by kevintwohy 5894 days ago
They've responded here: http://blippy.posterous.com/

Not as apologetic as one might expect.

5 comments

I think it's a pretty solid response.

The question is, why would banks put your credit card number on the description of transactions in the first place? I've never seen that done before.

I think they're perhaps not as apologetic as you'd like because the premise (Blippy publishes credit card numbers) is incorrect. They made a mistake in a beta period which they fixed.

why would banks put your credit card number on the description of transactions in the first place

This is actually pretty common. It happens on my statements, and while I think that my bank could do something better (last 4 digits would be enough), there is at least a reason. For my joint checking account with multiple debit cards, it helps figure out who bought what. Since each purchase has the exact card number, we can figure out who went to Starbucks 3 times in one day...

In the UK it's common to see last 4 digits only on receipts, statements etc. NEVER the whole CC number. Anywhere.
The last 4 digits, however, are the ones that are unique to you.
4 digits is enough for you to know which account holder made the purchase, but not enough to be of any use to anyone else.
The first 5+ digits are public (if the "attacker" knows what bank your card is issued by). Adding 3 digits and a check digit to the mix makes guessing your number all that much easier.

Personally, I am not sure why any digits need to be on sales receipts. Or why I even need a receipt.

Yeah - all the relevant details are in there, and he's technically right about the CC# liability bit, but the last way you want to come off in a situation like this is "it's not all that bad..."
Well, it does at least show that the title of this news story is sensationalist link bait.

Sometimes people mess up. But there's a difference between "oh oops in the beta period we didn't realize that banks put credit card numbers in descriptions :/ and we didn't realize Google would index that. 4 people were affected and we're sorting it"

and

"We routinely share credit card numbers!!!"

Personally I'd give them a break about it. They're probably feeling pretty crappy about it all already without people blowing things out of all proportion. (This is one of the worst things about the internet IMHO - blowing tiny things up into mammoth proportions through rumor, misunderstanding and incorrect assumptions. And always assuming everyone is evil).

Out of proportion? Sure, at least in the US you are protected from credit card fraud assuming you take the appropriate actions. However, such a problem on their end shows a lack of attention to security, and while this may be an isolated incident it reveals a lot about how the company acts and prioritizes their responsibilities to their users. People like to repeat their mistakes, especially when they don't have the necessary resources, whether it be time, manpower, money or something else, to correct them; therefore I doubt this is the last serious blunder they will make, and that is reason enough for me to avoid them.
Unless I've misunderstood their description:

  * They got some data
  * The data has a "description" field
  * They naively displayed that description field
  * They then found to our horror that sometimes this
    description field contains CC numbers :/
I don't think you can really blame them too much for that.

It would be another story if they were actually storing CC numbers and 'accidentally' published them, but that doesn't seem to be what happened.

There, I fixed it:

if ($description =~ /\d{4}((\s|-)?\d{4}){3}/) {
  # looks like a 16-digit card number: don't print it
} else {
  print $description;
}

n.b. not trying to be a smart-ass, just saying it can't be that hard.
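A fuller version of the filter suggested in that comment, as an added example that is not code from the thread or from Blippy: it finds card-number-like digit runs in a transaction description, confirms each with the Luhn check digit, and masks all but the last four before display. The function names and the sample descriptions are constructed for the example.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits. Matches are only candidates; the Luhn check decides.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, then sum the digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(description: str) -> str:
    """Replace every Luhn-valid card-like number in a description with its last four digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # e.g. an order or invoice id; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, description)


def has_pan(description: str) -> bool:
    """True if the description contains a Luhn-valid card-like number (useful for logging/alerting)."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in PAN_RE.finditer(description))


if __name__ == "__main__":
    # Constructed sample descriptions of the kind the thread describes; the card number
    # is the well-known Visa test number, not a real account.
    samples = [
        "STARBUCKS #1234 SEATTLE WA 4111-1111-1111-1111",
        "AMAZON MKTPLACE ORDER 1234 5678 9012 3456",
    ]
    for s in samples:
        print(has_pan(s), mask_pans(s))
```

A Luhn-valid order number (roughly one random digit run in ten) still gets masked, which is the safer failure for a display filter; the point of the check is only to avoid mangling obvious non-card identifiers.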

"Today someone discovered a Google search that displays the credit card numbers of 4 Blippy users."

If as they say, all they released were 4 credit card numbers, I understand why they act like this isn't a big deal.

Their system works and has worked the entire time for 99.98 percent of all people. Those few people who did get their numbers published, well, send them a ham or something. At worst, if the cards are used, the user will have a couple days of saying "Chargeback X chargeback Y". This isn't even about a bug currently in their software, but a small one from a long time ago from a credit card processor arguably doing something incorrectly (or at least, quite strangely).

Yeah, not apologetic at all. I'm not sure I equate giving my credit card number to a waiter or store clerk with having it published on Google for virtually anyone in the world to freely access, as they do.
"The average user would see nothing, but a determined person could see 'raw' line items."

Yes, only someone with the temerity and tenacity to ... click "View Source".

yeah it basically boils down to "oh it's no big deal"