ABOUT | News | July 15, 2009

San Jose Family Finds Credit Card Info Online

cbs5.com
Reporting: Anna Werner

July 15, 2009

How would you like to find your credit card information online for anyone to use? A San Jose family found just that, and asked CBS 5 to Investigate This.

It was a random internet search by Jacques Robinson's daughter that turned up his wife's private information online, and not just her name and address.

"It shows the credit card number, the expiring date, the security code, type of card," Robinson told CBS 5 Investigates.

The spreadsheet his daughter found had headings in Russian and listed name after name of people in places such as Walnut Creek and Richmond. Their personal information was right out there on the Internet for anyone to steal.

Robinson's reaction? "It was a big gasp and a few seconds of heart-thumping," he said, followed by the thought that "this is some sort of mafia site or Russian hacker site."

Robinson works as a freelance IT consultant and quickly came to his own conclusions after reviewing the sheet, which includes a list of "payday loan" type websites.

"It appears people are stealing credit card information and then using it to start loan accounts at online banks and then drawing down on those loans and then sticking the credit card owners with the bill," Robinson said.

Chris Hoofnagle directs the UC Berkeley Center for Law & Technology's information privacy program. After reviewing the spreadsheet, he told CBS 5 Investigates similar sheets are used by would-be criminals to collect and sell individuals' credit card numbers.

"Your main point of this would be to resell it to someone who would actually charge these numbers," Hoofnagle said.

It's something that happens frequently on the Internet. As a spokesman for search giant Google pointed out, the company's search engines merely locate what someone else puts up on the Internet. But Robinson wanted to know why Google couldn't do more to stop people from accessing that private information.

"My concern is that the underlying document here is a spreadsheet that is on a Russian website, but Google has cached it and made it searchable," Robinson said.

The cached page is essentially a copy of the page stored by Google that can come up in searches. Google told CBS 5 Investigates there is a way to get a page removed from coming up in a search. The link is located in Google's "webmaster tools." The item stays "removed" for six months.
 
But Google said for the page to be permanently stopped from showing up in search results, people have to contact the webmaster of the offending site.
In Robinson's case, that may pose a problem since the webmaster may be somewhere in Russia.

He believes Google could do more.

"I understand Google's problem, but Google also has the technology for example, to be able to spot when 16 digits or a credit card number," said Robinson. "And so they should be able to make that not searchable if there are credit card numbers on the page. That's one starting point."

Expert Hoofnagle calls Google's response "largely reasonable," since the search engine is "a reflection of the web."

But he points out that in the past, Google has taken additional steps to protect individuals' privacy, such as blurring faces on the company's "Street View" mapping feature.

"Google has taken some steps here and there to obscure information to protect privacy," Hoofnagle said. "And there are a number of things one could do to make the document disappear if you really wanted them to."

For now, Robinson's called the credit card company and CBS 5 Investigates.

"Having seen your program, the next best thing is to get as many people informed as possible," he believes.

And he just hopes that not too many people fall victim to a common problem with potentially big consequences.

"I think the possibilities are there that this is the tip of a substantial iceberg," said Robinson.

CBS 5 Investigates also contacted Alex Stamos, a security consultant with San Francisco's ISEC Partners, regarding the spreadsheet found; here are his comments:

"There is a bustling trade in credit card information and personal details among hackers, phishers and other online criminals. This is called "carding", and is generally how individual technical hackers get paid by organized crime for stealing information. Occasionally spreadsheets, databases, and other lists of personal information end up in public places on the web and get spidered by Google, and that's what happened here. " –Alex Stamos, ISEC Partners.

The FBI provides the following recommendations:

1.  The FBI recommends these types of reports be filed with the IC3--where data is complied, analyzed, and referred to law enforcment.  The Internet Crime Complaint Center has received multiple reports alleging foreign subjects are using fraudulent credit cards. The unauthorized use of a credit/debit card, or card number, to fraudulently obtain money or property is considered credit card fraud. Credit/debit card numbers can be stolen from unsecured websites, or can be obtained in an identity theft scheme.  

2. Visit any of the three credit bureaus, Equifax, Experian, or TransUnion, for more information or to place a fraud alert on your credit report. Visit the Federal Trade Commission for additional information on security and fraud prevention tips.

 


BCLT's Program Booklet
The Law & Technology Program Booklet outlines the curriculum at Boalt Hall, the Law & Tech Certificate, BCLT and affiliated organizations, student organizations, and the Law & Tech Faculty. (1 mb)

Annual Bulletin
BCLT's Annual Bulletin overviews our events and developments; core teaching faculty; current and upcoming classes; student activities; and affiliated programs, scholars, and sponsors. They are now available online dating back to 2001.