The reaction most people have when you point out people are naive enough to post pictures of credit and debit cards online is to laugh, surely no one could be that unaware of the risks. But the fact is that the situation has become that common place that a number of Twitter accounts have been set-up to automatically identify and repost the images.
Some, like @CancelThatCard/http://cancelthat.cc/ attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.
As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:
As a side note, it looks like Twitter is stamping down on the practice of highlighting these posts, the last message posted by @cancel thatcard on April 14th indicate that the service has essentially been censored. I hope Twitter reverse this, providing security information to end-users is not something that should be prevented.
I’ve been following both accounts for sometime; at first my reaction to that I’ve discussed above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting, instead of thanks for providing free advice it more regularly resulted in insults, abuse and full denial that there was any risk imposed.
Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16 digit card number that was obscured. It’s little known, and wasn’t to me until I started following these cards in more depth, is that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was so helpful to identify the card as a personalised BarclayCard. A quick Google search lead to this page, which knowing the 6th digit of the card lead to the fact that the missing digits could only be one of two possibilities, reducing the potential entropy gained from obscuring part of the card from ~10k possible numbers to two possible card numbers, effectively posting the entire 16 digits online.
In the above example, which is far from uncommon, when suggesting the owner may want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).
To end I’ll echo the plea from @needadebit card: Please quit posting pictures of your cards people.
– Andrew Waite
P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter time-line if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity then, well, me deleting a couple of Twitter posts aren’t going to improve their security.
Cleaning the harddrive of any machine, be it desktop, laptop or server, before either repurposing or selling (or even scrapping), should be a basic requirement of any organisation. But there is a seemingly unrelenting stream of reported incident, some of which coming from organisations that really should know better, MI6 and military contractors for example.
Is securely wiping data from drives really that difficult? Not really.
Simply boot the system with nearly any live linux system (I use Knoppix for this kind of work), then simply use dd (discussed previously to image drives) to overwrite the drive with random data. For example:
dd if=/dev/urandom of=/dev/sda
This simple overwrites the entire physical drive, sda, with random data taken from the pseudo device /dev/urandom. For more indepth info on wiping with dd and some different options see this guide.
The downside to wiping drives in this method is the length of time involved, in recent cases I have seen a 80GB drive take a little of five hours to complete.
Disclaimer: this may not make your data completely irratrievable but it should be enough to prevent the data being obtained by the simply curious. To truely ensure irratrievable data, try this method.
Disclaimer’s Disclaimer: Server destruction should only be carried out be trained professionals, InfoSanity accepts no responsibility for loss of live, limb or eyebrow)
Quick heads up to anyone following the Phorm/privacy debates: The government’s response to an e-petition to ask the government to stop ISP’s from breaching privacy laws has been released.
The full response can be read here, it’s fairly short so I won’t go into too much detail, but I’m glad to see the government is taking this seriously and not passing the buck to the ICO (the ICOs view):
ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
“Thank you for bringing this to our attention; your concerns are very important to us; your concern will be answered shortly…”
Once again I’m glad I don’t do business with BT(with the exception of line rental). First Phorm: now this
BT has begun transforming its commercial customers’ Business Hubs into OpenZone hotspots for any passing Tom, Dick or Harry to share, and leaving businesses to figure out how to opt out of the scheme after the fact.
“Free BT public wi-fi hotspot for every business broadband customer” claims the release, proudly suggesting that “Hub owners buy BT Openzone access vouchers … and can choose to pass the vouchers to their customers or resell the prime business service and add revenue”, so you can either screw visitors to your office by selling them vouchers, or pay BT twice for the same bandwidth by giving them away.
Full info can be found here. BT keep managing to setting the bar lower and lower….
Just read an interesting article on El Reg about Adam Laurie, who has supposedly been ‘hacking’ satellite feeds. Unless I’m missing something it appears to be more a case of sniffing unencrypted communication coming from and going to satellites, but it is interesting in any case.
One of the parts of the article I liked was the comment on the UK’s Privacy laws:
A resident in the UK, Laurie says he’s careful to obey the country’s privacy laws. While he is able to identify certain traffic as email, for instance, he doesn’t actually read the contents of the message. Still, he says it isn’t always easy to follow the letter of such laws because they prohibit people from receiving a message if they aren’t the intended recipient.
“It’s a bit of a quandary,” Laurie says. “You can’t tell you’re not supposed to see that data until after you see it. I can’t unsee what I’m not supposed to have seen.”
Whilst I’ll agree that some of the privacy laws are ‘strange’ the actions Laurie took was looking for traffic in which he wasn’t the intended recipient for any of it, as someone pointed out: if you’re concerned you might be breaking the law you can stop looking.