Sunday, April 25, 2010

"That's not the lesson!!" Lessons unlearned from the Blippy CC number exposure.



If you didn't read about what happened to the social media site Blippy this week, they've explained it better than I will here. Basically, five credit card numbers were exposed to Google. Two unnamed small banks passed the card numbers into Blippy's system in a format no other bank uses, so Blippy had not accounted for it in their first beta. The issue with these numbers is now resolved, and the question remains: has the damage already been done?

If you didn't read the actual statement from Blippy transparently explaining the problem and how they fixed it, you're not alone. On Twitter especially, there was a flood of retweets exclaiming "I told you so! It's obviously a crazy idea!" without any real information. This company was figuratively set aflame in the eyes of the web. As someone who has studied identity theft extensively, I have been watching Blippy from the beginning, and what I can't stress enough here is "That's not the lesson!" We should NOT be treating this incident as proof that Blippy is a bad idea, because this incident DOESN'T prove that.

In the Information Security community especially, I was shocked to see how many people didn't get why this is scary. Bugs happen. In the age of the web app, bugs are public. They get fixed, and people are made whole. What concerns me here is the lack of flames directed at Google for caching those numbers in the first place. The numbers were NOT accessible from blippy.com; they came from google.com. Google has the ability to edit its cache and scrub card numbers, yet we are not demanding this from them. How did we get to the point where we tar and feather an innovative start-up while the big guy behind the curtain gets no critique?

InfoSec community, I expected more from you. Instead of mounting a campaign to find out who the banks were and offering to improve their payment card practices, we sent out LOLz in the echo chamber and acted like brats. In the hope that we redeem ourselves from this display of clueless elitism, I am calling on the community to start this discussion:

How can we protect Blippy and make the credit card companies embrace this new class of user?

It's a public world, and people are sharing their lives, whether we think they should or not. We need to start facilitating this change, not just saying "No" because we don't understand this industry.

1 comment:

Ax0n said...

My first reaction via Twitter (having seen the search results via twitter in my not-so-smartphone's OpenWave WAP Browser) was simply: "*headdesk*"

Since the links didn't work, I figured it was fixed some time ago, or maybe fixed immediately after the "crapstorm" hit twitter. Regardless, I couldn't really dive any further into it, being in a doctor's waiting room using only my phone.

Without seeing how many (or rather, few) pages of results there were, I couldn't tell how far-reaching this problem was, but on my drive home, I got to thinking it might not be a bad idea for WAFs to block anything that looks like cardholder data (properly-formatted numeric strings that are Luhn-algorithm true, for example) or that search engines might flag a page containing that kind of data for some kind of manual verification.

Granted, there are a lot of long strings of numbers that happen to resemble card numbers. And for all I know, this technology already exists. My primary thought along the drive home was "why on earth is this cached?"

By the time I got home, Google was dishing out "you're a bot!" style error messages for the blippy searches. Problem solved, in my book. Thanks for injecting a dose of sanity into this FUD-fest!
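The commenter's suggestion of a WAF rule that catches Luhn-valid card numbers in outbound content, and the worry that plenty of innocent digit strings also pass Luhn, can both be shown in a few lines. The following is an added example written for this page; it is not code from Blippy, Google or the commenter. It scans text for 13 to 19 digit runs (optionally separated by spaces or dashes), keeps only those that pass the Luhn check, and then applies a second filter on issuer prefix and length to drop Luhn-valid order numbers and the like. The transaction feed it scans is constructed for the example, and the issuer prefix table is an illustrative subset of public ranges, not a complete BIN list.

```python
"""Scan free text (an outbound HTML page, a transaction feed) for strings
that look like payment card numbers, and redact them.

Added example for the Blippy discussion; not Blippy's, Google's or the
commenter's code. SAMPLE_FEED is constructed; the issuer table is a subset.
"""
import re
from typing import List, NamedTuple, Optional

# 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds refuse matches that are part of a longer digit run, so a
# 20-digit reference number does not yield a 16-digit "card" from its prefix.
CANDIDATE_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


class Finding(NamedTuple):
    raw: str              # text exactly as it appeared, separators included
    digits: str           # digits only
    issuer: Optional[str]


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if
    the product exceeds 9); the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_for(digits: str) -> Optional[str]:
    """Map a digit string to a brand by leading digits and length.
    Illustrative subset of public issuer ranges (assumption: enough for
    the example; a production filter would use a maintained BIN table)."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65) and n == 16:
        return "discover"
    return None


def find_pans(text: str, require_issuer: bool = True) -> List[Finding]:
    """Return Luhn-valid candidates. By default a known issuer prefix is also
    required; that second filter is what keeps Luhn-valid order numbers out."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue
        issuer = issuer_for(digits)
        if require_issuer and issuer is None:
            continue
        findings.append(Finding(m.group(0), digits, issuer))
    return findings


def redact(text: str) -> str:
    """Replace each detected PAN with asterisks, keeping the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and issuer_for(digits) is not None:
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return CANDIDATE_RE.sub(mask, text)


# Constructed sample: a few transaction lines in the style of a bank feed.
# Lines 2-4 carry well-known test card numbers; the rest are look-alikes.
SAMPLE_FEED = """\
Starbucks $4.25 card ending 4242
POS 4111111111111111 COFFEE SHOP $3.10
Deposit from 5555 5555 5555 4444 $120.00
Acct 378282246310005 SHOE STORE $89.99
Order #1234567812345670 shipped
Tracking 4111111111111112 delivered
Ref 12345678901234567890 cleared
Ref 1234 5678 9012 3456 7890 cleared
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_FEED):
        print(f"{f.issuer:<10} {f.raw!r}")
    print(redact(SAMPLE_FEED))
```

Run on the sample feed, the default call reports three findings (the Visa, MasterCard and Amex test numbers) and redacts exactly those; the Luhn-valid order number on line 5 is reported only with `require_issuer=False`, the Luhn-invalid tracking number is never reported, and neither 20-digit reference is touched. This is the content side of the commenter's idea only; it does nothing about the caching side, which is a separate control (telling crawlers not to archive a page) that a response filter like this cannot substitute for.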