Posted on 09/18/2004 11:04:05 AM PDT by Justice
Consumer fear of identity- and credit-card theft over the Internet continues to escalate. Yet analysts and retailers continue to assert that the risk is minimal. The bigger fear, say analysts, should be of an inside job.
Many of the recent thefts "have been crimes committed by employees of companies that have legitimate access to personal data, that decide to use it for their own gains," Christian Byrnes, senior vice president of technology research services at Meta Group, told NewsFactor.
In an effort to ascertain actual theft risk associated with ordering online, NewsFactor conducted an informal test of the Web. The findings were alarming: Basically, anybody who can use Google can get access to credit-card and personal-identification information.
Testing, Testing 1-2-3
Practically everyone knows that hackers will continue to wreak havoc. That handful of malicious misfits is a very savvy, determined group, against whom retailers and other companies must be on guard.
"Personal-identity information is on computer systems everywhere," says Byrnes.
That being the case, NewsFactor elected not to test hacker tools and security measures on individual Web sites, since both change tactics almost daily. Instead, the test was conducted using basic search engines to determine how accessible personal-identity and credit-card information was to a more ordinary criminal mind.
The first search engine tested was Google, merely because of its popularity. It is important to note that Google is not at fault in this study, as the search engine can only detect data, not judge how it is used.
We Got Your Number
The search request was simple. Using a researcher's Visa debit card, we started with the first four numbers on the card and extended the span of possible number combinations. So we entered in the google.com search window: visa 4060000000000000..4060999999999999.
The result was a long list of Visa card numbers complete with name, address, phone number, expiration dates and a list of recent purchases. In less than two seconds, we found everything a cyber crook would need for one heck of a shopping spree or a fresh new identity.
We found similar results on other search engines using the same number-spread methodology for numerous credit-card issuers, including MasterCard and American Express (NYSE: AXP).
NewsFactor urges readers to check and see if your information is listed on these simple searches. If so, you would be well-advised to contact your credit-card issuer immediately and request a new credit-card number.
In the future, it may be wiser to limit your exposure by using a stored-value card, like those issued by Visa, American Express and other companies. Stored-value cards have no value after the purchase is made, thereby limiting their value to criminals.
Do You See What I See?
"Many retailers are offering reassurances [to consumers] by asking for additional information before completing an online credit-card transaction," Carrie Johnson, senior analyst, Forrester Research, told NewsFactor.
But, giving more information may do more harm than good, our researchers found. Among the results retrieved in our Google search, we found links that exposed entire databases, complete with internal company accounting records. Even social-security numbers are included on some of the lists -- not a very reassuring discovery, to say the least.
Bigger Is Better
We found no indication that the larger, more credible, retail sites were the source of credit-card information leaks. Web sites like eBay (Nasdaq: EBAY), Amazon (Nasdaq: AMZN), Office Depot (NYSE: ODP), Best Buy (NYSE: BBY), Sears (NYSE: S), and many others appear secure. At least, none of the online purchases recorded in any of the credit-card lists we found contained purchases from major retailers.
It was the mom-and-pop shops, home-based businesses, and smaller companies that showed vulnerability, apparently from ignorance or a lack of professional I.T. resources.
"To get around consumer-security and fulfillment concerns, Internet startups and small businesses will have to align themselves with more credible marketplaces like eBay, Amazon, and Yahoo (Nasdaq: YHOO). Otherwise, customers will be afraid to buy online from them," Rob Garf, retail analyst at AMR Research, told NewsFactor.
Plug the Hole
In the meantime, Web-site owners may want to employ a few simple fixes to make sure their critical files and their customers' personal information are not so easily found by search engines. Features that mask files from the view of search engines and cloak sensitive databases are an absolute must-have. One simple and inexpensive example is a "robot" file that blocks search engines from accessing specified files on a Web site.
However, sensitive files also need to be encrypted using updated encryption programs.
"Don't skimp on technology and process investments," says Garf. "If a customer has a bad experience, that customer is gone forever."
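An added example, not part of the NewsFactor article or the thread: a check a site owner can run over their own document root to find files that contain payment card numbers before a crawler indexes them. The function names are illustrative, and the sample data is constructed from public processor test numbers.

```python
import re
from pathlib import Path

CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, single space/dash separators

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(digits):
    """Issuer by prefix and length; None when no scheme matches."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "amex"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return None

def find_pans(text):
    """Return (brand, masked number) for each Luhn-valid card number in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        b = brand(digits)
        if b and luhn_ok(digits):
            hits.append((b, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits

def scan_tree(root):
    """Map each file under root (relative path) to its findings."""
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hits = find_pans(path.read_text(errors="ignore"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample: processor test numbers, plus one line that fails Luhn.
SAMPLE = "order,card\n1001,4111 1111 1111 1111\n1002,378282246310005\n1003,4111111111111112\n"
if __name__ == "__main__":
    print(find_pans(SAMPLE))
```

Any file that `scan_tree` reports under a publicly served directory should be moved out of the web root or encrypted; a robots file only asks crawlers not to fetch it.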
This has to be GWB's fault!
I just tried it and got NOTHING.
I simply will not place my card number in my computer, any banking info, will not buy over the internet....I am paranoid about stolen identity.
I just did it with the dots included and got enough to be concerned about, but nothing live (links to pages were 404'd, but perhaps in response to the article).
DITTO, nothing!
GOOD.
I tried AMEX too.
I was fully prepared to be shocked and awed.
Also, to keep in context, your chances of having your ID stolen by the merchant, whether online or offline, are a great deal higher than your chances of a hacker getting to your card numbers (essentially inside jobs, as the article noted).
Both dangers exist, but the ones you have everyday from using your card anywhere, online or offline are greater.
One day I found dozens of stacks of old, bundled credit card receipts lying all over the sidewalk near a dumpster, dumped by a fashionable and upscale retailing company whose secretary thought throwing them into a construction dumpster on a street was somehow secure enough. Some wino had been rummaging through it the next night and hence they became scattered all over the street.
The use of dots means their search engine looks for a range of numbers?
Yes, it looks for a range.
I just put in a string range for Amex and got more than I wanted to see. 142 results, and at least a few looked like they might have live data. Yikes.
I found pdf documents of court cases with credit card numbers and savings account numbers of parties. Damn.
I tried AMEX and got nothing.
Wondering out loud...so to speak,
If you do a search of your card#, aren't you putting it out on the net in the most unsecured way.....your card number is now part of what was researched on Google. Doh.
Wait a minute! I just put in exactly what this post says it put in and all I got was a return to about 5 posts from Free Republic!! This is BS.
I'm not overly concerned. Credit card users have been exposed to fraud and theft for as long as there have been credit card users. I was in retail management for years and fired numerous people for things like copying credit card numbers, selling carbons of cc slips, pulling cc copies out of the trash. Nothing new.
I typed exactly the following:
Amex 370100000000000...379999999999999
Just did it again. Got 151 hits (must have used 3711 the first time).
Each number string has a total of 15 numbers in it (not the normal 16 for Visa and MC).