by tdmackey 5894 days ago
Out of proportion? Sure, at least in the US you are protected from credit card fraud, assuming you take the appropriate actions. However, such a problem on their end shows a lack of attention to security, and while this may be an isolated incident, it reveals a lot about how the company acts and prioritizes its responsibilities to its users. People like to repeat their mistakes, especially when they don't have the necessary resources, whether it be time, manpower, money or something else, to correct them, so I doubt this is the last serious blunder they will make, and that is reason enough for me to avoid them.
1 comments

Unless I've misunderstood their description:

  * They got some data
  * The data has a "description" field
  * They naively displayed that description field
  * They then found to our horror that sometimes this
    description field contains CC numbers :/
I don't think you can really blame them too much for that.

It would be another story if they were actually storing CC numbers and 'accidentally' published them, but that doesn't seem to be what happened.

There, I fixed it:

  # $description holds the transaction's "description" field
  if ($description =~ /\d{4}((\s|-)?\d{4}){3}/) {
      # don't print it
  }

n.b. not trying to be a smart-ass, just saying it can't be that hard.
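The snippet above matches any four groups of four digits, which is exactly the "two problems" objection that follows: order numbers and reference IDs look the same. As an added example, not code from the thread or from Blippy, here is one way to tighten it: keep the cheap regex as a candidate filter, then confirm each hit with the Luhn checksum that real card numbers satisfy, and mask rather than drop the field. Names (`CANDIDATE_RE`, `luhn_valid`, `redact_card_numbers`) and the sample description are constructed for this illustration.

```python
import re

# Candidate pattern, deliberately close to the one posted above: four groups of
# four digits, optionally separated by a space or hyphen. On its own it also
# matches reference numbers that are not cards, so a checksum pass follows.
CANDIDATE_RE = re.compile(r"\b\d{4}(?:[\s-]?\d{4}){3}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every card brand in common use issues Luhn-valid PANs, so a 16-digit
    string that fails the check is almost certainly not a card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(description: str) -> tuple[str, int]:
    """Mask likely card numbers in a free-text description.

    Returns (redacted_text, number_of_redactions). Candidates that fail the
    Luhn check are left untouched so legitimate reference IDs survive.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)               # not a card: leave as-is
        count += 1
        return "****-****-****-" + digits[-4:]   # keep last four for the user

    return CANDIDATE_RE.sub(_mask, description), count


if __name__ == "__main__":
    # Constructed sample: a statement line that embeds a (test) card number
    # and an unrelated 16-digit reference that merely looks like one.
    sample = "PAYMENT THANK YOU 4111 1111 1111 1111 REF 1234-5678-9012-3456"
    text, n = redact_card_numbers(sample)
    print(n, text)
```

Run as a script it prints the redacted line with one substitution; the hyphenated reference number stays because it fails the checksum. This addresses card numbers only; other identifiers in the field would need their own validators, which is the point made later in the thread about the filter list growing.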

And now you have two problems.
Sorry, I don't get it. What do you mean?
Interesting, never heard of that one before - thanks for sharing.

And I agree that a root cause analysis should be done. E.g. asking the 5 Whys (as Eric Ries advocates), for behind every technical problem, there's a human problem.

It's only 'not that hard' if you know that the numbers are going to be there. Perhaps the Blippy folk have never seen or heard of a credit card company that puts the card number in the description field. I certainly haven't. Have you?

It seems like a ridiculous idea, and while it makes sense in some corner cases, I'm not surprised that they missed something that was only a problem for four users ever.

Perhaps what we should be doing here is asking why Google kept a cache of months-old HTML instead of updating their cache instead?

I agree with your first statement, which is one of the things the Black Swan theory is about (love the book, def. recommend reading it): that you don't know what you don't know.

To that I would say, one should be very very very paranoid about what you print, given that you know that you're printing things from people's credit card bill statement.

Blippy shouldn't have output the CC numbers; whether or not Google caches it is secondary to this. Note that Google's cache wasn't explicitly out to get Blippy, they just happened to cache whatever Blippy was emitting.

> To that I would say, one should be very very very paranoid about what you print, given that you know that you're printing things from people's credit card bill statement.

...to a point.

What other 'bad information' might be in that description? Social Security # for a USA customer? Social Insurance # for a Canadian customer? Pretty soon you'll have a laundry list of 'bad numbers' that you have to try and filter out.