If you didn't read about what happened to the social media site Blippy this week, they've explained it better than I will here. Basically 5 credit card numbers were exposed to Google. Two unnamed small banks pushed the number to Blippy's system in a way that is not consistent with any other bank, and therefore Blippy had not accounted for it in their first beta. The issue with these numbers is now resolved, and the question remains, has the damage already been done?
If you didn't read the actual statement from Blippy transparently explaining the problem and how they fixed it, you're not alone. On Twitter especially, there was a flood of retweets exclaiming "I told you so! It's obviously a crazy idea!" without any real information. This company was figuratively set aflame in the eyes of the web. As someone who has studied identity theft extensively, I have been watching Blippy from the beginning, and what I can't stress enough here is "That's not the lesson!" We should NOT be treating this incident as proof that Blippy is a bad idea, because this incident DOESN'T prove that.
In the Information Security community especially, I was shocked to see how many people didn't get why this is scary. Bugs happen. In the age of the Web App, bugs are public. They get fixed, and people are made whole. What concerns me here is the lack of flames set towards Google for caching those numbers in the first place. The numbers were NOT accessible from blippy.com; they came from google.com. Google has the ability to edit their cache and scrub CC numbers, yet we are not demanding this from them. How did we get to this point where we tar and feather an innovative start-up company, while the big guy behind the curtain gets no critique?
InfoSec community, I expected more from you. Instead of mounting a campaign to find out who the banks were and offer to improve their payment card practices, we sent out LOLz in the Echo Chamber and acted like brats. In the hopes that we redeem ourselves from this display of clueless elitism, I am calling out the community to start this discussion:
How can we protect Blippy and make the credit card companies embrace this new class of user?
It's a public world, and people are sharing their lives, whether we think they should or not. We need to start facilitating this change, not just saying "No" because we don't understand this industry.