
Blippy Publishes User Credit Card Numbers - blasdel
http://www.google.com/search?q=site%3Ablippy.com+%2B%22from+card%22
======
brown9-2
I don't mean this to sound snarky but I'm having a hard time understanding the
basic utility of Blippy's service.

Why would you want to automatically share information about every purchase you
make with your credit/debit card with the world? It just sounds like a recipe
for disaster with very little upside.

Can anyone who uses this service (if any HN members do) explain the usefulness
of it to me? I might just be misunderstanding the purpose.

~~~
axod
It makes about as much sense as twitter does.

~~~
mattmaroon
I don't think that's entirely fair. Twitter has some purposes other than sheer
vanity. Sharing links, 1 to many communication, etc.

Don't get me wrong, I don't care for Twitter myself. I don't use it, and I do
find most of it to be trite and little more than navel gazing. But I can see
some useful signal on Twitter, I just cannot see how it could not get buried
under an avalanche of noise.

Blippy seems totally vacuous.

~~~
axod
Sharing details of things you've purchased is immediately monetizable. If they
can get users using it, it's trivial to make it insanely profitable.

I can see it catching on with kids definitely.

~~~
Gormo
I can definitely see the value from a sales/marketing perspective, but the
trick is getting people using this. They're going to have a pretty big
challenge consistently delivering value to their users and not becoming at
best an ephemeral fad.

~~~
raintrees
From comments I have heard Leo Laport making on his TWIT podcast, he uses the
service and has found several products he has happily bought when other users
on Blippy brought them to his attention.

I am also keeping in mind that there are many jokes in the podcasts about Mr.
Laport's proclivity to purchase tech items, at times in quantity, as an
early-early adopter.

------
ivenkys
As an experiment I followed up the 5424xxxxxx number to check if it's a test
number. I could track down the card's owner and a little judicious googling
gave away the owner's home address as well.

Doesn't look like a test number.

------
ig1
Looks like Amazon were right to ban them over privacy concerns...

~~~
billclerico
It seems like this is old test data in the Google cache, not current data.

~~~
fnid2
Even if it is test data, we must wonder: why did anyone ever build the system
such that credit card numbers were visible to Google? Why did someone include
the credit card number in the select clause, add it to the HTML template, and
put it on a public server that could be crawled by Google?

~~~
there
I'm sure there wasn't a "credit card number" field that this information came
from. When downloading OFX transaction data, some banks include the full
credit card number in the transaction description, and some only include the
last 4 digits.

------
kevintwohy
They've responded here: <http://blippy.posterous.com/>

Not as apologetic as one might expect.

~~~
axod
I think it's a pretty solid response.

The question is, why would banks put your credit card number on the
description of transactions in the first place? I've never seen that done
before.

I think they're perhaps not as apologetic as you'd like because the premise
(Blippy publishes credit card numbers) is incorrect. They made a mistake in a
beta period which they fixed.

~~~
mbreese
_why would banks put your credit card number on the description of
transactions in the first place_

This is actually pretty common. It happens on my statements, and while I think
that my bank could do something better (last 4 digits would be enough), there
is at least a reason. For my joint checking account with multiple debit cards,
it helps figure out who bought what. Since each purchase has the exact card
number, we can figure out who went to Starbucks 3 times in one day...

~~~
axod
In the UK it's common to see last 4 digits only on receipts, statements etc.
_NEVER_ the whole CC number. Anywhere.

~~~
jrockway
The last 4 digits, however, are the ones that are unique to you.

~~~
axod
4 digits is enough for you to know which account holder made the purchase, but
not enough to be of any use to anyone else.

~~~
jrockway
The first 5+ digits are public (if the "attacker" knows what bank your card is
issued by). Adding 3 digits and a check digit to the mix makes guessing your
number all that much easier.

Personally, I am not sure why any digits need to be on sales receipts. Or why
I even need a receipt.

~~~
axod
Don't forget in the UK the vast majority of purchases are Chip+PIN only, so a
credit card number is only really useful for making online purchases from
other countries, which are usually scrutinized far more by banks.

Also you have the CSV on the back of the card and expiry date. You also have
the "Verified by Visa" stuff where you have to enter your password for any
online purchase; also you'll usually have to enter the cardholder's full
address.

I agree though, receipts are mainly useless wastes of paper these days, and
the less paper with personal details on the better.

Given the massive library of photos available on Flickr, it'd be unlikely that
there aren't some credit cards on there - perhaps a credit card left on the
coffee table in the background that can be enhanced... Maybe _even_ a credit
card in someone's very thin see-through shorts :/ Wonder how long it'd take to
find some examples.

~~~
DrJokepu
I can't help but feel that the way credit/debit cards work is inherently
flawed. About once a year my (UK) bank calls informing me that someone in
Malaysia / New York / etc. tried to use my card, so they blocked it and sent
a new one. If someone steals your wallet (happened to me not very long ago)
they get physical access to your card and can spend an awful lot of money
online before the bank blocks the card. In the end my bank refunded all my
money but still it was a quite stressful experience. And if someone manages to
get your PIN (by peeking over your shoulder), you can kiss goodbye to your
daily cash withdrawal limit.

I'm no security expert by any means but still I'm sure that it must be
possible to design a much safer system. Of course you can never defeat human
stupidity / irresponsibility / malevolence but it should be a lot harder to
commit card fraud.

------
jgrahamc
All the card numbers start with 5424 (Citibank MasterCard) and there are
actually only a small number of different card numbers.

I wonder if this is something to do with test data.

~~~
jgilliam
5424 is a MasterCard test number. <http://www.topbits.com/test-credit-card-numbers.html>

edit: I was wrong, it's the full number that's a test number. 5424 0000 0000 0015

~~~
joshu
I'm reasonably sure that's not true. Perhaps the whole 16-digit sequence
listed there is a test number.

~~~
jgilliam
You are right, I was wrong. It's the full number that's a test number. 5424 0000 0000 0015

------
dsplittgerber
You have got to be fuck*ng kidding me, Venturebeat:

"VentureBeat reporters deduced that all are Citibank-issued MasterCard
numbers. We're reluctant to publish further details yet."
[http://venturebeat.com/2010/04/23/blippy-credit-card-citiban...](http://venturebeat.com/2010/04/23/blippy-credit-card-citibank/)

Yet they're showing a screenshot with the exact Google search term to get all
the data.

~~~
gojomo
That's not too unreasonable of an approach for an online news source: avoid
republishing info that could be wrong, but allow readers to observe the same
primary sources, unless/until Blippy and Google change things.

~~~
dsplittgerber
Well, they just could have refrained from publishing the exact "hack" at all.
Which would have been the right thing to do, making it at least a little bit
harder for people to find out which CC #s exactly are compromised. They could
have stuck with reporting about it, not sharing in spreading it all over the
internet.

------
run4yourlives
Can I ask a question?

Why do they (or any other startup) even know what actual credit card numbers
are?

How many of you operate in the same way? Why? Are you PCI compliant?

~~~
smokinn
Because when you rebill a client you have to give the number again.

You can use a 3rd party gateway that acts as an intermediary between you and
the bank that issued your merchant account and the 3rd party gateway will
offer services such as scheduled rebilling. The gateway has to store the
number though because the APIs at the highest level have no clue how to deal
with internet and subscription type billing. They're still stuck in a very
brick-and-mortar mindset. In this case it's the 3rd party gateway that has to
deal with PCI compliance, not you.

If your transaction volume is high enough to justify it you can save a lot by
cutting out another middleman and writing your own gateway. In this case
though you generally have to be PCI compliant and have regular security audits
to stay compliant.

PCI compliance only makes sense when you store CC numbers since PCI is a set
of requirements on how to store them. Saying you don't store CC numbers and
are PCI compliant makes no sense. EDIT: As andrewf points out below I'm wrong
about this paragraph.

~~~
andrewf
PCI DSS states: "PCI DSS requirements are applicable if a Primary Account
Number (PAN) is stored, processed, or transmitted."

If a system accepts CC numbers from a form and then passes them to a 3rd party
gateway for processing, it's within PCI scope, even if it doesn't store them.

~~~
fuzzmeister
Certain companies (like Braintree) offer a service where the credit card data
is POSTed directly to their server, relieving you of most aspects of PCI
compliance.

------
gyardley
It looks like the credit card numbers are included in the Blippy section
starting with "The purchase appears on your statement as:", followed by the
actual text of the line entry from the statement.

From that, I'm guessing that Blippy lets users automatically import their
credit card statements, but they didn't anticipate that the entries in those
credit card statements would occasionally include full credit card numbers.
Embarrassing but a corner case.

------
eli
That does not seem PCI compliant.

~~~
dangrossman
PCI compliance is something mandated through merchant agreements upon credit
card processors. Blippy is not processing payments on those cards, and PCIDSS
is not a law.

~~~
Freebytes
PCIDSS is as good as law for a credit card processing company, though. If they
are not authorized by the credit card companies, they cannot process the
cards. If they cannot process the cards, they are out of business.

~~~
fnid2
There are lots of alternatives to accepting credit cards for payment, by the
way. Lots of restaurants take cash only, and online there are many third
parties like PayPal to move to.

------
iamelgringo
And this, the day after they raised $11 million in a series A. I really don't
understand that investment at all. Could someone explain it to me?

ref: <http://www.crunchbase.com/company/blippy>

~~~
cracell
Maybe they somehow convinced investors they were going to be the new
"twitter".

------
count
So, after reading, it appears this is more of a Citibank failure than a Blippy
failure. It makes Blippy look horrible though (even if it is unfairly).

Is this just an accepted danger of using 3rd party APIs for information, or
can they (Blippy) do something that doesn't look like they're just trying to
shift the blame?

I wonder what other awesome bugs are lying in wait in Citi's API...

------
bigsassy
Does anybody else find it strange that all the visible credit card numbers
start with 5424? According to Wikipedia, Citibank has that issuer code
([http://en.wikipedia.org/wiki/List_of_Bank_Identification_Num...](http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers)).

Why would only Citibank cards show up?

------
waxman
And you thought the new Facebook API was intrusive...

------
jfarmer
I use a Citibank MasterCard. :(

Is there any way to report this to Citibank?

~~~
jfarmer
Why on Earth am I being downvoted?

~~~
TotlolRon
Visa, AMEX, Discover. Those guys will do anything...

------
zavulon
Blippy is claiming it only published CC numbers of 4 users, and it's from beta
test.

<http://blippy.posterous.com/blippy-and-credit-card-numbers>

There's also this:

"While we take this very seriously and it is a headache for those involved,
it's important to remember that you're never responsible if someone uses your
credit card without your permission. That's why it's okay to hand your credit
card over to waiters, store clerks, and hundreds of other people who all have
access to your credit card numbers."

That's true, but how this diminishes their security breach is beyond me.

------
eande
Blippy's policy says "Our Services are primarily designed to help you share
information about your purchases with others. This information will be public
by default, but you may make it more private by editing your account settings.
You should be careful about all information that will be made public by
Blippy." I do not see much reason to sign up for this service in the first
place. With social media interconnecting all the data, even in a passive way,
as Facebook's F8 hinted at, we are heading in a direction where one has to be
more careful with personal information.

------
ig1
Having thought about it for a few days I've realized Blippy has a much more
fundamental security hole. Banks consider this data to be private.

In the past when I've forgotten my password and phoned my bank to get a new
one, typically they ask for a shared secret (like mother's maiden name, first
school, etc.) but if you say "I don't remember" they then ask you to verify
your address and your recent transaction history.

Blippy makes that last bit public and so probably creates a backdoor in the
manual security protocols of a lot of banks.

------
dalton
I hope someone writes a technical post-mortem/case-study on this.

------
paulsmith
I think Google has some responsibility here. Credit card numbers can be
validated with a simple checksum[1]. I don't see why Google can't detect them
in their index and obscure them. It's not like they haven't gone to that kind
of privacy effort for faces and license plate numbers in Street View.

[1] <http://en.wikipedia.org/wiki/Luhn_algorithm>

~~~
snprbob86
And what happens when there is a false positive? I think Google has every
right to claim carrier protections (or whatever the law is) and just turn a
blind eye to this problem.

~~~
paulsmith
I suspect that a combination of the Luhn checksum and contextual information
would give you a fairly high confidence level of it being a valid credit card
number, and not some other innocent string of digits.

They could clearly mark the stricken text as having been done to potentially
protect privacy and provide a contact mechanism to un-obscure false positives.

I think the harm of a few false positives -- remember, we're talking about
obscuring a 16-digit string that has a particular valid checksum, not a very
common occurrence -- is greatly outweighed by the harm of having someone's
financial identity stolen from a Google search.
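
As an added example (not Blippy's, Google's, or any commenter's code), here is a redaction filter along the lines paulsmith describes: it scans statement text for 13 to 19 digit runs, keeps only those that pass the Luhn checksum, and masks all but the last four digits. The digit-length range and separator handling are assumptions for this example; the sample statement lines are constructed and use the MasterCard test number quoted elsewhere in this thread.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally grouped with single spaces or
# hyphens, and not embedded in a longer run of digits. The range and the
# separators are assumptions for this example, not a standard's definition.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second one and folding
    # two-digit products back into a single digit (e.g. 18 -> 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as receipts and statements should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid candidate PAN in text.

    Returns (redacted_text, number_of_masked_numbers). Digit runs that fail
    the checksum (order references, phone numbers) are left untouched, which
    is what keeps the false-positive rate low.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    # Constructed statement lines in the shape the thread describes; the card
    # number is the MasterCard test number quoted in the thread.
    lines = [
        "The purchase appears on your statement as: STARBUCKS 5424 0000 0000 0015 SAN FRANCISCO",
        "The purchase appears on your statement as: ORDER 1234567890123456 ACME WEB",
        "The purchase appears on your statement as: CAB +1-555-0100 NEW YORK",
    ]
    for line in lines:
        redacted, n = redact_pans(line)
        print(f"{n} masked: {redacted}")
```

A false positive would require a 13 to 19 digit run that happens to pass the checksum, which is roughly one in ten of such runs, so in a real filter the surrounding context (a statement or receipt line) is the second signal to require before masking.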

------
waterlesscloud
Well, there goes that valuation.

------
eelco
While incredibly stupid, is this enough information to do actual harm? Don't
you also need the CVS code?

~~~
tortilla
Credit card numbers by themselves are no big deal, but this will haunt Blippy
forever. I don't know how you can recover from a PR disaster like this.

~~~
axod
Slightly melodramatic. No one will care tomorrow. We'll all be on to being
outraged by something else.

------
invisible
It looks like Google deleted the card numbers from these. Even if this
affected 4 people TOTAL (assuming they are not test numbers), this is not an
epidemic - banks expose more than this a week I'd bet.

I find it difficult to swallow the title of the article, and it makes me want
to flag it.

~~~
codemechanic
[http://blippy.com/business/+1310-6645810epoc-04-02-card-7096...](http://blippy.com/business/+1310-6645810epoc-04-02-card-7096-purchase-55180390092511503005577-+1310-6645810-ca)

------
iamdave
_Turns out Google indexed some of this HTML, even though it wasn't visible on
the Blippy website._

Okay, so my question then, after getting the response that Blippy could do a
better job processing their data, is why Google is indexing data that isn't
being displayed?

What I mean is, I understand crawlers go through pages to gather data for
search results. Why is it gathering data that isn't going to be rendered to
the user performing search queries, since that is empirically the most
relevant data users need to see in search results?

------
faramarz
I want to hear what they have to say and offer to the four users.

This is a HUGE trust issue and you can somewhat foreshadow the company's
future by how they handle the crisis, especially with these 4 users.

------
abronte
Ouch. I guess I'm glad I didn't get around to trying out Blippy.

------
arihant
Blippy doesn't look bad at all from what I perceive from the homepage. They
can do better by removing the TIME quote "Made me want to spend more". Any
idea which just makes you sit and think about what more we can do is a great
idea. I think Blippy is one of them, kinda gets you excited. I think girls
would just love this service.

------
samratjp
And it looks like the NYTimes has a take on Blippy and T.M.I. online:
<http://www.nytimes.com/2010/04/23/technology/23share.html>

------
crescendo
Blippy's response: <http://blippy.posterous.com/blippy-and-credit-card-numbers>

------
bengebre
Looks like mashable broke the story:

<http://mashable.com/2010/04/23/blippy-credit-card-numbers>

~~~
pg
No, Venturebeat I think:

<http://twitter.com/owenthomas/statuses/12705151399>

------
axod
Obviously this is bad, but are you able to make a purchase anywhere with only
a CC number? Don't you need the expiry date and CSV and full name?

------
jgilliam
Any theories on how it happened, technically?

~~~
rmaccloy
<http://twitter.com/freerobby/status/12711147469> claims it's a Citi API fail.
(Obviously Blippy should be filtering out this sort of stuff, but dubious on
Citi's part, too.)

------
thehodge
Only seems to be a few users; is it a certain card make or something?

------
Oompa
I'm glad I never trusted them enough to give them my information.

------
TotlolRon
"A fool and his credit card number are soon parted" -- blippy, 2010

------
jawngee
A dumb idea does dumb shit, film at 11.

------
dmose
wtf?

------
makmanalp
This is one case where telling them first might have caused less damage. Very
terrible situation though ...

------
adamtmca
Oh my god..

------
eplanit
Wow. That is a 100 lb. sack of FAIL! More fodder for my PCI slides to show
clients. Thanks Blippy, you've replaced CardSystems for me (their story was
getting old).

~~~
eplanit
You all are offended by calling out a fail? Touchy today, eh?

~~~
eplanit
Let's see how far this can go.

~~~
eplanit
If I cared about 'Karma', I'd heed that post. But, I don't.

~~~
TheBranca18
What's the point of participating in a community when you don't care what
others think? Seems pretty pointless to me.

~~~
eplanit
Community? I know nobody here. Everyone, like me, is hiding behind a screen
name. People get to 'downvote' anonymously, which to me is absurd. Yesterday,
I made a near-meaningless remark about Apple fan-boys, and got 7 points.
Today, I make a more meaningful remark about how this really is a noteworthy
failure -- and I'm losing Karma right and left. To me, this is comical.
Community? How do you define that word?

~~~
raffi
:) I'd call this a community. You can find my real name and the real names of
others on our profiles. I've also met many people from here and have had people
reach out to me through this site. It's the most real online community I'm
part of. It's this way because most of us act sensibly most of the time.

