by axod 5896 days ago
I think it's a pretty solid response.

The question is, why would banks put your credit card number on the description of transactions in the first place? I've never seen that done before.

I think they're perhaps not as apologetic as you'd like because the premise (Blippy publishes credit card numbers) is incorrect. They made a mistake in a beta period which they fixed.


why would banks put your credit card number on the description of transactions in the first place

This is actually pretty common. It happens on my statements, and while I think that my bank could do something better (last 4 digits would be enough), there is at least a reason. For my joint checking account with multiple debit cards, it helps figure out who bought what. Since each purchase has the exact card number, we can figure out who went to Starbucks 3 times in one day...

In the UK it's common to see last 4 digits only on receipts, statements etc. NEVER the whole CC number. Anywhere.
The last 4 digits, however, are the ones that are unique to you.
4 digits is enough for you to know which account holder made the purchase, but not enough to be of any use to anyone else.
The first 5+ digits are public (if the "attacker" knows what bank your card is issued by). Adding 3 digits and a check digit to the mix makes guessing your number all that much easier.

Personally, I am not sure why any digits need to be on sales receipts. Or why I even need a receipt.

Don't forget in the UK the vast majority of purchases are Chip+PIN only, so a credit card number is only really useful for making online purchases from other countries, which are usually scrutinized far more by banks.

Also you have the CSV on the back of the card and expiry date. You also have the "Verified by Visa" stuff where you have to enter your password for any online purchase; also, you'll usually have to enter the card holder's full address.

I agree though, receipts are mainly useless wastes of paper these days, and the less paper with personal details on the better.

Given the massive library of photos available on Flickr, it'd be unlikely that there aren't some credit cards on there - perhaps a credit card left on the coffee table in the background that can be enhanced... Maybe even a credit card in someone's very thin see-through shorts :/ Wonder how long it'd take to find some examples.

Yeah - all the relevant details are in there, and he's technically right about the CC# liability bit, but the last way you want to come off in a situation like this is "it's not all that bad..."
Well, it does at least show that the title of this news story is sensationalist link bait.

Sometimes people mess up. But there's a difference between "oh oops in the beta period we didn't realize that banks put credit card numbers in descriptions :/ and we didn't realize Google would index that. 4 people were affected and we're sorting it"

and

"We routinely share credit card numbers!!!"

Personally I'd give them a break about it. They're probably feeling pretty crappy about it all already without people blowing things out of all proportion. (This is one of the worst things about the internet IMHO - blowing tiny things up into mammoth proportions through rumor, misunderstanding and incorrect assumptions. And always assuming everyone is evil).

Out of proportion? Sure, at least in the US you are protected from credit card fraud assuming you take the appropriate actions. However, such a problem on their end shows a lack of attention to security, and while this may be an isolated incident it reveals a lot about how the company acts and prioritizes their responsibilities to their users. People like to repeat their mistakes, especially when they don't have the necessary resources, whether it be time, manpower, money or something else, to correct them; therefore I doubt this is the last serious blunder they will make, and that is reason enough for me to avoid them.
Unless I've misunderstood their description:

  * They got some data
  * The data has a "description" field
  * They naively displayed that description field
  * They then found to our horror that sometimes this
    description field contains CC numbers :/
I don't think you can really blame them too much for that.

It would be another story if they were actually storing CC numbers and 'accidentally' published them, but that doesn't seem to be what happened.

There, I fixed it:

  if (/\d{4}((\s|-)?\d{4}){3}/) {
    # don't print it
  }

n.b. not trying to be a smart-ass, just saying it can't be that hard.

And now you have two problems.
It's only 'not that hard' if you know that the numbers are going to be there. Perhaps the Blippy folk have never seen or heard of a credit card company that puts the card number in the description field. I certainly haven't. Have you?

It seems like a ridiculous idea, and while it makes sense in some corner cases, I'm not surprised that they missed something that was only a problem for four users ever.

Perhaps what we should be doing here is asking why Google kept a cache of months-old HTML instead of updating their cache instead?