
Online Bank Cards

The reaction most people have when you point out that people are naive enough to post pictures of their credit and debit cards online is to laugh; surely no one could be that unaware of the risks. But the practice has become so commonplace that a number of Twitter accounts have been set up to automatically identify and repost the images.

Some, like @CancelThatCard (http://cancelthat.cc/), attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.

As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:

https://twitter.com/Nestorghh/status/331793025019813888/photo/1

Yes, people do post their cards online…

As a side note, it looks like Twitter is clamping down on the practice of highlighting these posts: the last message posted by @cancelthatcard, on April 14th, indicates that the service has essentially been censored. I hope Twitter reverses this; providing security information to end users is not something that should be prevented.

I’ve been following both accounts for some time. At first my reaction was the one I’ve described above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting. Instead of thanks for providing free advice it more regularly resulted in insults, abuse and flat denial that any risk had been introduced.

Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16-digit card number that were obscured. What is little known (and wasn’t to me until I started following these cards in more depth) is that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was helpful enough to identify the card as a personalised BarclayCard. A quick Google search led to this page, and knowing the 6th digit of the card meant the missing digits could only be one of two possibilities, reducing the potential entropy gained from obscuring part of the card from ~10k possible numbers to two possible card numbers, effectively posting the entire 16 digits online.

In the above example, which is far from uncommon, when suggesting the owner may want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).

To end I’ll echo the plea from @needadebitcard: Please quit posting pictures of your cards, people.

– Andrew Waite

P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter timeline if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity, then, well, me deleting a couple of Twitter posts isn’t going to improve their security.

  1. 2013/05/12 at 11:34

    There is (I think) a fairly straightforward algorithm for working out card numbers so I’d suggest that if enough numbers are divulged you can work out the rest with a little effort.

    On a similar note I had a discussion with someone the other week about when/if chip and pin machines will be made widely available and able to interface with websites, then we could all have them and *perhaps* this would heighten security although I’m not entirely convinced.

    • 2013/05/12 at 16:49

      There is (was?) an algorithm which could validate if the 16-digit card number is potentially valid. I’d written a version in VBA for a (very) early project. Only downside is that whilst it will eliminate invalid numbers, there was no way to tie the number to a particular account/sort/etc, at least in the version I’d dealt with.
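The validation algorithm the two comments above refer to is the Luhn check digit, and the post’s point about the leading digits being the issuer identifier determines which part of a card number is worth hiding. The following is an added example, not code from the post or its commenters: a Luhn validator, the matching check-digit calculation, and a display-masking helper that keeps the first six and last four digits (the usual convention, and the maximum PCI DSS allows to be shown). The 4111 1111 1111 1111 value is a published Visa test number, not a real card.

```python
# Added example: Luhn check and display masking for 16-digit card numbers.
# As the comment notes, Luhn only eliminates mistyped or invented numbers;
# it cannot tie a number to an account, sort code or cardholder.

def _digits(s: str) -> list[int]:
    """Keep only the digits of a PAN written with or without spaces."""
    return [int(c) for c in s if c.isdigit()]


def luhn_valid(pan: str) -> bool:
    """True if the number passes the Luhn check (every second digit from the
    right is doubled, 9 subtracted if the result exceeds 9, sum must be 0 mod 10)."""
    digits = _digits(pan)
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass luhn_valid()."""
    total = 0
    for i, d in enumerate(reversed(_digits(payload))):
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def mask_for_display(pan: str) -> str:
    """Mask for display: keep the first six digits (issuer identifier, shared by
    every card that issuer prints) and the last four; hide the middle.  Hiding
    only the leading digits, as in the post's example, protects almost nothing."""
    digits = "".join(str(d) for d in _digits(pan))
    if len(digits) < 13:
        raise ValueError("too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"  # published Visa test number, not a real card
    print(luhn_valid(test_pan), luhn_check_digit(test_pan[:-1]), mask_for_display(test_pan))
```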

  2. @serenecloud
    2013/05/30 at 07:29

    Hi Andrew,

    Thanks for making this post and keeping up the efforts to raise awareness of the issue of people posting photos of their cards. I made the @cancelthatcard bot but since it was suspended I haven’t been able to open up any real dialogue with twitter and I have been trying.

    If you or anyone else has advice on starting this kind of discussion with twitter and getting @cancelthatcard running again I’m keen to hear them.

    Cheers

    P.S. I found this post through saved searches I have relevant to the bot.

    • 2013/05/30 at 07:57

      Hi,

      thanks for the response, and for setting up @cancelthatcard in the first place. I’d not have discovered people were that naive if I’d not come across the account.

      I’ve posted a request to Twitter raising the issue with your account, probably just yelling into the wind but you never know.

      Cheers,
      Andrew

      • @serenecloud
        2013/05/30 at 08:03

        Thanks Andrew. I’ve tried support tickets, people I know and friends of friends with no luck yet.

        I wasn’t the first to set up an account like this but it seems the ones before mine met the same fate. The twitter rules do forbid bots that repeat the same content to people when they don’t solicit it, so they do have the right to issue suspensions, but it’s a shame that they’ve ended up blocking a useful service.

        However, if people on twitter can spread the word instead then the bot won’t even be needed. It’s always encouraging to see the http://cancelthat.cc/ link being used.

  3. Anonymous
    2013/05/30 at 17:34

    https://twitter.com/cancelthatcard is no longer suspended

    • @serenecloud
      2013/05/30 at 21:02

      Correct, but if it starts automatically tweeting at people again twitter support staff have made it clear that it’ll be suspended, possibly permanently this time.
