Today I accidentally uncovered a huge list of people’s names, addresses and credit card details online. No kidding.
I found more than that: login details to people’s web hosting accounts and e-commerce site memberships as well. It was really freaky to think it was all just staring at me, thanks to a flukey Google search. Nothing more complicated than that. (And no, don’t email me for the search details!)
For whatever reason, a hacker has broken into a number of sites and stored the resulting DB dumps in text files on his own site, and Google came along and indexed them, all because his server had directory listing turned on: when no default file (index.html or similar) is present, it shows the directory's contents to anyone who asks, crawlers included.
I have emailed Victoria Police with all the details. But after thinking about it some more, I have a simple observation and a suggestion…
First the observation: if a hacker is dumb enough to leave your private login or credit card details online where Google can index them, they're likely to be in a text file and unencrypted. Passwords will be readable only if the site that was broken into stored them in the clear instead of as a salted hash (which is what should have happened). If your credit card is listed, it's probably had the spaces removed, because a contiguous run of digits is how it gets stored by idiots who keep full card numbers at all, rather than handing the number to the payment processor and keeping nothing.
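A practical way to triage a text file like the ones described above is to look for runs of 13 to 19 digits (with or without spaces or dashes) and keep only the ones that pass the Luhn checksum, which every payment card number satisfies. The script below is an added example, not code from the original post; the dump it scans is a constructed sample using the standard test card numbers, and the regex and masking helper are assumptions about what a triage tool would need, not anything the post describes.

```python
import re
from typing import List

# Constructed sample of the kind of text-file "DB dump" described above.
# The card numbers are the well-known test numbers that pass the Luhn check;
# none is a real card.
SAMPLE_DUMP = """\
id,name,card,expiry
1,J Smith,4111111111111111,09/09
2,A Jones,5500 0000 0000 0004,11/08
3,bogus,1234567890123456,01/10
4,K Lee,378282246310005,03/09
"""

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit-only form of every Luhn-valid card-like number in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Show only the last four digits, so a triage report doesn't copy the leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_DUMP):
        print(mask(pan))
```

Run against the sample, it reports three masked numbers and ignores the digit string on line 3, which looks like a card number but fails the checksum. If you do report a find to the police or the issuing bank, pass on the masked form plus the URL rather than re-publishing the numbers.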
Search Google for Your “Privates”
So here’s the suggestion: search Google for your credit card number. Bear in mind that whatever you type goes to Google and into your browser history, so searching for a distinctive part of the number (say the last eight digits, in quotes) is safer than typing in the whole thing. If something shows up, go and check it out. See if you also fluke a list of hacked card details with your own details in it. If you find nothing, it doesn’t mean you haven’t been hacked… it just means you’re not listed online where Google can see it.
Now, if you have a strange and obscure password you always use (one that is most likely yours and yours alone), try searching for that too. Again, if it shows up in Google’s SERPs, check out the page and see what’s there. The same caveat applies: once a password has been typed into a search box it is in Google’s logs and your browser history, so plan to change it afterwards whether or not anything turns up.
I must say I was pretty freaked out to have discovered these credit card details online. I mean, you’d think a hacker would be smart enough to keep his stuff away from public web access and Google indexing, but perhaps not.
Crappy Coding of E-Commerce Sites
All this raises an issue that I have been long worried about… the coding and security standards of e-commerce sites out there.
How do you and I know whether a given site is secure? Suuuuuuuure… it has HTTPS working and the little padlock comes up in your browser on the page asking for your credit card details. So what?! That only protects the number on its way to the server; it says nothing about what happens to it once it gets there.
The real worry is whether a hacker can get into the database and suck out all the customer and purchasing records. If a programmer doesn’t know what a salted hash is (basic basic stuff, and the only acceptable way to store a password), he should be shot. If a programmer doesn’t know to use parameterised queries, so that user input from a querystring or form can never be spliced into the SQL and injected, he should also be shot. And nobody should be storing full card numbers in the first place when the payment processor can hold them instead.
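To make the two sins above concrete, here is an added example (mine, not code from the post or from any shopping cart package) of a login routine written both ways against a constructed in-memory SQLite store. The "legacy" table with plaintext passwords stands in for the kind of data that ends up in a dump; the hardened version stores a per-user random salt and a slow PBKDF2 hash, and passes user input to the driver as a parameter instead of pasting it into the SQL. The table names, the user "alice" and the password "fr3dd0" are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000   # slow on purpose: makes offline cracking of a stolen dump expensive


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. Same password + different salt => different output,
    so a precomputed table of hashes is useless against the dump."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)                      # per-user random salt, stored beside the hash
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def setup() -> sqlite3.Connection:
    """Constructed in-memory store: a 'legacy' table holding plaintext passwords
    (what a dumped table looks like) and a hardened table holding salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO legacy_users VALUES ('alice', 'fr3dd0')")
    register(conn, "alice", "fr3dd0")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The broken pattern: SQL built by string formatting, passwords compared in the clear.
    A password of  ' OR '1'='1  turns the WHERE clause into something that is always true."""
    sql = ("SELECT username FROM legacy_users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query (the driver quotes the value, so it can't change the SQL),
    then a constant-time comparison against the stored salted hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = setup()
    attack = "' OR '1'='1"
    print("vulnerable login, injected password:", login_vulnerable(db, "alice", attack))
    print("hardened login, injected password:  ", login_hardened(db, "alice", attack))
    print("hardened login, real password:      ", login_hardened(db, "alice", "fr3dd0"))
```

The injected string logs in through the vulnerable routine without knowing any password at all, and is rejected by the hardened one because it is only ever treated as a value to compare. Even if the hardened table were dumped, an attacker would get a salt and a hash per user, not something he could type into the next site.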
This is why you SHOULD think about the e-commerce platform used by the vendor you’re about to buy from. There are known weaknesses in various shopping cart packages out there, old unpatched versions especially. And if someone has built one from scratch… well, you’d better hope they know what they’re doing.
If It’s Always The Same Password, One Hack Is Enough
If you’re like me, you use the same username everywhere. It’s a branding thing. I’m “alicam” (or “blogologist”) almost everywhere, unless I can’t get these, or unless I don’t want to be “me”.
If you’re NOT like me, you also use the same password everywhere. (I confess… I used to, until a few years ago when I woke up!)
Here’s the danger of using the same password everywhere: a hacker only needs to compromise any one single website you’re a member of to get your username and password (outright, if that site stored passwords in the clear; after some cracking, if it used a weak or unsalted hash). Once he’s got these, he can try them again all over the place, looking for what other sites and services you belong to. Along the way he can gather more and more information about you, in readiness for “becoming you”… called Identity Theft.
So don’t use the same password every time. Here’s a trick that may work for you: add part or all of the domain name into your password, along with the bit you usually use. So, if your password was always “fr3dd0”, make it fr3dd0-yahoo, fr3dd0-google, fr3dd0-wordpress, etc. Be clear about what this buys you: a leaked password no longer works as-is on other sites, which defeats the automated replay described above. But the rule is obvious to anyone who looks at the leaked value, and a machine can be told to apply it just as easily (password-cracking tools already run such “mangling” rules), so treat it as a step up from one shared password, not as a substitute for unique random ones.
In my case, I had a password generator make up 16-character long unique strings (with alpha-numeric and special characters), which I use uniquely for each of the services I use. I’m not taking chances. (How I memorize them all is my secret!)
Important Tips for Your Online Security
So, to conclude, here are some simple tips to keep you safe online:
- Buy online from large, reputable suppliers only.
Ideally, choose vendors in the same “jurisdiction” as you, and vendors who also sell to you offline.
- Don’t buy from ugly sites.
If the site looks really ugly and clunky on the front end, it might be coded that way on the back end too. Just walk away!
- Use Paypal where you can.
It’s an eBay company and gives you a safety net for online transactions. They spend millions getting it right, and, importantly for the story above, the vendor never sees your card number at all.
- Update your passwords.
You should use really good passwords, and unique ones, for your important online services like banks, hosting suppliers, government, etc. Don’t double up on them.
- Buy from countries you trust.
It sounds snobbish, but if you get in trouble with a vendor who doesn’t deliver, and he’s from a country whose law can’t protect you, you’re up the creek without a strudel.
- Know about phishing.
You think you know what it means, but are you up-to-date on the latest tricks and techniques? Some of them are darned convincing. So use filters and software to help you too.
This is a quick brain-dump of my suggestions. There are more, so leave a comment for the benefit of others if you have some goodies.
Do The Right Thing!
Finally, do the right thing. If you find stuff that shouldn’t be there, tell the authorities. If you’re a Google Search Guru with all your advanced operator trickery, then it’s even more possible that you’ll come across stuff like I did… but I sure hope not.