identification. Meanwhile, something owned (the card itself) together with something characteristic (a signature) is sufficient for authorization.

    But for distance transactions, the authorization component is stripped off. That's just stupid.

    In a ubiquitiously networked world, a remote transaction should involve the customer communicating with the card issuer and securely authorizing the specific transaction.
    There's no reason that this shouldn't be a relatively seamless part of a transaction with a merchant. The merchant, the customer and the several banks involved are all capable of communicating with each other in real time over the network.

    Of course, this architecture wouldn't work for telephone or mail-order purchases. But as on-line purchasing increases in importance, those older methods become less important. Thus, it should be possible to place additional burdens on those older styles of remote transaction without burdening most customers and most merchants excessively.

    The flat fact is that account identifiers cannot realistically be kept secret. The identifier has to be disclosed to too many parties. Otoh, transaction authorization tokens should be shared with the minimum number of parties. A customer shouldn't be disclosing their transaction authorization token(s) to anyone but their own bank.

    link to this | view in thread ]

  8. identicon
    Credit Cards, 13 Jul 2008 @ 6:37pm

    Credit Cards Australia

    Compare credit cards with Australia’s leading financial
    comparison web site, Credit world.

    link to this | view in thread ]

  9. identicon
    Mike, 2 Dec 2008 @ 8:07am

    It's true

    Being manager of a credit card application website, I notice as well that financial providers are really lack credit card information and communities, apart from small promotions of their cards and online application.

    link to this | view in thread ]

  10. identicon
    Credit Card, 15 Dec 2008 @ 12:10am

    Safe shopping online with credit cards

    Shopping online safely with credit cards is such a serious issue. It really defies logic that they don't do anything about it.

    link to this | view in thread ]

  11. identicon
    Bob Marley, 15 Dec 2008 @ 3:58pm

    Thanks

    Thank you for posting this article. It's a great read! Google

    link to this | view in thread ]

  12. identicon
    Credit Cards Australia, 11 Feb 2009 @ 7:24pm

    Shopping Online

    Always be very careful when shopping online and using a credit card, make sure the website you're purchasing a product from has a secure yellow lock on the bottom toolbar.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.