Is Blippy's Data Breach An Online Payments Cautionary Tale?

The news that the card numbers of five Blippy users had been exposed to anybody with the search savvy to Google "site:blippy.com +'from card'" came as a bit of a shock on Friday. The first question is, who would want to share with strangers all their credit card purchases at a site like Blippy, whose sole purpose is credit and debit card spending voyeurism? What kind of psychological need is being filled by broadcasting that you just purchased an iPhone app or a tee shirt depicting a murderous hot dog? Why is anyone (besides a marketing professional) interested in what other people whom they don't know are buying over the internet?

The more serious question, of course, is how did Blippy users' credit and debit card numbers suddenly become accessible to Google searchers? The answer does not have to do with hacking or any other sort of criminal activity, but a simple code error, according to the Official Blippy Blog. "Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page," a recent blog post says. "The average user would see nothing, but a determined person could see 'raw' line items. Still, this was mostly harmless - stuff like store numbers and such. And it was all removed and fixed quickly, months ago. Enter Google's cache. Turns out Google indexed some of this HTML, even though it wasn't ever visible on the Blippy website, and was removed from the HTML code months ago. Which exposed 4 credit card numbers on Google.com (but a scary 196 search results). We have contacted Google to requested that they remove all credit card numbers from their servers. [sic]"

The lesson is, don't allow credit and debit card numbers to creep into your HTML code. Or perhaps it's: test your new site to check for any potential security problems before taking it live. In either case, this episode highlights the dangers inherent in developing online applications that make use of customer data. It also may make consumers more wary of sharing personal payment-related information online, as they probably should be.
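
A pre-release check in the spirit of that lesson, as an added example that is not from the article or from Blippy: it scans a page's raw HTML source, including comments and hidden attributes that a crawler indexes but a browser never shows, for Luhn-valid card numbers. The sample page, the function names and the 13 to 19 digit pattern are assumptions; the card number used is a widely published test value.

```python
import re
from html import unescape

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(html_source: str) -> list[str]:
    """Scan raw HTML source (not rendered text) for Luhn-valid card numbers."""
    hits = []
    for m in PAN_RE.finditer(unescape(html_source)):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Report masked (first 6, last 4) so the scan log is not itself a leak.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed sample page. 4111111111111111 is a test number, not a real card.
SAMPLE_PAGE = """
<div class="purchase">Alice spent $4.99 at Example Store</div>
<!-- raw: EXAMPLE STORE #0042 from card 4111 1111 1111 1111 -->
<span style="display:none" data-raw="store 1234567890123456 ref"></span>
<p>Order 20100423-000017 shipped</p>
"""

if __name__ == "__main__":
    leaks = find_pans(SAMPLE_PAGE)
    print(leaks)
    # Non-zero exit lets a build or deploy step fail when a card number is found.
    raise SystemExit(1 if leaks else 0)
```

The Luhn filter is what keeps store numbers and order IDs from drowning the result in false positives; only the number in the HTML comment is reported.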
