Google queries provide stolen credit cards

The ubiquitous search engine makes it easy to find unprotected personal information, CNET News.com has learned.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
Simple queries using the Google search engine can turn up a handful of sites that have posted credit card information to the Web, CNET News.com learned on Tuesday.

The lists of financial information include hundreds of card holders' names, addresses and phone numbers as well as their credit card data. Much of the credit card data that appears in the lists found by Google may no longer be valid, but News.com called several people listed and verified that the credit card numbers were authentic. The query, the latest example of "Google hacking," highlights increasing concern that knowledgeable Web surfers can turn up sensitive information by mining the world's best-known search engine.

"It seems like everyone has their own trick," said Chris Wysopal, vice president of research and development for digital security firm @Stake. "This is really searching for data that should be secret but has been exposed either through misconfiguration or by someone who has stolen it."

There is no shortage of ways to search Google to find such data. Whole sites spell out how to search for financial information and describe software vulnerabilities and vulnerable configurations on Internet machines. Google is the tool of choice because its powerful search options, such as the ability to search for a range of numbers--useful in finding credit card data--is not present in other companies' search engines.

Google would not comment, citing the quiet period before the company's initial public offering. However, a company source did say that the search firm has a tool for Web masters to remove pages from the archive, if they find that parts of their site violate laws or regulations. Moreover, the company has decided to allow anyone to request the removal from search results of any document that includes a Social Security or credit card number--a note to help@google.com with a link to the page will suffice, the source said.

Keith Ernst--a Durham, N.C., resident and, ironically, a worker at a financial antifraud company--found himself on the receiving end of a data leak earlier this year that resulted in his debit card number being posted on such a list. Before Ernst canceled his card, the number had been used for a variety of charges. A foreign student had attempted to pay college tuition with the stolen number.

"It was very unsettling to see those charges come up on your account," said Ernst, who normally works to prevent fraud from happening to others. "It was interesting, to say the least, to be on the other side of the issue."

Ernst's information is now posted to an Arabic bulletin board with more than a hundred other people's financial records, at the beck and call of a simple search on Google. His credit union refunded the charges and now he only uses credit cards to make Internet purchases, because fraudulent charges using a credit card are not immediately debited from his bank account.

The FBI could not immediately comment on whether the agency was investigating the sites listing financial information. The sites seemed to be spread out over the globe: One had a Russian domain name, another was written in Arabic, and a third was based in the Netherlands.

Good guys can Google, too
The rise of such Web sites has convinced @Stake's Wysopal that major credit issuers should start using Google as a security tool, searching for vulnerabilities and leaked information before other, potentially malicious, people find the data.

"Shouldn't Visa be proactive and do these searches on a daily basis?" he asked. "The bad guys are doing it, so why aren't the good guys doing it and beating them to the punch?"

The sentiments echoed statements made at the Black Hat Security Briefings in Las Vegas last week, where security researchers and hackers were surprised to learn the extent to which Google can pinpoint weakly secured servers and databases.

Visa already has many sources to pinpoint fraud, said Rosetta Jones, a spokeswoman for the company.

"When we run them against a database, it is very common to find that, in most cases, we have known that the credit card was stolen," she said.

While the company may not use Google to track when sites containing credit card information appear, it has moved to have many such sites taken down when tipped off to the situation. So far this year, Visa has had 20 sites pulled from the Web for trafficking in stolen credit cards.

One big haystack
With 4 billion Web pages on the Internet, Google is not able to police its archives very effectively, a source at the company said. The firm has legally positioned itself as an intermediary of content beyond its control, which releases it from being held responsible for any content the company archives or to which it links.

That means consumers are left to carefully watch their information. Yet, the degree to which fraud has become more common makes consumers like Ernst fatalistic.

"I am sure that the information is out there," the fraud-fighter said.