
Blippy And Credit Card Numbers - Official Blippy Blog - ashishk
http://blippy.posterous.com/blippy-and-credit-card-numbers
======
patio11
_We take security seriously and want to assure Blippy users that this was an
isolated incident from many months ago in our beta test, and doesn't affect
current users.

While it looks super-scary and certainly sucks for those few people who were
affected, and is embarrassing to us, it's a lot less bad than it looks._

This could have been phrased a bit better to include an actual apology. It's
pretty easy to do: "Several months ago Blippy's limited beta test leaked data
about four customers, including their credit card numbers. That is totally our
fault. We have apologized to those four customers personally and have taken
steps to make sure it cannot happen again. The site currently does not leak
data, but those four customers' numbers are still visible on Google searches.
We are working with Google to correct this and expect it to be resolved in a
few hours.

Here are the improvements Blippy has made to deserve our customers' trust:"

[Edited to add:

The Japanese salaryman in me would suggest that the CEO sign this post.
Phrasing might include "This was ultimately a failure of our internal quality
controls, because it should have been caught several times before this data
was exposed publicly. I take full responsibility for the lapse and have
begun..."]

~~~
patio11
A quick elaboration on the CEO thing, because I didn't want to give the
impression I'm grinding anybody's nose in it: Tactically I think it is a good
idea because it demonstrates that the company has no higher priority than the
users' security and their trust. (And if your business is publishing folks'
info, that is probably true. Heck, everybody on the Internet who takes credit
cards, in any capacity, has a built-in "Are they going to scam me?" objection
to address.)

Culturally, in Japan, the title for the CEO (often) literally means "Person
With The Highest Responsibility." (最高責任者 -- all the other CXOs are "Person
with the Highest Responsibility For [Information, etc]") Within the company,
I'm sure some junior engineer is going to get a royal chewout today, but to
the rest of the world, the company is an impenetrable mass. When an employee
screws up, the company has screwed up, and when the company screws up, the CEO
(or division chief or whomever) apologizes because his job is managing the
business such that it does not screw up.

_When done well_, I think this is one of the most emulation-worthy bits of
the Japanese corporate culture. It sends a message internally that you will
always back your people come what may, and externally that you're worthy of
the trust your customers, shareholders, and business partners place in you.

~~~
donw
Patrick, it's always a pleasure reading your posts. How I wish companies in
the US acted like this...

------
tptacek
Yeah, I don't know. My lizard brain wants to see them writhing on the ground
pleading for mercy, but the teeny tiny rational part of my brain wonders what
I expected them to say instead of this.

If you get past your expectations about their attitude, they are being pretty
forthright about what actually happened; in many more contrite disclosures,
you don't get this level of detail. I appreciate the detail.

I'd like to see something other than the standard "now we're getting third-
party security audits" platitudes. For instance, I'd like to know that they
have a software security person _on staff_ now, since they're clearly dealing
with credit card information that they don't fully understand.

------
cjeane
_sucks for those few people who were affected_

Pretty much guarantees I'll never use this site.

~~~
pinstriped_dude
I have never used this service and from reading what it does, I probably never
will. BUT, if I were the kind of person into this type of thing, I would feel
pretty good about them. The explanation sounds sincere, honest and heartfelt.
They have done their research and discovered what caused the problem. The
credit card numbers were only in the source code of the HTML, not actually
displayed on the HTML page (I know it only takes 2 clicks to see the source,
but how many people check out the source code of every page we see through the
day?). And they are telling us that they are well-funded to dedicate more
resources on security. I feel pretty good about them.

~~~
stingraycharles
_(I know it only takes 2 clicks to see the source, but how many people check
out the source code of every page we see through the day?)_

The same kind of people that go hunting for credit card numbers online?

~~~
robobenjie
I'm pretty sure there are much easier ways to get credit cards online than
randomly looking at webpages. Can't you buy them in bushels from Romanian
hackers? I hear the going rate is much less than a dollar a number.*

*I hear this from a person who used to work in e-commerce stopping illegitimate transactions, not from illegal activity, btw.

~~~
jacquesm
Credit card numbers alone can be generated, no need to steal them. Only in
combination with the expiry date and CVV do they have any value; newer cards
are protected with a PIN code for that reason.

The whole reason the VBV program exists is to make the numbers alone
worthless.

Why would you single out the Romanians? There are people doing that sort of
thing all over the world.

------
thirdstation
Their anonymously-signed blog post doesn't engender much confidence in them as
a company. Except that they try hard to protect their own identity.

~~~
pinstriped_dude
The apology is signed by the Co-Founder. What am I missing?

"Thank you for reading. Philip Kaplan, co-founder"

~~~
weaksauce
Probably 2 hours of time in which they could edit the page and append a
signature.

------
samd
Either you want businesses to communicate with the public like normal human
beings or you can complain and nitpick their statements for not being
perfectly phrased. Not both.

I'm glad they candidly told us about what went wrong. There's an important
lesson to remember about how everything put on the web can be indexed and
stored even if it was only up for a short time.

------
icey
Wow, I would have thought they would have at least made a motion to apologize.
Instead they've basically said "hey, this isn't a big deal, stop complaining".

~~~
nathanb
Seems like they apologized to the four users involved. I don't know that they
owe the public in general an apology. They basically explained why this is
less scary than the headlines (including the one here on HN) makes it look and
said that they were committed to keeping this from happening again, including
giving examples of steps they were going to take.

What would you have liked to see from them? Prostrating themselves before you
for revealing someone else's credit card data?

~~~
jmathai
Leaking 4 of thousands of credit card numbers IS a huge deal. It's a disservice
to their users (even the ones who weren't affected) for them to downplay it.

~~~
bh3
I'm personally getting the feeling that downplaying it was more of a trip up
on their part. They wake up, find they are suddenly being viewed as the devil,
and for some strange reason want people to believe that things are not as bad
as they look. The problem, though, is they should never have said that
directly. They should have given us every reason to believe that things are
not as bad as they look and have us come to that conclusion for ourselves.
They should also get some PR people on pay; they probably need them more than
the added security.

------
dsplittgerber
If the onus is soon going to be on the user having to explain why he sees a
problem with his private details being shown to the whole world, there are
going to be lots of problems and incidents which people are in no way ready
for.

------
sriramk
I was chatting with someone about the language used in a lot of these
apologies. This has come up in a lot of issues - like in the Justin.tv suicide
case.

I think companies fear legal repercussions. If you use certain words, you
might be taking blame onto yourself in a legal sense and might have someone
use that against you in a lawsuit.

I'm not sure about this incident but I definitely sensed that was the issue
with the Justin.tv apology.

------
donw
Sorry, but this blog post indicates that Blippy is in no way serious about
security. Blippy handled sensitive data (credit card numbers) in a highly
insecure fashion, and rather than treating it like a full-scale emergency,
which it is, regardless of the number of people affected, we get this "hey,
it's no big deal" blog post.

What other massive security mistakes are lying around in their codebase? Why
does this sort of reply give me absolutely no faith that they'll deal with
those problems seriously when/if they arise?

------
ssp
Their response is totally fine and in proportion to the actual harm done.

------
waxman
Everyone and every company makes mistakes, so it's not a matter of whether or
not you screw up (because you will), but rather how will you deal with it when
it happens. I think Blippy dealt with it pretty well.

Having said that: I think Blippy was a dumb idea to begin with, and this dumb
mistake may have been the final nail in the $11-million-Series-A-funded
coffin.

------
there
Now that this whole thing has blown over, I'd love to hear from someone at
Blippy regarding how this affected their subscriber count. I have a feeling it
went up today despite the negative press.

------
lallysingh
Hint for the future: if you're processing raw data that could include credit
card #s, filter out 16-digit sequences as a whole.

~~~
tzs
15 for American Express. 14-16 for various kinds of Diner's Club. 16, 18, or
19 for Solo and Switch.

It would not have occurred to me that the number might even be in the raw
data. Sounds like the supplier is violating PCI. (That doesn't apply if the
supplier is the card company or issuing bank--PCI is just something they
require others to follow. They hold themselves to a much lower standard).

~~~
_delirium
It might be a useful heuristic for companies anywhere remotely in this space
to use during early alpha/beta periods though. There aren't _that_ many
legitimate cases where you're going to be sending 14-to-19-digit numbers in
HTML, so at least during the early phases, flag them and make sure they're not
CC#s that somehow got there.

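A defensive output scanner of the kind lallysingh, tzs and _delirium describe, as an added example that is not part of the thread or of Blippy's code: it scans rendered HTML for 14-to-19-digit runs (the length range tzs gives rather than a fixed 16), strips the spaces and dashes people put between groups, applies the Luhn check to separate plausible card numbers from order ids, and masks them before the page is served. The names (`find_candidates`, `redact`), the regex and the sample HTML are my own assumptions; the sample card numbers are the widely published Visa and AmEx test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical names and sample data (added example, not Blippy's code).
# A run of 14 to 19 digits, optionally separated by single spaces or dashes,
# with no digit immediately before or after, so a 20-digit run is not
# matched as a 19-digit card and a 13-digit run is ignored.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Candidate:
    raw: str          # text exactly as it appeared in the page
    digits: str       # separators stripped
    luhn_valid: bool  # True for a plausible card number


def find_candidates(text: str) -> List[Candidate]:
    """Return every 14-19 digit run in text together with its Luhn status."""
    out = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        out.append(Candidate(m.group(0), digits, luhn_ok(digits)))
    return out


def redact(text: str, strict: bool = True) -> str:
    """Mask likely card numbers, keeping only the last four digits.

    strict=True masks only Luhn-valid runs (fewer false positives on order
    ids); strict=False masks every 14-19 digit run, the blunter rule the
    thread suggests for an alpha/beta period.
    """
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if strict and not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE_RE.sub(repl, text)


# Constructed sample page. 4111 1111 1111 1111 and 378282246310005 are the
# widely published Visa/AmEx test numbers (Luhn-valid, not real accounts);
# 1234567890123456 is a 16-digit order id that fails the Luhn check.
SAMPLE_HTML = """<div class="purchase">
  <span class="merchant">Coffee Shop</span>
  <!-- raw feed record: 4111 1111 1111 1111 exp 04/10 -->
  <span class="order">Order 1234567890123456</span>
  <span class="ref">txn 378282246310005</span>
</div>"""

if __name__ == "__main__":
    for c in find_candidates(SAMPLE_HTML):
        print(f"{c.raw!r}: {len(c.digits)} digits, luhn_valid={c.luhn_valid}")
    print(redact(SAMPLE_HTML))
```

Roughly one random digit run in ten passes Luhn, so the check trims false positives without being proof of anything; during a beta, `strict=False` (flag every long run and have a human look) is the safer setting, and a run of short numbers separated by single spaces, such as a date right after a card number, can still be chained into one candidate, which is a reason to flag rather than silently drop.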
------
codemechanic
"That's why it's okay to hand your credit card over to waiters, store clerks,
and hundreds of other people who all have access to your credit card numbers."

I don't like this attitude. Anyway, who cares when you have $11.2 million in
funding.

------
jamesshamenski
All publicity is good publicity.

------
latch
You guys are being too hard on them. Shit happens. Even serious shit. I feel
like they are being accountable and honest.

