Thursday, July 9, 2009

Internet Surveillance... for your Credit/Debit Cards?

I've been using the identity theft and credit protection services offered through my bank for a couple of years now. Recently I noticed a new menu option for Internet Surveillance which caught my attention. Apparently, this service (which comes with the ID theft prevention/insurance) is one that scours the Interwebs trying to find the credit card numbers and associated data that you enter in it.

This got me thinking... 2 things struck me as wrong.

First off... do I really trust my bank with every credit card number I own? Maybe it's not so bad since I'm just putting in the name on the card and the full card number (no CVV/CVV2, or Expr Date) and even IF someone stole that data - what good would it be to them?

Second, given that Google (whom I presume they'll be using) and most other search engines' queries can be "read" from your history (or from their cache)... I really want my credit card number as a search string floating around somewhere?

How do those two things balance against my need to be free of ID theft ... on the black market? I'm leaning towards putting in a few card numbers just to see how it goes... do any of you have any thoughts on the matter? Pros? Cons? Have you tried this before (do I need to give a link to the service vendor?)

Soliciting your thoughts, either publicly or privately... thanks!

{ Update }
-- As promised, I went to put in a fake American Express card number (see pasted below) which follows the AmEx algorithm. Immediately, a JavaScript snip flagged the card input as "possibly incorrect" but let me continue anyway. Odd behavior, don't you think? After ignoring the warning I went ahead and hit accept, retyped (same error again, in JS) and then voila! my card was added for monitoring. I have pasted it below just to see if the fake card number gets picked up!

378511096516050 - Rafal Los - FAKE AmEx card number (not following algorithm!)
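
The JavaScript warning described in the update was advisory only: the form still accepted the number. As an added example (not code from this post or from the monitoring service), here is the kind of check such a form could enforce on the server, assuming the warning came from a Luhn checksum test. The function names are hypothetical, and the sample inputs are the fake number above plus the publicly documented AmEx test number.

```javascript
// Added example: enforce card-number validation on the server instead of
// only warning in the browser. All function names are hypothetical.

// Strip the separators people commonly type; everything left must be digits.
function normalizePan(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn checksum: from the right, double every second digit, subtract 9
// from any result above 9, and require the total to be a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// AmEx numbers are 15 digits and start with 34 or 37.
function isAmexFormat(digits) {
  return /^3[47]\d{13}$/.test(digits);
}

// Reject, rather than warn, when the number cannot be a real PAN.
function validateForMonitoring(input) {
  const digits = normalizePan(input);
  if (digits === null) return { ok: false, reason: "not a card number" };
  if (!luhnValid(digits)) return { ok: false, reason: "luhn check failed" };
  return { ok: true, reason: isAmexFormat(digits) ? "amex" : "other brand" };
}

// Constructed inputs: the fake number posted above, then the public AmEx
// test number typed with spaces.
console.log(validateForMonitoring("378511096516050"));
console.log(validateForMonitoring("3782 822463 10005"));
```

The posted fake number has the AmEx prefix and length but fails the checksum, so a server that enforced this check would have refused it.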


Ed Bellis said...

Left you some comments on Twitter as well but thought I would post here in case you missed 'em.

The cc PAN will still have some value, albeit less than if you had the CV and exp. I would think if they are charging for this service the algorithm would be more complex than just using a Google search, I'd be curious to see what your results were.

What prevents you from entering other card numbers? Do they really want to open up themselves to people using their tool for nefarious recon?

Just a few random thoughts... interesting post.

Rafal Los said...

First... I don't see *anything* that prevents me from entering some other credit cards. In fact, I entered my wife's (which is still in her maiden name) and the system had no problems accepting the number + name. I find this particularly fascinating since it *appears* as though you could possibly use this for nefarious purposes... maybe. If you knew some credit card number you wanted to track on the 'net?

I can't see too much damage you could do - but I think I'll test this by posting up a FAKE credit card number in the system, then leaving it here on my blog and seeing what happens... maybe it'll find it?

Stay tuned!

Ed Bellis said...

I'm interested in seeing the results. Make sure at a minimum your FAKE card number passes the Luhn algorithm in case they are doing some basic checks.

Stephan Wehner said...

When they called me for the "identity theft and credit protection", I said no -- I thought it should be part of their service already.

Similar to Microsoft asking to be paid for Anti-virus software.

Beyond that it looked like little value for a non-trivial monthly fee.

Did you see any benefit at all?


Rafal Los said...

Stephan- I'm looking up results next week, after a week or so of this service running. Now, this is just a small piece of the overall credit monitoring and protection - but still... I really do wonder if it serves any purpose at all.

Interesting... more info when I get it. Keep an eye on this post.